Threats and Countermeasures
Published: November 11, 2007 This guide is a component of the 2007 Microsoft Office Security Guide. It provides detailed vulnerability, countermeasure, and impact information about security-related Group Policy settings for the 2007 Microsoft® Office release as well as setting recommendations for two different security environments: Enterprise Client (EC) and Specialized Security Limited Functionality (SSLF). It is designed to help you make more informed decisions by providing relevant information about each of the settings. This guide also contains Common Configuration Enumeration (CCE) IDs for all the settings. CCE provides identifiers to system configurations to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. With respect to the Security Content Automation Protocol (SCAP), CCE is primarily used to identify security related configuration issues. For example, CCE IDs could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents. For more information about CCE, visit the CCE Web site. The majority of settings are User Policy settings, which are listed in the first section. A much smaller section that provides information about Computer Policy settings follows the first section. The Applies to: information for every setting in this guide indicates the Group Policy location or locations that contain the setting, as determined by the administrative template files. Each setting applies to one or more 2007 Office applications. If a setting is said to apply to the Microsoft Office 2007 System, it does not necessarily mean that the setting applies to all 2007 Office applications, although it might apply to more than one. AcknowledgmentsThe SA-SC team would like to acknowledge and thank the group of people who produced 2007 Microsoft Office Security Guide: Threats and Countermeasures. The following individuals were either directly responsible or made a substantial contribution to the writing, development, and testing of this guide. Content Developers Bill Gruber – Microsoft Paul Henry – Wadeware LLC Paul Slater – Wadeware LLC Development Lead Ross Carter – Microsoft Editors John Cobb – Wadeware LLC Jennifer Kerns – Wadeware LLC Steve Wacker – Wadeware LLC Product Managers Alain Meeus – Microsoft Jim Stuart – Microsoft Program Manager Flicka Enloe – Microsoft Release Manager Karina Larson – Microsoft Reviewers Alan Myrvold – Microsoft Alessio Roic – Microsoft Alex Vandurme – NCIRC/NATO Amanda Hartin – Microsoft Amani Ahmed – Microsoft Ambrose Treacy – Microsoft Anurag Jain – Microsoft Benjamin Gay – Microsoft Brad Albrecht – Microsoft Bryan Staats – Microsoft Chase Carpenter – Microsoft Dave Kesterson – Microsoft David Vanophalvens – NCIRC/NATO Dheeraj Sarpangal – Microsoft Ed McGinn – Microsoft Emily Kao Messmer – Microsoft Eugene Siu – Microsoft Harshal Doshi – Microsoft Howie Dickerman – Microsoft Jeremy Pankratz – Microsoft Joshua Edwards – Microsoft Korean Government Kurt Dillard – Microsoft Maithili Dandige – Microsoft Mark Simos – Microsoft Naresh Krishna Kumar Kulothungan – Infosys Technologies Ltd Norman Vadnais – Independent Padgett Peterson – Lockheed Martin Patrick Smith – Microsoft Patty Nicholson – Microsoft Paul Prekeges – Microsoft Raf Cox – Microsoft Ryan Gregg – Microsoft Stacia Snapp – Microsoft Su-Piao Bill Wu – Microsoft Tim Getsch – Microsoft Tom Garity – Independent Travis Ratnam – Microsoft Travis Rhodes – Microsoft Tristan Davis – Microsoft Waqas Nazir – V-Empower Inc. Yuriko Kobayashi – Microsoft Zeyad Rajabi – Microsoft In addition, the United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version. Test Manager Gaurav Singh Bora – Microsoft Testers Harish Ananthapadmaanabhan – Infosys Technologies Ltd. IndiraDevi Chandran – Infosys Technologies Ltd. RaxitKumar Gajjar – Infosys Technologies Ltd. Sumit Parikh – Infosys Technologies Ltd. |
|