Office File Validation for Office 2003 and Office 2007
更新日: 2011年7月
適用対象: Office Resource Kit
トピックの最終更新日: 2011-10-06
Office File Validation, a Microsoft Office 2010 security feature, is now available for both Office 2003 and Office 2007. Office File Validation helps prevent file format attacks by scanning Office binary file formats before they are opened in Microsoft Excel 2010, PowerPoint 2010, or Word 2010.
We strongly recommend that Office File Validation be applied to all computers that use Office 2003 and Office 2007. However, Office File Validation, in combination with Protected View, offers an even better security experience. Protected View is a new security feature that is available only in Office 2010. It helps mitigate exploits to your computer by opening files in a restricted sandbox environment. There, they can be examined before they are opened for editing in Excel 2010, PowerPoint 2010, or Word 2010.
About Office File Validation
Office File Validation helps detect and prevent a kind of exploit known as a file format attack or file fuzzing attack. File format attacks exploit the integrity of a file, and they occur when someone intentionally modifies the structure of a file to add malicious code. Usually the malicious code is run remotely and is used to elevate the privilege of restricted accounts on the computer. As a result, attackers could gain access to a computer that they did not previously have access to. This could enable an attacker to read sensitive information on the computer’s hard disk drive or install malware, such as a worm or a key logging program. The Office File Validation feature helps prevent file format attacks by scanning and validating files before they are opened and then notifying the user if the file may have been compromised.
To validate files, Office File Validation compares a file’s structure to a predefined file schema, which is a set of rules that determine what a readable file resembles. The file does not pass validation if Office File Validation determines that a file’s structure does not follow all rules that are described in the schema.
To run Office File Validation on either Office 2003 or Office 2007 you must first apply the Office File Validation files to the computers that are running either Office 2003 or Office 2007.
重要 |
---|
If you plan on using the Office File Validation (OFV) Add-in for Excel 2003 and have workbooks that are stored in a network location, you should read the following article, Excel 2003 Office File Validation (OFV) opens workbooks slower across the network, and determine which of the three available methods best supports your organizational needs. |
Obtain Office File Validation
Two groups of files must be applied to Office 2003 or Office 2007 before you can use Office File Validation.
One is the (.msp) files that specifically target the application architecture, which would then be aware of Office File Validation. These files are version specific and application specific. For example, there is a WinWord2003.msp file and a WinWord2007.msp file that enable Word for Office File Validation. In addition, there is an MSO.msp file that must be applied to the computers that are running either Office 2003 or Office 2007, regardless of which applications are being updated for Office File Validation.
The other group is included in the update file (.msi), OFV.msi, which provides the definition files for Office File Validation. This file is not version specific. You install the same file, regardless of whether you are using Office 2003 or Office 2007.
The files that enable Office File Validation in either Office 2003 or Office 2007 are a combination of the application specific .msp files, MSO.msp and OFV.msi. You can obtain the necessary files from either the Microsoft Download Center or through Microsoft Update.
Microsoft Download Center
You can download the files from the following location Office File Validation for Office 2003 and Office 2007 on the Microsoft Download Center. After you download the files, you distribute and apply the updates to the targeted computers. For more information, see Install Office File Validation later in this article.
Microsoft Update
Several months after the initial release of Office File Validation for Office 2003 and Office 2007, you will be able to use Microsoft Update to obtain the necessary files for Office File Validation through Automatic Updates.
Install Office File Validation
重要 |
---|
Before you install the files for Office File Validation for either Office 2003 or Office 2007 you must first ensure that all recommended updates for Office programs are installed. See Microsoft Update for recommended updates. |
After you obtain the Office File Validation files for Office 2003 or Office 2007, you can deploy and install files as you usually install other .msp and .msi files within your organization. For additional guidance you can see the TechNet article Distribute product updates for Office 2010 on how to apply Office updates.
Default Behavior
The default behavior for Office File Validation is to notify the user of a file failed validation. The user sees the following error message: “Office File Validation detected a problem while trying to open this file. Opening it may be dangerous” and then has the option of loading the file or not. If you want to change the default behavior to prevent users from opening a file that has failed validation, you have to create a registry key and set the appropriate value. If you do this, the user receives the following error message when a file does not pass validation: “Office has detected a problem with this file. To help protect your computer this file cannot be opened.” The user cannot subsequently open the file.
Registry Settings
To change the default behavior of Office File Validation and prevent users from opening a file that has failed validation you must create the following registry key and assign it a value of “1” for Office 2003:
HKCU\Software\Policies\Microsoft\Office\11.0\<application>\Security\FileValidation, where <application> represents the specific Office application for which Office File Validation is installed, such as Word, Excel, and PowerPoint. For example, if Office File Validation is installed for Word, Excel, and PowerPoint, you see three separate registry key entries, one for each application.
To prevent users from opening a file that has failed validation you must create the following registry key and assign it a value of “1” for Office 2007:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\<application>\Security\FileValidation, where <application> represents the specific Office application for which Office File Validation is installed, such as Word, Excel, and PowerPoint. For example, if Office File Validation is installed for Word, Excel, andPowerPoint, you see three separate registry key entries, one for each application.
All necessary parameters for configuring the registry key are listed as follows:
Value: InvalidFileUIOPtions
Type: REG_DWORD
Default: 0
Description: When Office File Validation fails
0 = Notify user file failed. Give user the option to load the file or not
1 = Notify user file failed. No option to load the file
To prevent Office File Validation from validating files you must create the following registry key and assign it a value of “0” for the specified application in Office 2003 or Office 2007:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\<11.0 or 12.0>\<application>\Security\FileValidation, where <11.0 or 12.0> represents the version of Office and where <application> represents the specific Office application for which Office File Validation is installed, such as Word, Excel, and PowerPoint.
All necessary parameters for configuring the registry key are listed as follows:
Value: EnableOnLoad
Type: REG_DWORD
Default: 2
Description: Disable Office File Validation
0 = Don’t validate
1 = Validate
2 = Validate unless called via object model
To control the behavior of Office File Validation within Excel when there are Pivot Tables inside an Excel document you must create the following registry key and assign it a value for the desired behavior:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\<11.0 or 12.0>\Excel\Security\FileValidation, where <11.0 or 12.0> represents the version of Office.
All necessary parameters for configuring the registry key are listed as follows:
Value: PivotOptions
Type: REG_DWORD
Default: 1
Description: How Excel Handles Files with Pivot Tables
0 = Never validate
1 = Validate if used during load
2 = Always validate
Known Issues
For a list of known issues with Office File Validation for Office 2003 and Office 2007 see KB article 2501584.