Overview of security in Office 2013
Applies to: Office 365 ProPlus, Office 2013
Topic Last Modified: 2014-10-16
Summary: Understand the new security features in Office 2013: authentication, identity, Web app catalog and extension, escrow key, and more.
Audience: IT Professionals
Office 2013 includes new authentication functionality. Now users create a profile, sign in one time, and then seamlessly work on and access local and cloud Office files without needing to re-identify themselves. Users can connect multiple services, such as an organization’s OneDrive for Business or a user’s personal OneDrive account, to their Office profile. After that, they'll have instant access to all their files and associated storage. Users authenticate one time for all Office apps, including OneDrive. This is true regardless of the identity provider, whether it is the Microsoft account or the user ID that you use to access Office 365 for professionals and small businesses, or the authentication protocol that is used by the app. Protocols include, for example, OAuth, forms based, claims based, and Windows Integrated Authentication. From a user perspective, it all just works. From the IT perspective, these connected services can easily be managed.
This article is part of the Guide to Office 2013 security. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 security.
Are you looking for security information about individual Office 2013 applications? You can find this information by searching for “2013 security” on Office.com.
Protection starts with authentication and identity. In this release, Office makes a fundamental change from computer- centered identity and authentication to user-centered identity and authentication. This shift enables content, resources, most recently used lists, settings, links to communities, and personalization to roam seamlessly with users as they move from desktop, to tablet, to smartphone, or to a shared or public computer. For the IT admin, user audit trails and compliance are also separated by identity.
In this new environment, users sign in to Office 365 by using one of the following identities:
Their Microsoft-managed, work or school account ID For Office 365 business use, where Microsoft-hosted enterprise and smaller organization user IDs are stored in the cloud. This scenario also supports multiple linked user IDs and single sign-on.
Their federated, org-owned user ID For Office 365 business use, where enterprise user IDs are stored on premises.
Their Microsoft account Typically, users use this identity to sign in to Office 365 for nonbusiness purposes. Users can have multiple Windows Live IDs that are linked and then sign in one time, get authenticated, and then switch from one Microsoft account to another during the same session. They don't have to be re-authenticated.
The IT admin can also set up any user to use multifactor authentication for Office 365. Multifactor authentication increases the security of users beyond just a password. With multifactor authentication for Office 365, users are required to acknowledge a phone call, text message, or an app notification on their smartphone after correctly entering their password. Only after this second authentication factor has been satisfied can a user sign in. For set-up steps, see set up multi-factor authentication for Office 365.
From an IT admin’s perspective, Active Directory is at the heart of this new paradigm. IT admins can do the following:
Control user password policies across devices and services
Use Group Policies to configure the operating environment
Manage with Forefront Identity Manager (FIM) or Active Directory Federation Services (AD FS)
The cloud makes the following all possible:
User accounts can be cloud-managed by using a web portal Setup is simple. You can provision users manually for greatest control. No servers are required. Microsoft manages all that for you.
Any on-premises directories are Active Directory synchronized to the web portal Provisioning can be automated and can co-exist with the cloud managed accounts.
Users have single sign-on capability by using AD FS Provisioning can be automated, and multifactor authentication is supported.
As shown in the following diagram, as the IT pro admin, you are in charge. If yours is a smaller business, you can use identity services in Microsoft Azure to establish, manage, and authenticate your users. User accounts are cloud-managed by using a web portal and Azure Active Directory in the Microsoft cloud. No servers are required. Microsoft manages all that for you. When identity and authentication are handled completely in the cloud without affinity to any on-premises Active Directory store, IT admins can still provision or deprovision IDs and user access to services through the portal or PowerShell cmdlets.
In step 1, IT pros connect to the web access Office 365 admin center in the Microsoft cloud. They request new or manage existing organization IDs.
In step 2, these requests are passed on to your Azure AD.
In step 3, if this is a change request, the change is made and reflected back to the Office 365 admin center. If this is a new ID request, a request for a new ID is issued to the ID provisioning platform.
In step 4, new IDs and changes to existing IDs are reflected back to the Office 365 admin center.
Office 365 identity and authentication managed completely in the cloud—without local Active Directory interaction.
In the next diagram, after you’ve set up users in the Office 365 admin center in the Microsoft cloud, they can sign in from any device. And Office 365 ProPlus can be installed on up to five of their devices.
After you’ve provisioned a user (see the previous diagram), in step 1, they sign in to Office using one of the following identities:
Their work or school account (for example, email@example.com or firstname.lastname@example.org)
Their personal Microsoft account (for example, email@example.com)
In step 2, Microsoft figures out where they want to authenticate and which files and Office settings they want to use depending on the identity they have chosen. That identity is associated with an Azure AD, and their email identity and associated password are passed to the correct Azure AD server for authentication.
