Security Advisor
Locking up the Office
Office XP is a big product, one that requires close scrutiny to properly lock down.
- By Roberta Bragg
- 06/01/2003
Some good friends from far away are coming for a visit. As I look around
my home, I'm getting mildly panicked. I guess I've got my work cut out
for me. True friends that they are, they've already accepted me as I am,
and I'm sure they'll accept the house as it is. But I'd like for them
to be able to enter without feeling they need a shovel or backhoe to find
a place to sit.
All this "seeing-my-dwelling-as-an-outsider-might" has gotten
me thinking about our networks and how the nameless and dreaded "enemy"
might see parts of them as cluttered hodgepodges that barely hide unguarded
jewels. I also think about how some Internet worm might take a legitimate
path through your most excellent defenses to gnaw at the desktops in your
networks' soft inside. Just as I need to turn my good intentions about
cleaning and organizing my house into reality, we all need to pay more
attention to the defense we provide for the data and systems that lie
within our networks—and those that travel outside of them. Like
housework, this type of work isn't sexy. It carries no recognition from
peers; you'll gain no visibility from management. Like housework, though,
it's got to be done. Like Heloise, I'll lend a hand.
Toward that effort, this column discusses security for Microsoft Office
XP. Please note: Office XP is a large suite of applications, so I can't
talk about all of them this month. In addition, there are earlier versions
of Office and not all the information mentioned below will be applicable
or usable in these versions. There are also distinct security issues that
apply to different applications in the suite. I could spend several columns
talking about Outlook, and FrontPage certainly deserves its own space.
However, this month's discussion will be Office XP security features and
necessary security steps common to Word, Excel and PowerPoint.
Your goal in securing Office XP should be two part. The most visible
one, of course, is to protect data in Office XP-created files. In addition,
though, you need to consider the possibility that Office XP might be an
attack vector or that users may inadvertently use some Office XP feature
and put their system and/or data, or the security and availability of
the network, at risk. These issues can be addressed by considering the
Office XP features that help keep your data secure, steps to secure the
Office XP environment, and keeping Office XP updated with service packs
and hotfixes.
Securing Data
First-level protection for Office XP data files is the same as
that for other files—they can be protected by limiting their access.
This can be accomplished via sound security policies for network and computer
system access, including excellent perimeter controls, onboard firewalls,
strong passwords, system hardening, file system permissions and possibly
via the Encrypting File System (EFS). These topics have been addressed
in previous columns and are well documented in the Microsoft Certified
Professional Magazine archives, in Windows product documentation and
online at www.microsoft.com.
There are two methods to protect Word, Excel and PowerPoint documents.
Using encryption is one way; the other is through validating document
origination via digital signature. Encryption gives a choice of multiple
algorithms, as seen in Figure 1.
Figure 1. A host of encryption algorithms is
available from the Advanced button of the Security property page.
To access document security options, select the Security tab from the
Tools | Options pages, as Figure 2 shows. Options include:
- Protecting elements within documents such as a range of Excel cells.
- Blocking access to document text, while allowing comments and tracked
changes (Word).
- Requiring passwords to open files (Word and PowerPoint).
- Requiring passwords for file modification (Word and PowerPoint). This
mode will allow the file to be opened as a read-only document. This
is useful when a document should be shared, but not modified, by those
who can read it.
- Recommending that the file be opened in read-only mode. This offers
no real security but allows a user to prevent accidental modification
by warning individuals when they open the file.
Figure 2. The Security tab is the starting point
for most Office XP security options.
Note: When Office documents are marked for
protection, they're encrypted and, therefore, not indexed by either Find
Fast or the Office Server Extension. This little bit of obscurity can
be helpful in preventing curious malingerers from discovering, say, documents
titled "2003 budget" or some such obviously juicy topics.
The encryption key used to protect Office documents is the user-assigned
password. We've all heard about the weak protection afforded by Office's
password-based encryption schemes in the past. The main complaint was
that the password was stored where readily available tools could retrieve
it. Passwords aren't stored in clear text in Office XP, nor are they "crackable"
via known tools. You don't have control over what the user uses for a
password, though. A weak password or one not securely stored will make
data more vulnerable to an attack. And, of course, if the user forgets
the password, the data is lost.
If enterprise-strength protection is required, a better choice may be
EFS. However, do not promote the use of EFS for file encryption unless
a strategy for using EFS and archiving EFS keys is in place.
Note: A programmer can use Visual Basic for
Applications to encode passwords for use in opening a document. Don't
allow this. Hard-coding passwords into programs or scripts is always a
bad idea. An attacker merely has to obtain the script to discover the
password.
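One way to audit for this, as an added example that is not code from the original column: a Python scanner that flags string literals passed to the password arguments of Word's Documents.Open and Excel's Workbooks.Open in exported VBA source. The sample macro, its file paths and its passwords are constructed for illustration.

```python
import re

# Password-bearing named arguments of Word's Documents.Open and
# Excel's Workbooks.Open.
PASSWORD_ARGS = ("PasswordDocument", "PasswordTemplate",
                 "WritePasswordDocument", "WritePasswordTemplate",
                 "WriteResPassword", "Password")

# name:="literal"; VBA escapes a quote inside a string by doubling it.
_LITERAL = re.compile(
    r'\b(%s)\s*:=\s*"((?:[^"]|"")*)"' % "|".join(PASSWORD_ARGS),
    re.IGNORECASE)

def logical_lines(source):
    """Yield (first_line_number, text), joining ' _' continuations."""
    buf, start = "", None
    for n, raw in enumerate(source.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith(" _"):
            buf += line[:-1]          # drop the underscore, keep the space
            continue
        yield start, buf + line
        buf, start = "", None

def strip_comment(line):
    """Cut a trailing ' comment, ignoring apostrophes inside strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def find_hardcoded_passwords(source):
    """Return (line, argument) pairs; the secret itself is never echoed."""
    findings = []
    for lineno, text in logical_lines(source):
        for m in _LITERAL.finditer(strip_comment(text)):
            if m.group(2):            # "" means no password was supplied
                findings.append((lineno, m.group(1)))
    return findings

# Constructed sample: an exported module with made-up paths and passwords.
SAMPLE = r'''Sub OpenBudget()
    ' old call: PasswordDocument:="ignored-in-comment"
    Documents.Open FileName:="C:\Docs\budget.doc", _
        PasswordDocument:="Spring2003"
    Workbooks.Open Filename:="C:\Docs\plan.xls", Password:=pw
    Workbooks.Open Filename:="C:\Docs\q2.xls", WriteResPassword:="edit""me"
End Sub
'''

if __name__ == "__main__":
    for lineno, arg in find_hardcoded_passwords(SAMPLE):
        print(f"line {lineno}: literal passed to {arg}")
```

The scanner covers named arguments only; a password passed positionally or built up in a variable still needs a manual review of the call.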
Instructions for applying these types of protection vary between Office
products, so be sure to check each program's documentation.
Protecting Private Information
Knowing a document's author or who made tracking changes or comments
is important for some internal usage. Distributing that information widely
may not be the best course of action. Personal information can be removed
when the document is saved. Three options on the Security tab are related
to privacy:
- Remove personal information from this file on save (Word, Excel,
PowerPoint)—this strips file properties (author, manager,
company, last saved by), names associated with comments or tracked changes
(names are changed to "author"), the routing slip, e-mail
message header (generated with the e-mail button), and versioning information
(the Saved By name is changed to "author"). All these changes
reduce editor visibility.
- Warn before printing, saving or sending a file containing tracked
changes or comments (Word)—this gives a warning, which must
be approved before the action can continue.
- Store random number to improve merge accuracy (Word)—Enabled
by default, this allows Word to keep track of related documents. Because
these numbers might be used to demonstrate a relationship between documents,
you can choose not to store these numbers. Doing so, however, may negatively
affect the results of a merge.
Hidden Gem: Protect Document
I just love creeping through the documentation
on the Microsoft Web site and trying out new features
in the products. It’s somewhat akin to finding
lost treasures when cleaning out closets: You end up
spending time playing old games, trying on feather boas,
exposing interesting objects, and wondering what in
the heck that was ever used for.
Protect document data from modification
while allowing review by using the “Protect
Document” settings.
Sometimes, though, you find a very useful tool. The
Protect Document button on the Security tab in Tools
| Options is one such tool. It’s one of those
non-obvious things I wish I’d known about earlier.
From this dialog box, select items you wish to allow
someone else to modify on your document. Using this
option can prevent changes to any text in your document,
while allowing the right to use comments, tracked changes
or form data. This way, you won’t ever lose the
original document text.
I like using reviewer’s comments. With this option
protecting my document, reviewers can make all the comments
they want, but can’t change or add to my original
text. This helps ensure that future reviewers can add
comments to circulating documents without changing the
text.
Try out this feature.
Macro Management
ActiveX controls may be simple OLE or COM objects such as a text
or dialog box. Scripts can be written to control how the object works,
and the controls can be easily distributed across the Web. This is how
many plug-ins work to bring us formatted documents, Flash Web animations
and other elements. In addition, you can use simple Visual Basic for Applications
scripts or macros to automate legitimate Office actions such as entering
a multi-line address or inserting a table with a specific size and borders.
Macros can be a simple recording of keystrokes made from Tools | Macro
| Record New Macro or can be entered directly in the Visual Basic editor
that comes with Office. Like any feature, these productivity enhancers
can be used for evil, also. Most of you remember the first macro virus—Melissa—which
infected Word documents and e-mailed itself around the world. Your antivirus
products protect you from Melissa and other "known" macro viruses,
but they can't protect you from unknown viruses and worms. Use antivirus
products and update them frequently. Also use the built-in protective
mechanisms in Office.
Just as you must protect Internet Explorer from possible control-based
attacks, you need a strategy to protect Office. Like IE, you must make
security settings choices and/or empower users by training them to question
the safety of a control.
Note: It's important to realize that macro
security settings in Office don't affect Internet Explorer (IE), nor do
settings in IE affect whether or not a control will run in Office. In
order to control the possible execution of malicious macros or controls
on desktop systems that run in Office and IE, you must configure both
products.
Preserve macro security to control the execution of macros and ActiveX
controls and, thus, prevent possible harm via malicious scripts or controls
in Office documents.
By default, macro security is set to High in Office XP; all Microsoft
wizards, macros, add-ins and controls are trusted (see Figure 3). However,
these settings are easily configurable. To change the setting, click the
macro Security button from the Security tab. Macro security levels can
also be set in Group Policy or Systems Policy. The advantage, of course,
is that these settings can be used to enforce macro security. Properly
set, policy-based macro security won't allow users to change them. Set
the macro Systems or Group Policy on computers; setting a user policy
will allow the user to change settings.
Figure 3. The default setting for macro security
is High, automatically disabling unsigned macros.
What happens when an attempt is made to run a macro depends on the security
setting, whether the macro or control is signed, and whether the signature
is valid and the certificate good. The three possible settings are:
- High—Insist that only approved controls and macros
are used. Require confirmation that controls are signed by trusted sources.
Trusted sources can be external organizations or your own. Trusted sources
are registered (listed) in, and can be removed from, the Trusted Sources
tab in macro security. (Once a source is trusted, it's trusted in all
Office applications, but not in IE.) Note that, by default, all Microsoft
controls, macros and wizards are signed and trusted.
- Medium—The action taken will depend. If the source
is trusted and the signature valid, the macro will run. However, other
cases will require the user to approve execution. Users must be trained
not to click "OK" when presented with this choice.
- Low—No protection. All macros will run without prompting.
Regardless of the macro security settings, if antivirus software that
works with Office XP is installed, any macros in a file will be scanned
before the file is opened. Also, regardless of settings, if the currently
logged on user authored the macro, it'll run. If administrators don't
lock settings, a user can change them. See the section on Group Policy
Office settings to learn how to lock macro security.
Table 1. Macro Security Action

| Macro Condition | High | Medium | Low |
|---|---|---|---|
| Unsigned macro | Disabled | User prompted to enable or disable. | All macros treated equally. No prompt or signature validation. Macros are enabled. |
| Signed: Trusted source with valid signature | Enabled, file opened | Enabled, file opened. | Macros are enabled. |
| Signed: Unknown author, valid signature | User can approve, if security settings aren’t locked | User prompted to enable or disable; can trust developer and Certification Authority. | Macros are enabled. |
| Signed: Trusted or unknown source, invalid signature | Disabled: User warned of possible virus | Disabled: User warned of possible virus. | Macros are enabled. |
| Signed: Public key missing, or encryption invalid | Disabled. User warned that validation isn’t possible | User warned that validation isn’t possible. Allowed to enable or disable. | Macros are enabled. |
| Signed: Certificate expired or revoked | Disabled. User warned | User warned about expired or revoked certificate. Allowed to enable or disable. | Macros are enabled. |
Whom Do You Trust?
A Trusted Source is a developer trusted to produce safe controls
(i.e., controls that won't do damage). The only way to "trust"
these developers is by obtaining a copy of the digital certificate they
use to sign their controls.
Unsigned controls, even if produced by someone trusted, can't become
trusted sources in your Office environment. You can't directly enter a
trusted source in the Trusted Source dialog box of the macro security
settings (see Figure 4); Trusted Sources can only be added by accepting
the certificate of a signed control when presented. A policy that dictates
enterprise definition of trusted sources is best. Therefore, you must
provide a list of trusted sources for Office users and install them. To
set Trusted Sources for Office users in your enterprise:
1. In Office, open the file or load the add-in containing the macros
whose developer you want to add.
2. In the Security Warning box select "Always trust macros from
this source."
3. Continue steps 1 and 2 until you've accepted one item from each developer
you wish to trust.
4. To transfer this trusted source list to many users, use the Office
Profile Wizard to develop a profile used during Office installation
or the Office Custom Maintenance Wizard to modify current installations.
These tools and instructions for using them are available with the Microsoft
Office XP Resource Kit. (The Resource Kit documentation is online, and
tools can be downloaded for free.)
Please note that you can create a self-signed certificate and use it
to sign macros and controls you create yourself (done through the selfcert.exe
tool, which comes on the Office CD). However, this certificate will be
good only on your copy of Office when you're running it; you can't use
a self-signed certificate to sign macros for use by others. If you need
to provide signed macros, you'll have to obtain a code-signing certificate
from a Certification Authority.
Figure 4. The "Trusted Sources" list
contains developers whose controls won't damage your network.
Guillotine Visual Basic for Applications?
There are those who argue
that Visual Basic for Applications is a sinful perpetrator,
a predator’s lair ready and available to support
the existence of malicious activity within innocent
Office documents. They say rip it out, remove it and,
thus, reduce the possibility it will be used to attack
you.
There is, actually, a sound security principle
that supports their view. That principle says reduce
the attack surface; if you don’t use something,
don’t install it. I’d hazard a guess that
there are thousands of Office users who’ve never
written a macro or used one of the Microsoft provided
macro-based tools, as well as hundreds of IT environments
where the use of macros or controls in Office applications
isn’t part of the plan. In these environments,
it only makes sense to remove VBA. In fact, it may make
sense in some areas of any company to install Office
without installing VBA.
However, you should note that there are
useful productivity features (including tools on the
Web) provided by Microsoft in the form of wizards and
add-ins that won’t be available if VBA is removed.
Also, Access can’t be installed and will be removed
if VBA is removed. As always, you need to test each
Office application to determine the impact of removing
VBA. If you find that not installing VBA isn’t
a good solution in your environment, you can use a Group
or System Policy to disable VBA for selected computers.
During Office installation, you can choose
to not install VBA. You can always install it later,
should you discover a need for it.
Administrative Control Using Group or Systems Policy
The really exciting capabilities for Office security are available
by using Systems Policy (Windows NT 4.0) or Group Policy (Windows 2000
and higher). To do so, you must obtain and load the specialized ADM files
for Office. These come on a CD-ROM with the Office Resource Kit. You can
also download them for free from www.microsoft.com/office/ork/xp/appndx/appc00.htm
(look for the file orktools.exe).
To use the files in Group Policy, open the Group Policy Object (GPO)
and navigate to the Administrative Templates section. When you right-click
on this node and choose Add/Remove Templates, you can select the ADM file
in the dialog box. To use the files in Systems Policy, open the Systems
Policy Editor and load the ADM file into the editor from the Options |
Policy Templates menu. In either case, you must then review the choices
and select them appropriately.
Remember that your situation may require a different security approach;
my recommendations here are for standard Office installations where many
special features aren't required.
Templates also exist for individual Office applications. Excel, Access,
FrontPage, Outlook, PowerPoint and Publisher have their own templates
that can be loaded for user configuration. Hundreds of settings are available;
the majority of them have to do with how Office applications work, not
how to secure the applications. The Office "How" settings can
be important in your environment, as they influence the standard look
and feel of Office.
However, within the application templates are also the means for establishing
control over the security settings discussed earlier. In addition, the
ability to control what a user can do within Office lies in the template
settings for disabling menu items and shortcut keys. If, for example,
you want to ensure that users don't see Tools menu commands for using
macros, you can disable them by checking these menu elements in the Disable
Items in User Interface | Predefined | Disable command bar buttons and
menu items. Figure 5 illustrates this option. Remember, though, that disabling
these menu items doesn't prevent macros from running or users from using
other means to create or obtain macros.
Figure 5. You can use Group Policy Objects to
keep users from using, or even seeing, the macro creation tool.
Another template entry allows disabling of shortcut keys. Finally, you
can disable any command bar menu-item element in Office products by entering
its Control ID into the companion policy, "Disable Items in User
Interface, Custom | Disable command bar buttons and menu items."