

Security Best Practices for Office 2010 Applications

Published: July 18, 2011

Author: Ross Carter, Technical Writer and CISSP

Microsoft Office 2010 is the most secure version of Microsoft Office yet. With an improved trust model that persists trust on a per-file basis and new technologies such as Office File Validation and Protected View, users are better protected against exploits that use Office documents as attack vectors. In addition, under-the-hood improvements in encryption technologies, new digital signature capabilities, and support for domain-based password complexity requirements enable users to more effectively secure their Office documents against tampering. Support for Data Execution Prevention adds an extra layer of defensive protection which, combined with the other Office security technologies, provides defense-in-depth protection for users who work with Office applications.

In addition to these out-of-the-box security improvements, understanding Office security capabilities and following the best practices noted below will help ensure that your Office environment matches your security posture.

Office 2010 Security

Understand the security architecture, features, and settings that are available in Office 2010.

Office 2010 Security Baseline

Use the Microsoft security configuration recommendations that are in the Office 2010 Security Baseline, which is included with the Microsoft Security Compliance Manager tool:

Enterprise Client (EC) or Specialized Security-Limited Functionality (SSLF) Environments

Select the Office 2010 Security Baseline (EC or SSLF) that best fits your organization's security needs:

  • The EC environment is for an organization that has typical security needs. It is suitable for midsize and large organizations that seek to balance security and functionality.
  • The SSLF environment is intended for organizations in which security is paramount. It is only suitable for midsize and large organizations that have stringent security standards, and for which security is more important than application functionality. The SSLF settings can also be applied to a subset of computers in a larger organization, such as a department that handles especially sensitive information.

Customize Your Security Baseline

Determine whether any of the Microsoft recommended settings need to be changed to fit your organization's requirements, such as internal company policies and controls:

  • To obtain a high-level understanding of threats and countermeasures for Office 2010, read the article "Understand security threats and countermeasures for Office 2010."
  • To obtain an understanding of specific security features and capabilities, read the planning guidance that is available on the Office Security Resource Center.
  • To obtain an understanding of a specific security setting, click the Threats and Countermeasures tab within the Microsoft Office 2010 Security Baseline Solution Accelerator.

Group Policy

Use Group Policy to enforce Office 2010 settings:

  • Use Security Compliance Manager to create a Group Policy Object (GPO) Backup of your security baseline, whether it has been customized or not.
  • Use Group Policy Management Console (GPMC) to link the newly created GPO Backup to the desired Active Directory container, such as an organizational unit (OU).
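The two steps above can also be carried out from PowerShell once Security Compliance Manager has exported the GPO Backup. The following is an added example, not part of the original article or of the Security Compliance Manager tooling: it uses the GroupPolicy module cmdlets Import-GPO, New-GPLink, Get-GPInheritance and Get-GPOReport. The backup path, GPO name and OU distinguished name are placeholders that you must replace with your own values.

```powershell
# Added example (not from the original article): import a Security Compliance Manager
# GPO Backup of the Office 2010 baseline into a new GPO and link it to an OU.
# Requires the GroupPolicy module (RSAT or a domain controller) and rights to create and link GPOs.
# Every name and path below is a placeholder; replace it with your own value.
Import-Module GroupPolicy

$backupPath = 'C:\SCM\Office2010-Baseline-Backup'   # folder SCM exported the GPO Backup into (placeholder)
$backupName = 'Office 2010 Security Baseline - EC'  # GPO name recorded inside that backup (placeholder)
$gpoName    = 'Office 2010 Security Baseline - EC'  # name for the GPO created in your domain (placeholder)
$targetOU   = 'OU=Workstations,DC=contoso,DC=com'   # distinguished name of the OU to link to (placeholder)

# 1. Create the GPO from the SCM backup. -CreateIfNeeded creates the target GPO if it does not exist yet,
#    so the baseline (customized or not) lands in a fresh, separately named GPO rather than overwriting one.
$gpo = Import-GPO -BackupGpoName $backupName -Path $backupPath -TargetName $gpoName -CreateIfNeeded

# 2. Link the new GPO to the OU. Linking enabled means it applies on the next policy refresh,
#    so point this at a pilot OU first and widen the scope after validation.
New-GPLink -Name $gpo.DisplayName -Target $targetOU -LinkEnabled Yes

# 3. Verify: list the links on the OU and produce a readable report of the settings the GPO carries.
Get-GPInheritance -Target $targetOU | Select-Object -ExpandProperty GpoLinks
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $env:TEMP "$gpoName.html")
```

If you are unsure which name SCM recorded inside the backup, Import-GPO also accepts -BackupId with the GUID of the backup folder instead of -BackupGpoName. The imported settings are registry-based policy, so GPMC needs the Office 2010 Administrative Template (ADMX/ADML) files in the central store or local PolicyDefinitions folder to display them by name; this is a prerequisite I am noting here, not something the article states.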

End User Training

Help the users in your organization understand and use the security features in Microsoft Office 2010.

About the Author

Ross Carter is a technical writer on the Office Resource Kit team, where he focuses on writing security guidance for IT professionals. Ross has over 20 years of industry experience working in different capacities with security and networking products and technologies. Ross is a CISSP and holds a master's degree in science specializing in telecommunications.
