Overview of security in the 2007 Office system
Updated: February 12, 2009
Applies To: Office Resource Kit
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
An organization's financial success often hinges on the productivity of its information workers and the integrity and confidentiality of its intellectual property. In the past, satisfying these business needs was difficult for IT professionals because protection often came at the expense of productivity. With a redesigned security model and many new and enhanced security features, the 2007 Microsoft Office system makes it possible for IT professionals to design desktop configurations that mitigate security threats while maintaining information worker productivity.
Underlying security principles
Prior to the 2007 Office system, designing a secure desktop configuration was usually a compromise between protection and productivity. On one hand, you could minimize the attack surface of your desktop configuration by disabling potentially risky functionality such as ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros, but the loss in functionality usually translated into a loss in information worker productivity, which had a detrimental effect on your organization's financial performance. On the other hand, you could maximize information worker productivity and strengthen your organization's financial performance by allowing information workers to freely use high-risk tools and application features, but the increase in attack surface carried a greater risk to intellectual property and a greater total cost of ownership (TCO) because of ongoing security attacks.
Confronted with this situation, most IT professionals chose a middle ground, which forced information workers to make critical security decisions. If a document contained ActiveX controls or macros from an unknown source, users were asked whether they wanted to enable the ActiveX controls or the macros. Users were not allowed to access the document until they answered the question. Although this was not a perfect solution, it did provide a mechanism for mitigating security threats without intruding too much on productivity. The main problem was that most users, when confronted with a security warning, dismissed the warning so they could access the document and get their work done. This was acceptable for low-risk internal documents that did not likely contain malicious content, but it was not acceptable for high-risk external documents that passed through the Internet and could contain malicious content. Unfortunately, users did not usually distinguish between high-risk and low-risk files and treated both files the same way — that is, they accepted the risk and enabled the ActiveX controls and macros.
To overcome the problems described earlier, the overall security model for the 2007 Office system was designed with the following four key principles:
Make application functionality secure by default.
Avoid asking questions that users might not be able to answer.
Maintain user productivity by mitigating threats without limiting application functionality.
Provide a flexible security model that can be modified to suit specific situations.
Together, these principles provide a foundation for the security goals of the 2007 Office system — maximize protection and productivity, and minimize TCO.
Secure by default
One of the primary principles of the 2007 Office system security model remains unchanged from previous Microsoft Office releases: keep the system and the data secure by default. This principle encompasses the fact that some features, although useful, have an inherently high probability of attack (for example, macros). In many cases, these features have been configured so that protection is paramount and functionality is secondary.
For example, documents and e-mail messages often contain links to images that are stored on a remote computer. This makes it easy to update images and it makes documents and e-mail messages smaller, putting less demand on disk space and network bandwidth. But spammers and malicious attackers can use linked images to confirm that e-mail addresses are valid or to obtain a computer’s IP address. To deal with this, linked images are blocked by default in the 2007 Office system, but users can still open e-mail messages and documents containing linked images, giving users full access to the text. Thus, both protection and productivity are maximized.
Avoid asking questions
Although previous security models relied on users to evaluate risks and mitigate potential security threats, the 2007 Office system adopts the principle that users should not have to respond to questions that they might not be able to answer. This principle changes the way that users and applications deal with security threats. First, the number of questions and the frequency of questions that users must respond to are reduced. Second, in instances in which a security threat has elevated risk and user feedback is absolutely necessary, the warning messages provide the details users need to make a decision. Third, in instances in which user feedback is required, the user feedback is requested at a time and in a context that makes more sense to users.
For example, users no longer need to respond to a security prompt each time they open a document that contains macros from an untrusted or unknown source. Although macros from untrusted or unknown sources are disabled by default, the notification process does not require users to make a security decision before working on the document. Instead, macro notifications are contained in a notification bar that appears at the top of the document. Users can click the notification bar to read the notification and enable macros. In addition, the notification now provides information about what the risk is, why the risk is a threat to security, and what users can do to mitigate the threat.
Maintain user productivity
Maintaining user productivity is another important principle in the 2007 Office system security model. In the past, if users tried to open a document that contained a potential security threat, such as a macro or an ActiveX control, users could not work in the file until they responded to a security warning. Now, users can immediately access document contents and work in documents as soon as the document is opened. Users are prompted for input only when user intervention is necessary to maintain a secure working environment.
For example, a new security feature called Trusted Locations enables you to differentiate low-risk documents from high-risk documents, and thereby maximize productivity. Examples of low-risk documents are documents from colleagues or business partners. Examples of high-risk documents are documents from unknown people or documents that pass through an unsecured Internet connection.
Documents that are stored in a trusted location are deemed secure, and all of the content in a trusted document is enabled. Users do not have to respond to any security warnings and they do not have to enable any content in a trusted document to get work done. In this case, productivity is not impaired.
Documents that are not stored in a trusted location are considered to be high-risk, and all of the content in an untrusted document is disabled by default. Users can open and work on a high-risk document, but they must respond to the notification to enable the high-risk content in the document. In this case, productivity is only affected when users want to enable high-risk content in the document.
Provide a flexible security model
This final principle is that the default security model is not suitable for every computing environment or for every user. Despite the first three principles, there are instances in which users will be prevented from accessing low-risk content unless they respond to a security notification or warning. To better realize the goals of the first three principles, the 2007 Office system provides a suite of security settings that enable you to modify the default security model.
What's new and what's changed
Using the four principles described earlier, a new security model was developed for the 2007 Office system. The new security model includes new features, new settings, and new functionality. In addition, the new security model can affect the way users respond to risk in their individual work environments, and change the way administrators mitigate and manage security threats throughout an organization. The primary changes in the new security model include:
The user interface: These changes help users better view and configure security settings, and respond to security warnings and notifications.
Administrative settings and features: These changes help IT professionals design and implement secure desktop configurations that better mitigate security threats.
Default functionality: These changes help boost user productivity while helping to protect corporate resources and mitigate security threats.
Changes to the user interface
Three changes have been made to the user interface for the 2007 Office system. First, most application-specific security and privacy settings now appear in a single location called the Trust Center. Second, some document protection settings now appear with other document preparation settings, such as Save and Print. Third, most security warnings and notifications now appear in a new notification area called the Message Bar. These user interface changes enhance the user experience by helping users find, view, and configure security settings and by helping users stay productive in the face of security threats.
Trust Center
The Trust Center is a central console that enables users to view and configure security settings and privacy options. The following figure illustrates the Trust Center.
Users can configure the following settings in the Trust Center:
Trusted Publishers and Trusted Locations: These settings are used to specify safe content.
ActiveX controls, add-ins, and macros: These settings are used to control the behavior of high-risk content, such as ActiveX controls, add-ins, and macros.
Message Bar and privacy options: These settings are used to control notification behavior and the way an application handles personal or private information.
For Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, and Microsoft Office Word 2007, users can access the Trust Center by clicking the Microsoft Office Button and then clicking Program Options, where Program is the program you are running. For Microsoft Office InfoPath 2007, Microsoft Office Outlook 2007, Microsoft Office Publisher 2007, and Microsoft Office Visio 2007, users can click Trust Center on the Tools menu.
Document protection controls
Although the Trust Center contains most application-specific security and privacy settings, some document-specific security settings have been intentionally left out of the Trust Center: most notably, document protection settings that enable users to encrypt a document. Because document protection settings tend to be used when a user saves or sends a document, the settings are located with other document preparation settings. Users can access the document preparation settings by clicking the Microsoft Office Button, and then clicking Prepare.
Message Bar
The Message Bar is a new user interface feature that provides users with notifications and warnings when they open a document that contains potentially harmful content. The following figure shows the Message Bar.
Note
In Office Outlook 2007 and Office Publisher 2007, security alerts appear in dialog boxes, not in the Message Bar.
The Message Bar informs users that some functionality in a document is blocked. In some ways, the Message Bar replaces the warnings that appeared whenever a user opened an untrusted document that contained macros. In the past, the warnings prevented users from accessing the document until they responded to the warnings and either enabled or disabled the macros. With the Message Bar, on the other hand, the document opens and users can work in the document without responding to the Message Bar prompt. Untrusted ActiveX controls, macros, and other potentially harmful content are disabled until users click the Message Bar and respond to a notification or warning. The following figure shows the warning that users receive when they click the Message Bar.
New and enhanced settings and features
The 2007 Office system contains new and enhanced settings and features, including:
A new group of settings known as Trusted Locations settings.
A new group of settings known as block file format settings.
Changes in the way ActiveX controls, add-ins, and macros are managed.
The following sections describe the new and enhanced settings and features.
Trusted Locations settings
Trusted Locations settings enable you to differentiate safe documents from unsafe documents. When you specify a trusted location, such as a folder on a user's hard disk, and a user opens a document that is saved in that trusted location, all content in the document is enabled and initialized, including ActiveX controls, external links, and macros. In addition, no prompts or warnings appear in the Message Bar or in the user interface when a document is opened from a trusted location.
To mitigate the risk of someone creating a trusted location for malicious purposes, and thereby running harmful code, the default settings in the 2007 Office system do not allow you to designate remote folders as trusted locations. By default, trusted locations can only exist locally on a user's hard disk. Furthermore, trusted locations can be easily revoked in the event of a security attack. Additionally, the 2007 Office system permanently prevents you from designating certain high-risk folders as trusted locations, such as the Office Outlook 2007 cache for attachments, the Temp folder, and other folders where documents are sometimes temporarily stored.
Settings for ActiveX controls, add-ins, and macros
In the 2007 Office system, you can manage the behavior of ActiveX controls, add-ins, and macros by configuring global settings or application-specific settings. In the past, you could mitigate security threats from macros by choosing one of only four global settings: Low, Medium, High, and Very High. Each of these settings corresponded to a progressively more restrictive situation: the Low setting allowed users to run all macros, and the High setting allowed users to run only macros that were signed by a trusted publisher. In addition, there were no global or application-specific settings for managing ActiveX controls (other than making changes to the registry), and there were no application-specific security settings for managing add-ins.
ActiveX controls settings
Several new settings exist for controlling the behavior of ActiveX controls. You can select the following options:
Disable all ActiveX controls: Prevents all ActiveX controls from loading and does not notify users that ActiveX controls are disabled. The only exception is ActiveX controls that are contained in a document in a trusted location.
Configure ActiveX control initialization: Specifies how ActiveX controls are loaded based on the Safe for Initialization (SFI) and Unsafe for Initialization (UFI) parameters. In the past, you configured this setting by making changes to the registry. Now, you configure this setting by using Administrative Templates (.adm files) or through the Office Configuration Tool (OCT).
Configure ActiveX prompts: Specifies how users are prompted when ActiveX controls are loaded. You can configure this setting so that users are either prompted or not prompted when an ActiveX control attempts to load.
Add-in settings
The 2007 Office system does not have a Trust all installed add-ins and templates setting. Instead, several new settings exist for controlling the behavior of add-ins, including:
Disable all application add-ins: Prevents all add-ins from running. Users are not notified that the add-ins are disabled.
Require that application add-ins are signed by a trusted publisher: Checks for a digital signature on the file that contains the add-in. If the publisher has not been trusted, the program does not load the add-in, and the Message Bar displays a notification that the add-in has been disabled.
Disable Message Bar Notification for unsigned application add-ins: Only relevant if you are requiring that add-ins have a digital signature. In some situations, the file that contains the add-in might be unsigned. In these cases, add-ins signed by a trusted publisher are enabled, but unsigned add-ins are disabled without providing users with any notification.
Macros
Several new settings exist for controlling the behavior of macros. The settings enable you to control macros in the following ways:
Disable Visual Basic for Applications: Disables Visual Basic for Applications for all Office applications.
Configure macro warning settings: Specifies the conditions under which users are notified about macros. The following four options are available:
Always provide notification about macros.
Always provide notification for digitally signed macros only.
Do not provide notification and disable all macros.
Do not perform any security checks and allow all macros to run.
Force encrypted macros to be scanned in Microsoft Office Open XML Formats documents: Specifies that macro security checks are performed in encrypted files that use the new Office Open XML Formats. This setting cannot be configured in the graphical user interface; you can configure it only by using Administrative Templates (.adm files) or by using the OCT. In addition, this setting is enabled by default: that is, encrypted macros in Office Open XML Formats documents are scanned by default.
The following table summarizes how various combinations of security settings in Microsoft Office 2003 compare to the new security settings in the 2007 Office system.
Office 2003 setting | 2007 Office system setting |
---|---|
Very High (Enabled); Trust all installed add-ins and templates (Enabled) | No warnings for all macros but disable all macros (Enabled) |
Very High (Enabled); Trust all installed add-ins and templates (Disabled) | No warnings for all macros but disable all macros (Enabled); Disable all add-ins (Enabled) |
High (Enabled); Trust all installed add-ins and templates (Enabled) | Warn for digitally signed macros only (Enabled) |
High (Enabled); Trust all installed add-ins and templates (Disabled) | Warn for digitally signed macros only (Enabled); Require that all add-ins be signed by a trusted publisher (Enabled); Disable notifications for unsigned add-ins (Enabled); Disable all trusted locations, only files signed by trusted publishers will be trusted (Enabled) |
Medium (Enabled); Trust all installed add-ins and templates (Enabled) | Do not configure any security settings in the 2007 Office system. By default, users are notified when a document contains a macro, and add-ins and templates are trusted. |
Medium (Enabled); Trust all installed add-ins and templates (Disabled) | Require that all add-ins be signed by a trusted publisher (Enabled); Disable all trusted locations (Enabled) |
Low (Enabled) | No security check for macros (Enabled) |
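As an added example (not code from the Office Resource Kit), the following Python script audits an exported .reg file for the two groups of settings described above: the Trusted Locations settings and the macro warning settings, reporting each application's macro level together with its Office 2003 equivalent from the table. It assumes the per-user Office 2007 registry layout HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\<App>\Security with the DWORD VBAWarnings, and the Trusted Locations subkey with AllowNetworkLocations and one LocationN subkey per folder holding Path and AllowSubfolders; those value names, the VBAWarnings-to-option mapping, and the high-risk folder heuristics are assumptions not stated on this page, and the sample export is constructed.

```python
# Added example (not Office Resource Kit code): audit an exported .reg file for
# Office 2007 Trusted Locations and macro warning settings.
# Assumptions: HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\<App>\Security holds
# the DWORD VBAWarnings; its "Trusted Locations" subkey holds AllowNetworkLocations
# and one LocationN subkey per trusted folder with Path and AllowSubfolders.
# These value names and the VBAWarnings mapping are not stated on the page.
import re
from typing import Dict, List, Tuple

# Constructed sample export (not captured from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations]
"AllowNetworkLocations"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations\Location0]
"Path"="C:\\Users\\alice\\Documents\\Templates\\"
"AllowSubfolders"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations\Location1]
"Path"="\\\\fileserver\\share\\macros\\"
"AllowSubfolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations\Location2]
"Path"="C:\\Users\\alice\\AppData\\Local\\Temp\\"
"AllowSubfolders"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations\Location3]
"Path"="D:\\"
"AllowSubfolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security]
"VBAWarnings"=dword:00000003
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key path: {value name: int or str}}."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = REG_KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = REG_VALUE_RE.match(line)
        if value_match and current is not None:
            name, dword, string = value_match.groups()
            # .reg strings double every backslash; undo that for paths
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys


# Assumed mapping of VBAWarnings to the four macro warning options on this page
# and to the closest Office 2003 level from the comparison table.
VBA_WARNINGS = {
    1: ("Do not perform any security checks and allow all macros to run", "Low"),
    2: ("Always provide notification about macros", "Medium"),
    3: ("Always provide notification for digitally signed macros only", "High"),
    4: ("Do not provide notification and disable all macros", "Very High"),
}


def _app_name(key: str):
    parts = key.split("\\")
    return parts[parts.index("12.0") + 1] if "12.0" in parts else None


def macro_levels(keys: Dict[str, Dict[str, object]]) -> Dict[str, Tuple[int, str, str]]:
    """Return {app: (VBAWarnings value, option text, Office 2003 equivalent)}."""
    result = {}
    for key, values in keys.items():
        app = _app_name(key)
        if app and key.endswith("\\Security") and "VBAWarnings" in values:
            level = int(values["VBAWarnings"])
            desc, legacy = VBA_WARNINGS.get(level, ("unknown VBAWarnings value", "n/a"))
            result[app] = (level, desc, legacy)
    return result


# Assumed heuristics for folders the page says must never be trusted (Temp, Outlook cache).
HIGH_RISK_FRAGMENTS = ("\\temp\\", "\\content.outlook\\")


def audit_trusted_locations(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Flag remote, temporary, or overly broad trusted locations."""
    findings: List[str] = []
    for key, values in keys.items():
        app = _app_name(key)
        leaf = key.rsplit("\\", 1)[-1]
        if app is None or not leaf.startswith("Location") or "Path" not in values:
            continue
        path = str(values["Path"])
        parent = key.rsplit("\\", 1)[0]
        allow_network = keys.get(parent, {}).get("AllowNetworkLocations", 0)
        depth = len([p for p in path.split("\\") if p])
        if path.startswith("\\\\"):
            note = "" if allow_network else " although AllowNetworkLocations=0 (the default)"
            findings.append(f"{app} {leaf}: remote (UNC) trusted location '{path}'{note}")
        if any(frag in path.lower() for frag in HIGH_RISK_FRAGMENTS):
            findings.append(f"{app} {leaf}: '{path}' is a temporary or attachment-cache folder")
        if values.get("AllowSubfolders", 0) and depth <= 2:
            findings.append(f"{app} {leaf}: AllowSubfolders=1 on the very broad path '{path}'")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(macro_levels(parsed))
    print("\n".join(audit_trusted_locations(parsed)))
```

On the constructed export the script reports Word at VBAWarnings=1 (the Office 2003 "Low" equivalent), Excel at 3 ("High"), and three trusted-location findings: the UNC share, the Temp folder, and a whole drive trusted with subfolders. Run it against a real export with `reg export` output substituted for SAMPLE_REG.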
Block file format settings
Several new settings enable you to prevent users from opening or saving certain types of files in Office Excel 2007, Office PowerPoint 2007, and Office Word 2007. These settings are useful if you want to force your organization to use specific file formats or you want to mitigate zero-day attacks and exploits until you implement a fix. By using the block file format settings you can:
Mitigate zero-day attacks and exploits until you implement a fix.
Prevent users from opening or saving specific file types.
Prevent users from opening files that are compatible with previous versions of Office Excel 2007, Office PowerPoint 2007, and Office Word 2007.
Prevent users from opening documents through external converters.
Prevent users from opening pre-release (beta) versions of files.
Document Inspector
Document Inspector is a new privacy tool that can help users remove personal information and hidden information from a document. Document Inspector is available by default in Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, although each program uses a different set of Inspector modules to remove different types of content. For example, Office Excel 2007 has an Inspector module that enables users to remove hidden worksheets. By contrast, Office Word 2007 does not have that Inspector module because it is not relevant to Office Word 2007 documents.
Users can specify the type of content they want to remove from files, including:
Comments, revision marks from tracked changes, versions, and ink annotations.
Document properties and personal information (metadata).
Headers, footers, and watermarks.
Hidden text.
Hidden rows, columns, and worksheets.
Invisible content.
Off-slide content.
Presentation notes.
Document server properties.
Custom XML data.
You can enable and disable Inspector modules, but there are no administrative settings that enable you to manage the way each Inspector module behaves. However, you can programmatically create custom Inspector modules.
New default behavior and functionality
Several default security settings have changed in the 2007 Office system. The following sections describe new default settings.
Documents always open
When users attempt to open a document that contains potentially harmful content, such as untrusted ActiveX controls and macros or links to untrusted external data sources, the document is always allowed to open. However, the untrusted content is not allowed to run and users are notified that some content has been blocked.
External content is always blocked
Users are always prevented from accessing external content. This includes external content that is accessed through data connections, hyperlinks, images, and linked media. When users open a document that contains external content, the document opens and users can work in the document, but the external content is disabled (not accessible), and a notification appears in the Message Bar that informs users that some content has been blocked. If a user clicks the Message Bar, a dialog box appears asking whether the user wants to enable the external content.
Note
Documents in trusted locations have all external content enabled.
ActiveX controls are allowed to run under certain circumstances
There are four possible default behaviors for ActiveX controls. The default behavior depends on the characteristics of the ActiveX control itself and the characteristics of the document that contains the ActiveX control.
If an ActiveX control has a kill bit set in the registry, the control is not loaded and cannot be loaded in any circumstances. A kill bit is a feature that prevents controls that have a known exploit from being loaded.
If an ActiveX control is contained in a document that does not contain a VBA project, and the ActiveX control is marked as Safe for Initialization (SFI), the ActiveX control is loaded with minimal restrictions. The Message Bar does not appear, and users do not get any notifications about the presence of ActiveX controls in their documents. The ActiveX controls in the document must all be marked as SFI to not generate a notification.
If an ActiveX control is contained in a document that does not contain a VBA project, and the ActiveX control is marked as Unsafe for Initialization (UFI), users are notified in the Message Bar that an ActiveX control has been disabled. If a user clicks the Message Bar, a dialog box appears asking whether the user wants to enable the ActiveX control. If the user enables the ActiveX control, all ActiveX controls (those marked SFI and UFI) are loaded with minimal restrictions.
If an ActiveX control is contained in a document that also contains a VBA project, a notification appears in the Message Bar informing users that an ActiveX control has been disabled. If a user clicks the Message Bar, a dialog box appears asking whether the user wants to enable the ActiveX control. If the user enables the ActiveX control, all ActiveX controls (those marked SFI and UFI) are loaded with minimal restrictions.
Note
If an ActiveX control is contained in a document that is saved in a trusted location, the ActiveX control is enabled by default and users are not prompted to enable the ActiveX control.
Installed and registered add-ins are allowed to run
By default, any add-in that is installed and registered is allowed to run without user intervention or warning. Installed and registered add-ins can include:
Component Object Model (COM) add-ins.
Smart tags.
Automation add-ins.
RealTimeData (RTD) servers.
Application add-ins (for example, .wll, .xll, and .xlam files).
XML expansion packs.
XML style sheets.
This default behavior is equivalent to selecting the Trust all installed add-ins and templates setting, which exists in earlier versions of the Microsoft Office system.
Only trusted macros are allowed to run
By default, trusted macros are allowed to run. This includes macros in documents that are saved in a trusted location, and macros that meet the following criteria:
The macro is signed by the developer with a digital signature.
The digital signature is valid.
This digital signature is current (not expired).
The certificate associated with the digital signature was issued by a reputable certification authority (CA).
The developer who signed the macro is a trusted publisher.
Macros that are not trusted are not allowed to run until a user clicks the Message Bar and chooses to enable the macro. In the past, unsigned macros were disabled and users did not have an option to enable them. This behavior is different in the 2007 Office system. Users are now notified when a document contains an unsigned macro, and they can enable the macro if they want to.
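The default ActiveX behaviors (kill bit, SFI/UFI, presence of a VBA project, trusted location) and the macro trust criteria described in the preceding sections can be modelled as a small decision routine, which is useful when writing down the expected outcome for a given document before testing a desktop configuration. The following Python is an added example, not code from the Office Resource Kit; the Document and ActiveXControl types and their field names are hypothetical stand-ins for the properties Office inspects.

```python
# Added example (not Office Resource Kit code): model of the documented default
# behaviors for ActiveX controls and of the trusted-macro criteria.
# The types below are hypothetical; they only name the properties the page says
# Office considers (kill bit, SFI/UFI, VBA project, trusted location, signature).
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ActiveXControl:
    name: str
    safe_for_init: bool          # True = SFI, False = UFI
    kill_bit: bool = False       # kill bit set in the registry


@dataclass
class Document:
    controls: List[ActiveXControl] = field(default_factory=list)
    has_vba_project: bool = False
    in_trusted_location: bool = False
    # macro signature properties, matching the five trusted-macro criteria
    macro_signed: bool = False
    signature_valid: bool = False
    signature_current: bool = False
    ca_reputable: bool = False
    publisher_trusted: bool = False


def activex_default_behavior(doc: Document, user_enabled: bool = False) -> Dict[str, object]:
    """Return which controls load and whether the Message Bar is shown.

    user_enabled models the user clicking the Message Bar and enabling content,
    after which all remaining controls (SFI and UFI) load together.
    """
    blocked = [c.name for c in doc.controls if c.kill_bit]   # never loads, even when trusted
    live = [c for c in doc.controls if not c.kill_bit]
    if not live:
        return {"loaded": [], "blocked": blocked, "message_bar": False}
    # Silent load: trusted location, or no VBA project and every control is SFI.
    silent = doc.in_trusted_location or (not doc.has_vba_project and all(c.safe_for_init for c in live))
    if silent or user_enabled:
        return {"loaded": [c.name for c in live], "blocked": blocked, "message_bar": not silent}
    # Any UFI control, or a VBA project present: everything stays disabled behind the Message Bar.
    return {"loaded": [], "blocked": blocked + [c.name for c in live], "message_bar": True}


def macro_trusted(doc: Document) -> bool:
    """A macro runs by default only from a trusted location or when all five criteria hold."""
    if doc.in_trusted_location:
        return True
    return all([doc.macro_signed, doc.signature_valid, doc.signature_current,
                doc.ca_reputable, doc.publisher_trusted])


if __name__ == "__main__":
    sfi = ActiveXControl("Calendar", safe_for_init=True)
    ufi = ActiveXControl("Legacy", safe_for_init=False)
    print(activex_default_behavior(Document(controls=[sfi, ufi])))
    print(macro_trusted(Document(macro_signed=True, signature_valid=True,
                                 signature_current=False, ca_reputable=True,
                                 publisher_trusted=True)))
```

The mixed SFI/UFI case is the one worth checking: a single UFI control is enough to put every control in the document behind the Message Bar, and enabling it enables all of them, so a document should be judged by its least safe control rather than its typical one.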