Plan cryptography and encryption settings for Office 2010

Applies to: Office 2010

Topic Last Modified: 2011-11-28

Microsoft Office 2010 contains settings that let you control the way that data is encrypted when you use certain Microsoft Office applications. These applications include Microsoft Access 2010, Excel 2010, OneNote 2010, PowerPoint 2010, Project 2010, and Word 2010.

This article discusses cryptography and encryption in Office 2010, describes the settings that you can use to encrypt data, and provides information about compatibility with previous versions of Microsoft Office. For information about Microsoft Outlook 2010, see Plan for e-mail messaging cryptography in Outlook 2010.

As you plan your encryption settings, consider the following guidelines:

  • We recommend that you do not change the default encryption settings unless your organization's security model requires encryption settings that differ from the default settings.

  • We recommend that you enforce password length and complexity to help ensure that strong passwords are used when you encrypt data. For more information, see Plan password complexity settings for Office 2010.

  • We recommend that you do not use RC4 encryption. For more information, see Compatibility with previous versions of Office later in this article.

  • There is no administrative setting that forces users to encrypt documents. There is, however, an administrative setting that removes the ability to add passwords to documents and therefore prevents users from encrypting them. For more information, see Cryptography and encryption settings later in this article.

  • Saving documents in trusted locations does not affect encryption settings. If a document is encrypted and it is saved in a trusted location, a user must provide a password to open the document.

In this article:

  • About cryptography and encryption in Office 2010

  • Cryptography and encryption settings

  • Compatibility with previous versions of Office

About cryptography and encryption in Office 2010

The encryption algorithms that Office can use are those exposed through the cryptographic APIs (application programming interfaces) of the Windows operating system. Office 2010 continues to support the Cryptography API (CryptoAPI) and also supports Cryptography API: Next Generation (CNG), which Office first supported in the 2007 Microsoft Office system with Service Pack 2 (SP2). CNG is part of Windows Vista, Windows Server 2008, and later versions of Windows; on Windows XP and Windows Server 2003, which do not include CNG, Office 2010 falls back to CryptoAPI.

CNG allows for more agile encryption: the cipher and hash algorithms that are available on the host computer can be selected for the document encryption process. CNG is also more extensible, because third-party encryption modules (CNG providers) can supply additional algorithms.

When Office uses CryptoAPI, the available encryption algorithms depend on those that are implemented by a CSP (cryptographic service provider), which is part of the Windows operating system. The following registry key lists the CSPs that are installed on a computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider

The following CNG cipher algorithms, or any other CNG cipher provided by an extension installed on the system, can be used with Office 2010 or the 2007 Office system SP2:

AES, DES, DESX, 3DES, 3DES_112, and RC2

The following CNG hash algorithms, or any other CNG hash provided by an extension installed on the system, can be used with Office 2010 or the 2007 Office system SP2:

MD2, MD4, MD5, RIPEMD-128, RIPEMD-160, SHA-1, SHA256, SHA384, and SHA512

These lists describe what Office can be configured to use, not what you should select. DES has a 56-bit key, and MD2, MD4, and MD5 are no longer considered secure hash functions; they are listed for completeness and compatibility only. Keep the AES default (or AES with a longer key) and a SHA-family hash unless you have a specific reason to do otherwise.

Although Office 2010 settings let you change how encryption is performed, when you encrypt Open XML Format files (.docx, .xlsx, .pptx, and so on) the default values, AES (Advanced Encryption Standard) with a 128-bit key, SHA1 for password hashing, and CBC (cipher block chaining) mode, provide strong encryption and are appropriate for most organizations. AES is the industry-standard symmetric cipher: it was selected by the National Institute of Standards and Technology (NIST) as the United States Government standard (FIPS 197) and is approved by the National Security Agency (NSA) for protecting classified information. AES encryption is supported on Windows XP SP2, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008.

Cryptography and encryption settings

Before you can use the settings discussed in this section, you must install the Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkId=189316) download package, which contains new and updated Group Policy administrative template files and OCT files.

The tables in this section list cryptography and encryption settings. For each setting, the following information is provided:

  • The setting name

  • What the setting does

  • The default configuration for the setting

  • Where to find the setting in the Group Policy Object Editor

    • Unless otherwise noted, you will find Group Policy settings under the User Configuration\Administrative Templates node of the Group Policy Object Editor when you edit a local or domain-based Group Policy object (GPO).

      Note

      The locations in the Group Policy Object Editor presented in this article apply when you invoke the Group Policy Object Editor to edit a GPO. To edit local Group Policy, use the Local Group Policy Editor. To edit domain-based Group Policy, use the Group Policy Management Console (GPMC). Either tool invokes the Group Policy Object Editor when you edit a GPO. For more information, see Use Group Policy to enforce Office 2010 settings and Group Policy overview for Office 2010.

  • Where to find the setting in the Office Customization Tool (OCT)

    • Unless otherwise noted, you will find OCT settings on the Modify user settings page of the OCT when you configure a setup customization file.

      Note

      When you create a new Setup customization .msp file, or open an existing customization .msp file for which file format settings have not been configured for Excel 2010, PowerPoint 2010, or Word 2010, you might be prompted to choose a default file format for users. This happens if the geographic location of the computer on which you are running the OCT is set to a European location. You can choose to keep the current settings for the Setup customization file, or choose either Open XML Formats (which support all the features of Office 2010) or OpenDocument formats. For more information about these file formats, click Learn more to access OCT help.

For information about how to configure security settings in the Office Customization Tool (OCT) and the Office 2010 Administrative Templates, see Configure security for Office 2010.

The following table lists the settings that are available to change the encryption algorithms when you use Microsoft Office versions that access CryptoAPI. This includes Office versions up to and including Office 2010.

Setting: Encryption type for password-protected Office Open XML files
  What it does: Lets you specify the CSP, cipher, and key length used to encrypt Office Open XML files when the legacy (CryptoAPI) encryption format is in use.
  Default configuration: Not configured. Open XML Format files use the Office 2010 default described earlier (AES, 128-bit key, SHA1, CBC).
  Group Policy Object Editor location: Microsoft Office 2010\Security Settings\Trust Center\Protected View
  OCT location: Microsoft Office 2010\Security Settings\Trust Center\Protected View

Setting: Encryption type for password-protected Office 97-2003 files
  What it does: Lets you specify the encryption type for password-protected Office 97-2003 files.
  Default configuration: Excel, PowerPoint, and Word use Office 97/2000 Compatible encryption, a proprietary 40-bit RC4 scheme, to encrypt password-protected Office 97-2003 files.
  Group Policy Object Editor location: Same as the previous setting.
  OCT location: Same as the previous setting.

In Office 2010, Open XML Format files are encrypted with the CNG-based (next generation) format by default, and the Encryption type for password-protected Office Open XML files setting has no effect on that format. If you must change that setting, you first must enable the Specify encryption compatibility setting and select the Use legacy format option, which makes Office 2010 use the CryptoAPI-based format. The Specify encryption compatibility setting is available for Access 2010, Excel 2010, PowerPoint 2010, and Word 2010.

The following table lists the settings that are available to change the encryption algorithms when you use Office 2010. These settings apply to Access 2010, Excel 2010, OneNote 2010, PowerPoint 2010, Project 2010, and Word 2010.

Note

All of the following settings, except Set parameters for CNG context and Specify CNG random number generator algorithm, also apply on supported operating systems that do not include CNG, such as Windows XP SP3; in that case Office 2010 uses CryptoAPI instead of CNG. These settings apply only when Office 2010 encrypts Open XML Format files.

The Group Policy Object Editor location and the OCT location are the same for every setting in this table:

  Microsoft Access 2010\Application Settings\Security\Cryptography
  Microsoft Excel 2010\Excel Options\Security\Cryptography
  Microsoft OneNote 2010\OneNote Options\Security\Cryptography
  Microsoft PowerPoint 2010\PowerPoint Options\Security\Cryptography
  Microsoft Project 2010\Security\Cryptography
  Microsoft Word 2010\Word Options\Security\Cryptography

Setting: Set CNG cipher algorithm
  What it does: Lets you configure the CNG cipher algorithm that is used.
  Default configuration: AES is used.

Setting: Configure CNG cipher chaining mode
  What it does: Lets you configure the cipher chaining mode that is used.
  Default configuration: Cipher Block Chaining (CBC) is used.

Setting: Set CNG cipher key length
  What it does: Lets you configure the number of bits used when the cipher key is created. The number is rounded down to a multiple of 8, and it must be a key length that the selected cipher supports (for AES: 128, 192, or 256).
  Default configuration: 128 bits are used.

Setting: Specify encryption compatibility
  What it does: Lets you choose between the next generation (CNG-based, Office 2010) encryption format and the legacy (CryptoAPI-based) format used by earlier versions.
  Default configuration: The Use next generation format option is applied.

Setting: Set parameters for CNG context
  What it does: Lets you specify the encryption parameters that should be used for the CNG context.
  Default configuration: Default CNG values are used.

Setting: Specify CNG hash algorithm
  What it does: Lets you specify the hash algorithm that is used to derive the encryption key and password verifier from the password.
  Default configuration: SHA1 is used.

Setting: Set CNG password spin count
  What it does: Lets you specify the number of times the password hash is iterated (spun) when the password verifier and encryption key are derived. A higher count makes every password guess more expensive for an attacker, at the cost of a slower open for legitimate users.
  Default configuration: The default (100000) is used.

Setting: Specify CNG random number generator algorithm
  What it does: Lets you configure the CNG random number generator to use.
  Default configuration: The default random number generator is used.

Setting: Specify CNG salt length
  What it does: Lets you specify the number of bytes of salt that should be used.
  Default configuration: The default length of 16 bytes is used.

In addition to the CNG settings that were listed in the previous table, the CNG setting that is listed in the following table can be configured for Excel 2010, PowerPoint 2010, and Word 2010.

Setting: Use new key on password change
  What it does: Lets you specify whether a new encryption key should be generated when the password is changed.
  Default configuration: The Do not use a new key option is applied.
  Group Policy Object Editor location:
    Microsoft Excel 2010\Excel Options\Security\Cryptography
    Microsoft PowerPoint 2010\PowerPoint Options\Security\Cryptography
    Microsoft Word 2010\Word Options\Security\Cryptography
  OCT location:
    Microsoft Excel 2010\Excel Options\Security\Cryptography
    Microsoft PowerPoint 2010\PowerPoint Options\Security\Cryptography
    Microsoft Word 2010\Word Options\Security\Cryptography
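To make the interaction of the Specify CNG hash algorithm, Specify CNG salt length, Set CNG password spin count, and Set CNG cipher key length settings concrete, the following is an added example (not code from this article or from Microsoft) that reproduces the password-to-key derivation used by the Office 2010 agile encryption format for Open XML files. The iteration structure and the three block-key constants follow the MS-OFFCRYPTO specification as used by open-source Office file readers and are an assumption of this example, as are the constructed sample password and salt; the defaults (SHA1, 16-byte salt, 100000 spins, 128-bit key) are the ones listed in the table above.

```python
"""Password-to-key derivation for Office 2010 agile (CNG) encryption.

Added example. Structure and block-key constants follow MS-OFFCRYPTO agile
encryption as implemented by open-source readers (assumption of this example).
Policy settings from the article map to parameters as follows:
  Specify CNG hash algorithm   -> hash_name   (default SHA1)
  Specify CNG salt length      -> len(salt)   (default 16 bytes)
  Set CNG password spin count  -> spin_count  (default 100000)
  Set CNG cipher key length    -> key_bits    (default 128)
"""
import hashlib
import os
import struct
import time

# Block keys appended to the spun hash so that the verifier input, verifier
# hash, and document key are three distinct keys (MS-OFFCRYPTO constants;
# an assumption of this example, not something the article states).
BLOCK_KEY_VERIFIER_INPUT = bytes.fromhex("fea7d2763b4b9e79")
BLOCK_KEY_VERIFIER_VALUE = bytes.fromhex("d7aa0f6d3061344e")
BLOCK_KEY_KEY_VALUE = bytes.fromhex("146e0be7abacd0d6")

# Office 2010 defaults from the settings table.
DEFAULT_HASH = "sha1"
DEFAULT_SALT_LENGTH = 16
DEFAULT_SPIN_COUNT = 100000
DEFAULT_KEY_BITS = 128


def spin_password(password, salt, spin_count=DEFAULT_SPIN_COUNT, hash_name=DEFAULT_HASH):
    """H0 = H(salt || UTF-16LE(password)); Hn = H(LE32(n) || H(n-1)) for n < spin_count."""
    h = hashlib.new(hash_name, salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.new(hash_name, struct.pack("<I", i) + h).digest()
    return h


def derive_key(spun_hash, block_key, key_bits=DEFAULT_KEY_BITS, hash_name=DEFAULT_HASH):
    """Hash the spun value with a block key, then truncate (or pad with 0x36) to key_bits."""
    key = hashlib.new(hash_name, spun_hash + block_key).digest()
    key_len = key_bits // 8
    if len(key) < key_len:
        key += b"\x36" * (key_len - len(key))
    return key[:key_len]


def document_keys(password, salt, spin_count=DEFAULT_SPIN_COUNT,
                  hash_name=DEFAULT_HASH, key_bits=DEFAULT_KEY_BITS):
    """All three keys Office derives from one password for an agile-encrypted file."""
    spun = spin_password(password, salt, spin_count, hash_name)
    return {
        "verifier_input": derive_key(spun, BLOCK_KEY_VERIFIER_INPUT, key_bits, hash_name),
        "verifier_value": derive_key(spun, BLOCK_KEY_VERIFIER_VALUE, key_bits, hash_name),
        "key_value": derive_key(spun, BLOCK_KEY_KEY_VALUE, key_bits, hash_name),
    }


def hashes_per_guess(spin_count=DEFAULT_SPIN_COUNT):
    """Hash invocations needed to derive one key from one password guess:
    the initial hash, spin_count iterations, and the final block-key hash."""
    return spin_count + 2


def guesses_per_second(spin_count, hash_name=DEFAULT_HASH, trials=3):
    """Rough single-core guess rate for a given spin count (timing only; not for tests)."""
    salt = b"\x00" * DEFAULT_SALT_LENGTH
    start = time.perf_counter()
    for i in range(trials):
        spin_password("guess%d" % i, salt, spin_count, hash_name)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = os.urandom(DEFAULT_SALT_LENGTH)          # what Office stores in EncryptionInfo
    keys = document_keys("correct horse battery staple", salt)   # constructed sample password
    for name, key in keys.items():
        print("%-15s %s" % (name, key.hex()))
    for spins in (50000, DEFAULT_SPIN_COUNT):
        print("spin count %6d: %d hashes/guess, ~%.0f guesses/s on this machine"
              % (spins, hashes_per_guess(spins), guesses_per_second(spins)))
```

The lesson for the settings table: each password guess costs an attacker one hash per spin, so the spin count is the setting that directly raises brute-force cost (doubling it halves the guess rate), while a longer salt only prevents precomputation and a longer key does nothing for a weak password. That is why the password complexity guidance at the top of this article matters more than any of the cipher choices.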

You can use the setting that is listed in the following table to remove the ability to add passwords to documents, therefore disallowing encryption of documents.

Setting: Disable password to open UI
  What it does: Controls whether Office 2010 users can add passwords to documents.
  Default configuration: Users can add passwords to Excel workbooks, PowerPoint presentations, and Word documents.
  Group Policy Object Editor location: Microsoft Office 2010\Security Settings\Trust Center\Protected View
  OCT location: Microsoft Office 2010\Security Settings\Trust Center\Protected View

Compatibility with previous versions of Office

If you have to encrypt Office documents, we recommend that you save them as Open XML Format files (.docx, .xlsx, .pptx, and so on) instead of Office 97-2003 format (.doc, .xls, .ppt, and so on). The encryption used for the binary formats (.doc, .xls, .ppt) is based on RC4, which is not recommended, as discussed in the Security Considerations sections 4.3.2 and 4.3.3 of the Office Document Cryptography Structure Specification (https://go.microsoft.com/fwlink/p/?LinkId=192287). Documents that are saved in the older binary formats can only be encrypted with RC4, to maintain compatibility with older versions of Microsoft Office. AES, the default and recommended encryption algorithm, is used to encrypt Open XML Format files.

Office 2010 and the 2007 Office system let you save documents as Open XML Format files. In addition, if you have Microsoft Office XP or Office 2003, you can use the Compatibility Pack to save documents as Open XML Format files.

Documents that are saved as Open XML Format files and encrypted by using Office 2010 can be read only by Office 2010, Office 2007 SP2, and Office 2003 with the Office 2007 SP2 Compatibility Pack. To ensure compatibility with all earlier versions of Office, create a DWORD value named CompatMode (if it does not already exist) under the key HKCU\Software\Microsoft\Office\14.0\<application>\Security\Crypto and set it to 0, where <application> is the Office application you are configuring (for example, Access, Excel, PowerPoint, or Word). Because the value lives under HKCU, it must be set in each user's profile. Be aware that, when CompatMode is 0, Office 2010 writes the Office 2007 compatible encryption format instead of the enhanced format that Office 2010 uses by default for Open XML Format files. If you must configure this setting for compatibility reasons, we recommend that you also use a third-party encryption module that provides enhanced security, such as AES encryption.

If your organization uses the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint File Formats to encrypt Open XML Format files, you should review the following information:

  • By default, the Compatibility Pack uses the following encryption settings (in the provider,cipher,key length format used by the Encryption type settings) to encrypt Open XML Format files:

    • Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128 (on the Windows XP Professional operating system).

    • Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128 (on the Windows Server 2003 and Windows Vista operating systems).

  • Users are not notified that the Compatibility Pack uses these encryption settings.

  • The graphical user interface in earlier versions of Office might display incorrect encryption settings for Open XML Format files if the Compatibility Pack is installed.

  • Users cannot use the graphical user interface in earlier versions of Office to change the encryption settings for Open XML Format files.