Security Guide

Published: November 11, 2007

Welcome to the 2007 Microsoft Office Security Guide. This guide provides prescriptive guidance for identifying risks and mitigating security threats that relate to the 2007 Microsoft® Office release. It is designed to help you make changes to the default configuration of desktop and laptop computers that run the 2007 Office release in Active Directory® environments.

This guide is part of a Solution Accelerator that provides prescriptive guidance in the form of recommendations, best practices, and step-by-step procedures to help you plan for and securely deploy the 2007 Office release. It includes information about how to deploy recommended security settings for two different types of environments:

  • The recommended settings for Enterprise Client (EC) environments are for organizations that seek to balance security and functionality. Typical security-conscious enterprises, government departments, and other organizations should start with the EC recommendations and customize them to meet their individual circumstances and requirements.
  • The recommended settings for Specialized Security - Limited Functionality (SSLF) environments are for organizations with very stringent security standards, and for which security is more important than application functionality. These settings are designed for organizations and departments with national security responsibilities or that handle highly classified information. You may choose to apply the SSLF settings to a subset of the computers in your organization, or balance the EC and SSLF recommendations to fit your needs.

The Solution Accelerator that includes this guide also provides the GPOAccelerator, a tool you can use to deploy security settings. This tool automatically creates all the Group Policy objects (GPOs) you need to deploy the recommended security settings in your environment. A comprehensive security settings reference called Threats and Countermeasures is also included in the Solution Accelerator to help your security architects, planners, and administrators understand what each security setting does, its recommended configuration, and which threats it mitigates. These settings are also summarized in an Office Excel® workbook called Security Settings for 2007 Office Applications.

Microsoft engineering teams, consultants, support engineers, partners, and customers have reviewed and approved this prescriptive guidance to make it:

  • Proven. Based on field experience.
  • Authoritative. Offers the best advice available.
  • Accurate. Technically validated and tested.
  • Actionable. Provides the steps to success.
  • Relevant. Addresses real-world security concerns.

Regardless of whether you're a consultant, a security specialist, or an IT professional in a midsize or large organization, this guide will provide you with the technical resources and insight that you need to develop an effective security strategy for the 2007 Office release.

Guide Purpose and Scope

The purpose of this guide is to help IT professionals accomplish the following:

  • Understand the most common security threats and threat agents that pose a risk to laptops and desktops that run the 2007 Office release.
  • Identify and understand the security mitigation mechanisms, technologies, and settings that are provided in the 2007 Office release.
  • Design and configure an organizational unit (OU) structure that follows recommended guidelines and best practices from Microsoft for deploying security settings for the 2007 Office release.
  • Plan, test, and deploy recommended security settings for two different types of security environments using the GPOAccelerator tool.

Microsoft Office Applications Discussed in this Guide

The information in this guide applies only to the following applications in the 2007 Office release:

  • Microsoft Office Access™ 2007
  • Microsoft Office Excel 2007
  • Microsoft Office InfoPath® 2007
  • Microsoft Office Outlook® 2007
  • Microsoft Office PowerPoint® 2007
  • Microsoft Office Word 2007

This guide does not apply to earlier versions of Microsoft Office because many of the settings and features discussed in this guide were not available previously. It was tested on Windows® XP Professional with Service Pack 2 (SP2) and on Windows Vista®. It has not been tested on Windows Server® 2003, although the recommendations in this guide might apply to computers that run the 2007 Office release on Windows Server 2003 SP1 or later.

As mentioned earlier, this guide provides prescriptive security setting recommendations for two different types of environments: the EC environment, which balances security and application functionality, and the SSLF environment, which emphasizes security over application functionality. You can use the information in the companion guide, Threats and Countermeasures, to modify the recommended settings to create different configurations for other specialized environments.