In step 3, their request is tested and then granted, and the Office applications are streamed to their device and are ready to use. Their OneDrive for Business saved documents associated with that identity are available to view, edit, and save either locally to their device or back to OneDrive for Business.
Identity provisioning populated by using the Azure directory synchronization. This is cloud managed authentication.
The following diagram shows a scenario with a hybrid on-premises and cloud deployment. The Microsoft cloud Azure AD Sync tool keeps your on-premises and in-the-cloud corporate user identities synchronized.
In step 1, install the Azure AD Sync tool. This tool helps to keep Azure AD up to date with the latest changes you make in your on-premises directory.
In steps 2 and 3, create new users in your on-premises Active Directory. The Azure AD Sync tool will periodically check your on-premises Active Directory server for any new identities you have created. Then, it provisions these identities into Azure AD, links the on-premises and cloud identities to one another, and makes them visible to you through the Office 365 admin center.
In steps 4 and 5, as changes are made to the identity in the on-premises Active Directory, those changes are synchronized to the Azure AD and made available to you through the Office 365 admin center.
In steps 6 and 7, if your users include federated users, those users log in with your AD FS. AD FS generates a security token and that token is passed to Azure AD. The token is verified and validated and the users are then authorized for Office 365.
Identity provisioning that is populated by using the Azure directory synchronization; Active Directory Federation Server 2.0 and cloud managed authentication.
In the user experience, identity is surfaced when the user signs in.
The client user interface At the start of each session, a user can choose to connect either to their personal cloud by using their Microsoft account, or to their on-premises corporate server, or Microsoft-managed cloud for services such as Office 365 and for their documents, pictures, or other data.
If a user chooses to connect by using their Microsoft ID, they sign in by using their Microsoft account (formerly called Passport or Windows Live ID), or they can choose to connect by using the user ID they use to access Office 365.
After they are signed in, that user is also free to switch identities at any time from the Backstage of any Office app.
The client infrastructure Behind the scenes, client authentication APIs enable users to sign in and out and switch the active user identity. More APIs keep track of roaming settings (preferences and most recently used documents) and the services available to each identity.
Other cloud identity services Users are automatically signed in to these native services:
OneDrive, for a Microsoft account sign on, or SharePoint Online for a corporate identity
Roaming most recently used files and settings
Microsoft account activities
Users can also log on to third-party cloud services after they sign in by using a Microsoft account. For example, if they sign in to LinkedIn or Facebook, the connection will roam with that identity.
Use Group Policy settings to control desktops configurations
With more than 4,000 Group Policy control objects at your disposal, you can use Group Policy to mandate user settings for Office. This means that you can create a range of lightly-managed to highly-restricted desktop configurations for your users. Your Group Policy settings always have precedence over Office Customization Tool (OCT) settings. You can also use Group Policy settings to disable particular file formats that are not secure over the network. See Configure security by using OCT or Group Policy for Office 2013 for more information.
A word about Microsoft data centers
The Microsoft Data Center Security Program is risk-based and multidimensional. It takes people, processes, and technology into consideration. The Privacy Program makes sure that consistent global standard “high bar” privacy practices are followed for data handling and data transfer. The Microsoft data centers are also physically secure. All 700,000+ square feet and tens of thousands of servers are guarded 24 hours a day, 7 days a week. If there is a power failure, days of ancillary power are available. These data centers are geographically redundant and located in North America, Europe, and Asia.
Office 365 never scans your email messages or documents to build analytics, mine data, advertise, or improve our own service. Your data always belongs completely to you or your company, and you can remove it from our data center servers any time.
Office 365 complies with the following important and business essential industry standards:
ISO 27001 certified Office 365 meets or exceeds the rigorous set of physical, logical, process, and management controls defined by ISO/TEC 27001:2005.
EU model clauses Office 365 is compliant with and able to sign standard contractual clauses that relate to the EU model clauses and EU Safe Harbor framework.
HIPAA-Business Associate Agreement Office 365 can sign requirements for HIPAA with all customers. HIPAA governs the use, disclosure, and safeguarding of protected health information.
Catalogs and web extensions
Office 2013 includes a new extensibility model for Office clients that enables web developers to create apps for Office, which are web extensions that use the power of the web to extend Office clients. An app for Office is a region inside an Office application that contains a web page that can interact with the document to augment content and provide new interactive content types and functionality. Users can obtain apps for Office from the new Office marketplace or from a private catalog in the form of stand-alone apps or subcomponents of a document template solution, or a SharePoint application.
