Locking up the Office

Office XP is a big product, one that requires close scrutiny to properly lock down.

Some good friends from far away are coming for a visit. As I look around my home, I'm getting mildly panicked. I guess I've got my work cut out for me. True friends that they are, they've already accepted me as I am, and I'm sure they'll accept the house as it is. But I'd like for them to be able to enter without feeling they need a shovel or backhoe to find a place to sit.

All this "seeing-my-dwelling-as-an-outsider-might" has gotten me thinking about our networks and how the nameless and dreaded "enemy" might see parts of them as cluttered hodgepodges that barely hide unguarded jewels. I also think about how some Internet worm might take a legitimate path through your most excellent defenses to gnaw at the desktops in your networks' soft inside. Just as I need to turn my good intentions about cleaning and organizing my house into reality, we all need to pay more attention to the defense we provide for the data and systems that lie within our networks—and those that travel outside of them. Like housework, this type of work isn't sexy. It carries no recognition from peers; you'll gain no visibility from management. Like housework, though, it's got to be done. Like Heloise, I'll lend a hand.

Toward that effort, this column discusses security for Microsoft Office XP. Please note: Office XP is a large suite of applications, so I can't talk about all of them this month. In addition, there are earlier versions of Office and not all the information mentioned below will be applicable or usable in these versions. There are also distinct security issues that apply to different applications in the suite. I could spend several columns talking about Outlook, and FrontPage certainly deserves its own space. However, this month's discussion will be Office XP security features and necessary security steps common to Word, Excel and PowerPoint.

Your goal in securing Office XP should be two part. The most visible one, of course, is to protect data in Office XP-created files. In addition, though, you need to consider the possibility that Office XP might be an attack vector or that users may inadvertently use some Office XP feature and put their system and/or data, or the security and availability of the network, at risk. These issues can be addressed by considering the Office XP features that help keep your data secure, steps to secure the Office XP environment, and keeping Office XP updated with service packs and hotfixes.

Securing Data
First-level protection for Office XP data files is the same as that for other files—they can be protected by limiting their access. This can be accomplished via sound security polices for network and computer system access, including excellent perimeter controls, onboard firewalls, strong passwords, system hardening, file system permissions and possibly via the Encrypting File System (EFS). These topics have been addressed in previous columns and are well documented in the Microsoft Certified Professional Magazine archives, in Windows pro-duct documentation and online at www.microsoft.com.

There are two methods to protect Word, Excel and PowerPoint documents. Using encryption is one way; the other is through validating document origination via digital signature. Encryption gives a choice of multiple algorithms, as seen in Figure 1.

Encryption algorithms
Figure 1. A host of encryption algorithms is available from the Advanced button of the Security property page.

To access document security options, select the Security tab from the Tools | Options pages, as Figure 2 shows. Options include:

  • Protecting elements within documents such as a range of Excel cells.
  • Blocking access to document text, while allowing comments and tracked changes (Word).
  • Requiring passwords to open files (Word and PowerPoint).
  • Requiring passwords for file modification (Word and PowerPoint). This mode will allow the file to be opened as a read-only document. This is useful when a document should be shared, but not modified, by those who can read it.
  • Recommending that the file be opened in read-only mode. This offers no real security but allows a user to prevent accidental modification by warning individuals when they open the file.
Office XP Security options
Figure 2. The Security tab is the starting point for most Office XP security options.

Note: When Office documents are marked for protection, they're encrypted and, therefore, not indexed by either Find Fast or the Office Server Extension. This little bit of obscurity can be helpful in preventing curious malingerers from discovering, say, documents titled "2003 budget" or some such obviously juicy topics.

The encryption key used to protect Office documents is the user-assigned password. We've all heard about the weak protection afforded by Office's password-based encryption schemes in the past. The main complaint was that the password was stored where readily available tools could retrieve it. Passwords aren't stored in clear text in Office XP, nor are they "crackable" via known tools. You don't have control over what the user uses for a password, though. A weak password or one not securely stored will make data more vulnerable to an attack. And, of course, if the user forgets the password, the data is lost.

If enterprise-strength protection is required, a better choice may be EFS. However, do not promote the use of EFS for file encryption unless a strategy for using EFS and archiving EFS keys is in place.

Note: A programmer can use Visual Basic for Applications to encode passwords for use in opening a document. Don't allow this. Hard-coding passwords into programs or scripts is always a bad idea. An attacker merely has to obtain the script to discover the password.

Instructions for applying these types of protection vary between Office products, so be sure to check each program's documentation.

