Turn Off Functionality
Far too often, applications come with all the bells and whistles turned on: everything including the kitchen sink is installed by default. Just take a look at the default toolbars in Microsoft Word. There are more than 50 icons on there! Having used Word for over 10 years, we still do not know what all of them do. Getting rid of functionality that you do not need is a good step toward securing applications.
There have been many examples of problems with optional components of applications. For instance, in September 2003 Microsoft had to release a security update for a flaw in the WordPerfect converter in Office. If you did not need the WordPerfect converter, it should not have been installed. The key rule here is not to install anything you do not need. Creating a standard desktop environment that contains only the functionality your users can and should use is the general rule to follow. Many applications, the Microsoft Office suite included, come with administrative installation options that enable you to customize what is installed.
There are also opportunities to turn off functionality. Some applications allow central control over components of the application. For instance, the Office applications can be managed using IntelliMirror, the functionality within Active Directory that installs applications on systems. By creating a custom Windows Installer Transform file that includes a predefined Office profile, you can control the default behavior of your Office applications. These files can be deployed using IntelliMirror in Active Directory, ensuring that the Office applications are configured the way you want them from the start. Figure 13-2 shows the Office Profile Wizard from the Office Resource Kit (ORK).
Figure 13-2. The Office Profile Wizard in the Office 2003 Resource Kit.
To create transforms for Office, you need an Enterprise edition license for Office along with the ORK, which you can get at http://office.microsoft.com/en-us/FX011417911033.aspx. Although the ORK is free, the software license is obviously not. However, the additional control you can obtain this way may justify the cost of the license. It only takes five licenses to get the media. For more information on how to deploy Office, refer to the Solution Accelerator for Business Desktop Deployment at http://www.microsoft.com/technet/desktopdeployment/bddoverview.mspx.
Of particular note when it comes to application security is macros. Many applications are themselves application platforms. It is quite common for word processors, for instance, to have some kind of automation functionality through macros. In the case of the Microsoft Office suite, this programmability has been taken to a level bordering absurdity. You could practically write an operating system in Microsoft Excel! Macro viruses were quick to take advantage not only of this incredible functionality but also of users' propensity to open documents from anyone (remember the dancing pigs?) and click Yes on dialogs. It was not until recent versions of Office that the default security settings on macros started approaching reasonable default levels. Of course, users can reconfigure these settings at will, even if they are LUA.
Fortunately, you can configure the macro-level settings using Group Policy. This is done using administrative templates. Administrative templates, or ADM templates, are basically text files that allow you to configure settings in the HKEY_CURRENT_USER Registry hive via Group Policy. If you used the Policy Editor tool in Windows NT 4.0, the format of ADM templates will be familiar to you; it is basically the same format. You can import ADM templates into a Group Policy by right-clicking Administrative Templates under either Computer Configuration or User Configuration and selecting Add/Remove Templates. Templates added under Computer Configuration are primarily designed to modify non-security-related settings under HKEY_LOCAL_MACHINE. The main templates of interest from a security perspective are those that you add under User Configuration because these are the ones that can modify settings under HKEY_CURRENT_USER. This mechanism provides the only way in Group Policy to customize settings under that Registry hive in a centralized fashion.
You can write your own custom ADM templates. The file itself is just a text file formatted in a particular way. The syntax is described in the platform SDK under the topic Template File Format (Setup and System Administration > Policies and Profiles > System Policies > Using the System Policy Editor > Template File Format). You can also obtain templates from other sources. The Office Resource Kit as well as the Windows XP Security Guide (http://www.microsoft.com/security/guidance) both come with several templates for adding security settings.
We highly recommend that you configure the macro-level settings to High. This allows only signed macros to run. Of course, a macro virus author could probably sign the virus and get a user to click the "Trust this certificate" dialog, but that becomes a user configuration problem. At least by forcing only signed macros to run we have done the best we can.
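To make the ADM format and the High recommendation concrete, here is a small custom template, added as an illustration; it is not taken from the Office Resource Kit or from the original text. It assumes Office 2003 (version key 11.0) and that each application reads a DWORD named Level under its Security policy key, with 2 meaning Medium and 3 meaning High; check the key path, value name and numbers against the ORK's own templates before deploying. All string names are hypothetical.

```adm
; Constructed example: custom ADM template that pins macro security for
; Word and Excel. Import it under User Configuration so that the values
; are written to HKEY_CURRENT_USER.
; Assumption: Office 2003 (11.0) reads DWORD "Level" from the keys below,
; where 2 = Medium and 3 = High. Verify against the ORK templates.
CLASS USER

CATEGORY !!MacroSecurity

  POLICY !!WordLevel
    KEYNAME "Software\Policies\Microsoft\Office\11.0\Word\Security"
    EXPLAIN !!LevelExplain
    PART !!LevelPart DROPDOWNLIST REQUIRED
      VALUENAME "Level"
      ITEMLIST
        NAME !!Medium VALUE NUMERIC 2
        NAME !!High   VALUE NUMERIC 3 DEFAULT
      END ITEMLIST
    END PART
  END POLICY

  POLICY !!ExcelLevel
    KEYNAME "Software\Policies\Microsoft\Office\11.0\Excel\Security"
    EXPLAIN !!LevelExplain
    PART !!LevelPart DROPDOWNLIST REQUIRED
      VALUENAME "Level"
      ITEMLIST
        NAME !!Medium VALUE NUMERIC 2
        NAME !!High   VALUE NUMERIC 3 DEFAULT
      END ITEMLIST
    END PART
  END POLICY

END CATEGORY

[strings]
MacroSecurity="Office macro security (example template)"
WordLevel="Word: macro security level"
ExcelLevel="Excel: macro security level"
LevelPart="Security level"
Medium="Medium (prompt before running macros)"
High="High (signed macros only)"
LevelExplain="Sets the macro security level for this application. High is the recommended setting."
```

The template uses the Software\Policies branch of HKEY_CURRENT_USER rather than the application's ordinary preference key, so the value is removed again when the Group Policy no longer applies instead of being left behind in the user's profile.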