Microsoft® Office XP Resource Kit


Protecting Office Documents

A chief concern of most businesses is to protect files and data against malicious attacks, such as tampering, espionage, and intentional destruction. If your work environment subjects your files to such threats, you should review the options that can help protect your data. The Custom Installation Wizard and Custom Maintenance Wizard allow the setting of some security options, but other options must be selected by each user in order to set the protection method, such as the use of passwords.

The following list presents the key features of security in Microsoft Office:

  • Security settings for macros, trusted sources, and ActiveX® controls

  • Password and encryption protection

  • Privacy options

  • Removing Visual Basic® for Applications (VBA)


Note   Security settings for Microsoft Outlook® 2002 are numerous and require specialized knowledge of mail servers, network servers, and links to external mail providers to properly configure Outlook for use by organizations. Administrators are advised to read "Outlook Security" in Chapter 22, "Messaging".


Office security settings

Microsoft Office provides methods for managing application and document security. Understanding how to set the following security-related features can help you establish a secure environment for users' applications and data:

  • Macro security

  • Certificate revocation

  • Trusted sources

  • ActiveX controls

Setting security properly helps limit the vulnerability of applications and data to malicious attacks. An additional security measure is the ability to require passwords for users who want access to document content in some applications.

All applications listed on the Specify Office Security Settings page of the Custom Installation Wizard and Custom Maintenance Wizard are available to receive security settings for macros, trusted sources, and ActiveX controls. Security settings can be changed to High, Medium, or Low, or remain at the default level.


Note   There is an issue administrators should consider when they use a transform to install different editions of Office or stand-alone versions of Office applications. If an administrator creates a transform for installing Microsoft Word in a staged deployment, the Specify Office Security Settings page allows an administrator the option of setting the default security level for Microsoft Excel (whether or not Excel is already installed on the user's computer) while also providing the option to customize stand-alone Word. If Excel is not installed, the security setting is ignored.


Macro security

Macro security is used to control the use of automatic or manual code embedded within a template associated with a document, or saved as part of the document itself. Setting macro security levels enables applications to:

  • Run macros automatically when trusted

  • Run macros only after user approval (prompted)

  • Block macros because they are not trusted

  • Run all macros without security enabled

Each of these security levels can be set by administrators and distributed to some or all users in an organization by using either the Custom Installation Wizard, Custom Maintenance Wizard, Office Profile Wizard, or the System Policy Editor.

Setting macro security levels in Office applications

Macro security for Microsoft Word, Excel, Microsoft Outlook, Microsoft Publisher, and Microsoft PowerPoint® can be set to High, Medium, or Low through the Macro Security dialog of the user interface. It is highly recommended to select High or Medium. Setting the security level to Low allows a macro or VBA program to run without the knowledge of the user.

You can only set the macro security level for Access with a policy setting or on the Specify Office Security Settings page of either the Custom Installation Wizard or the Custom Maintenance Wizard.

The basic definitions of the High, Medium, and Low security levels are:

  • High security

    Macros must be signed by an acknowledged trusted source. Otherwise, macros in documents are automatically disabled without warning to the user when the documents are opened. All Office applications are installed with high security by default.

  • Medium security

    Users are prompted to enable or disable macros in documents when the documents are opened.

  • Low security

    No macro checking is performed when documents are opened, and no macro restrictions are imposed. This security level is not recommended because it will not protect against malicious programs.

Default installation settings for security can be controlled by using the Specify Office Security Settings page of either the Custom Installation Wizard or the Custom Maintenance Wizard.

To set the security level in Word, Excel, Outlook, or PowerPoint

  1. On the Tools menu, point to Macro, and then click Security.

  2. Click the Security Level tab and select a security level.


Note   You can also gain access to the security dialog from the Tools | Options | Security tab; then click the Macro Security… button.


Signing a macro

You can use Selfcert.exe to sign macros or templates you create for use within your organization. Selfcert.exe calls Makecert.exe; both programs are available with Office in the Office10 folder and are not available with the Office Resource Kit.

There are limitations to the deployment of Selfcert.exe certificates applied to a macro when macro security is set to High. Setting security to Low and then running the macro does not register the certificate in the trusted sources list. Security must be set to Medium or High before any certificates are posted to the list. In cases where security is set to High on all computers, a Selfcert.exe-signed macro can be deployed but cannot be run because it does not have a secure enough certificate. You must use a certificate issued by a Certificate Authority such as VeriSign® for a High security enabled environment.

One approach to deploying a macro in a High security environment is to send the source code (text) for the macro to users, instruct them how to paste it into a VBA editor, and then use Selfcert.exe to certify the code using their own local certificate.

Certificate revocation

By default, the certificate revocation check setting of Microsoft Internet Explorer is disabled. Because Office inherits this setting, Office will not check for certificate revocation. Administrators can turn the feature on; however, it can take a considerable amount of time to analyze whether a certificate has been revoked, because Internet Explorer has to check a database on the Internet. To enable this setting, select the Check for publisher's certificate revocation check box in the Advanced tab in the Internet Options dialog under the Security section of the tree view control.

Microsoft Outlook 2002 also uses certificate revocation for evaluating the certificate attached to any received files. For more information on the certificate revocation list (CRL) policy and policies associated with cryptography for Outlook, see Working with Difficult Policies.

Trusted sources

Using trusted sources is a means of cataloging and allowing signed executables to run on users' computers. With this feature enabled, users can choose whether to allow executable code or programs to run from sources that can be identified or trusted.

Administrators have the option of turning the trusted sources feature off or enabling a list of trusted sources as a default. If this feature is selected, any future installable code (add-ins, applets, executables, etc.) is automatically copied to, or run from, the user's computer.

The trusted sources feature requires that a special embedded certificate be applied to an executable. This certificate includes a digital signature that identifies the source, providing assurance to the user because of the rigorous method required to apply a certificate and digital signature to an executable.

A digital signature is like a seal of approval. The signature ensures code is from the source listed in the certificate used to sign the code, and ensures the code has not been tampered with since the creators of the certificate signed it. A digital signature requires developers or creators of code to identify themselves and attach their name to the digital signature. In this way a digital signature can be used to prove that the data or code is really from the user or source that the digital signature claims it is from.

Specifying trusted sources in Office applications


Note   Office and Internet Explorer use separate trusted source lists within the registry. Therefore, accepting the certificate of an ActiveX program or Java applet in Internet Explorer does not mean it was accepted by Office and vice versa. For example, if you accept the certificate of an ActiveX control within Word, it is accepted for all Office applications, but not Internet Explorer.


When users open a document that contains digitally signed macros, they are prompted to choose whether to trust the source if the digital certificate has not previously been trusted and the security for their application is set to High or Medium. If they choose to trust the source, any document with a macro with that same digital certificate automatically runs the macro. If they accept to trust the digital signature from that source for all future macros, programs, or applets, any time a new macro, program, or applet is asked to run on the computer, the source is trusted and the macro, program, or applet is run automatically (without prompting), regardless of the security level set for the application.

You have the option to trust all currently installed add-ins and templates on a computer so that all files installed along with Microsoft Office or added to the Office templates folder are trusted even though the files are not signed.


Note   There is no direct way to preload the trusted source list. You must accept each certificate on a test computer by opening a document with a signed macro, running the applet from the Web, or running the compiled executable. Then use the Office Profile Wizard to capture the add-in and registry settings associated with the add-in.


To specify trusted sources in Word, Excel, Outlook, or PowerPoint

  1. On the Tools menu, point to Macro, and then click Security.

  2. To view or remove trusted sources, click the Trusted Sources tab.

  3. To trust all add-ins and templates currently installed on the computer, select the Trust all installed add-ins and templates check box.

Though the Security dialog is available from Word, PowerPoint, Outlook, and Excel, it is not available in Access.

Adding trusted sources

You can add trusted sources by accepting the request to trust an applet or program the first time it attempts to run. Macro security must be set at Medium or High to force this request.

It is possible to add Microsoft to the list of trusted sources without accepting a request to trust the source by setting the Add Microsoft to list of trusted sources check box to checked in the Specify Office Security Settings page of the Custom Installation Wizard or the Custom Maintenance Wizard.

Administrators can block users from adding to the list of trusted sources by enforcing a policy. To block users from making any changes to the trusted source list, use the default computer policy profile and set the Microsoft Office XP | Security Settings policy of each application to checked (for example, Word: Trust all installed add-ins and templates). Unlike the setting of security options through the Custom Installation Wizard or Custom Maintenance Wizard, the use of a system policy forces the implementation of administrative settings on a user's computer each time the user logs on, resetting any changes the user may have made during a session with the application.

Regarding policy settings, if a list of trusted sources is added to the HKCU node of the registry, users can add trusted sources through the user interface of an application. However, if the list of trusted sources is stored in the HKLM node of the registry, then users cannot add to their list of trusted sources.

Presetting trusted sources for all users

To preset trusted sources on a user's computer, you use the Office Profile Wizard to save your security settings from a test computer where the sources are currently trusted. On a computer with Office XP installed, open Office documents with macros signed by the sources you want to trust so that the Office application can enter the certificate trust data into the registry. Choose to trust the sources as you open each document. Then, run Internet Explorer and open all the Web sites that contain applets you want users to have, and accept the certificates associated with the applets. Because Office and Internet Explorer use two separate trusted source lists, you must accept certificates in both Office applications and Internet Explorer to load the registry entries so you can propagate the changes with the Profile Wizard. If you have any special executables that work along with Office applications, run them and accept their digital certificates as well (if the executables are signed).

After you have saved the configurations you want in a profile settings file (OPS file), use the Custom Installation Wizard to include your OPS file in a transform on the administrative installation point. When users run Office Setup from the administrative installation point with this transform, the trusted sources you specified are set as trusted sources on users' computers. You can also apply an OPS file separately. For more information about applying a profile settings file (OPS file), see Using the Office Profile Wizard.


Tip   You can create a system policy to preset Macro Security Levels and to enable the Trust all installed add-ins and templates setting in each Office application. Review the list of Office applications you can set policies for in the Default Computer profile by using the Office10.adm policy template (Office XP | Security Settings). There are also security settings you can enable for users within the Default User profile; however, to know which settings can be configured, you will need to examine the policy tree node of each Office application for which you have added an ADM template file in the System Policy Editor.


To implement trusted sources, you can use:

  • The Custom Installation Wizard and the Office Profile Wizard to preset security levels and trusted sources.

  • The System Policy Editor to preset security levels and specify whether to trust installed add-ins and templates.

  • The Custom Maintenance Wizard or the Profile Wizard to change the installed macro security configurations of Office applications.

You can also use a virus-scanning program in combination with security levels of Microsoft Office applications to reduce the probability of a macro virus infection introduced through a trusted source.

ActiveX

An ActiveX control is essentially a simple OLE or COM object. It is a self-registering program or control; that is, it adds registry entries for itself automatically at start up. An ActiveX control can be as simple as a text box and as complex as an entire dialog. ActiveX controls are used extensively with Web sites. Therefore, ActiveX is synonymous with Java, Netscape plug-ins, and scripting. However, the advantage of ActiveX over these other programming options is that ActiveX controls can also be used in applications written in different programming languages, including all of the Microsoft programming and database languages.

ActiveX controls facilitate distribution of specialized controls over networks and integration of those controls within Web browsers. This includes the ability of the control to identify itself to applications that use ActiveX controls.

ActiveX controls can be scripted from Web pages. This means you can create (or buy) an ActiveX control to provide a control for a user interface or graphics device interface (GDI) element. Once created, you can use a scripting language such as Visual Basic Scripting Edition (VBScript) or JavaScript™ to use the control. Your script instructs the control how to work.

ActiveX security settings

Two extra security settings exist for use with ActiveX controls:

  • Initialize using control defaults

    User will be warned. This setting disables the ability of the control to use and save persistent data. It forces the control to run using the default settings, thereby reducing the probability of an errant setting causing a problem for the user. If this setting is enabled, the user is always warned that default settings are enabled for the control and any persistent data the control would normally store with the hosted document is discarded when this setting is activated and the document is being closed.

  • Prompt user to use persisted data or control defaults

    When set, this security setting provides the user the option of saving the document hosting the control with the persistent data or without.

Use of these settings, along with the <do not configure> setting in the Custom Installation Wizard or Custom Maintenance Wizard, provides users control over how the unsafe ActiveX controls run on their computers.

ActiveX and other programming options

If you have tried using Java or Visual Basic to draw on the screen using DirectX®, you know you cannot do it. The virtual machine environment created for these languages is not allowed access to the system's services — protecting the computer on which an applet is run from inadvertently downloading a virus that reads from or writes to the hard disk. To gain access to basic system services, create an ActiveX control using the Win32® API and C++.

Code signing

Because ActiveX allows access to basic system services, you need a special method to download a control for use without worrying it might be a malicious program. This method is provided by Authenticode, which allows an ActiveX developer the ability to digitally vouch for their code. This is known as code signing. Code signing allows users the ability to identify the author of any ActiveX control before allowing it to execute.

If you've used unsigned or unmarked ActiveX controls with Microsoft applications, you may have seen dialog boxes informing you that a control is not signed, the control is not safe for initializing, or the control is not safe for scripting. Or, if you set your security level at high rather than medium, the control did not load or display at all.

ActiveX controls that can automatically be downloaded over the Internet can do anything a regular program can do — including deletion of files or registry entries. Java addresses this problem by severely limiting what a Java applet can do. Java cannot, for instance, gain access to the computer's file system. ActiveX controls take a different approach: they demand positive identification of the author of the control, verification that the control was not modified since it was code signed, and confirmation that it is a safe control. Because of this approach, ActiveX controls can use the full power of the operating system safely.

If a user attempts to load an unregistered ActiveX control, the application checks to see if the control has been digitally signed.

If the application is set to use:

  • High security, there is no option to use the ActiveX control if it is not signed.

  • Medium security, users are asked whether or not they want to accept the digital signature of the control.

    If the signature is accepted, the control is loaded and run.

  • Low security, the digital signature is ignored and the ActiveX program is run without an acceptance dialog box shown to the user.

Once the control is registered on the user's system, the control no longer invokes code-signing dialog boxes. After a control is installed, it is considered safe even if it was not signed originally.

Signing an ActiveX control

To sign a control, you'll need to obtain a certificate from a Certificate Authority such as VeriSign. Find directions for signing controls from VeriSign at http://digitalid.verisign.com. This link points to a server not under the control of Microsoft; therefore, it may change between the time this information is published and when you attempt to use it.

Determining if an ActiveX control is safe

Since the digital signing of an ActiveX control stays with the file, ActiveX controls marked as safe must be safe in all possible conditions. So a control marked as safe must be written to protect itself from any unpredictable results a script author might unintentionally create when scripting the control. While it is easy for a programmer to make a specific control safe, it is impossible to guarantee that the control is always safe when used with scripting created by another author.

If a control is marked as safe for initializing, the programmer who created it is claiming that no matter what values are used to initialize the control, it will not do anything to damage a user's system or compromise the user's security.

The developer of an ActiveX control should take extra care to ensure that a control is in fact safe before it is marked as safe. For instance, the developer should verify that each ActiveX control:

  • Does not manipulate the file system.

  • Does not manipulate the registry (except to register and unregister itself).

  • Does not over-index arrays or otherwise manipulate memory incorrectly, thereby causing a memory leak or corrupt memory region.

  • Validates and corrects all input, including initialization, method parameters, and property set functions.

  • Does not misuse any data about, or provided by, the user.

  • Was tested in a variety of circumstances.

Password and encryption protection for Excel, Word, and PowerPoint files

Several features are available in Microsoft Excel, Microsoft Word, and Microsoft PowerPoint to protect files through passwords or encryption. These file-level security measures are in addition to any operating system-level security already set, such as permissions to a folder, a specific file, or an entire drive.

File encryption is one of the best ways to protect a document. When saved, the file is scrambled with an encryption code, making the contents of the document unreadable. However, this requires setting a password and remembering that password.

Setting password protection can be partially programmatically automated through VBA or can be disabled in situations where you do not want it available to users through a policy setting. However, hard-coding a password into a program is not a recommended practice and can lead to weakened security.

For example, the SaveAs method in VBA has four arguments it can use — LockComments, Password, WritePassword, or ReadOnlyRecommended. These arguments can allow a programmer to save a document with a password.
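The hard-coded password pattern warned about above, next to a version that asks for the passwords at run time, using Word's SaveAs method with the arguments just named. This is an added example, not code from the Resource Kit; the file path, the minimum length, and the helper PromptForPassword are assumptions made for illustration.

```vba
Option Explicit

' Added example, not from the Resource Kit.
' Assumed local policy value; adjust to your organization's password rules.
Private Const MIN_PASSWORD_LENGTH As Long = 8

' Constructed sample path, used by both procedures.
Private Const TARGET_FILE As String = "C:\Reports\Budget.doc"

' Weak pattern: the passwords are literals in the VBA project, so anyone
' who can read the macro source (or a copy of the template that carries
' it) can read the passwords that protect every file it saves.
Sub SaveWithHardCodedPassword()
    ActiveDocument.SaveAs FileName:=TARGET_FILE, _
        Password:="Example-Only-1", _
        WritePassword:="Example-Only-2"
End Sub

' Preferred pattern: the macro automates the save, but the secrets are
' supplied by the user when it runs and are never stored with the code.
Sub SaveWithPromptedPassword()
    Dim openPwd As String
    Dim modifyPwd As String

    openPwd = PromptForPassword("Password required to open the document:")
    If Len(openPwd) = 0 Then Exit Sub            ' user cancelled

    modifyPwd = PromptForPassword("Password required to modify the document:")
    If Len(modifyPwd) = 0 Then                   ' user cancelled
        openPwd = vbNullString
        Exit Sub
    End If

    ' Password           -> file open protection (the file is encrypted)
    ' WritePassword      -> file modify protection
    ' ReadOnlyRecommended-> read-only recommended prompt on open
    ' LockComments       -> left False; comments are not locked here
    ActiveDocument.SaveAs FileName:=TARGET_FILE, _
        LockComments:=False, _
        Password:=openPwd, _
        WritePassword:=modifyPwd, _
        ReadOnlyRecommended:=True

    ' Do not keep the passwords in memory longer than needed.
    openPwd = vbNullString
    modifyPwd = vbNullString
End Sub

' Hypothetical helper: asks twice, enforces the minimum length, and
' returns an empty string if the user cancels.
' InputBox shows the typed characters; a UserForm TextBox with its
' PasswordChar property set is the way to mask the entry.
Private Function PromptForPassword(ByVal promptText As String) As String
    Dim entry1 As String
    Dim entry2 As String

    Do
        entry1 = InputBox(promptText, "Protect document")
        If Len(entry1) = 0 Then Exit Function    ' cancelled: returns ""

        If Len(entry1) < MIN_PASSWORD_LENGTH Then
            MsgBox "Use at least " & MIN_PASSWORD_LENGTH & " characters.", _
                vbExclamation
        Else
            entry2 = InputBox("Enter the same password again:", _
                "Protect document")
            If StrComp(entry1, entry2, vbBinaryCompare) = 0 Then
                PromptForPassword = entry1
                Exit Function
            End If
            MsgBox "The two entries do not match.", vbExclamation
        End If
    Loop
End Function
```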

As with all good security and encryption methods, using strong passwords provides additional protection against attempted attacks. Documentation regarding the implementation of strong password methods is available from http://www.microsoft.com/NTServer/security/deployment/planguide/password.asp.

Microsoft Access does not provide the same method of password and file encryption methods available with Excel, Word, and PowerPoint. For security, encryption, and password schemes for Microsoft Access, see "Secure a Microsoft Access project" and "Administering and Securing an Application - Securing a Database" from the Contents pane of Microsoft Access Help.


Note   To use encrypted documents in collaboration, you must clear the Encrypt document properties check box in the Encryption Type dialog (Tools | Options | Security | Advanced…). Clearing this check box is required because the routing information within the document must be unencrypted, thereby allowing the routing handling programs to use the routing data.


Protecting Excel workbooks

Microsoft Excel supports three levels of workbook file protection. The user who creates a workbook has read/write permission to a workbook and can control the level of protection. The three levels are:

  • File open protection

    Excel requires the user to enter a password to open a workbook.

  • File modify protection

    Excel requires the user to enter a password to open the workbook with read/write permission. The user can click Read Only at the prompt, and Excel opens the workbook in a read-only state.

  • Read-only recommended protection

    Excel prompts the user to open the workbook in a read-only state. If the user clicks No at the prompt, Excel opens the workbook with read/write permission, unless the workbook has other password protection enabled.

Excel encrypts password-protected workbooks by using encryption routines. Because protected workbooks are encrypted, they are not indexed by Find Fast or by the Microsoft Office Server Extensions (OSE) search feature. Encryption is provided by various cryptographic methods available from the Advanced button on the Security dialog (File | Save As menu option). Default encryption can also be set for users by using a system policy.

In addition to protecting an entire workbook, you can also protect specific elements from unauthorized changes. This method is not as secure as using a password to protect the entire workbook because Excel does not use encryption when you protect only specific elements.

For example, hidden cells on a protected worksheet can be viewed if a user copies across a range on the protected worksheet that includes the hidden cells, opens a new workbook, pastes, and then uses the Unhide command to display the cells.


Tip   To ensure the strongest security on a workbook, use a password to protect the entire workbook.


You can protect the following elements of a workbook:

  • Protect Sheet

    This allows the creator of the workbook the ability to protect a worksheet and the contents of locked cells. It also allows the creator of the file the option of restricting the following formatting capabilities by other users of the file:

    • Select locked cells

    • Select unlocked cells

    • Format cells

    • Format columns

    • Format rows

    • Insert columns

    • Insert rows

    • Insert hyperlinks

    • Delete columns

    • Delete rows

    • Sort

    • Use AutoFilter

    • Use PivotTable® reports

    • Edit objects

    • Edit scenarios

  • Allow Users to Edit Ranges

    This provides the creator of a workbook the ability to let other users make changes to specific ranges in a worksheet. This method uses network security permissions so the creator can select a User ID of an individual and provide specific access rights to data within a range of a worksheet.

  • Protect Workbook

    Allows the creator of a workbook the ability to protect the structure or windows of the workbook with a password. Protection of these two elements works as follows:

    • Structure of a workbook

      Worksheets and chart sheets in a protected workbook cannot be moved, deleted, hidden, unhidden, or renamed, and new sheets cannot be inserted.

    • Windows in a workbook

      Windows in a protected workbook cannot be moved, resized, hidden, unhidden, or closed. Windows in a protected workbook are sized and positioned the same way each time the workbook is opened.

  • Cells or formulas on a worksheet, or items on a chart sheet

    Contents of protected cells on a worksheet cannot be edited. Protected items on a chart sheet cannot be modified (right-click on the cell of interest, select Format Cells…, then click the Protection tab). Use of this feature on a protected cell requires the worksheet it is part of to be protected.


Tip   You can also hide a formula so only the result of the formula appears in the cell.


  • Graphic objects on a worksheet or chart sheet

    Protected graphic objects can be locked. This prevents the object or chart from being moved or edited. Requires the worksheet it is part of to be protected.

  • Scenarios on a worksheet

    Definitions of protected scenarios cannot be changed (Tools menu, Scenarios option).

  • Change histories of shared workbooks

    Protected change histories (track changes enabled) cannot be cleared by the user of a shared workbook or by the user of a merged copy of a workbook. Enabled by setting the Sharing with track changes check box in the Protect Shared Workbook dialog (Tools | Protection | Protect and Share Workbook… option) to checked.


Caution   If a user assigns password protection to a workbook and then forgets the password, it is impossible to perform the following activities:
  • Open the workbook

  • Gain access to the workbook's data from another workbook through a link

  • Remove protection from the workbook

  • Recover data from the workbook
You should advise users to keep a list of passwords and corresponding workbook, worksheet, and chart sheet names in a safe place.


Protecting Word documents

Microsoft Word supports three levels of document protection. The user who creates a document has read/write permission to a document and controls the protection level. These protection methods are accessed by selecting File | Save as | Tools | Security. The three levels of document protection are:

  • File open protection

    Word requires the user to enter a password to open a document.

  • File modify protection

    Word requires the user to enter a password to open the document with read/write permission. If the user clicks Read Only at the prompt, Word opens the document as read-only.

  • Read-only recommended protection

    Word prompts the user to open the document as read-only. If the user clicks No at the prompt, Word opens the document with read/write permission, unless the document has other password protection.

Word encrypts password-protected documents by using encryption routines. Because protected documents are encrypted, they are not indexed by Find Fast or by the Microsoft Office Server Extensions (OSE) search feature. Encryption is provided by various cryptographic methods available from the Advanced button on the Security dialog (File | Save As menu option). Default encryption can also be set for users by using a system policy.

In addition to protecting an entire document, you can also protect specific elements from unauthorized changes. This method is not as secure as using a password to protect the entire document because Word does not use encryption when you protect only select elements. For example, field codes can be viewed in a text editor such as Notepad even if forms or sections of a document are protected.

Specific elements you can protect in a document are:

  • Tracked changes

    Changes made to the document can be neither accepted nor rejected, and change tracking cannot be turned off.

  • Comments

    Users can insert comments into the document but cannot change the content of the document.

  • Forms

    Users can make changes only in form fields or unprotected sections of a document.

To protect tracked changes in a Word document

  1. Open the document in Word.

  2. Select the Protect Document menu option (Tools menu).

  3. Select Tracked changes.

  4. Add a password to the Password text box.

  5. Save the document.

After setting any of these elements to protected status in the document, you can unprotect them at any time. To do so, select the Unprotect menu option (Tools menu) and provide the password used to set the protection.


Caution   If a user assigns password protection to a document and then forgets the password, it is impossible to perform the following activities:
  • Open the document

  • Gain access to the document's data from another document with a link

  • Remove protection from the document

  • Recover data from the document
Advise users to keep a list of passwords and corresponding document names in a safe place.


Protecting PowerPoint presentations

Microsoft PowerPoint supports three levels of presentation file protection. The user who creates a presentation has read/write permission to a presentation and controls the protection level. The three levels of presentation protection are:

  • File open protection

    PowerPoint requires the user to enter a password to open a presentation.

  • File modify protection

    PowerPoint requires the user to enter a password to open the presentation with read/write permission. The user can click Read Only at the prompt, and PowerPoint opens the presentation as read-only.

  • Read-only recommended protection

    PowerPoint prompts the user to open the presentation as read-only. If the user clicks No at the prompt, PowerPoint opens the presentation with read/write permission.

PowerPoint encrypts password-protected presentations by using encryption routines. Because protected presentations are encrypted, they are not indexed by Find Fast or by the Microsoft Office Server Extensions (OSE) search feature. Encryption is provided by various cryptographic methods available from the Advanced button on the Security dialog (File | Save As menu option). Default encryption can also be set for users by using a system policy.

Optionally, you can encrypt document properties, too. To do so, click the Advanced… button and select the Encrypt document properties check box. This prevents people from opening the presentation using a text editor and viewing any clear text (ASCII text) in the presentation.
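Both the Word passage above (protected elements are not encrypted, so field codes stay readable in a text editor) and this PowerPoint passage (clear text is visible unless it is encrypted) can be checked by scanning a file's raw bytes. The following Python script is an added example, not part of the Resource Kit; the sample bytes, the keyword list, and the `toy_encrypt` stand-in are constructed for illustration and do not reproduce the Office file format or Office's encryption.

```python
import hashlib
import re

# Word field-code keywords to look for (a short, non-exhaustive sample).
FIELD_KEYWORDS = ("MERGEFIELD", "HYPERLINK", "INCLUDETEXT", "AUTHOR")

# Text can sit in a file as 8-bit characters or as UTF-16LE.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def cleartext_runs(data: bytes) -> list[str]:
    """Return printable runs, as a text editor would reveal them."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    runs += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return runs


def exposed_field_codes(data: bytes) -> list[str]:
    """Return the readable runs that contain a field-code keyword."""
    return [r.strip() for r in cleartext_runs(data)
            if any(k in r for k in FIELD_KEYWORDS)]


def toy_encrypt(data: bytes, password: str) -> bytes:
    """Stand-in for whole-file encryption (NOT Office's algorithm):
    XOR with a SHA-256 counter keystream derived from the password."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{password}:{counter}".encode()).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


# Constructed sample: filler bytes around two field codes, one stored as
# UTF-16LE and one as 8-bit text. It is not a valid Office file.
SAMPLE = (
    bytes(16)
    + " MERGEFIELD CustomerName ".encode("utf-16-le")
    + bytes(8)
    + b' HYPERLINK "http://intranet.example/payroll" '
    + bytes(8)
)

if __name__ == "__main__":
    print("element protection only:", exposed_field_codes(SAMPLE))
    print("whole file encrypted:   ",
          exposed_field_codes(toy_encrypt(SAMPLE, "example-password")))
```

Run against real files, an empty result is only an indication that nothing in the keyword list is readable; it does not prove the file is encrypted.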


Caution   If a user assigns password protection to a presentation and then forgets the password, it is impossible to perform the following activities:
  • Open the presentation

  • Gain access to the presentation data from another presentation through a link

  • Remove protection from the presentation

  • Recover data from the presentation
Advise users to keep a list of passwords in a safe place.


Password and encryption options

Password and encryption options have been moved to the new Security tab within the Tools | Options dialog. They can still be accessed from the File | Save As | Tools | Security option.

There are also new hot keys for these options. The groups and controls are:

File encryption options for this document

  • Password to open

  • Advanced…

File sharing options for this document

  • Password to modify

  • Read-only recommended

  • Digital signatures…

  • Protect Document…


Note   The term Digital signatures, as used here, does not have the same meaning as it does for code signing or for certificates attached to executable code. In this instance, a Digital signature is the unique identifying element of an individual's mark on a document, like a legal and binding signature at the bottom of a page. When attached to a document, workbook, or presentation, it implies the user has signed the document and has validated its contents.


Privacy options

  • Remove personal information from this file on save

  • Warn before printing, saving, or sending a file that contains tracked changes or comments

  • Store random number to improve merge accuracy

Macro security

  • Macro Security…

Protect Document dialog

Within the File sharing options for this document section of the Security tab is a button to access the Protect Document dialog. This button provides the same functionality as the Tools | Protect Document menu option and the File | Save As | Tools | Security | Protect document button.

Privacy options

Privacy options help reduce the visibility of an author or editor of content in a file by removing all references in the document. Author and editor references are attached to tracking changes or comments and can identify who made a change or added a comment. The privacy features of Office can replace these references by adding a generic user name to each comment or tracking change.

Word 2002 uses three options to protect access to private information. The check boxes are grouped under Privacy options in the Security dialog. Not all Office applications take advantage of these features.

The first privacy check box, Remove personal information from this file on save, sets a document property. If a user has a document with comments and saves it, the author identifiers for the current comments are removed.

The second privacy check box, Warn before printing, saving, or sending a file that contains tracked changes or comments, sets a global property. The setting, which is off by default, causes a dialog to appear whenever a request to save, print, or e-mail a document containing markup (change tracking or comments) is issued.

The third privacy check box, Store random number to improve merge accuracy, sets a global property. The setting, which is on by default, determines whether the file being saved is stamped with the RSID number for a particular editing session. The RSID number is a harmless pseudo-random number that reveals no information about a document's authorship or origin. Word uses the RSID information, if present, to enhance the results of merging two versions of a document, but the RSID information is not required for a merge to succeed.

Removing Visual Basic for Applications

Visual Basic for Applications (VBA) is considered a security risk by some administrators. The risk, however, is not with VBA itself but with the problems that can be caused when VBA is intentionally used by individuals to disrupt or sabotage work.

For this reason, several companies have requested a version of Office that does not include VBA. To accommodate this request, Visual Basic for Applications has been made an installable feature of Office — that is, it can be removed by changing its installation state.


Note   Removing VBA does not protect against malicious programs that are written in another programming language and distributed in a compiled format (EXE). It also does not prevent script-based executables from accomplishing the same goal.


Setting the install option for VBA to Not Available or Not Available, Hidden, Locked in the Set Feature Installation States page of the Custom Installation Wizard and Custom Maintenance Wizard turns off VBA; any other installation option turns on VBA.

Turning VBA off presents significant issues:

  • Microsoft Access 2002 cannot be installed to a user's computer and is removed if it is already installed when VBA is turned off.

  • Office Tools on the Web will not run.

  • Macros will not run.

  • All add-ins dependent on VBA will not run.

Turning off VBA keeps programs dependent on VBA from running, and it also turns off most add-ins and all macros within all applications for all users. It is highly recommended not to turn off VBA. Instead, use the security features of Office to limit the potential for malicious attacks and possible damage to computer hardware or software. For more information, see the Set Feature Installation States page of the Custom Installation Wizard and select Help.

In general, setting maximum-security settings for applications in Office protects against malicious attacks in all forms and allows organizations to retain VBA as an installed feature.

Changes to the File | Save As | Tools menu

The Word 2000 Save As dialog included a method of gaining access to the Save tab properties dialog. In Word 2002 this has changed. Instead of finding it through the Tools | General Options menu, it is now in the Tools | Save Options menu.


© 2001 Microsoft Corporation. All rights reserved. Terms of use.