Protecting Private Information
Knowing a document's author or who made tracking changes or comments is important for some internal usage. Distributing that information widely may not be the best course of action. Personal information can be removed when the document is saved. Three options on the Security tab are related to privacy:

  • Remove personal information from this file on save (Word, Excel, PowerPoint)—this strips file properties (author, manager, company, last saved by), names associated with comments or tracked changes (names are changed to "author"), the routing slip, e-mail message header (generated with the e-mail button), and versioning information (the Saved By name is changed to "author"). All these changes reduce editor visibility.
  • Warn before printing, saving or sending a file containing tracked changes or comments (Word)—this gives a warning, which must be approved before the action can continue.
  • Store random number to improve merge accuracy (Word)—Enabled by default, this allows Word to keep track of related documents. Because these numbers might be used to demonstrate a relationship between documents, you can choose not to store these numbers. Doing so, however, may negatively affect the results of a merge.
Hidden Gem: Protect Document

I just love creeping through the documentation on the Microsoft Web site and trying out new features in the products. It’s somewhat akin to finding lost treasures when cleaning out closets: You end up spending time playing old games, trying on feather boas, exposing interesting objects, and wondering what in the heck that was ever used for.

Protect Document settings
Protect document data from modification while allowing review by using the “Protect Document” settings.

Sometimes, though, you find a very useful tool. The Protect Document button on the Security tab in Tools | Options is one such tool. It’s one of those non-obvious things I wish I’d known about earlier. From this dialog box, select items you wish to allow someone else to modify on your document. Using this option can prevent changes to any text in your document, while allowing the right to use comments, tracked changes or form data. This way, you won’t ever lose the original document text.

I like using reviewer’s comments. With this option protecting my document, reviewers can make all the comments they want, but can’t change or add to my original text. This helps ensure that future reviewers can add comments to circulating documents without changing the text.

Try out this feature.


Macro Management
ActiveX controls may be simple OLE or COM objects such as a text or dialog box. Scripts can be written to control how the object works, and the controls can be easily distributed across the Web. This is how many plug-ins work to bring us formatted documents, Flash Web animations and other elements. In addition, you can use simple Visual Basic for Application scripts or macros to automate legitimate Office actions such as entering a multi-line address or inserting a table with a specific size and borders. Macros can be a simple recording of keystrokes made from Tools | Macro | Record New Macro or can be entered directly in the Visual Basic editor that comes with Office. Like any feature, these productivity enhancers can be used for evil, also. Most of you remember the first macro virus—Melissa—which infected Word documents and e-mailed itself around the world. Your antivirus products protect you from Melissa and other "known" macro viruses, but they can't protect you from unknown viruses and worms. Use antivirus products and update them frequently. Also use the built-in protective mechanisms in Office.

Just as you must protect Internet Explorer from possible control-based attacks, you need a strategy to protect Office. Like IE, you must make security settings choices and/or empower users by training them to question the safety of a control.

Note: It's important to realize that macro security settings in Office don't affect Internet Explorer (IE), nor do settings in IE affect whether or not a control will run in Office. In order to control the possible execution of malicious macros or controls on desktop systems that run in Office and IE, you must configure both products.

Preserve macro security to control the execution of macros and ActiveX controls and, thus, prevent possible harm via malicious scripts or controls in Office documents.

By default, macro security is set to High in Office XP; all Microsoft wizards, macros, add-ins and controls are trusted (see Figure 3). However, these settings are easily configurable. To change the setting, click the macro Security button from the Security tab. Macro security levels can also be set in Group Policy or Systems Policy. The advantage, of course, is that these settings can be used to enforce macro security. Properly set, policy-based macro security won't allow users to change them. Set the macro Systems or Group Policy on computers; setting a user policy will allow the user to change settings.

Disabling unsigned macros
Figure 3. The default setting for macro security is High, automatically disabling unsigned macros.

What happens when an attempt is made to run a macro depends on the security setting, whether the macro or control is signed, and whether the signature is valid and the certificate good. The three possible settings are:

  • High—Insist that only approved controls and macros are used. Require confirmation that controls are signed by trusted sources. Trusted sources can be external organizations or your own. Trusted sources are registered (listed) in, and can be removed from, the Trusted Sources tab in macro security. (Once a source is trusted, it's trusted in all Office applications, but not in IE.) Note that, by default, all Microsoft controls, macros and wizards are signed and trusted.
  • Medium—The action taken will depend. If the source is trusted and the signature valid, the macro will run. However, other cases will require the user to approve execution. Users must be trained not to click "OK" when presented with this choice.
  • Low—No protection. All macros will run without prompting.
    Regardless of the macro security settings, if antivirus software that works with Office XP is installed, any macros in a file will be scanned before the file is opened. Also, regardless of settings, if the currently logged on user authored the macro, it'll run. If administrators don't lock settings, a user can change them. See the section on Group Policy Office settings to learn how to lock macro security.
Table 1. Macro Security Action
Macro Condition High Medium Low
Unsigned macro
Disabled
User prompted to enable or disable.
All macros treated equally. No prompt or signature validation. Macros are enabled.
Signed: Trusted source with valid signature
Enabled, file opened
Enabled, file opened.
Signed: Unknown author, valid signature
User can approve, if security settings aren’t locked
User prompted to enable or disable; can trust developer and Certification Authority.
Signed: Trusted or unknown source, invalid signature
Disabled: User warned of possible virus
Disabled: User warned of possible virus.
Signed: Public key missing, or encryption invalid
Disabled. User warned that validation isn’t possible
User warned that validation isn’t possible. Allowed to enable or disable.
Signed: Certificate expired or revoked
Disabled. User warned
User warned about expired or revoked certificate. Allowed to enable or disable.

