Security Best Practices for Office 2010 Applications
Published: July 18, 2011
Author: Ross Carter, Technical Writer and CISSP
Microsoft Office 2010 is the most secure version of Microsoft Office yet. With an improved trust model that persists trust on a per-file basis and new technologies such as Office File Validation and Protected View, users are better protected against exploits that use Office documents as attack vectors. In addition, under-the-hood improvements in encryption technologies, new digital signature capabilities, and support for domain-based password complexity requirements enable users to more effectively secure their Office documents against tampering. Support for Data Execution Prevention adds an extra layer of protection, which, combined with other Office security technologies, provides defense in depth for users who work with Office applications.
In addition to these out-of-the-box security improvements, understanding Office security capabilities and using the best practices noted below will help ensure that your Office environment matches your security posture.
Office 2010 Security
Understand the security architecture, features, and settings that are available in Office 2010:
Office 2010 Security Baseline
Use the Microsoft security configuration recommendations that are in the Office 2010 Security Baseline, which is included with the Microsoft Security Compliance Manager tool:
Enterprise Client (EC) or Specialized Security-Limited Functionality (SSLF) Environments
Select the Office 2010 Security Baseline (EC or SSLF) that best fits your organization's security needs:
Customize Your Security Baseline
Determine whether any of the Microsoft recommended settings need to be changed to fit your organization's requirements, such as internal company policies and controls:
Use Group Policy to enforce Office 2010 settings:
End User Training
Help the users in your organization understand and use the security features in Microsoft Office 2010:
About the Author
Ross Carter is a technical writer on the Office Resource Kit team where he focuses on writing security guidance for IT professionals. Ross has over 20 years of industry experience working in different capacities with security and networking products and technologies. Ross is a CISSP and holds a master's degree in science specializing in telecommunications.