Audience

The 2007 Microsoft Office Security Guide is intended primarily for IT generalists, security specialists, network architects, and other IT professionals and consultants who plan and design deployments of the 2007 Office release on both desktop and laptop computers in midsize and large organizations. The guide is not intended for home users. Specifically, this guide is for individuals whose job roles include the following:

  • IT generalist. People in this role handle security at every level in organizations ranging in size from 50 to 500 client computers. IT generalists focus on securing the computers that they manage quickly and simply.
  • Security specialist. This role focuses on how to provide security across computing platforms within an organization. Security specialists identify security features and settings and then provide recommendations about how their customers can most effectively use them in risk-prone environments.
  • IT operations, help desk, and deployment staff. IT operations staff focus on integrating security and controlling change in the deployment process, whereas deployment staff focus on administering security updates quickly. People in these roles also troubleshoot application-related security issues that involve how to install, configure, and improve the usability and manageability of software. They monitor these types of issues to define measurable security improvements with minimal impact on critical business applications.
  • Network architect and planner. People in these roles drive the network architecture efforts for computers in their organization.
  • Consultant. People in this role work in organizations that range in size from 50 to 5,000 or more client computers. IT consultants are aware of many kinds of security scenarios that span all the business levels of an organization. IT consultants from both Microsoft Services and partners take advantage of knowledge transfer tools for enterprise customers and partners.

Why Is Security Important for the 2007 Office Release?

Microsoft is committed to making security a central concern in every product it releases. There are several factors that make securing desktop productivity applications, such as the 2007 Office release, particularly important. These factors include:

  • Fully integrated security architecture. A strong information security design integrates all elements of the IT infrastructure. Microsoft Office is the tool of choice for most users to produce, consume, and communicate data in addition to collaborating with colleagues. The 2007 Office release extends a comprehensive set of controls and management capabilities to the application layer, which provides additional options to dynamically respond to threats and regulatory requirements swiftly and with minimal effort.
  • Attacks on desktop applications are increasing. Desktop applications, including the applications in the 2007 Office release, are increasingly coming under attack as malicious programmers turn their attention away from centralized servers and instead attempt to gain access to data that is stored on client computers. To address this issue, it's important to implement the appropriate security settings and technologies that are part of the 2007 Office release.
  • Data protection. Like all desktop productivity software, the applications in the 2007 Office release provide ways to create and manipulate data. Much of this data contains sensitive information, such as intellectual property or confidential records. Protecting this sensitive information is crucial to an organization's success and security.

Information Security Risks and Defense-in-Depth

Generally, IT professionals and IT security specialists see three types of risks to information security:

  • Confidentiality risks. These risks represent threats to your organization’s intellectual property from unauthorized users and malicious code that attempt to access what is said, written, and created within your organization.
  • Integrity risks. These risks represent threats to your business resources from unauthorized users and malicious code that attempt to corrupt the business data on which your organization relies. Database servers, data files, e-mail servers—any business asset that contains critical information for your organization—can be threatened by integrity risks.
  • Availability risks. These risks represent threats to your business processes by unauthorized users and malicious code that attempt to disrupt the way you do business and the way your information workers complete their work. Business intelligence processes, application features and capabilities, and document workflow processes can all be threatened by availability risks.

To help ensure that your organization is protected from all three of these risk categories, a defense-in-depth security strategy is recommended—that is, a security strategy that includes multiple overlapping layers of defense against unauthorized users and malicious code. Layers will typically include perimeter network protection such as firewalls, physical security measures such as physically secure datacenters and server rooms, and desktop security tools such as personal firewalls, virus scanning programs, and spyware detection.

If the 2007 Office release is part of your environment, your defense-in-depth strategy must also include the mitigation mechanisms that are provided with the 2007 Office release. These mitigation mechanisms include a wide range of technologies, settings, and features, such as trusted publishers, encryption, trusted locations, digital signatures, privacy settings, and security settings for Microsoft ActiveX® controls, add-ins, and Microsoft Visual Basic® for Applications (VBA) macros. Together, these technologies, settings, and features can help mitigate threats to the security of your environment. By using these mitigation mechanisms, you help protect the intellectual property, business resources, and business processes that are at the heart of your business.

Infrastructure Requirements

This guidance assumes that you have used industry-standard guidelines and best practices to develop your organization's security architecture, and that you use industry-current security technologies to protect your organization's infrastructure. It also assumes that you have accomplished the following:

  • Deployed an Active Directory environment throughout your organization, which allows desktops, laptops, and server computers to be centrally managed with Group Policy.
  • Implemented the recommendations and best practices that are prescribed in the Windows XP Security Guide or the Windows Vista Security Guide. These guides provide prescriptive guidance for securing desktop and laptop computers that run the Windows XP and Windows Vista operating systems, and are available from the Microsoft Download Center and from the Microsoft TechNet Web site.
  • Hardened and secured your servers according to the Windows Server 2003 Security Guide. This guide provides prescriptive guidance for securing servers that run the Windows Server 2003 operating system, and is available from the Microsoft Download Center and from the Microsoft TechNet Web site.

