Working with Document Security

The 2007 Microsoft Office system introduces a new XML-based file format with new security features for protecting your document content. The Microsoft Office system now supports separate formats for different types of files: the "x" format (for example, docx), a secure file format that cannot contain macros or ActiveX controls, and the "m" format (for example, docm), which is a format that can contain active content. When you attempt to save a document containing macros as a Microsoft Office file with an "x" extension, the application will warn you that the macros will be removed and suggests saving the file as a macro-enabled file type instead.

When a document is opened that contains potentially unsafe content, such as an ActiveX control or a macro that has not been digitally signed, the default in the Microsoft Office system is to disable the content. Microsoft Office will display the Message Bar with a security alert identifying the content that has been disabled and providing options to enable the content and open the Trust Center. The Trust Center provides access to settings that control the behavior of macros, ActiveX controls (shown in Figure 9-15), and other content controls. The Trust Center can also be accessed directly via the Options button under the File menu.

image from book
Figure 9-15: Trust Center settings

Using Document Inspector

One of the final steps in the document preparation and publishing process is to remove any personal or private information from the file before it is released. In some cases, this is information, such as comments and revision marks, that results from the collaboration process. In other cases, this is information that might have been hidden temporarily and then forgotten about. Hidden information in the document might not necessarily constitute a security risk, but it might not be information you want to distribute in the final version of the document. Word 2007 introduces a tool called the Document Inspector, which can identify and purge unwanted information.

The Document Inspector can find and remove the types of information listed Table 9-3.

Table 9-3: Content Removed by Document Inspector
Open table as spreadsheet




Comments and annotations

Word, Excel, PowerPoint

Side comments added to the page or ink annotations inserted using a pen tool

Revisions and version information


History information logged when the Track Changes feature is enabled or comments are inserted

Document properties and personal information

Word, Excel, PowerPoint

Metadata stored in the document (such as title, subject, and author), as well as personal information (such as e-mail headers, routing slips, and template names)

Custom XML data

Word, Excel, PowerPoint

Custom XML data that might have been inserted into the file

Headers and footers (including watermarks)

Word, Excel

Information in headers and footers that might be hidden

Hidden text and invisible content


Text that might have been formatted as hidden but could be revealed by another user

Hidden rows and columns


Rows and columns that have beenr hidden

Hidden worksheets


Worksheets that have been hidden

Invisible on-slide content


Objects that have been set to be invisible

Off-slide content


Objects that have been moved off the visible slide area

Presentation notes


Information in the Notes section of the slides

To use the Document Inspector, complete the following steps:

  1. From the File menu, select Prepare, and then click Inspect Document.

  2. Clear the check boxes next to any items you don't want the inspector to scan for, and then click Inspect.

  3. A results page will display the types of items found and a Remove All button next to each type of item to clear it from the document.

Using Digital Signatures

Word 2007 and Excel 2007 applications introduce enhanced support for digital signatures applied to the contents of a document. Digital signatures can be used in place of physical signatures to allow you to provide verifiable approval for a document without the need to print and fax it. Following is a list of the major benefits of digital signatures:

  • Authenticity Assures that the identity of the author is valid

  • Integrity Assures that the content has not been modified since it was digitally signed

  • Nonrepudiation Assures that authors cannot later deny their use of a digital signature

Enabling Support for Digital Signatures

The first step in working with digital signatures in your documents is to establish your credentials through a digital certificate. Although you can create a self-issued certificate and sign documents with it, this approach will only help you make sure no one has tampered with your own documents.

To validate the authenticity of another user's digital signature, you must have access to the same certificate authority (CA). A CA is an organization that issues and revokes digital certificates and that can be used to validate a certificate as authentic. A CA can be a third-party company that provides certificates to users in your organization or it can be an internal IT group that generates the certificates.

Whether or not you need to use certificates from an outside company depends on who you will be exchanging documents with. If only users within your organization will be signing and validating documents, an internal certificate authority will be able to validate every transaction. However, if documents will be transferred to users in other companies or organizations and the digital signatures need to be validated, you might need a third-party certificate that can be validated by an external authority.

Using a Signature Line

With the digital signature feature in the Microsoft Office system, you can now create a signature line in a document where you want someone to sign and then send the document to the person, who can then sign it digitally. When a user signs a document digitally, she uses a digital signature to encode the file so that others can validate when and by whom the document was signed. A user also can either enter her name or use a graphical image with her hand-written signature in it to display in the document. Digital signature placeholders can be inserted into both Word 2007 and Excel 2007 files, but they cannot be used in PowerPoint 2007 or Access 2007 files. However, any user with a digital certificate can sign a Word 2007, Excel 2007, or PowerPoint 2007 file without using a signature placeholder. In these cases, the entire document is digitally signed.

Creating a Digital Signature Placeholder

To insert a placeholder into a document to receive a digital signature, follow these steps:

  1. Click the line in the file where you want the signature to appear.

  2. Click the Insert menu.

  3. In the Text group on the Ribbon, click the Signature Line button.

  4. Type the signer's information (using the suggested information that follows) in the Signature Setup dialog box, as shown in Figure 9-16:


    Suggested Signer Type the intended signer's name.


    Suggested Signer's Title Type the intended signer's official position in relation to the document being signed.


