Threats and Countermeasures

Published: November 11, 2007

This guide is a component of the 2007 Microsoft Office Security Guide. It provides detailed vulnerability, countermeasure, and impact information about security-related Group Policy settings for the 2007 Microsoft® Office release, as well as setting recommendations for two different security environments: Enterprise Client (EC) and Specialized Security Limited Functionality (SSLF). It is designed to help you make more informed decisions by providing relevant information about each of the settings.

This guide also contains Common Configuration Enumeration (CCE) IDs for all the settings. CCE assigns identifiers to system configurations to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. With respect to the Security Content Automation Protocol (SCAP), CCE is primarily used to identify security-related configuration issues. For example, CCE IDs could be used to associate checks in configuration assessment tools with statements in configuration best-practice documents. For more information about CCE, visit the CCE Web site.

The majority of settings are User Policy settings, which are listed in the first section. A much smaller section that provides information about Computer Policy settings follows the first section.

The Applies to: information for every setting in this guide indicates the Group Policy location or locations that contain the setting, as determined by the administrative template files. Each setting applies to one or more 2007 Office applications. If a setting is said to apply to the Microsoft Office 2007 System, it does not necessarily mean that the setting applies to all 2007 Office applications, although it might apply to more than one.


The SA-SC team would like to acknowledge and thank the group of people who produced the 2007 Microsoft Office Security Guide: Threats and Countermeasures. The following individuals were either directly responsible for or made a substantial contribution to the writing, development, and testing of this guide.

Content Developers

Bill Gruber – Microsoft

Paul Henry – Wadeware LLC

Paul Slater – Wadeware LLC

Development Lead

Ross Carter – Microsoft


John Cobb – Wadeware LLC

Jennifer Kerns – Wadeware LLC

Steve Wacker – Wadeware LLC

Product Managers

Alain Meeus – Microsoft

Jim Stuart – Microsoft

Program Manager

Flicka Enloe – Microsoft

Release Manager

Karina Larson – Microsoft


Alan Myrvold – Microsoft

Alessio Roic – Microsoft

Alex Vandurme – NCIRC/NATO

Amanda Hartin – Microsoft

Amani Ahmed – Microsoft

Ambrose Treacy – Microsoft

Anurag Jain – Microsoft

Benjamin Gay – Microsoft

Brad Albrecht – Microsoft

Bryan Staats – Microsoft

Chase Carpenter – Microsoft

Dave Kesterson – Microsoft

David Vanophalvens – NCIRC/NATO

Dheeraj Sarpangal – Microsoft

Ed McGinn – Microsoft

Emily Kao Messmer – Microsoft

Eugene Siu – Microsoft

Harshal Doshi – Microsoft

Howie Dickerman – Microsoft

Jeremy Pankratz – Microsoft

Joshua Edwards – Microsoft

Korean Government

Kurt Dillard – Microsoft

Maithili Dandige – Microsoft

Mark Simos – Microsoft

Naresh Krishna Kumar Kulothungan – Infosys Technologies Ltd

Norman Vadnais – Independent

Padgett Peterson – Lockheed Martin

Patrick Smith – Microsoft

Patty Nicholson – Microsoft

Paul Prekeges – Microsoft

Raf Cox – Microsoft

Ryan Gregg – Microsoft

Stacia Snapp – Microsoft

Su-Piao Bill Wu – Microsoft

Tim Getsch – Microsoft

Tom Garity – Independent

Travis Ratnam – Microsoft

Travis Rhodes – Microsoft

Tristan Davis – Microsoft

Waqas Nazir – V-Empower Inc.

Yuriko Kobayashi – Microsoft

Zeyad Rajabi – Microsoft

In addition, the United States Department of Commerce National Institute of Standards and Technology (NIST) participated in the review of this Microsoft security guide and provided comments that were incorporated into the published version.

Test Manager

Gaurav Singh Bora – Microsoft


Harish Ananthapadmaanabhan – Infosys Technologies Ltd.

IndiraDevi Chandran – Infosys Technologies Ltd.

RaxitKumar Gajjar – Infosys Technologies Ltd.

Sumit Parikh – Infosys Technologies Ltd.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.

