Security Settings in Office XP

Office XP provides several methods for managing application and document security. A basic understanding of how the Office XP security features work can help you create a secure environment for your users' applications and data. The primary areas for Office XP security are ActiveX and macros security.

Configuring ActiveX and Macros Security

Office XP enables you to configure security for ActiveX controls and macros that are signed using Microsoft Authenticode. Office XP verifies that the control or macro code remains unchanged after being signed with a digital certificate. Signing controls and macros also provides assurance that they originated from the signer.

ActiveX controls are used to add dynamic or interactive content and functionality to Office XP documents. When the ActiveX security controls are active or when a user attempts to load an unregistered ActiveX control, the Office XP application checks to see whether the control has been digitally signed.

Macros are used to complete a series of application commands and instructions that are grouped together as a single command to accomplish a task automatically. Many of the viruses that are active on the Internet today attempt to exploit the macro features of Microsoft Office applications. Thus, you must consider the level of macro security configured on your network.

Signing macros allows you to exercise control over the macros users can run. You can specify that unsigned macros may or may not run. You can also control which certificates will be trusted by Office XP for signing macros. Because the digital certificates that you create yourself are not issued by a formal Certification Authority (CA), macro projects signed by using such a certificate are referred to as self-signed projects. Certificates you create yourself are considered unauthenticated and generate warning messages if the security level is set to High or Medium.

You can configure how Office XP applications handle ActiveX controls and macros by configuring the level of macro security in Office XP. Three levels of macro security exist:

  • High Security

    ActiveX controls not signed by a trusted authority will not run.

  • Medium Security

    Users are prompted to accept or reject the digital signature of the control. If the signature is accepted, the control is loaded and run.

  • Low Security

    Digital signatures are ignored and the ActiveX controls are run without user intervention. You should configure this setting only if you have specific technical reasons for doing so.

    After the control is registered on the user's system, the control no longer displays code-signing dialog boxes asking the user whether the control should be allowed to run. Once a control is installed, it is considered safe, even if it did not have a digital signature when it was installed.

The Office XP Trusted Sources feature enables you to specify that executables must be digitally signed to run on users' computers and that only executables from a list of trusted providers can be executed. Using the Trusted Sources feature requires that a digital certificate be used to sign each executable. The digital signature identifies the source, providing assurance to the user that the code is safe to run.

With Office XP, you can turn the Trusted Sources feature off or create a list of trusted sources as a default. When the use of trusted sources is enabled, any installable code (such as COM add-ins, applets, and executables) is automatically copied to, or run from, the user's computer on the condition that the signature on the code indicates that it came from a trusted source.

You can configure Office XP and Office 2000 security settings on Windows 2000 and Windows XP computers by using Group Policy. To add the Administrative Template files for Office XP or Office 2000 to Group Policy, follow the instructions in 307732: How to Add a Windows 2000 ADM Template to a Group Policy Snap-In in Office XP. (You can access this article by going to http://support.microsoft.com and entering the article number in the Search The Knowledge Base text box.) Figure 10-4 shows the computer-related security settings in Group Policy for Office XP.

Figure 10-4. Computer-related security settings for Office XP in Group Policy

Configuring Security for Outlook 2002

Arguably, the biggest security threats to most computers are e-mail viruses and Web viruses. Although user education and antivirus software are the best defenses against these viruses, you can also configure the security in Outlook 2002 to help prevent these threats. Default settings for security can be created during deployment by using the Custom Installation Wizard (CIW). After the deployment, the security settings can be maintained and updated by using the Custom Maintenance Wizard (CMW). However, the CIW and CMW do not provide any policy enforcement. For policy enforcement, you can use Group Policy.

Attachment Security

Code attached to e-mail messages can contain worms or viruses. After one machine is infected with a worm or virus, the nature of networked e-mail systems allows these rogue applications to propagate themselves rapidly. To protect against virus infection, Outlook checks the file type of each message attachment against an internally maintained list of attachment file types. Administrators can also specify a list in a Microsoft Exchange public folder so that specific Outlook clients in an organization have a custom list. Each file type on the list is assigned one of these levels:

  • Level 1

    File types, such as .bat, .exe, .vbs, and .js, are blocked by Outlook, and users cannot view or execute the attachment. A message is displayed to the user, letting her know about the blocked attachments. In addition, when you send an attachment that has a Level 1 file type extension, a message displays to warn you that Outlook recipients might not be able to access this type of attachment.

  • Level 2

    This level applies to all other file types. Level 2 attachments let you see the icon for the attachment. When you double-click this icon, you are prompted to save the attachment to your hard disk, but you cannot run the file directly from its location. After you have saved the attachment, you can decide how to handle it.
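The two attachment levels can be modelled as a check on the extension the operating system would act on. The following Python sketch is an added example, not code from the book or from Outlook; the function names are hypothetical, the Level 1 set holds only the four types named above, and a custom list is modelled by passing a different set.

```python
# Added example: models the two attachment levels described above.
# The Level 1 set holds only the four types the text names; a custom
# list is modelled by passing a different set to the functions below.
DEFAULT_LEVEL1 = frozenset({".bat", ".exe", ".vbs", ".js"})


def effective_extension(filename):
    """Return the lowercased extension Windows would act on, or ""."""
    # Drop any path component a sender might embed in the name.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces: "a.vbs. " opens as "a.vbs".
    name = name.rstrip(". ")
    if "." not in name:
        return ""
    # Only the last extension decides the handler ("invoice.pdf.exe" is .exe).
    return "." + name.rsplit(".", 1)[1].lower()


def attachment_level(filename, level1=DEFAULT_LEVEL1):
    """Return 1 (blocked) or 2 (save to disk before opening)."""
    return 1 if effective_extension(filename) in level1 else 2


def triage(filenames, level1=DEFAULT_LEVEL1):
    """Split a message's attachments into blocked and save-only lists."""
    result = {"blocked": [], "save_only": []}
    for name in filenames:
        key = "blocked" if attachment_level(name, level1) == 1 else "save_only"
        result[key].append(name)
    return result


# Constructed sample input, not taken from a real message.
SAMPLE = ["report.doc", "invoice.pdf.exe", "SETUP.EXE", "run.vbs. ", "notes"]

if __name__ == "__main__":
    print(triage(SAMPLE))
    # A hypothetical custom list that also blocks .scr files.
    print(attachment_level("saver.scr", DEFAULT_LEVEL1 | {".scr"}))
```

Matching on the last extension after normalizing case and trailing characters keeps a name such as invoice.pdf.exe from being treated as a Level 2 document.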

Protecting HTML Messages

To protect against viruses that might be contained in HTML messages you receive, you can use the default security zone in Outlook 2002: Restricted Sites. When you use this security zone, scripts in HTML-formatted e-mail messages will not run and ActiveX controls will be deactivated. You also should consider turning off JavaScript to protect against malicious exploits that are based on JavaScript. However, note that doing so can reduce some mail functionality when you are reading mail sent by users or organizations that depend on embedded JavaScript. You can turn off JavaScript by customizing the security options in the Restricted Sites zone, either by disabling JavaScript or by prompting users to choose Active Scripting.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
