Security overview for Office 2010
Applies to: Office 2010
Topic Last Modified: 2011-07-12
New security controls in Microsoft Office 2010 make it easier for IT professionals to build a robust defense against threats while maintaining information worker productivity. You can learn about the new security controls available in Office 2010 in this article.
Four of the new controls help harden and reduce the attack surface and help mitigate exploits. These new controls include the following:
Data Execution Prevention (DEP) support for Office applications A hardware-enforced and software-enforced technology that helps harden the attack surface by marking memory reserved for data as non-executable, so that code injected by a buffer overflow exploit cannot run.
Office File Validation A software component that helps reduce the attack surface by identifying files that do not follow a valid file format definition.
Expanded file block settings Settings managed in the Trust Center and through Group Policy that help reduce the attack surface by providing more specific control over the file types that an application can access.
Protected View A feature that helps mitigate attacks by enabling users to preview untrusted or potentially harmful files in a sandbox environment.
In addition to these new controls, Office 2010 provides several security improvements that further harden the attack surface by helping to ensure the integrity and confidentiality of data. These security enhancements include the following:
Cryptographic agility
Trusted time stamping support for digital signatures
Domain-based password complexity checking and enforcement
Encryption-strengthening enhancements
Improvements to the Encrypt with Password feature
Integrity checking of encrypted files
Office 2010 also provides several security improvements that have a direct effect on information worker productivity. Improvements in the Message Bar user interface, Trust Center user interface settings, and a trust model that persists users’ trust decisions are some examples of the new features that make security decisions and actions less intrusive to information workers. In addition, many of the new and enhanced security controls can be managed through Group Policy settings, which makes it easier for you to enforce and maintain the organization’s security architecture.
In this article:
Layered defense is key
Helping users make better security decisions
Giving the administrator full control
Migrating security and privacy settings from Office 2003
Layered defense is key
Defense in depth, a central tenet of any effective security architecture, is a security strategy that implements multiple overlapping layers of defense against unauthorized users and malicious code. In mid-sized and large organizations, the layers of defense typically include the following:
Perimeter network protection, such as firewalls and proxy servers
Physical security measures, such as restricted data centers and server rooms
Desktop security tools, such as personal firewalls, virus scanning programs, and spyware-detection programs
A defense-in-depth strategy helps ensure that security threats are met with multiple and redundant security controls. For example, if a worm breaches the perimeter firewall and gains access to the internal network, it still has to pass through the virus-scanning program and the personal firewall to damage a desktop computer. A similar mechanism is built into the security architecture of Office 2010.
A four-layer approach
The security architecture of Office 2010 helps you extend the defense-in-depth strategy beyond desktop security tools by providing countermeasures for a layered defense. When implemented, these countermeasures take effect the moment a user attempts to open a file by using an Office 2010 application, and they continue to provide multiple layers of defense until the file is open and ready for editing. The following figure shows the four defensive layers that are built into the Office 2010 security architecture. It also shows some countermeasures that you can implement for each layer.
Hardening the attack surface
This defensive layer helps harden the attack surface of Office 2010 applications by using a countermeasure known as Data Execution Prevention (DEP). DEP marks memory pages that hold only data as non-executable, so when a buffer overflow exploit in a malformed file tries to run code it has placed in such a page, the processor (with hardware NX/XD support) or the operating system refuses to execute it and the application is terminated instead of being taken over. DEP blocks injected code; it does not, on its own, stop an exploit that reuses code already present in executable pages, which is why it is one layer of several rather than a complete defense. By default, DEP is enabled in Office 2010. You can manage DEP settings in the Trust Center or through Group Policy settings.
Reducing the attack surface
This defensive layer helps reduce the attack surface of Office 2010 applications by limiting the kinds of files that applications can open and by preventing applications from running certain kinds of code that is embedded in files. To do this, Office applications use the following three countermeasures:
Office File Validation This software component checks a file’s structure against the format definition for its file type (it covers the Office 97-2003 binary formats, such as .doc, .xls and .ppt) and, depending on the configured setting, can prevent a file that deviates from the definition from being opened for editing. A file that carries a file format exploit against an Office 2010 application is one example of a file that does not validate. By default, Office File Validation is enabled and is managed primarily through Group Policy settings.
File block settings Introduced in the 2007 Microsoft Office system to help reduce the attack surface, these settings enable you to prevent applications from opening and saving certain file types. In addition, you can specify what will occur if you allow a file type to be opened. For example, you can specify whether a file type is opened in Protected View and whether editing is allowed. Several new file block settings have been added in Office 2010. You can manage file block settings in the Trust Center and through Group Policy settings.
Office ActiveX kill bit This new Office 2010 feature enables you to prevent specific ActiveX controls from running in Office 2010 applications without affecting how those controls run in Microsoft Internet Explorer. By default, Office ActiveX kill bit is not configured. However, you can configure this countermeasure by modifying the registry.
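Because the Office ActiveX kill bit is set only in the registry, it is worth seeing what that looks like next to the Internet Explorer kill bit that Office applications also honor. The following PowerShell is an added example, not code from the Office 2010 documentation: it sets the Office-only kill bit for one control and then reports the Office and Internet Explorer state side by side. It assumes the documented location, the `Compatibility Flags` DWORD under `HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{CLSID}`, with bit 0x400 meaning "do not load"; the CLSID is a placeholder and the function names are invented for this example.

```powershell
# Added example, not from the Office 2010 documentation. Sets the Office-only
# ActiveX kill bit for one control and shows that it leaves the Internet
# Explorer kill bit untouched. Function names are invented; the CLSID used at
# the bottom is a placeholder. Run from an elevated prompt: the keys are in HKLM.

$KillBitFlag = 0x400   # bit in "Compatibility Flags" that stops the control loading

$OfficeKillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility'
$IeKillBitRoot     = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatibilityFlags {
    # Returns the current Compatibility Flags for a CLSID under a given root, or 0 if unset.
    param([string]$Root, [string]$Clsid)
    $props = Get-ItemProperty -Path (Join-Path $Root $Clsid) -Name 'Compatibility Flags' `
                              -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 0 }
    return [int]$props.'Compatibility Flags'
}

function Set-OfficeActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $OfficeKillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit in so that any other compatibility flags already present survive.
    $flags = (Get-CompatibilityFlags -Root $OfficeKillBitRoot -Clsid $Clsid) -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

function Get-ActiveXKillBitStatus {
    # One row per scope: is the control blocked in Office, and is it blocked in IE?
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($scope in @(@('Office', $OfficeKillBitRoot), @('Internet Explorer', $IeKillBitRoot))) {
        $flags = Get-CompatibilityFlags -Root $scope[1] -Clsid $Clsid
        [pscustomobject]@{
            Scope   = $scope[0]
            Clsid   = $Clsid
            Flags   = ('0x{0:X}' -f $flags)
            Blocked = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

# Usage: placeholder CLSID, substitute the control you want Office to refuse to load.
$clsid = '{12345678-1234-1234-1234-123456789ABC}'
Set-OfficeActiveXKillBit -Clsid $clsid
Get-ActiveXKillBitStatus -Clsid $clsid | Format-Table -AutoSize
```

After the script runs, the Office row reports `Blocked = True` while the Internet Explorer row still reflects whatever the IE kill-bit list says, which is the point of the Office-specific setting. Two caveats: a 32-bit Office installation on 64-bit Windows reads the redirected key under `HKLM\SOFTWARE\Wow6432Node\...` because of WOW64 registry redirection, so set the bit there as well; and the kill bit only stops the control from loading in Office, it does not remove or unregister the control.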
Mitigating exploits
This defensive layer helps mitigate exploits by opening potentially harmful files in an isolated sandbox environment. This sandbox environment, known as Protected View, enables users to preview files before they open them for editing in an application. By default, Protected View is enabled. However, you can turn it off and manage it in the Trust Center and through Group Policy settings.
Improving the user experience
This defensive layer mitigates exploits by reducing the number of security decisions users make and by improving the way users make them. For example, documents that are considered untrustworthy are automatically opened in Protected View without prompting the user. Users can read and close these documents without making any security decisions, which in most cases means that they can finish their work without being confronted with security prompts. If a user wants to edit a document that is in Protected View, they can select the option to allow editing. Once editing is allowed, the document will not be opened in Protected View again. If the document contains active content, such as ActiveX controls and macros, a Message Bar appears that asks the user whether to enable the active content. Once active content is enabled, the user is not prompted again with the Message Bar for active content in that document. You can configure Message Bar settings and Trusted Documents settings in the Trust Center and through Group Policy settings.
Enhanced hardening countermeasures
In addition to the countermeasures described in the previous section, Office 2010 provides several new and enhanced countermeasures for further hardening of the attack surface. These countermeasures help harden the attack surface by protecting the integrity and confidentiality of data.
Integrity countermeasures
Integrity settings help you mitigate threats to the integrity of business data and business processes. Malicious users attack the integrity of these assets by corrupting documents, presentations, and spreadsheets. For example, a malicious user might attack the integrity of business data or business processes by replacing a file with a similar file that contains corrupted data or information. Two countermeasures have been improved and enhanced — digital signatures and integrity checking of encrypted files — to help you mitigate integrity threats.
Digital signature improvements
Trusted time stamping is now supported in digital signatures, which makes Office document signatures compatible with the XML Advanced Electronic Signatures (XAdES) standard, an ETSI extension of the W3C XML Signature specification. A trusted time stamp proves that a signature was created while the signing certificate was still valid, so the signature remains verifiable and legally defensible after the certificate expires. Trusted time stamping support is available only in Microsoft Excel 2010, Microsoft Access 2010, Microsoft PowerPoint 2010, and Microsoft Word 2010. To take advantage of this feature, you must use a time-stamping authority (TSA), which must be reachable from the signing computer at the time the signature is created.
In addition to time stamping support, Office 2010 includes several improvements in the user interface that make managing and implementing digital signatures easier for users. You can also configure and manage trusted time stamping through several new Group Policy settings.
Integrity checking of encrypted files
Administrators can now decide whether to implement a hash-based message authentication code (HMAC) when a file is encrypted, which can help determine whether someone has tampered with a file. The HMAC is fully compliant with Windows Cryptographic API: Next Generation (CNG), enabling administrators to configure the cryptographic provider, hash, and context that are used to generate the HMAC. These parameters are configurable through Group Policy settings.
Confidentiality countermeasures
Confidentiality settings help you mitigate threats to information that you do not want disclosed either publicly or privately, such as e-mail correspondence, project planning information, design specifications, financial information, customer data, and personal and private information. Several countermeasures have been improved and enhanced to help you mitigate confidentiality threats.
Cryptographic enhancements
Several Office 2010 applications are now cryptographically agile and support CNG, which means that administrators can choose the cryptographic algorithms used for encrypting and signing documents from among those exposed by the CNG providers installed on the computer, rather than being limited to the algorithms built into the application. In addition, several Office 2010 applications now support Suite B cryptography (for example, AES for encryption and SHA-256 or SHA-384 for hashing). A document encrypted or signed with a non-default algorithm can be opened or verified only on computers whose providers also implement that algorithm, so algorithm choices should be rolled out together with the providers that support them.
Encrypt with Password improvements
The Encrypt with Password feature is now compliant with the ISO/IEC 29500 and ISO/IEC 10118-3:2004 requirements. This feature is also interoperable between Office 2010 and the 2007 Office system with Service Pack 2 (SP2), but only if the host operating systems support the same cryptographic providers. In addition, Office 2010 includes several changes in the user interface that make the Encrypt with Password feature easier for users to understand and implement.
Password complexity checking and enforcement
Passwords used by the Encrypt with Password feature can now be checked for length and complexity, and enforced by domain-based password policies. This applies only to passwords that are created by using the Encrypt with Password feature. You can use several new Group Policy settings to manage password complexity checking and enforcement.
Encryption enhancements
The encryption mechanism is enhanced, which helps ensure that the encryption/decryption key is never stored as plain text in a file. In general, these encryption enhancements are transparent to users and administrators.
Helping users make better security decisions
One of the benefits of a layered defense is its stepwise ability to weaken and slow security attacks, which gives you more time to identify attack vectors and deploy alternative countermeasures (if needed). Another benefit of a layered defense is its intrinsic ability to reduce the number of security decisions users have to make. In its default security configuration, Office 2010 makes most of the security decisions, not the user. As a result, users have fewer opportunities to make inaccurate security decisions and are more productive.
The following figure shows a high-level view of the main security controls that are implemented when a user opens a file in Excel 2010, PowerPoint 2010, or Word 2010. Security controls that require no user input are yellow; security controls that require user input are light blue. The figure shows the default behavior of Office 2010. You can change this default behavior to suit the organization’s security requirements and architecture. Also, this figure does not show all of the security controls that can be implemented, such as DEP, encryption, or Information Rights Management.
As shown in the previous figure, documents must pass through several defensive layers before users are required to make a security decision. If users do not have to edit a document, they can read the document in Protected View and then close it without making any security decisions. Several key features make this efficient workflow possible.
Improved trust model When users attempt to open a file, Office 2010 evaluates the file’s trust state. By default, trusted files bypass most security checks and are opened for editing without requiring any security decisions by the user. Untrusted files must undergo the security checks that make up the layered defense. Documents that are considered untrustworthy are automatically opened in Protected View without prompting the user. If a user wants to edit a document that is in Protected View, the user can select the option to allow editing. Once editing is allowed, the document will not be opened in Protected View again. If the document contains active content, such as ActiveX controls and macros, a Message Bar appears that asks the user whether to enable the active content. Once active content is enabled, the user is not prompted again with the Message Bar for active content in that document. In the 2007 Office system you can use the trusted locations and trusted publishers features to designate trusted files and trusted content. In Office 2010, you can also use a new feature known as Trusted Documents. Trusted Documents lets users designate a file as trusted after viewing the file in Protected View. When a user designates a file as trusted, the trust decision persists with the file so that the user does not have to make the trust decision again the next time that they open the file.
Note
Trusted files do not bypass antivirus checking or ActiveX kill-bit checking. If a file is trusted, it is scanned by the local antivirus scanning program (if available) and any ActiveX controls that have a kill-bit set are disabled.
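Because a Trusted Documents decision persists per user, being able to read back which files a user has trusted, and whether they enabled active content, matters both for auditing the trust model and during incident response after a macro-borne compromise. The following PowerShell is an added example, not part of the Office 2010 documentation. It assumes the per-user key `HKCU\Software\Microsoft\Office\14.0\<application>\Security\Trusted Documents\TrustRecords`, where each value is named after the document path; the layout of the binary record (a FILETIME in the first 8 bytes and a flag DWORD in the last 4 bytes, with 0x7FFFFFFF marking a document whose active content was enabled) is taken from public forensic analysis rather than a Microsoft specification and should be treated as an assumption. Function names are invented for this example.

```powershell
# Added example, not from the Office 2010 documentation: list the Trusted
# Documents records Office 2010 keeps for the current user, with the time of
# each trust decision and whether active content (macros/ActiveX) was enabled.
# Assumptions: the TrustRecords key path below; the record layout (FILETIME in
# bytes 0-7, flag DWORD in the last 4 bytes, 0x7FFFFFFF = content enabled) is
# from public forensic analysis, not a Microsoft specification.

function Get-OfficeTrustRecord {
    param(
        [string]$OfficeVersion = '14.0',                          # 14.0 = Office 2010
        [string[]]$Application = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Application) {
        $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security\Trusted Documents\TrustRecords"
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($docPath in $regKey.GetValueNames()) {
            $data = [byte[]]$regKey.GetValue($docPath)
            if ($data.Length -lt 12) { continue }   # not a layout this script understands: skip, do not guess
            $flags = [BitConverter]::ToUInt32($data, $data.Length - 4)
            $trustedAt = $null
            try { $trustedAt = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0)) } catch { }
            [pscustomobject]@{
                Application    = $app
                Document       = $docPath                  # stored as %USERPROFILE%/... with forward slashes
                TrustedAtUtc   = $trustedAt
                ContentEnabled = ($flags -eq 0x7FFFFFFF)   # assumption, see header comment
                RawFlags       = ('0x{0:X8}' -f $flags)
            }
        }
    }
}

# Usage: every document where the user clicked "Enable Content", newest decision first.
Get-OfficeTrustRecord |
    Where-Object { $_.ContentEnabled } |
    Sort-Object TrustedAtUtc -Descending |
    Format-Table Application, TrustedAtUtc, Document -AutoSize
```

Run this under the user’s own account (the key is in HKCU) or load that user’s ntuser.dat hive and adjust the path. Records whose `RawFlags` is not `0x7FFFFFFF` are documents where only editing was allowed; the script reports them with `ContentEnabled = False` rather than interpreting the other flag values, since those are not documented.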
Transparent countermeasures Several of the new countermeasures in Office 2010 are invisible to the user and require no user interaction. For example, Office 2010 applications evaluate untrusted files for file format differences by using a new technology known as Office File Validation. This technology runs autonomously when a user opens an untrusted file. If no potential file format differences are detected, users have no indication that this technology scanned the file.
Note
In some cases, the Office File Validation feature might ask a user for permission to send file scan information to Microsoft to help improve the feature’s ability to detect exploits. You can prevent these prompts from occurring by configuring Group Policy settings.
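Office File Validation itself is not scriptable, but what it does, checking a file’s structure against the format definition before a parser is allowed to trust it, is easy to show on the container the legacy binary formats use. The following PowerShell is an added example, not code from the Office 2010 documentation or from Office File Validation: it validates the 512-byte header of an OLE compound file (the container behind .doc, .xls and .ppt) against the rules of the published compound file format, namely the magic bytes, the zero header CLSID, the little-endian marker, the version-dependent sector size, the mini-sector size and cutoff, and a bounds check that the first directory sector actually lies inside the file. The sample container is constructed inside the script, and the function names are invented for this example.

```powershell
# Added example, not from the Office 2010 documentation: validate an OLE compound
# file header the way a format-definition check would, before any parser trusts it.
# Function names are invented for this example; the sample bytes are constructed.

function New-SampleCompoundFile {
    # Constructed sample: a minimal version 3 container, 512-byte header plus one
    # 512-byte sector holding the directory. It is not a real document.
    $bytes = New-Object byte[] 1024
    [Array]::Copy([byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1), $bytes, 8)
    [BitConverter]::GetBytes([uint16]0x3E).CopyTo($bytes, 0x18)    # minor version 0x003E
    [BitConverter]::GetBytes([uint16]3).CopyTo($bytes, 0x1A)       # major version 3
    [BitConverter]::GetBytes([uint16]0xFFFE).CopyTo($bytes, 0x1C)  # little-endian marker
    [BitConverter]::GetBytes([uint16]9).CopyTo($bytes, 0x1E)       # sector shift: 2^9 = 512-byte sectors
    [BitConverter]::GetBytes([uint16]6).CopyTo($bytes, 0x20)       # mini sector shift: 2^6 = 64 bytes
    [BitConverter]::GetBytes([uint32]1).CopyTo($bytes, 0x2C)       # one FAT sector
    [BitConverter]::GetBytes([uint32]0).CopyTo($bytes, 0x30)       # directory chain starts at sector 0
    [BitConverter]::GetBytes([uint32]0x1000).CopyTo($bytes, 0x38)  # mini stream cutoff: 4096 bytes
    return ,$bytes
}

function Test-CompoundFileHeader {
    # Returns a list of problems; an empty list means the header follows the format definition.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $problems = New-Object System.Collections.Generic.List[string]
    if ($Bytes.Length -lt 512) { $problems.Add('file is shorter than the 512-byte header'); return ,$problems }

    if ([BitConverter]::ToString($Bytes, 0, 8) -ne 'D0-CF-11-E0-A1-B1-1A-E1') {
        $problems.Add('signature is not the compound file magic')
    }
    if (@($Bytes[8..23] | Where-Object { $_ -ne 0 }).Count -gt 0) {
        $problems.Add('header CLSID must be all zeros')
    }
    $major          = [BitConverter]::ToUInt16($Bytes, 0x1A)
    $byteOrder      = [BitConverter]::ToUInt16($Bytes, 0x1C)
    $sectorShift    = [BitConverter]::ToUInt16($Bytes, 0x1E)
    $miniShift      = [BitConverter]::ToUInt16($Bytes, 0x20)
    $dirSectorCount = [BitConverter]::ToUInt32($Bytes, 0x28)
    $firstDirSector = [BitConverter]::ToUInt32($Bytes, 0x30)
    $miniCutoff     = [BitConverter]::ToUInt32($Bytes, 0x38)

    if ($byteOrder -ne 0xFFFE) { $problems.Add(('byte order marker is 0x{0:X4}, expected 0xFFFE' -f $byteOrder)) }
    switch ($major) {
        3 {
            if ($sectorShift -ne 9)    { $problems.Add("version 3 requires sector shift 9, found $sectorShift") }
            if ($dirSectorCount -ne 0) { $problems.Add('version 3 must report zero directory sectors') }
        }
        4 {
            if ($sectorShift -ne 12)   { $problems.Add("version 4 requires sector shift 12, found $sectorShift") }
        }
        default { $problems.Add("unsupported major version $major") }
    }
    if ($miniShift -ne 6)       { $problems.Add("mini sector shift must be 6, found $miniShift") }
    if ($miniCutoff -ne 0x1000) { $problems.Add("mini stream cutoff must be 4096, found $miniCutoff") }

    # The check a careless parser skips: sector N starts at (N+1)*sectorSize, which must be inside the file.
    if ($sectorShift -ge 9 -and $sectorShift -le 12) {
        $sectorSize = 1 -shl $sectorShift
        $offset = ([int64]$firstDirSector + 1) * $sectorSize
        if (($offset + $sectorSize) -gt $Bytes.Length) {
            $problems.Add("first directory sector $firstDirSector lies beyond the end of the file")
        }
    }
    return ,$problems
}

# Usage: a well-formed sample, then the same bytes with two header fields tampered.
$good = New-SampleCompoundFile
$tampered = New-SampleCompoundFile
[BitConverter]::GetBytes([uint16]12).CopyTo($tampered, 0x1E)       # sector size inconsistent with version 3
[BitConverter]::GetBytes([uint32]1000000).CopyTo($tampered, 0x30)  # directory "sector" far past end of file

"well-formed sample: $((Test-CompoundFileHeader $good).Count) problem(s)"
Test-CompoundFileHeader $tampered | ForEach-Object { "tampered sample: $_" }
```

The well-formed sample reports zero problems; the tampered one reports the sector-shift mismatch and the out-of-range directory sector. Neither tampered field changes the magic bytes, which is why a signature check alone is not validation: a file can look like a compound file and still drive a parser past the end of its buffer. Office File Validation applies the same principle across the whole binary format, not just the header, and (by default) routes a file that fails to Protected View rather than refusing it outright.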
Sandbox previewing environment Untrusted files are opened in a sandbox previewing environment known as Protected View. Users can read files in this sandbox environment, and they can copy content to the clipboard. However, they cannot print files or edit them. In most cases, previewing a document is sufficient for users and they can close the file without answering any security questions. For example, even if a file contains an untrusted Visual Basic for Applications (VBA) macro, a user does not have to enable the VBA macro to preview the content in Protected View.
In most cases, the default security configuration in Office 2010 is a suitable defense-in-depth solution, which provides multiple layers of defense without impinging too much on user productivity. However, some organizations might have to modify the default security configuration to meet stricter security requirements, or to reduce security and give users more flexibility. For example, if the organization consists mostly of expert users who do not have to preview files in a sandbox environment, you can disable Protected View. We do not recommend this (and it can be very risky), but it reduces the number of security decisions users make. Likewise, if the organization requires a locked-down security environment, you can modify the security settings so that all untrusted documents must be opened in Protected View and can never leave Protected View. This provides more protection, but it also hinders a user’s ability to edit a file. Regardless of the organization’s particular security requirements, the multilayered countermeasures in Office 2010 let you balance security and productivity; that is, you can increase or decrease the frequency and the kind of security decisions users have to make without completely compromising the security architecture.
Giving the administrator full control
Most large and mid-sized organizations use some centralized management tool, such as domain-based Group Policy settings, to deploy and manage their security configurations. Using domain-based Group Policy settings helps ensure that the computers in the organization have a consistent configuration and enables you to enforce the security configuration — two requirements of an effective security strategy. To that end, Office 2010 provides an expanded suite of Group Policy settings to help you effectively deploy and manage the security configuration.
The following table shows the different ways that you can manage the new security controls in Office 2010. It also shows which applications support the new security features.
Security feature | Configurable in the Trust Center? | Configurable through Group Policy settings? | Applies to which applications? |
---|---|---|---|
Data Execution Prevention | Yes | Yes | |
Office File Validation | No | Yes | |
File block settings | Yes | Yes | |
Office ActiveX kill bit | No | No (must be configured in the registry) | |
Protected View | Yes | Yes | |
Trusted Documents | Yes | Yes | |
Encryption (cryptographic agility) settings | No | Yes | |
Time stamping of digital signatures | No | Yes | |
Integrity checking of encrypted files | No | Yes | |
Password complexity and enforcement | No | Yes | |
Migrating security and privacy settings from Office 2003
Office 2010 contains many security features that can help protect documents and help make desktops more secure. Some of these security features were introduced in the 2007 Office system, and have been enhanced in Office 2010. Other security features are new to Office 2010. If you are migrating to Office 2010 from Microsoft Office 2003 or an earlier version of Office, it might be helpful to understand when various Office 2010 security and privacy features were introduced.
The following table shows the main security and privacy features that were added or enhanced in the 2007 Office system and Office 2010.
Security feature | Description | Feature status in the 2007 Office system | Feature status in Office 2010 | For more information see… |
---|---|---|---|---|
Trust Center | A central console in the user interface that enables users to view and configure security settings and privacy options. | Introduced in the 2007 Office system | Enhanced and expanded settings in Office 2010 | |
Message Bar | A user interface element that gives users notifications and warnings when they open a document that contains potentially harmful content. | Introduced in the 2007 Office system | Enhanced the message bar user interface in Office 2010 | |
Trusted Locations | A security feature that enables you to differentiate safe and unsafe documents. | Introduced in the 2007 Office system | No significant changes in Office 2010 | |
File block settings | A suite of security settings that enable you to prevent users from opening or saving certain kinds of files. | Introduced in the 2007 Office system | Enhanced and expanded settings in Office 2010 | |
Document Inspector | A privacy tool that can help users remove personal information and hidden information from a document. | Introduced in the 2007 Office system | Enhanced the user interface in Office 2010 | |
Global and application-specific settings for ActiveX controls | Enables you to disable all ActiveX controls, configure ActiveX control initialization, and configure ActiveX control prompts. | Introduced in the 2007 Office system | No significant functional changes in Office 2010 | |
Enhanced global and application-specific settings for VBA macros | Enables you to disable VBA and configure macro warnings settings. | Introduced in the 2007 Office system | No significant functional changes in Office 2010 | |
Application-specific settings for add-ins | Enables you to disable add-ins, require that add-ins are signed by a trusted publisher, and configure add-in warnings. | Introduced in the 2007 Office system | No significant functional changes in Office 2010 | |
Data Execution Prevention (DEP) | A hardware and software technology that helps harden the attack surface by preventing viruses and worms that exploit buffer overflow vulnerabilities. | Not available in 2007 Office system applications | Introduced in Office 2010 | |
Office File Validation | A countermeasure that scans files for format differences and prevents files from being opened for editing if the format is not valid. | Not available in 2007 Office system applications | Introduced in Office 2010 | |
Office ActiveX kill bit | An Office feature that administrators can use to prevent specific ActiveX controls from running within Office applications. | Available in 2007 Office system applications as an Internet Explorer ActiveX kill bit | Introduced in Office 2010 as an Office ActiveX kill bit | Plan security settings for ActiveX controls for Office 2010; Plan COM object categorization for Office 2010; How to stop an ActiveX control from running in Internet Explorer |
Protected View | An Office feature that helps mitigate attacks by enabling users to preview untrusted or potentially harmful files in a sandbox environment. | Not available in 2007 Office system applications | Introduced in Office 2010 | |
Trusted Documents | A security tool that enables users to designate safe documents. | Not available in 2007 Office system applications | Introduced in Office 2010 | |
Trusted time stamping of digital signatures | Helps ensure that digital signatures remain valid and legally defensible even if the certificate that you used to sign the document expires. | Not available in 2007 Office system applications | Introduced in Office 2010 | |
Integrity checking of encrypted files | Enables you to implement a hash-based message authentication code (HMAC) when a file is encrypted. | Not available in 2007 Office system applications | Introduced in Office 2010 | |
Password complexity checking and enforcement | Enables you to check and enforce passwords for length and complexity by using domain-based password policies. | Not available in 2007 Office system applications | Introduced in Office 2010 | |
Cryptographic agility | Enables you to specify cryptographic settings for encrypting documents. | Not available in 2007 Office system applications | Introduced in Office 2010 | |