User Policy Security Settings E-L

Published: November 11, 2007

The settings in this section are arranged alphabetically by setting name.

User Policy Setting Information

A description is provided for each setting, along with information about the applications to which it applies, the vulnerability the setting addresses, how the vulnerability is addressed, and any other considerations. A table is also included for each setting that shows the setting's location in Group Policy, the ADM file that contains the setting, and the recommended configuration for EC and SSLF environments.

EKU filtering

Applies to: 2007 Office system

This setting allows administrators to specify enhanced key usage (EKU) values to be used in filtering a list of digital certificates for signing Excel 2007, PowerPoint 2007, and Word 2007 documents.

Vulnerability

An enhanced key usage (EKU) extension to a digital certificate is a collection of one or more values that indicate how a certificate should be used. Examples of EKU values include Smart Card Logon and Client Authentication. EKU filtering allows you to filter the list of installed certificates that can be used for digitally signing documents. The filtered list will appear when users attempt to select a certificate for digitally signing a document.

By default, EKU filtering is not enabled. If EKU filtering is not used, users could accidentally or maliciously use the wrong type of certificate for digitally signing a document or validating a signature, which could compromise information security or make it impossible to verify the signature of a document.

Countermeasure

If this setting is Enabled, administrators can specify a list of object identifiers (OIDs) that represent acceptable EKUs for certificates used in conjunction with signed documents. For example, the Encrypting File System EKU has the OID 1.3.6.1.4.1.311.10.3.4. The list of appropriate OIDs will vary according to the specific certificates that the organization uses.

For a list of object IDs associated with Microsoft cryptography, see Knowledge Base article 287547, Object IDs associated with Microsoft cryptography.
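
To show what the filter does with the OIDs this setting takes, here is an added Python example (not code from the guide or from Office): it encodes and decodes the DER ExtKeyUsage extension and keeps only the certificates whose EKUs fall in the allowed list. The sample certificate store, and the choice to leave out certificates that carry no EKU extension, are assumptions of the example; the OIDs other than the EFS value are the standard ones for the usages named above plus Microsoft's Document Signing EKU.

```python
"""EKU filtering: decode a certificate's DER ExtKeyUsage extension and keep only
certificates whose EKU OIDs intersect the administrator's allowed list."""
from typing import Iterable, List, Optional, Tuple

# EKU OIDs: the EFS value is quoted in the guide, the others are the standard
# values for the usages the guide names plus Microsoft's Document Signing EKU.
OID_EFS = "1.3.6.1.4.1.311.10.3.4"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_DOCUMENT_SIGNING = "1.3.6.1.4.1.311.10.3.12"

def _der_len(n: int) -> bytes:
    # DER length octets: short form below 128, long form otherwise.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]   # first two arcs share one subid
    out = bytearray()
    for v in subids:
        chunk = [v & 0x7F]                          # base 128, high bit = continuation
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return b"\x06" + _der_len(len(out)) + bytes(out)

def encode_eku(oids: Iterable[str]) -> bytes:
    """ExtKeyUsage is SEQUENCE OF OBJECT IDENTIFIER (tag 0x30)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value triple; return (tag, content, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid for the content octets of an OBJECT IDENTIFIER."""
    subids, v, pending = [], 0, False
    for b in content:
        v, pending = (v << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            subids.append(v)
            v = 0
    if pending or not subids:
        raise ValueError("malformed OID content")
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in arcs + subids[1:])

def decode_eku(der: bytes) -> List[str]:
    """Return the dotted OIDs held in an ExtKeyUsage extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ExtKeyUsage must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("ExtKeyUsage may only contain OIDs")
        oids.append(decode_oid(content))
    return oids

def filter_signing_certs(certs: Iterable[Tuple[str, Optional[bytes]]],
                         allowed: Iterable[str]) -> List[str]:
    """Subjects whose EKU list shares at least one OID with the allowed set.
    Assumption of this example: a certificate with no EKU extension is left out."""
    allowed = set(allowed)
    return [subject for subject, eku in certs
            if eku is not None and set(decode_eku(eku)) & allowed]

# Constructed certificate store: (subject, ExtKeyUsage DER or None if absent).
SAMPLE_CERTS = [
    ("CN=Alice (EFS)", encode_eku([OID_EFS])),
    ("CN=Bob (Document Signing)", encode_eku([OID_DOCUMENT_SIGNING, OID_CLIENT_AUTH])),
    ("CN=Carol (Smart Card)", encode_eku([OID_SMARTCARD_LOGON, OID_CLIENT_AUTH])),
    ("CN=Dave (no EKU)", None),
]
```

With the allowed list set to the Document Signing OID only, `filter_signing_certs(SAMPLE_CERTS, {OID_DOCUMENT_SIGNING})` leaves just Bob's certificate in the picker, while the smart card and EFS certificates are filtered out.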

Table 1.146. EKU filtering

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Signing

ADM file

office12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Not configured

CCE ID

CCE-1167

Impact

If this setting is Enabled, 2007 Office users might be more restricted as to which certificates they can use for digitally signing documents. You will need to ensure that the EKU field is completed on the certificates you wish to use for digital signing.

Email Forms Beaconing UI

Applies to: InfoPath

This setting controls whether users are warned when an InfoPath form contains a Web beaconing threat.

Vulnerability

Malicious users could send e-mail InfoPath forms with embedded Web beacons that can be used to track when recipients open the form and provide confirmation that recipients' e-mail addresses are valid. Additional information gathered by the form or information entered by users could also be sent to an external server and leave the users vulnerable to additional attacks.

By default, InfoPath 2007 users are only warned of a beaconing threat if the form originates from the Internet.

Countermeasure

If this setting is Enabled, administrators can choose from three options for controlling when InfoPath 2007 users are prompted about Web beaconing threats:

  • Never show UI
  • Always show UI
  • Show UI if XSN is in Internet Zone

Important If Disabled or Enabled|Never show UI is chosen, users will not be warned of Web beaconing threats. This configuration can significantly compromise security.

Table 1.147. Email Forms Beaconing UI

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007\Miscellaneous

ADM file

inf12.adm

Recommended setting (EC)

Enabled (Show UI if XSN is in Internet Zone)

Recommended setting (SSLF)

Enabled (Always show UI)

CCE ID

CCE-1212

Impact

The recommended setting for the EC environment does not alter the default configuration and therefore should not affect usability. If the recommended setting for the SSLF environment is chosen, users will be warned of potential Web beaconing threats even if they are from the local intranet. It is possible that some internal forms might use beaconing techniques legitimately. If so, these forms will need to be redesigned or users will need to be educated about the warning message that displays.

Enable Customer Experience Improvement Program

Applies to: 2007 Office system

This setting controls whether users can participate in the Microsoft Office Customer Experience Improvement Program to help improve Microsoft Office.

Vulnerability

When users choose to participate in the Customer Experience Improvement Program (CEIP), 2007 Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data.

By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies.

Countermeasure

If this setting is Disabled, 2007 Office users cannot participate in the Customer Experience Improvement Program.

Table 1.148. Enable Customer Experience Improvement Program

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Privacy\Trust Center

ADM file

office12.adm

Recommended setting (EC)

Not Configured

Recommended setting (SSLF)

Disabled

CCE ID

CCE-184

Impact

The Customer Experience Improvement Program sends data to Microsoft silently and without affecting application usage, so choosing Disabled will not cause usability issues for 2007 Office users.

Enable links in e-mail messages

Applies to: Outlook

This setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook 2007 are enabled.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

Outlook 2007's Junk E-mail Filter evaluates each incoming message for possible spam or phishing content. Suspicious message detection is always turned on.

By default, Outlook handles suspicious messages in two ways:

  • If the Junk E-mail Filter does not consider a message to be spam but does consider it to be phishing, the message is left in the Inbox but any links in the message are disabled and users cannot use the Reply and Reply All functionality. In addition, any attachments in the suspicious message are blocked.
  • If the Junk E-mail Filter considers the message to be both spam and phishing, the message is automatically sent to the Junk E-mail folder. Any message sent to the Junk E-mail folder is converted to plain text format and all links are disabled. In addition, the Reply and Reply All functionality is disabled and any attachments in the message are blocked. The InfoBar alerts users to this change in functionality. If users are certain that a message is legitimate, they can click the InfoBar and enable the links in the message.

Users can change the way Outlook handles phishing messages in the Junk E-mail Options dialog box by clearing the Disable links and other functionality in phishing messages (Recommended) check box. If this check box is cleared, Outlook will not disable links in suspected phishing messages unless they are classified as junk e-mail, which could allow users to disclose confidential information to malicious Web sites.

Countermeasure

If this setting is Disabled, Outlook 2007 disables all links in suspected phishing messages, even if they are not classified as junk e-mail, and does not allow users to change this setting.

Important If this setting is Enabled, Outlook will not disable links in suspected phishing messages that are not also classified as junk e-mail. This configuration can significantly reduce security.

Table 1.149. Enable links in e-mail messages

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Trust Center

ADM file

outlk12.adm

Recommended setting (EC)

Disabled

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1052

Impact

Disabling this setting enforces the default configuration in Outlook 2007, and is therefore unlikely to cause significant usability issues for most users.

Enable RPC encryption

Applies to: Outlook

This setting controls whether Outlook 2007 uses RPC encryption to communicate with Microsoft Exchange servers.

Vulnerability

By default, the remote procedure call (RPC) communication channel between an Outlook 2007 client computer and an Exchange server is not encrypted. If a malicious person is able to eavesdrop on the network traffic between Outlook and the server, they might be able to access confidential information.

Countermeasure

If this setting is Enabled, Outlook 2007 uses RPC encryption when communicating with an Exchange server.

Note RPC encryption only encrypts the data from the Outlook client computer to the Exchange server. It does not encrypt the messages themselves as they traverse the Internet.

Table 1.150. Enable RPC encryption

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange

ADM file

outlk12.adm

Recommended setting (EC)

Enabled

Recommended setting (SSLF)

Enabled

CCE ID

CCE-1082

Impact

Enabling this setting should not have any significant effect on users. However, there is always a trade-off between secure communication and performance, so you should evaluate the performance impact of encrypting every connection from the Outlook 2007 client computer and the Exchange server.

Encrypt all e-mail messages

Applies to: Outlook

This setting allows administrators to require that all e-mail messages be encrypted when sent from Outlook 2007.

Vulnerability

Most e-mail messages are sent in clear text, which leaves them vulnerable to interception. When stronger security is required, users can encrypt messages with digital certificates so that they can only be read by the intended recipients. Organizations with very strong security requirements might wish to require that users encrypt all e-mail messages that they send.

Countermeasure

If this setting is Enabled, the Encrypt button is automatically selected on all outgoing e-mail messages, meeting invitations, and other Outlook 2007 items. Users must select an appropriate certificate to encrypt the message for the intended recipient.

Table 1.151. Encrypt all e-mail messages

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Cryptography

ADM file

outlk12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Not configured

CCE ID

CCE-1181

Impact

The recommended setting for both EC and SSLF configurations is Not configured. Although encrypting e-mail provides effective protection, enabling this setting can be impractical even for the most security-conscious organizations because it prevents users from sending any e-mail messages to recipients for whom they do not have valid certificates. If your organization wishes to standardize the use of e-mail encryption while allowing users to send unencrypted messages when encryption is not available, Microsoft recommends using the Office Customization Tool (OCT) to enable encryption by default in new 2007 Office installations. This configuration allows users to disable encryption for individual messages as needed, while ensuring that other messages are encrypted. For more information about the OCT, see Office Customization Tool in the 2007 Office system.

Encryption type for password protected Office 97-2003 files

Applies to: 2007 Office system

This setting allows administrators to specify an encryption type for password-protected Office 97-2003 files.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files.

By default, Excel 2007, PowerPoint 2007, and Word 2007 use Office 97/2000 Compatible encryption, a proprietary encryption method, to encrypt password-protected Office 97-2003 files.

Countermeasure

If this setting is Enabled, administrators can specify the type of encryption that Office applications will use to encrypt password-protected files in the older Office 97-2003 file formats. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer.

Specify the encryption type to use by entering it in the provided text box in the following form:

<Encryption Provider>,<Encryption Algorithm>,<Encryption Key Length>

For example, Microsoft Enhanced Cryptographic Provider v1.0,RC4,128

Table 1.152. Encryption type for password protected Office 97-2003 files

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Security Settings

ADM file

office12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)

CCE ID

CCE-1561

Impact

Consider the needs of your organization and users when selecting an encryption method to enforce. If you work for a government agency, contract for a government agency, or otherwise work with very sensitive information, you might need to select a method that complies with policies that govern how such information is processed. Remember that you will need to ensure that the selected cryptographic service provider is installed on the computers of all users who need to work with password-protected Office 97-2003 files.

Encryption type for password protected Office Open XML files

Applies to: 2007 Office system

This setting allows administrators to specify an encryption type for Office Open XML files.

Vulnerability

If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, 2007 Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files.

On computers that run Windows Vista, the default cryptographic service provider (CSP) is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit. On computers that run Windows XP, the default CSP is Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype), AES-128, 128-bit.

Countermeasure

If this setting is Enabled, administrators can specify the type of encryption that Office applications will use to encrypt password-protected files in the Office Open XML file formats used by Excel 2007, PowerPoint 2007, and Word 2007. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer.

Specify the encryption type to use by entering it in the provided text box in the following form:

<Encryption Provider>,<Encryption Algorithm>,<Encryption Key Length>

For example, Microsoft Enhanced Cryptographic Provider v1.0,RC4,128
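
The value format shown here for the Office Open XML setting is the same as for the Office 97-2003 setting above, so one added Python example (not code from the guide or from Office) covers both: it parses the <Encryption Provider>,<Encryption Algorithm>,<Encryption Key Length> triple, checks the provider against an inventory of installed CSPs, and compares the algorithm and key length with the SSLF recommendation. The CSP inventories are constructed stand-ins for the registry key named above.

```python
"""Check the value entered for the "Encryption type for password protected ..."
settings, written as <Encryption Provider>,<Encryption Algorithm>,<Key Length>.
The CSP inventories below are constructed stand-ins for the subkeys of
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider."""
from typing import Dict, Iterable, List, Tuple

# Values quoted in the guide.
GUIDE_EXAMPLE = "Microsoft Enhanced Cryptographic Provider v1.0,RC4,128"
SSLF_RECOMMENDED = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256"

# Constructed inventory of CSPs on the computer doing the encrypting.
INSTALLED_CSPS = [
    "Microsoft Enhanced Cryptographic Provider v1.0",
    "Microsoft Enhanced RSA and AES Cryptographic Provider",
]
# Constructed per-computer inventory for the rollout check; the XP entry uses
# the "(Prototype)" provider name the guide gives as that platform's default.
FLEET = {
    "VISTA-PC": INSTALLED_CSPS,
    "XP-PC": ["Microsoft Enhanced Cryptographic Provider v1.0",
              "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)"],
}

def parse_encryption_type(value: str) -> Tuple[str, str, int]:
    """Split the policy value into (provider, algorithm, key length in bits)."""
    parts = [p.strip() for p in value.split(",")]
    if len(parts) != 3 or not all(parts):
        raise ValueError("expected <Provider>,<Algorithm>,<Key Length>: %r" % value)
    provider, algorithm, length = parts
    if not length.isdigit():
        raise ValueError("key length must be a whole number of bits: %r" % length)
    return provider, algorithm, int(length)

def check_encryption_type(value: str, installed: Iterable[str]) -> List[str]:
    """Findings for one computer; an empty list means the value is usable there
    and at least as strong as the SSLF recommendation."""
    provider, algorithm, bits = parse_encryption_type(value)
    findings = []
    if provider not in set(installed):
        findings.append("CSP not installed: " + provider)
    tail = algorithm.split()[-1]            # "AES 256" carries the key size too
    if tail.isdigit() and int(tail) != bits:
        findings.append("algorithm %s does not match key length %d" % (algorithm, bits))
    if not algorithm.upper().startswith("AES"):
        findings.append("algorithm %s is not AES; the SSLF setting uses AES 256" % algorithm)
    elif bits < 256:
        findings.append("AES key length %d is below the SSLF setting of 256" % bits)
    return findings

def clients_missing_csp(value: str, fleet: Dict[str, Iterable[str]]) -> List[str]:
    """Computers in the fleet that lack the CSP the setting names, which the
    Impact note says must be installed wherever the protected files are used."""
    provider = parse_encryption_type(value)[0]
    return sorted(host for host, csps in fleet.items() if provider not in set(csps))
```

Against the constructed fleet, the SSLF value passes on the Vista computer but `clients_missing_csp` reports the XP computer, whose only AES provider carries the "(Prototype)" name.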

Table 1.153. Encryption type for password protected Office Open XML files

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Security Settings

ADM file

office12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)

CCE ID

CCE-1539

Impact

Consider the needs of your organization and users when selecting an encryption method to enforce. If you work for a government agency, contract for a government agency, or otherwise work with very sensitive information, you might need to select a method that complies with policies that govern how such information is processed. Remember, you will need to ensure that the selected cryptographic service provider is installed on the computers of all users who need to work with password-protected Office Open XML files.

Ensure all S/MIME signed messages have a label

Applies to: Outlook

This setting controls whether Outlook 2007 requires labels on S/MIME signed messages.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

S/MIME V3 Enhanced Security Services (ESS) extensions for security labels and signed receipts can help provide security-enhanced e-mail communications within your organization. You can also use these extensions to customize security to fit your requirements. If your organization develops and provides S/MIME V3 security policies to add custom security labels, this setting can help you enforce these policies by requiring that users attach a security label to each Outlook 2007 e-mail message before it is sent. For example:

  • An Internal Use Only label might be implemented as a security label to apply to an e-mail message that should not be sent or forwarded outside your company.
  • A security label can specify that certain recipients cannot forward or print the message, if those recipients also have the security policy installed.

Countermeasure

If this setting is Enabled, labels must be attached to all Outlook 2007 S/MIME messages before they are sent. Users can attach labels to messages in the Message Options dialog box by clicking Security Settings, ensuring that the Add digital signature to this message check box is selected, and selecting a label under Security Label.

Table 1.154. Ensure all S/MIME signed messages have a label

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Cryptography

ADM file

outlk12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Not configured

CCE ID

CCE-687

Impact

Enabling this setting can create some additional work for users who use Outlook 2007 to send many S/MIME signed messages by requiring them to select an appropriate label for each one. Users who do not send S/MIME signed messages will not be affected by this setting.

Force file extension to match file type

Applies to: Excel

This setting controls how Excel 2007 loads file types that do not match their extension.

Vulnerability

Excel 2007 can load files with extensions that do not match the files' type. For example, if a comma-separated values (CSV) file named example.csv is renamed example.xls, Excel can properly load it as a CSV file.

Some attacks target specific file formats. If Excel is allowed to load files with extensions that do not match their file types, a malicious person can deceive users into loading dangerous files that have incorrect extensions.

By default, if users attempt to open files with the wrong extension, Excel opens the file and displays a warning that the file type is not what Excel expected.

Countermeasure

If this setting is Enabled, administrators can choose from three options for working with files that have non-matching extensions:

  • Allow different. Excel 2007 opens the files properly without warning users that the files have non-matching extensions. If users subsequently edit and save the files, Excel preserves both the true, underlying file format and the incorrect file extension.
  • Allow different, but warn. Excel opens the files properly, but warns users about the file type mismatch. This option is the default configuration in Excel.
  • Always match file type. Excel does not open any files that have non-matching extensions.
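
The CSV-renamed-to-.xls case above, worked through in an added Python example (not the guide's or Excel's code): it sniffs the container format from a file's leading bytes instead of trusting the extension, then applies each of the three policy options. The signature table and the sample files are constructed, and refusing unrecognised content is an assumption of the example rather than documented Excel behaviour.

```python
"""Compare a workbook's on-disk format with its extension, the mismatch the
"Force file extension to match file type" policy governs, and apply each of
the policy's three options. Signatures and sample files are constructed."""
from typing import List, Optional, Tuple

# Leading bytes of the container formats; a plain-text comma table is treated
# as CSV. The Office Open XML check only looks for the ZIP signature.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Office 97-2003 binary (.xls)
ZIP_MAGIC = b"PK\x03\x04"                        # Office Open XML (.xlsx)

ALLOW = "Allow different"
WARN = "Allow different, but warn"
BLOCK = "Always match file type"

def sniff_type(data: bytes) -> Optional[str]:
    """Guess the real format from content, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "xls"
    if data.startswith(ZIP_MAGIC):
        return "xlsx"
    try:
        lines = [l for l in data.decode("utf-8").splitlines() if l.strip()]
    except UnicodeDecodeError:
        return None
    return "csv" if lines and all("," in l for l in lines) else None

def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def evaluate(name: str, data: bytes, option: str) -> Tuple[bool, Optional[str]]:
    """Return (opens?, message). Unrecognised content is refused here; that is
    an assumption of this example, not documented Excel behaviour."""
    actual, ext = sniff_type(data), extension_of(name)
    if actual is None:
        return False, "unrecognised content in " + name
    if actual == ext:
        return True, None
    msg = "%s has extension .%s but contains %s data" % (name, ext, actual)
    if option == ALLOW:
        return True, None           # opened silently; mismatch preserved on save
    if option == WARN:
        return True, msg            # the default: open, but tell the user
    if option == BLOCK:
        return False, msg           # SSLF: refuse the file
    raise ValueError("unknown policy option: " + option)

# Constructed sample files: the guide's example.csv renamed to .xls, plus
# well-formed .xls and .xlsx headers.
CSV_BYTES = b"region,sales\nnorth,100\nsouth,250\n"
SAMPLE_FILES = [
    ("example.csv", CSV_BYTES),
    ("example.xls", CSV_BYTES),
    ("book.xls", OLE2_MAGIC + b"\x00" * 8),
    ("book.xlsx", ZIP_MAGIC + b"\x00" * 26),
]

def apply_policy(option: str) -> List[Tuple[str, bool, Optional[str]]]:
    """Run every sample file through one policy option."""
    return [(n,) + evaluate(n, d, option) for n, d in SAMPLE_FILES]
```

Under the SSLF option, `apply_policy(BLOCK)` opens example.csv and both genuine workbooks but refuses example.xls, which is the only file whose content disagrees with its extension.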

Table 1.155. Force file extension to match file type

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Excel 2007\Excel Options\Security

ADM file

excel12.adm

Recommended setting (EC)

Enabled - Allow different, but warn

Recommended setting (SSLF)

Enabled - Always match file type

CCE ID

CCE-616

Impact

Earlier versions of Excel did not enforce file type matching. Enabling this setting and selecting Always match file type might cause disruptions for users who rely on the functionality of earlier versions of Excel, and could interfere with the operation of tools and scripts that rely on it.

Fortezza certificate policies

Applies to: Outlook

This setting specifies a list of policies allowed in the policies extension of a certificate that indicate the certificate is a Fortezza certificate.

Vulnerability

Fortezza is a hardware-based encryption standard created by the National Security Agency (NSA), a division of the United States Department of Defense. To be valid for use with Fortezza, a certificate must include an appropriate policy in the certificate's policies extension.

Countermeasure

If this setting is Enabled, administrators can enter a list of policies in the supplied text box that can be used to indicate that a certificate is a Fortezza certificate. Entries in the list are separated by semicolons. For example: policy1;policy2;policy3.

Table 1.156. Fortezza certificate policies

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Cryptography

ADM file

outlk12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Not configured

CCE ID

CCE-1402

Impact

If your organization uses Fortezza, you will have to use this setting to enable support for Fortezza certificates. It should not create any usability issues for end users if configured correctly.

Hidden text

Applies to: Word

This policy controls whether text that is formatted as hidden displays on Word 2007 users' monitor screens.

Vulnerability

By default, Word 2007 does not display text formatted as hidden unless Show/Hide ¶ is selected or Word is configured to show hidden text in the Display section of the Word Options dialog box. If a document that contains hidden text is distributed, any sensitive information in the document could be at risk.

Countermeasure

If this setting is Enabled, Word 2007 displays hidden text at all times. Hidden text on monitor screens displays as underlined with a dotted line.

Table 1.157. Hidden text

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Word 2007\Word Options\Display

ADM file

word12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Enabled

CCE ID

CCE-885

Impact

Enabling this setting could create issues for Word 2007 users when they format documents that contain hidden text for printing or distribution. Displaying hidden text can change the way a document flows as well as make it difficult to judge the number of pages in a document and where Word will insert automatic page breaks.

Hide Junk Mail UI

Applies to: Outlook

This setting controls whether the Junk E-mail Filter is enabled in Outlook 2007.

Vulnerability

The Junk E-mail Filter in Outlook 2007 is designed to intercept the most obvious junk e-mail, or spam, and send it to users' Junk E-mail folders. The filter evaluates each incoming message based on several factors, including the time when the message was sent and the content of the message. The filter does not single out any particular sender or message type, but instead analyzes each message based on its content and structure to discover whether or not it is probably spam.

By default, the Junk E-mail Filter in Outlook 2007 is enabled. If this configuration is changed, users can receive large amounts of junk e-mail in their Inboxes, which could make it difficult for them to work with business-related e-mail messages.

Countermeasure

If this setting is Disabled, the Junk E-mail Filter in Outlook 2007 is active.

Table 1.158. Hide Junk Mail UI

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Tools | Options…\Preferences\Junk E-mail

ADM file

outlk12.adm

Recommended setting (EC)

Disabled

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1187

Impact

The name of this setting is somewhat misleading, as enabling it turns off junk e-mail filtering in Outlook 2007 entirely, in addition to hiding the filtering controls from users. You can use the "Junk E-mail Protection level" setting, documented in this guide, to preset a filtering level and prevent users from changing it.

This setting does not affect the configuration of the Microsoft Exchange Server Intelligent Message Filter (IMF), which provides server-level junk e-mail filtering.

Ignore other applications

Applies to: Excel

This setting controls whether Excel 2007 can exchange data with other applications that use Dynamic Data Exchange (DDE).

Vulnerability

By default, Excel 2007 can use the Dynamic Data Exchange (DDE) protocol to exchange messages and data with other applications. For example, a cell in an Excel workbook can be dynamically linked to a value provided by another application, such as weather or stock price information. When the value provided by the other application changes, Excel can automatically update the value in the workbook. Although this functionality can help users ensure that Excel always has the latest data, it also means that workbook data is subject to change without user intervention, which could compromise the integrity of the data in some situations.

Countermeasure

If this setting is Enabled, the Ignore other applications that use Dynamic Data Exchange (DDE) check box is selected in the Advanced section of the Excel Options dialog box and users cannot change it.

Table 1.159. Ignore other applications

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Excel 2007\Excel Options\Advanced

ADM file

excel12.adm

Recommended setting (EC)

Enabled

Recommended setting (SSLF)

Enabled

CCE ID

CCE-1471

Impact

Enabling this setting can cause disruptions for users who rely on the DDE functionality in Excel 2007 to update information in workbooks. These users will have to use some other method to update information provided by other applications.

Important If this setting is enabled, users might see an error message when they double-click Excel workbooks in Windows Explorer to open them. For more information, see Knowledge Base article 211494, Excel opens without displaying a workbook.

Improve Proofing Tools

Applies to: 2007 Office system

This setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft.

Vulnerability

The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. Although this feature does not intentionally collect personal information, some of the content that is sent could include items that were marked as spelling or grammar errors, such as proper names and account numbers. However, any numbers such as account numbers, street addresses, and phone numbers are converted to zeroes when the data is collected. Microsoft uses this information solely to improve the effectiveness of the Office Proofing Tools, not to identify users.

By default, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies.

Countermeasure

If this setting is Disabled, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft.

Table 1.160. Improve Proofing Tools

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection

ADM file

office12.adm

Recommended setting (EC)

Not Configured

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1292

Impact

The Customer Experience Improvement Program sends proofing tool data to Microsoft silently and without affecting application usage, so disabling the collection and transmission of proofing tool data is unlikely to cause usability issues for most users.

Include Internet in Safe Zones for Automatic Picture Download

Applies to: Outlook

This setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook 2007 users explicitly choosing to do so.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

Malicious e-mail senders can send HTML e-mail messages with embedded Web beacons, which are pictures and other content from external servers that can be used to track whether recipients open the messages. Viewing e-mail messages that contain Web beacons provides confirmation that the recipient's e-mail address is valid, which leaves the recipient vulnerable to additional spam and harmful e-mail.

By default, Outlook 2007 does not download external content in HTML e-mail messages from untrusted senders via the Internet. If this configuration is changed, Outlook will display external content in all HTML e-mail messages received from the Internet, which could include Web beacons.

Countermeasure

If this setting is Disabled, Outlook 2007 does not consider the Internet a safe zone, which means that Outlook will not automatically download content from external servers unless the sender is included in the Safe Senders list. Recipients can choose to download external content from untrusted senders on a message-by-message basis.

Important If this setting is Enabled, Outlook will automatically download external content in all e-mail messages sent over the Internet and users will not be able to change the setting.

Table 1.161. Include Internet in Safe Zones for Automatic Picture Download

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings

ADM file

outlk12.adm

Recommended setting (EC)

Disabled

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1497

Impact

Disabling this setting enforces the default configuration, and is unlikely to cause usability issues for most Outlook 2007 users.

Include Intranet in Safe Zones for Automatic Picture Download

Applies to: Outlook

This setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the local intranet are downloaded without Outlook 2007 users explicitly choosing to do so.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

Malicious e-mail senders can send HTML e-mail messages with embedded Web beacons, which are pictures and other content from external servers that can be used to track whether recipients open the messages. Viewing e-mail messages with Web beacons in them provides confirmation that the recipient's e-mail address is valid, which leaves the recipient vulnerable to additional spam and harmful e-mail.

By default, Outlook 2007 does not download external content in HTML e-mail messages from untrusted senders over the local intranet. If this configuration is changed, Outlook will display external content in all HTML e-mail messages received via the local intranet, which could include Web beacons.

Countermeasure

If this setting is Disabled, Outlook 2007 does not consider the local intranet a safe zone, which means that Outlook will not automatically download content from other servers in the Local Intranet zone unless the sender is included in the Safe Senders list. Recipients can choose to download external content from untrusted senders on a message-by-message basis.

Important If this setting is Enabled, Outlook will automatically download external content in all e-mail messages sent over the local intranet and users will not be able to change the setting.

Table 1.162. Include Intranet in Safe Zones for Automatic Picture Download

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings

ADM file

outlk12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1501

Impact

Disabling this setting enforces the default configuration, and is unlikely to cause usability issues for most Outlook 2007 users.

Information Rights Management

Applies to: InfoPath

This setting determines whether InfoPath 2007 users can design Information Rights Management (IRM)-protected forms.

Vulnerability

By default, users can use Information Rights Management (IRM) in InfoPath 2007 to create forms that have restricted permission for specific people who will access the form. By using IRM, users can help prevent sensitive information from being printed, forwarded, or copied by unauthorized people.

Countermeasure

If this setting is Disabled, InfoPath 2007 users can design forms with IRM protections.

Note As with other Restricted Features settings, enabling this setting makes the feature unavailable and disabling the setting makes it available.

Table 1.163. Information Rights Management

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007\Restricted Features

ADM file

inf12.adm

Recommended setting (EC)

Disabled

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1538

Impact

Disabling this setting enforces the default configuration in InfoPath 2007, and is therefore unlikely to cause usability issues for most users.

Internet and network paths as hyperlinks

Applies to: Excel

This setting determines whether Excel 2007 automatically creates hyperlinks when users enter URL or UNC path information.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

By default, when users type a string of characters that Excel 2007 recognizes as a Uniform Resource Locator (URL) or Uniform Naming Convention (UNC) path to a resource on the Internet or a local network, Excel will transform it into a hyperlink. Clicking the hyperlink opens it in the configured default Web browser or the appropriate application. This functionality can enable users to accidentally create links to dangerous or restricted resources, which could create a security risk.

Countermeasure

If this setting is Disabled, the Internet and network paths as hyperlinks check box is cleared under Replace as you type in the AutoCorrect dialog box and users cannot change it.

Note If this setting is Enabled, Excel 2007 will automatically transform URLs and UNC paths to hyperlinks and users will not be able to disable this feature.

Table 1.164. Internet and network paths as hyperlinks

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options

ADM file

excel12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1532

Impact

If this setting is disabled, Excel 2007 users will still be able to create new hyperlinks manually, so it is unlikely to cause significant disruptions for most users.

Junk E-mail protection level

Applies to: Outlook

This setting controls the level of junk e-mail filtering that Outlook 2007 performs.

Vulnerability

The Junk E-mail Filter in Outlook 2007 is designed to intercept the most obvious junk e-mail, or spam, and send it to users' Junk E-mail folders. The filter evaluates each incoming message based on several factors, including the time when the message was sent and the content of the message. The filter does not single out any particular sender or message type, but instead analyzes the content and structure of each message to determine whether it is likely to be spam.

By default, users can choose from four levels of junk e-mail filtering:

  • No Automatic Filtering. Outlook does not evaluate incoming messages by content. Outlook continues to evaluate messages by using the domain names and e-mail addresses in the users' Blocked Senders Lists, and continues to move messages from blocked senders to users' Junk E-mail folders.
  • Low. Outlook only moves the most obvious spam messages to users' Junk E-mail folders. This level is the default setting.
  • High. Outlook intercepts most junk e-mail, but might incorrectly classify some legitimate messages as junk. Users are advised to check their Junk E-mail folders often.
  • Safe Lists Only. Outlook moves all incoming messages to users' Junk E-mail folders except messages from someone on users' Safe Senders Lists and messages sent to mailing lists on users' Safe Recipients Lists.

If users choose an inappropriate setting, they might miss important messages or accumulate large amounts of junk e-mail in their Inboxes.

Countermeasure

If this setting is Enabled, administrators can select one of the four listed options and apply it to all affected users, who will not be able to change it.

Table 1.165. Junk E-mail protection level

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2007\Tools | Options…\Preferences\Junk E-mail

ADM file

outlk12.adm

Recommended setting (EC)

Enabled (Low)

Recommended setting (SSLF)

Enabled (High)

CCE ID

CCE-1588

Impact

Different users might receive different amounts of junk e-mail. Enabling this setting might result in setting the junk e-mail protection level too high for some users and too low for others.

Key Usage Filtering

Applies to: 2007 Office system

This setting allows administrators to filter a list of digital certificates for signing Excel 2007, PowerPoint 2007, and Word 2007 documents, based on the Key Usage field.

Vulnerability

The Key Usage field in a certificate is used to represent a series of basic constraints about the broad types of operations that can be performed with the certificate. Key usage filtering allows you to filter the list of installed certificates that can be used for signing documents. The filtered list will appear when users attempt to select a certificate for digitally signing a document.

By default, digital certificates with the value of "digital signature" in the Key Usage field are listed as available certificates. If key filtering is not used, a user could accidentally or maliciously use the wrong type of certificate for digitally signing a document or validating a signature, which could compromise information security or make it impossible to verify the document's signature information.

Countermeasure

If this setting is Enabled, only certificates with "digital signature" in the Key Usage field are listed as available certificates for signing documents.

Table 1.166. Key Usage Filtering

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Signing

ADM file

office12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Not configured

CCE ID

CCE-1396

Impact

If this setting is Enabled, you will need to ensure that the certificates that are used have the correct information in the Key Usage field so that they can be used to sign and validate digital signatures.
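To check which installed certificates would remain selectable once Key Usage Filtering is Enabled, the following PowerShell (an added example, not part of this guide or of the Office ADM templates) inspects the current user's personal certificate store and reports whether each certificate carries the Digital Signature bit in its Key Usage extension. The function name is the example's own; the store path Cert:\CurrentUser\My is the standard PowerShell certificate provider path.

```powershell
# Added example: audit the personal certificate store for the Key Usage bit
# that Key Usage Filtering requires ("digital signature").
function Test-DigitalSignatureKeyUsage {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Locate the Key Usage extension (OID 2.5.29.15), if the certificate has one.
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    if (-not $ku) {
        # No Key Usage extension at all, so the Digital Signature bit cannot be present.
        return $false
    }

    $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    return (($ku.KeyUsages -band $flag) -eq $flag)
}

# List every certificate in the user's personal store with its filtering result.
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    [pscustomobject]@{
        Subject          = $_.Subject
        Thumbprint       = $_.Thumbprint
        NotAfter         = $_.NotAfter
        HasPrivateKey    = $_.HasPrivateKey
        DigitalSignature = Test-DigitalSignatureKeyUsage -Certificate $_
    }
} | Format-Table -AutoSize
```

Certificates that report False in the DigitalSignature column are the ones users would no longer be offered for signing after the setting is Enabled, so they should be reviewed before the policy is deployed.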

Legacy format signatures

Applies to: 2007 Office system

This setting controls whether users can apply binary format digital signatures to Office 97-2003 documents.

Vulnerability

By default, 2007 Office applications use the XML-based XMLDSIG format to attach digital signatures to documents, including Office 97-2003 binary documents. XMLDSIG signatures are not recognized by Office 2003 applications or previous versions. If an Office 2003 user opens an Excel, PowerPoint, or Word binary document with an XMLDSIG signature attached, the signature will be lost.

Countermeasure

If this setting is Enabled, 2007 Office applications use the Office 2003 binary format to apply digital signatures to Office 97-2003 binary documents so that they will be recognized by the Office 2003 release and earlier applications.

Table 1.167. Legacy format signatures

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Signing

ADM file

office12.adm

Recommended setting (EC)

Enabled

Recommended setting (SSLF)

Enabled

CCE ID

CCE-1585

Impact

Enabling this setting is not likely to cause significant usability issues for most 2007 Office users.

Load Controls in Forms3

Applies to: 2007 Office system

This setting controls how 2007 Office applications load ActiveX controls in UserForms.

Vulnerability

ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant.

To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer—or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.

SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page.

If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode.

This setting allows administrators to control how ActiveX controls in UserForms should be initialized based upon whether they are SFI or UFI.

Countermeasure

If this setting is Enabled, administrators can choose from four options for loading controls in UserForms:

  1. For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration.
  2. Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI:
     • For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties.
     • For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode.
     This option is the default configuration in the 2007 Microsoft Office release.
  3. Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI:
     • For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties.
     • For an SFI signed control, load in safe mode.
  4. For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode).

Table 1.168. Load Controls in Forms3

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system\Security Settings

ADM file

office12.adm

Recommended setting (EC)

Enabled (1)

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1068

Impact

The recommended configuration for the EC environment is 1, which enforces the default configuration and is therefore unlikely to cause usability issues for most users.

Load pictures from Web pages not created in Excel

Applies to: Excel

This setting controls whether Excel 2007 loads graphics when opening Web pages that were not created in Excel.

Vulnerability

By default, when users open Web pages in Excel 2007, Excel loads any graphics that are included in the pages, regardless of whether they were originally created in Excel. Users can change this option in the Web Options dialog box, which is available from the Advanced section of the Excel Options dialog box.

Allowing Excel to load graphics created in other programs can make Excel vulnerable to possible future zero-day attacks that use graphic files as an attack vector. If such an event occurs, this setting can be used to mitigate the vulnerability.

Countermeasure

If this setting is Disabled, Excel 2007 will not load any pictures from Web pages that were not created in Excel.

Note If this setting is Enabled, Excel will load pictures from Web pages that were not created in Excel and users will not be able to change this configuration.

Table 1.169. Load pictures from Web pages not created in Excel

Group Policy location

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General

ADM file

excel12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Disabled

CCE ID

CCE-1464

Impact

The recommended setting for the SSLF environment is Disabled, which means that Excel 2007 does not load pictures from Web pages that were not created in Excel. This configuration can cause some disruptions for users who load Web pages in Excel that were created by other applications. Users who do not load Web pages in Excel will not be affected by this setting.