In the Trust Center, under Trusted App Catalogs, you can control apps for Office, including the following:
Disabling all apps
Disabling apps from the Office Store only
Adding or removing trusted catalogs from the Trusted Catalogs Table
Reset a document’s password with an escrow key and the new DocRecrypt tool
Office 2013 provides a new escrow key capability. This allows the IT admin of an organization to decrypt password-protected documents by using a private escrow key. For example, if a document was encrypted by using Word, Excel, or PowerPoint, and the original owner of the document has either forgotten the password or has left the organization, it would be possible for the IT admin to retrieve the data by using the private escrow key.
The escrow key capability works only with files that are saved and encrypted by using next generation cryptography. This is the default encryption that is used in Office 2010 and Office 2013. If, for compatibility reasons, the default behavior was changed to use the legacy format, escrow key functionality will not be available. For details about this new feature, see Remove or reset file passwords in Office 2013.
Improvements to digital signatures in Office 2013 include the following:
Support for Open Document Format (ODF v1.2) file formats
Enhancements to XAdES (XML Advanced Electronic Signatures)
Support for ODF v1.2 file formats enables people to digitally sign ODF documents in Office 2013 by using invisible digital signatures. These digitally-signed documents do not support signature lines or stamps. In addition, Office 2013 provides digital signature verification of ODF documents that are signed from inside other applications but that are opened in Office 2013.
XAdES improvements in Office 2013 include an improved user experience when you create an XAdES digital signature. Users are given more detailed information about the signature.
Information Rights Management (IRM)
Office 2013 includes a new IRM client, which has a new UI to help simplify identity selection. It also supports automatic service discovery of Rights Management Services (RMS) servers. In addition, Office 2013 has read-only IRM support for Microsoft Office Web Application Companions (WACs). WACs can view IRM-protected documents in a SharePoint library or IRM-protected documents that are attached to messages in Outlook Web Access (OWA).
Office 2013 provides an improved protected view, which is a sandbox technology, when Office 2013 is used with Windows 2012 as the operating system. Office 2013 uses the Windows 2012 AppContainer feature, which provides stronger process isolation and also blocks network access from the sandbox. Protected view was introduced in Office 2010. Protected view helps reduce exploits to computers by opening files in a restricted environment, referred to as a lowbox, so that they can be examined before they are opened for editing in Excel, PowerPoint, or Word.
At Microsoft, security is considered during every step of the software life-cycle. Every employee who contributes to an Office feature or product is required to take security training and continue to learn as the industry and threats evolve. When designing a feature or product, the team is required to consider user data security and privacy from the beginning and how threats to these can be reduced by using encryption, authentication, or other methods. Their decisions are based on the environment, expected or potential exposure, and data sensitivity. The team performs multiple attack surface reviews and creates an incident response plan before an Office product is ever released.
Microsoft doesn’t just rely on employees to make sure user data is safe. It also uses tools and automated quality assurance tests. These fall into three general categories:
Functional testing Where every piece of the user interface is verified to make sure that user input, output, and action is as intended and advertised.
Fuzz testing Where large amounts of random or unexpected data are injected into the software to reveal security problems. Fuzz testing was a big part of the Office 2007 release and continues to be with this latest release.
For web applications Dynamic or web scanning tools are used to test for potential security bugs like cross-site scripting (XSS) or SQL injection.
The testing never stops. The Microsoft Security Response Center (MSRC) is responsible for handling security issues that are uncovered after a product has released. This team can quickly mobilize and deliver swift fixes to customers.
A quick review of security progress over the last several Office releases
Security controls that were introduced in Office XP, Office 2003, Office 2007, and Office 2010 reduced attacks, improved the user experience, hardened, and reduced the attack surface, and made it easier for IT admins to build a robust defense against threats while maintaining user productivity. Here’s how:
Introduction of the following features has mitigated attacks on Office:
Document flow protection
The following features have improved the user experience:
The Trust Center and message bar, trusted locations, trusted publishers, and sticky trust decisions
Actionable security prompts
Improvements to the Encrypt with Password feature
XML file format support
Office has hardened the attack surface through the following features:
Data Execution Prevention (DEP) support
Group Policy enforcement
Trusted time-stamping support for digital signatures
Domain-based password complexity checking and enforcement
Office has reduced the attack surface through the following features:
Office file validation
Expanded file block settings
ActiveX control security
ActiveX “kill bit”
Integrity checking of encrypted files
Macro security levels
File fuzzing is used to identify previously unknown vulnerabilities in various file formats. The Office team has fuzzed millions of files tens of millions of times and discovered, and fixed, hundreds of vulnerabilities.
This hardware and software technology, which was built into Windows and extended to all Office applications starting with Office 2010, identifies files that attempt to run code in reserved memory. This protection is always on for 64-bit versions, and it is configurable by using Group Policy settings in 32-bit versions. If rogue code is detected, the affected application automatically shuts down.
Protected view, which enables safe viewing of suspicious files, was introduced in Office 2010. Now, with the Windows 2012 AppContainer, which is restricted from network access, process isolation is further improved.