If you do not meet these infrastructure requirements, the following resources are available to help you secure and upgrade your infrastructure.

Chapter Summary

The 2007 Microsoft Office Security Guide consists of this overview and five chapters. The following figure shows how you can use this guide and other 2007 Microsoft Office Security Guide deliverables to plan and deploy security settings in your environment.

[Figure: Deploying security settings]

As shown in Step 2 of the preceding figure, Chapters 1 through 4 in this guide will help you determine the most appropriate security settings for your environment. However, if you want to deploy the EC or SSLF settings exactly as prescribed without modification (for example, in a test environment), you can skip to Step 4 and follow the guidance in Chapter 5 and in How to Use the GPOAccelerator. You do not need to read Chapters 1 through 4 to deploy the prescribed EC or SSLF settings.

Note: Microsoft recommends that you carefully evaluate the EC and SSLF settings before using them in a production environment.

A summary of each chapter follows.

Chapter 1: 2007 Office Release

This chapter provides the following information:

  • An overview of the 2007 Office release security model, including a description of the underlying security principles.
  • A description of new and updated security features and settings.
  • A description of the common threats and threat agents that pose a risk to the 2007 Office release.

Chapter 2: Confidentiality

This chapter provides an overview of the 2007 Office release security technologies and settings that help mitigate threats to confidentiality, including:

  • Privacy settings
  • Encryption settings
  • Information Rights Management settings

You can use this information during the envisioning and planning phases to better understand the threats that affect confidentiality and the possible mitigations that you can implement to address such threats.

Chapter 3: Integrity

This chapter provides an overview of the 2007 Office release security technologies and settings that help mitigate threats to integrity, including:

  • Trusted publisher settings
  • Trusted locations settings
  • Digital signature settings

You can use this information during the envisioning and planning phases to better understand the threats that affect integrity and the possible mitigations that you can implement to address such threats.

Chapter 4: Availability

This chapter provides an overview of the 2007 Office release security technologies and settings that help mitigate threats to availability, including:

  • ActiveX control settings
  • Add-in settings
  • VBA macro settings
  • External content settings
  • File block settings
  • Microsoft Internet Explorer® settings

You can use this information during the envisioning and planning phases to better understand the threats that affect availability and the possible mitigations that you can implement to address such threats.

Chapter 5: Designing and Implementing Security Settings

This chapter provides prescriptive guidance for choosing either the EC or SSLF environment settings as well as prescriptive guidance for designing an organizational unit (OU) structure.

Acknowledgments

The SA-SC team would like to acknowledge and thank the group of people who produced the 2007 Microsoft Office Security Guide. The following individuals were either directly responsible or made a substantial contribution to the writing, development, and testing of this guide.

Content Developers

Bill Gruber – Microsoft

Paul Henry – Wadeware LLC

Paul Slater – Wadeware LLC

Development Lead

Ross Carter – Microsoft

Editors

Jennifer Kerns – Wadeware LLC

Steve Wacker – Wadeware LLC

Product Managers

Alain Meeus – Microsoft

Jim Stuart – Microsoft

Eric Yaver – Volt Information Sciences

Program Manager

Flicka Enloe – Microsoft

Release Manager

Karina Larson – Microsoft

Reviewers

Alex Vandurme – NCIRC/NATO

Brad Albrecht – Microsoft

Chase Carpenter – Microsoft

David Vanophalvens – NCIRC/NATO

Derick Campbell – Microsoft

Ed McGinn – Microsoft

Eugene Siu – Microsoft

Frank Simorjay – Microsoft

Joshua Edwards – Microsoft

Korean Government

Kurt Dillard – Microsoft

Mallikarjuna rao Nimmagadda – Microsoft

Mark Simos – Microsoft

Norman Vadnais – Independent

Padgett Peterson – Lockheed Martin

Raf Cox – Microsoft

Tom Garity – Independent

Waqas Nazir – V-Empower Inc.

In addition, the United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.

Test Manager

Gaurav Singh Bora – Microsoft

Testers

Harish Ananthapadmaanabhan – Infosys Technologies Ltd.

IndiraDevi Chandran – Infosys Technologies Ltd.

RaxitKumar Gajjar – Infosys Technologies Ltd.

Sumit Parikh – Infosys Technologies Ltd.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
