Computer Policy Security Settings

Published: November 11, 2007

The Computer Policy settings in this section are arranged alphabetically by setting name.

Computer Policy Setting Information

A description is provided for each setting, along with information about the applications to which it applies, the vulnerability the setting addresses, how the vulnerability is addressed, and any other considerations. A table is also included for each setting that shows the setting's location in Group Policy, the ADM file that contains the setting, the recommended configuration for EC and SSLF environments, and any associated Common Configuration Enumeration (CCE) identifiers.

Bind to object

Applies to: 2007 Office system

This setting determines whether Microsoft® Internet Explorer® performs its typical safety checks on Microsoft ActiveX® controls when opening URLs that are passed to it by a 2007 Office application.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.

This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load.

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will apply the typical security checks to any ActiveX objects embedded in Web pages that are opened by the selected applications.

Table 2.1. Bind to object

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security

ADM file

office12.adm

Recommended setting (EC)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

Recommended setting (SSLF)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

CCE IDs

CCE-1669, CCE-1691, CCE-1338, CCE-1717, CCE-1488, CCE-1638, CCE-1647, CCE-1294

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting can cause some disruptions for users who open Web pages that contain potentially dangerous ActiveX controls from 2007 Office applications. However, because any affected controls are usually blocked by default when Internet Explorer opens Web pages, most users should not experience significant usability issues.

Block popups

Applies to: 2007 Office system

This setting controls whether Internet Explorer blocks pop-up windows when opening URLs that are passed to it by a 2007 Office application.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will apply its pop-up blocker functionality to any Web pages that are opened by the selected applications.

Table 2.2. Block popups

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security

ADM file

office12.adm

Recommended setting (EC)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

Recommended setting (SSLF)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

CCE IDs

CCE-1152, CCE-1566, CCE-1077, CCE-1606, CCE-1738, CCE-1262, CCE-1663, CCE-1544

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting can cause some disruptions for users who open Web pages containing pop-up windows from 2007 Office applications. Pop-up windows can be beneficial and even necessary for some Web pages to function correctly. To see these pop-up windows, users will have to add the affected Web sites to the Allowed sites list in Internet Explorer's Pop-up Blocker Settings dialog box.

Disable Package Repair

Applies to: 2007 Office system

This setting controls whether 2007 Office users can choose to repair corrupted Office Open XML documents.

Vulnerability

By default, when a 2007 Office application detects that an Office Open XML document is corrupted, the user has the option to repair the corrupted document.

Countermeasure

If this setting is Enabled, 2007 Office applications do not attempt to repair corrupted Office Open XML documents. This setting can be used to guard against theoretical zero-day attacks that target the package repair feature and that potentially involve an attacker rewriting Office Open XML package files.

Table 2.3. Disable Package Repair

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings

ADM file

office12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Enabled

CCE ID

CCE-933

Impact

The recommended setting for the SSLF configuration is Enabled, which means that 2007 Office users will not be able to repair corrupted Office Open XML package files by themselves. Users who attempt to open corrupted files will require administrative assistance to access the file.

Disable user name and password

Applies to: 2007 Office system

This setting controls whether Internet Explorer opens URLs containing user information that are passed to it by a 2007 Office application.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form https://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the URL https://www.wingtiptoys.com@example.com appears to open https://www.wingtiptoys.com but actually opens https://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.

This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk.
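The check described above, written out as an added example (not code from this guide or from Microsoft): it splits a URL the way a browser does, showing that the user-information part is what a reader sees first while the host after the @ is what is actually contacted. The sample links and the wingtiptoys.com / example.com domains are constructed placeholders.

```python
"""Check URLs for embedded user information, the syntax that the
"Disable user name and password" setting makes Internet Explorer block.
Added example for this guide; not code from the guide or from Microsoft."""
from urllib.parse import urlsplit

# Constructed sample links, as if extracted from the hyperlinks in an Office
# document; wingtiptoys.com and example.com are placeholder domains.
SAMPLE_LINKS = [
    "https://www.wingtiptoys.com/catalog",
    "https://www.wingtiptoys.com@example.com",
    "https://username:password@example.com",
    "http://example.com/@not-userinfo",
]


def classify_url(url: str) -> dict:
    """Report whether a URL carries userinfo and which host it really targets."""
    parts = urlsplit(url)
    has_userinfo = parts.username is not None or parts.password is not None
    return {
        "url": url,
        "has_userinfo": has_userinfo,
        # What a reader skimming the link sees first: the userinfo posing as a host.
        "apparent_host": parts.username if has_userinfo else parts.hostname,
        # Where the browser actually connects.
        "actual_host": parts.hostname,
    }


def deceptive_links(urls):
    """Return the links a userinfo-blocking policy would refuse to open,
    i.e. every link whose authority section carries user information.
    An '@' in the path (last sample) is not userinfo and is left alone."""
    return [c["url"] for c in map(classify_url, urls) if c["has_userinfo"]]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        c = classify_url(link)
        verdict = "BLOCK" if c["has_userinfo"] else "allow"
        print(f"{verdict} {link} -> connects to {c['actual_host']}")
```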

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will block any URLs containing user authentication information opened by the designated applications.

Table 2.4. Disable user name and password

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security

ADM file

office12.adm

Recommended setting (EC)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

Recommended setting (SSLF)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

CCE IDs

CCE-1563, CCE-1215, CCE-1484, CCE-1629, CCE-1762, CCE-1660, CCE-1057, CCE-1285

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting can cause some disruptions for users who open URLs containing user authentication information from 2007 Office applications. Because such URLs are blocked by default when Internet Explorer opens Web pages through conventional means, however, most users should not experience significant usability issues.

Disable VBA for Office applications

Applies to: 2007 Office system

This setting controls whether 2007 Office applications other than Microsoft Office Access™ 2007 can use Microsoft Visual Basic® for Applications (VBA).

Vulnerability

By default, most Office applications, including Microsoft Office Excel® 2007, Outlook® 2007, PowerPoint® 2007, and Word 2007, can execute Visual Basic for Applications (VBA) code that customizes and automates application operation. VBA could also be used by inexperienced or malicious developers to create dangerous code that can harm users' computers or compromise the confidentiality, integrity, or availability of data.

Countermeasure

If this setting is Enabled, the 2007 versions of Excel, Outlook, PowerPoint, Publisher, SharePoint® Designer, and Word cannot execute any VBA code. Enabling this setting does not install or remove any VBA-related code or files from users' computers.

Note This setting does not affect Access 2007.

Table 2.5. Disable VBA for Office applications

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings

ADM file

office12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Enabled

CCE ID

CCE-116

Impact

If this setting is Enabled, VBA code will not function in 2007 Office applications (except Access). If your organization has business-critical requirements for using documents with VBA code, you might not be able to enable this setting.

InfoPath APTCA Assembly allowable list

Applies to: InfoPath

This setting enables administrators to configure a list of assemblies in the Global Assembly Cache (GAC) that can be called by Microsoft Office InfoPath® 2007.

Vulnerability

The GAC contains shared assemblies that can be called from other applications. If an application is fully trusted, it can access any assembly in the GAC. If an application is partially trusted, it can only access assemblies in the GAC that have the AllowPartiallyTrustedCallersAttribute (APTCA) attribute set.

A malicious user could attempt to design an InfoPath 2007 form that would access an assembly with the APTCA attribute set but that is not intended for use by InfoPath forms.

To protect against this type of attack, an InfoPath form's business logic can call into assemblies in the Global Assembly Cache (GAC) only if two conditions are met:

  • The assembly has the AllowPartiallyTrustedCallersAttribute (APTCA) set.
  • The assembly is listed in the APTCA Assembly allowable list. By default, this list is empty.

    Note The default functionality can be changed by disabling the "InfoPath APTCA Assembly Allowable List Enforcement" Group Policy setting, which is the next setting described in this guide. However, Microsoft strongly recommends that you ensure that allowable list enforcement is enabled.

Countermeasure

If this setting is Enabled, administrators can add entries to the APTCA assembly allowable list. To add a new assembly to the allowable list, add a new String Value entry that corresponds to the APTCA key. The Value Name field should be the public key token for the assembly and the Value Data field should be 1 for InfoPath 2007 to allow loading the assembly. If the Value Data field is not 1, the assembly will fail to load.

Table 2.6. InfoPath APTCA Assembly allowable list

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007 (machine)\Security

ADM file

inf12.adm

Recommended setting (EC)

Not configured

Recommended setting (SSLF)

Not configured

CCE ID

CCE-1169

Impact

This setting does not change the default configuration and therefore should not have any effect on usability. If it is necessary for an InfoPath 2007 form to use assemblies in the GAC, you must ensure that those assemblies have the APTCA attribute set, and that they are added to the allowable list.

InfoPath APTCA Assembly Allowable List Enforcement

Applies to: InfoPath

This setting controls whether InfoPath 2007 can call into assemblies that are not on the APTCA Assembly Allowable List.

Vulnerability

By default, an InfoPath 2007 form's business logic can only call into Global Assembly Cache (GAC) assemblies that are listed in the APTCA Assembly Allowable List. If this configuration is changed, forms can call into any assembly in the GAC that has the AllowPartiallyTrustedCallersAttribute (APTCA) set. This configuration could allow malicious developers to access assemblies in the GAC that were not intended to be used by InfoPath forms.

Countermeasure

If this setting is Enabled, InfoPath 2007 forms cannot call into any assembly that is not on the APTCA Assembly Allowable List, and the setting overrides any configuration changes made on the local computer.

Table 2.7. InfoPath APTCA Assembly Allowable List Enforcement

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007 (machine)\Security

ADM file

inf12.adm

Recommended setting (EC)

Enabled

Recommended setting (SSLF)

Enabled

CCE ID

CCE-1739

Impact

This setting enforces the default configuration and therefore should not have any effect on usability. If it is necessary for an InfoPath 2007 form to use assemblies in the GAC, you must ensure that those assemblies have the APTCA attribute set, and that they are listed in the allowable list.

Navigate URL

Applies to: 2007 Office system

This setting controls whether Internet Explorer attempts to load malformed URLs that are passed to it from 2007 Office applications.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will block any malformed URLs that are passed to it by the selected applications.

Table 2.8. Navigate URL

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security

ADM file

office12.adm

Recommended setting (EC)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

Recommended setting (SSLF)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

CCE IDs

CCE-1034, CCE-1435, CCE-1708, CCE-808, CCE-1650, CCE-1223, CCE-1764, CCE-1769

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting does not block any legitimate URLs, and is therefore unlikely to cause usability issues for any 2007 Office users.

Saved from URL

Applies to: 2007 Office system

This setting controls whether Internet Explorer evaluates URLs passed to it by 2007 Office applications for Mark of the Web (MOTW) comments.

Important Recent testing of this setting determined that it did not function as expected. For more information, see this Knowledge Base article.

Vulnerability

Typically, when Internet Explorer loads a Web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.
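The Mark of the Web evaluation described above, as an added example (not code from this guide or from Microsoft): it parses the MOTW comment, rejects a mark whose length field does not match its URL, and derives the zone a page stored on a UNC share would run in. The sample pages are constructed, and the zone mapping is a deliberate simplification (assumption) of Internet Explorer's: about:internet or an http/https URL with a dotted host counts as an Internet site.

```python
"""Parse the Mark of the Web (MOTW) comment that the "Saved from URL" setting
makes Internet Explorer evaluate, and derive the zone a page opened from a
UNC share would run in. Added example; not code from the guide or Microsoft.
The zone mapping is a simplification (assumption) of Internet Explorer's."""
import re
from urllib.parse import urlsplit

# MOTW syntax: <!-- saved from url=(NNNN)URL --> with NNNN the zero-padded
# decimal length of URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+)\s*-->", re.IGNORECASE)

# Constructed sample pages, as if stored on a UNC share.
SAMPLE_PAGES = {
    "marked": "<!-- saved from url=(0022)http://www.example.com -->\n<html></html>",
    "about_internet": "<!-- saved from url=(0014)about:internet -->\n<html></html>",
    "bad_length": "<!-- saved from url=(0099)http://www.example.com -->\n<html></html>",
    "unmarked": "<html><body>no mark</body></html>",
}


def parse_motw(html: str):
    """Return the MOTW URL when the page carries a well-formed mark, else None.
    A mark whose length field disagrees with its URL is treated as malformed
    and ignored, so the page keeps the zone of its storage location."""
    m = MOTW_RE.search(html)
    if m is None:
        return None
    declared_len, url = int(m.group(1)), m.group(2)
    return url if declared_len == len(url) else None


def zone_for_unc_page(html: str) -> str:
    """Zone for a page opened from a UNC share: Local intranet unless a valid
    MOTW says it was saved from an Internet site (about:internet, or an
    http/https URL whose host has a dot, i.e. not a single-label intranet name)."""
    url = parse_motw(html)
    if url is None:
        return "Local intranet"
    if url.lower() == "about:internet":
        return "Internet"
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.hostname and "." in parts.hostname:
        return "Internet"
    return "Local intranet"


def audit_pages(pages: dict) -> dict:
    """Map each page name to the zone it would run in; pages that stay in
    Local intranet despite Internet content are the ones this setting matters for."""
    return {name: zone_for_unc_page(html) for name, html in pages.items()}


if __name__ == "__main__":
    for name, zone in audit_pages(SAMPLE_PAGES).items():
        print(f"{name:15} -> {zone}")
```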

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will evaluate any URLs that are passed to it by the selected applications for MOTW comments.

Table 2.9. Saved from URL

Group Policy location

Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security

ADM file

office12.adm

Recommended setting (EC)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

Recommended setting (SSLF)

Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)

CCE IDs

CCE-1193, CCE-1352, CCE-928, CCE-1576, CCE-1100, CCE-1232, CCE-1774, CCE-906

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting can cause some Web pages saved on UNC shares to run in a more restrictive security zone when opened from 2007 Office applications than they would if the setting were disabled or not configured. However, a page with a MOTW indicating it was saved from an Internet site is presumed to have been designed to run in the Internet zone in the first place, so most users should not experience significant usability issues.

Note For more information about using the Mark of the Web to control the security zone in which Internet Explorer runs Web pages, see the article "Mar" in the MSDN Library.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