Whom Do You Trust?
A Trusted Source is a developer trusted to produce safe controls (i.e., controls that won't do damage). The only way to "trust" these developers is by obtaining a copy of the digital certificate they use to sign their controls.

Unsigned controls, even if produced by someone trusted, can't become trusted sources in your Office environment. You can't directly enter a trusted source in the Trusted Source dialog box of the macro security settings (see Figure 4); Trusted Sources can only be added by accepting the certificate of a signed control when presented. A policy that dictates enterprise definition of trusted sources is best. Therefore, you must provide a list of trusted sources for Office users and install them. To set Trusted Sources for Office users in your enterprise:

  1. In Office, open the file or load the add-in containing the macros whose developer you want to add.
  2. In the Security Warning box select "Always trust macros from this source."
  3. Continue steps 1 and 2 until you've accepted one item from each developer you wish to trust.
  4. To transfer this trusted source list to many users, use the Office Profile Wizard to develop a profile used during Office installation or the Office Custom Maintenance Wizard to mo-dify current installations. These tools and instructions for using them are available with the Microsoft Office XP Resource Kit. (The Resource Kit documentation is online, and tools can be downloaded for free.)

Please note that you can create a self-signed certificate and use it to sign macros and controls you create yourself (done through the selfcert.exe tool, which comes on the Office CD). However, this certificate will be good only on your copy of Office when you're running it; you can't use a self-signed certificate to sign macros for use by others. If you need to provide signed macros, you'll have to obtain a code-signing certificate from a Certification Authority.

Trusted Sources list
Figure 4. The "Trusted Sources" list contains developers whose controls won't damage your network.

 

Guillotine Visual Basic for Applications?

There are those who argue that Visual Basic for Applications is a sinful perpetrator, a predator’s lair ready and available to support the existence of malicious activity within innocent Office documents. They say rip it out, remove it and, thus, reduce the possibility it will be used to attack you.

There is, actually, a sound security principle that supports their view. That principle says reduce the attack surface; if you don’t use something, don’t install it. I’d hazard a guess that there are thousands of Office users who’ve never written a macro or used one of the Microsoft provided macro-based tools, as well as hundreds of IT environments where the use of macros or controls in Office applications isn’t part of the plan. In these environments, it only makes sense to remove VBA. In fact, it may make sense in some areas of any company to install Office without installing VBA.

However, you should note that there are useful productivity features (including tools on the Web) provided by Microsoft in the form of wizards and add-ins that won’t be available if VBA is removed. Also, Access can’t be installed and will be removed if VBA is removed. As always, you need to test each Office application to determine the impact of removing VBA. If you find that not installing VBA isn’t a good solution in your environment, you can use a Group or System Policy to disable VBA for selected computers.

During Office installation, you can choose to not install VBA. You can always install it later, should you discover a need for it.


Administrative Control Using Group or Systems Policy
The really exciting capabilities for Office security are available by using Systems Policy (Windows NT 4.0) or Group Policy (Windows 2000 and higher). To do so, you must obtain and load the specialized ADM files for Office. These come on a CD-ROM with the Office Resource Kit. You can also download them for free from www.microsoft.com/office/ork/xp/appndx/appc00.htm (look for the file orktools.exe).

To use the files in Group Policy, open the Group Policy Object (GPO) and navigate to the Administrative Templates section. When you right-click on this node and choose Add/Remove Templates, you can select the ADM file in the dialog box. To use the files in Systems Policy, open the Systems Policy Editor and load the ADM file into the editor from the Options | Policy Templates menu. In either case, you must then review the choices and select them appropriately.

Remember that your situation may require a different security approach; my recommendations here are for standard Office installations where many special features aren't required.

Templates also exist for individual Office applications. Excel, Access, FrontPage, Outlook, PowerPoint and Publisher have their own templates that can be loaded for user configuration. Hundreds of settings are available; the majority of them have to do with how Office applications work, not how to secure the applications. The Office "How" settings can be important in your environment, as they influence the standard look and feel of Office.

However, within the application templates are also the means for establishing control over the security settings discussed earlier. In addition, the ability to control what a user can do within Office lies in the template settings for disabling menu items and shortcut keys. If, for example, you want to ensure that users don't see Tools menu commands for using macros, you can disable them by checking these menu elements in the Disable Items in User Interface | Predefined | Disable command bar buttons and menu items. Figure 5 illustrates this option. Remember, though, that disabling these menu items doesn't prevent macros from running or users from using other means to create or obtain macros.

Hiding macro creation tool
Figure 5. You can use Group Policy Objects to keep users from using, or even seeing, the macro creation tool.

Another template entry allows disabling of shortcut keys. Finally, you can disable any command bar menu-item element in Office products by entering its Control ID into the companion policy, "Disable Items in User Interface, Custom | Disable command bar buttons and menu items."

Featured