Chapter 23: Office 2003 Security Environment

Download CD Content

Security was a major focus in the development of Microsoft Office 2003. More emphasis was placed on eliminating security flaws than in any previous release of the Microsoft Office System, which helped to produce our most robust level of security to date. However, administrative and user-level security vulnerabilities can still be exposed by improper configuration of settings and by user methods. This chapter addresses specific security issues an administrator should take into consideration when deploying or maintaining an Office configuration in a corporate setting. Along with this information are suggestions and recommendations for how to limit exposure to attacks and how to manage the security of a deployed installation through security-related policies.

Overview of Office Security

Establishing the most secure computing environment possible requires limiting the vulnerability of applications and data to malicious attacks. Unfortunately, closing all the possible holes in an organization’s security is difficult, maybe impossible. Therefore, one of the best methods of establishing a more security-enhanced environment is to limit the number of possible avenues of attack.

The methods discussed in this chapter of the Microsoft Office 2003 Editions Resource Kit should help the administrator implement procedures to help limit direct assaults on data from external and internal attacks. Part of implementing these methods is training users on how to protect themselves and the company from attack. This training usually builds user awareness of the issue of security and ownership of the data they are trying to protect.

Knowledgeable users who know how to implement security and are aware of the possible threats are the first line of defense against unauthorized access to content; by the same token, untrained users can expose an organization to unauthorized or malicious use of its data. Establishing a corporate policy for how files are distributed and handled helps mitigate security vulnerabilities caused by untrained users.

Microsoft Office 2003 provides new methods and features for helping to manage application and document security. Understanding how to use and set the following security-related features in Microsoft Office can help establish a more secure environment:

• Macro security

• Certificate revocation

• Trusted sources

• Microsoft ActiveX controls

• Password and encryption protection

• Privacy options

• Rights Management (Information Rights Management)

Microsoft Visual Basic for Applications (VBA) is also an aspect of security that administrators should be aware of. VBA can be used for malicious use and therefore can be disabled if need be. However, disabling VBA has a number of effects on Office functionality that should be understood before it is disabled.

Each of the areas above is discussed in subsequent sections of this chapter or is addressed in other referenced content. It is highly recommended that you review these components and features prior to deploying Office to determine whether you need to make changes to suit your business needs.

The majority of these security-related settings are controlled through the Custom Installation Wizard or Custom Maintenance Wizard, or by using policies. At deployment, the Specify Office Security Settings page of the Custom Installation Wizard is used to set the various security options for macro and ActiveX controls. Security settings for macros (and almost any executable program or file run within an Office application) can be changed to High, Medium, or Low by using this page. The default level for macro security in Office is High. Changing Office feature installation states does not affect the macro security settings unless an administrator specifically sets the security settings to a level other than High using this page. However, it is also possible to control these settings by using a policy or by copying an Office configuration from one computer to another using the Office Profile Wizard.