    Suggested Signer's E-mail Address Type the intended signer's unique e-mail address.


    Instructions To The Signer Type any additional instructions.


    Allow The Signer To Add Comments In The Sign Dialog Select this option to provide an area for the signer to enter comments when he signs.


    Show Sign Date In Signature Line Select this option to display the date signed as part of the signature line.

  5. Click OK.

image from book
Figure 9-16: Inserting a signature placeholder

Digitally Signing a Document with a Placeholder

To digitally sign a document that has a Signature Line placeholder, complete the following steps:

  1. Double-click the Signature Line to open the Sign dialog box, as shown in Figure 9-17.

  2. Type the signer's name, or select a prepared hand signature image to use by clicking Select Image, which will let you browse for an image file on your hard disk.

  3. Click the Change button to select the digital signature to use to sign the document, then click OK.

  4. Enter a purpose for signing the document (optional).

  5. Click Sign.

image from book
Figure 9-17: Signing a document

Digitally Signing a Document Without a Placeholder

To digitally sign a document without a Signature Line placeholder, complete the following steps:

  1. Click the Office menu.

  2. Select Prepare, and then click Add A Digital Signature.

  3. Click the Change button to select the digital signature to use to sign the document, then click OK.

  4. Enter a purpose for signing the document (optional).

  5. Click Sign.

Viewing Digital Signatures

To view digital signatures in a document, complete the following steps:

  1. Click the Office menu.

  2. Select Prepare, and then click View Signatures

  3. In the Signatures pane, click the drop-down menu for a signature and select Signature Details.

Item-Level Permissions

SharePoint Server 2007 introduces the ability for you to set item-level security on documents in document libraries. You can individually secure documents so that only specific users and groups can read or edit them.


By default, the item-level permissions of documents inherit from the permissions settings of the document library. Setting permissions on an individual file breaks the permissions inheritance.

In general, you might find it easier to manage large numbers of documents by creating several document libraries, each with unique library-level permissions, and then placing documents into the appropriate library to assign them permissions. By default, the permissions of libraries and documents can be assigned by the Site Owner, but any user who is assigned Full Control over the library can set permissions on individual documents within it.

To set permissions on a document in a library, complete the following steps:

  1. Browse to the document library.

  2. Click the drop-down list on a document, and select Manage Permissions.

  3. Click the Actions menu, and select Edit Permissions.

  4. Click OK to break the permissions inheritance.

  5. Select the check box next to any users or groups from the parent library that you do not want to have permissions on this document. Then click the Actions menu, and select Remove User Permissions.

  6. Select the check box for any other users or groups for which you want to change permissions, click the Actions menu, and select Edit User Permissions.

  7. Click the New menu, select Add Users to add users, and grant them permissions.

Rights Management Services

The item-level permissions supported by SharePoint Server 2007 assist in securing documents that reside in document libraries, but what if you need even greater control over what users can do with documents? For example, anyone who has the right to read a Word document in SharePoint generally has the right to print the document. In addition, after a user has downloaded the document from SharePoint, you no longer have any control over it. If you want to apply more specific controls to documents and ensure that these controls are enforced anywhere the document resides, you need to implement Rights Management Services (RMS).

RMS is designed to protect Microsoft Office documents used within your organization from unauthorized use, and it applies to documents both inside and outside of SharePoint. RMS goes beyond SharePoint protections by encrypting the document and applying the security restrictions directly to it so that even if the document is removed from the SharePoint server or the network, the security restrictions are retained. Essentially, after the file is encrypted using RMS, only users authorized by the RMS server can access the document. All others users are blocked, and even if they attempt to open the file in another application they will see only the illegible encrypted version.

RMS is designed for organizations that need to persist data protection with the documents themselves to protect sensitive information, such as product design plans, medical records, credit card lists, and personal client data (such as Social Security numbers). RMS allows organizations to protect data through a set of usage rights and conditions that are applied to the document and protect any binary format of the file so that the usage rights apply to the document regardless of how it is transmitted.

RMS permissions are administered through the definition and application of Rights Policy templates. A Rights Policy template describes the specific permissions and conditions that will be assigned to users of a given type of content. A user with permissions to apply RMS policies then secures a document by assigning a Rights Policy template to it. The rights policy assigned to a document becomes part of the publishing license for that information, which also includes the list of users who can access the content. The following is a list of the rights that can be assigned to a Rights Policy template:

  • Full Control

  • View Rights

  • Export (Save As)

  • Save

  • View

  • Print

  • Extract

  • Edit

  • Allow Macros

  • Forward

  • Reply

  • Reply All

Microsoft Office Sharepoint Server 2007 Administrator's Companion
MicrosoftВ® Office SharePointВ® Server 2007 Administrators Companion
ISBN: 0735622825
EAN: 2147483647
Year: 2004
Pages: 299

Similar book on Amazon
Microsoft Office SharePoint Server 2007 Best Practices
Microsoft Office SharePoint Server 2007 Best Practices
Microsoft SharePoint 2010 Administrator's Companion
Microsoft SharePoint 2010 Administrator's Companion
Professional SharePoint 2010 Administration
Professional SharePoint 2010 Administration
Inside Microsoft  Office SharePoint  Server 2007
Inside Microsoft Office SharePoint Server 2007 © 2008-2017.
If you may any questions please contact us: