Understand security threats and countermeasures for Office 2010
Applies to: Office 2010
Topic Last Modified: 2011-08-05
A secure desktop configuration is an important part of any organization's defense-in-depth strategy. But before you can plan for a secure desktop configuration that includes Microsoft Office 2010, you must understand which security risks and threats are relevant to Office 2010, and then determine which of those security risks and threats pose a risk to the organization's business assets or business processes. You also have to determine which privacy risks and threats pose a risk to users' personal and private information.
In this article:
Information security risks
Threats to desktop productivity applications
Default countermeasures in Office 2010
Information security risks
Most IT professionals and IT security specialists categorize information security risks into three broad categories:
Confidentiality risks These risks represent threats to an organization’s intellectual property from unauthorized users and malicious code that attempt to access what is said, written, and created in an organization.
Integrity risks These risks represent threats to your business resources from unauthorized users and malicious code that attempt to corrupt the business data on which your organization relies. Integrity risks jeopardize any business asset that contains critical information for an organization, such as database servers, data files, and e-mail servers.
Availability risks These risks represent threats to business processes by unauthorized users and malicious code that attempt to disrupt the way that you do business and how information workers complete their work. Business intelligence processes, application features and capabilities, and document workflow processes can all be threatened by availability risks.
To help ensure that your organization is protected from all three of these risk categories, a defense-in-depth security strategy is recommended; that is, a security strategy that includes multiple overlapping layers of defense against unauthorized users and malicious code. Layers typically include the following:
Perimeter network protection, such as firewalls and proxy servers.
Physical security measures, such as physically secure data centers and server rooms.
Desktop security tools, such as personal firewalls, virus scanning programs, and spyware detection.
If Office 2010 is part of an organization’s environment, the defense-in-depth strategy must also include the mitigation mechanisms that are provided with Office 2010. These mitigation mechanisms include many technologies, settings, and features. By using these mechanisms, you can help mitigate threats to Office 2010 applications and help protect the intellectual property, business resources, and business processes that are at the heart of the business.
By default, the Office 2010 security model helps an organization mitigate all three kinds of risk. However, every organization has different infrastructure capabilities, different productivity demands, and different desktop security requirements. To determine exactly how the organization can mitigate these business risks, you have to evaluate the threats and threat agents that exploit these risks.
Threats to desktop productivity applications
The security model for Office 2010 helps you mitigate five kinds of productivity software security threats. Each of these threat types include several threat agents, which can be exploited by various security attacks. The following illustration shows the security threats and examples of the most common threat agents.
Most organizations face some potential risk from five kinds of security threats. However, most organizations deal with unique combinations of threat agents and potential security attacks or exploits.
Active content threats
Active content threats are common desktop security threats. Typical threat agents include ActiveX controls, add-ins, and VBA macros. These threat agents can be exploited by programmers who write malicious code or create malicious programs, which then run on users' computers. Active content threats pose a potential risk to any size organization, especially organizations that let users do the following:
Run ActiveX controls, add-ins, or VBA macros.
Open e-mail attachments.
Share documents across a public network, such as the Internet.
Open documents from sources outside the organization, such as clients, vendors, or partners.
Unauthorized access threats
Unauthorized access threats occur when unauthorized users attempt to gain access to information. Potential targets of unauthorized users include the following:
Document files If unauthorized users gain access to document files, they can delete, replace, or corrupt the files. For example, a malicious programmer might use a file format attack to exploit an unauthorized access threat in a document.
Information within documents This information includes text, graphics, comments, revisions, annotations, custom XML data, hidden text, watermarks and header and footer information. When unauthorized users access the information within documents, they might access sensitive data, such as company confidential data, and personal or private information about users. They can also alter, corrupt, or delete information, and they can use their access to add active content to documents saved in trusted locations.
Metadata Information associated with documents, including document properties such as author name, organization name, document editing time, or document version number. Unauthorized users who gain access to metadata might access sensitive personal or company data. They can also corrupt or remove metadata.
Most organizations face unauthorized access threats, although many organizations do not take sufficient measures to mitigate them because they perceive the threat to be minimal or consider the administrative cost for mitigating the threat excessive. These perceptions could lead to unsafe practices and circumstances such as the following:
The organization's network security architecture cannot prevent an intruder or attacker from gaining access to your internal network, which increases the risk that an intruder or attacker might gain access to your organization's documents.
The organization lets users send, receive, or share proprietary documents over the Internet, including financial data, project plans, presentations, or drawings.
The organization does not prevent users from connecting portable computers to public networks, which increases the risk that an unidentifiable attacker might gain access to the documents that are saved on those portable computers.
The organization does not prevent users from taking documents that contain proprietary information out of the office.
There is a chance that an unauthorized attacker or intruder can gain access to documents that contain proprietary information.
External content threats
External content threats include any threat agent that links a document to another document, a database, or a Web site across an intranet or a public network, such as the Internet. External content threats are exploited through the following threat agents:
Hyperlinks An attacker typically exploits this threat agent by creating hyperlinks to documents that are not trusted or Web sites that contain malicious code or content.
Data connections An attacker typically exploits this threat agent by creating data connections to data sources or databases, and then by using such connections to maliciously manipulate or extract data.
Web beacons A typical scenario for exploiting this threat agent is for an attacker to embed an invisible link to a remote image in an e-mail message. When a user opens the message, the link becomes active and downloads the remote image. In the process, user information can be sent to the remote computer, such as the user's e-mail address and the IP address of their computer.
Packager objects An attacker can exploit this threat agent by having an embedded object run malicious code.
External threats pose a risk if the organization:
Gives users unrestricted access to public networks, such as the Internet.
Does not prevent users from receiving e-mail messages that contain embedded images and HTML.
Does not prevent users from using data connections in spreadsheets or other documents.
These threats can exist when an application or a document programmatically uses the functionality of a Web browser, such as Microsoft Internet Explorer. Browser threats pose a risk to applications and documents because any threats that exist for the browser also exist for the application or document that hosts the browser. Browser threats include many threat agents, and can be exploited through various security attacks. Examples of these threat agents include ActiveX control installation, file downloads, MIME sniffing, zone elevation, and add-on installation.
Browser threats pose a risk if your organization:
Allows users to run ActiveX controls, add-ins, or macros that use browser functionality.
Develops and distributes Office solutions that use browser functionality.
Zero-day exploit threats
Zero-day exploits can be launched when a security vulnerability is found that has not yet been addressed by a software update, such as a Microsoft security bulletin or service pack. Zero-day exploits can take several forms, including the following:
Remote code execution
Elevation of privilege
Malicious programmers and users can exploit security vulnerabilities through various security attacks. Until a security bulletin or a service pack is released to respond to the security vulnerability, the vulnerability can pose a potential threat to your organization.
Default countermeasures in Office 2010
Office 2010 provides many countermeasures that help mitigate threats to your business assets and business processes. A countermeasure is a security feature or a security control that mitigates one or more security threats. You can usually change the behavior of countermeasures by configuring settings in the Office Customization Tool (OCT) or through Group Policy by using the Office 2010 Administrative Templates.
Many of the countermeasures in Office 2010 mitigate a specific kind of threat in one particular application. For example, Microsoft InfoPath 2010 includes a countermeasure that warns users about the possible presence of Web beacons in forms. You can change the behavior of this countermeasure by configuring the Beaconing UI for forms opened in InfoPath setting in the OCT or through Group Policy.
Other countermeasures mitigate broader kinds of threats that are common to several applications. For example, the Protected View feature enables users to view the content of untrusted documents, presentations, and workbooks without enabling unsafe content or malicious code to harm the computer. This countermeasure is used by Microsoft Excel 2010, Microsoft PowerPoint 2010, Microsoft Word 2010, and Microsoft Outlook 2010 when you preview attachments for Excel 2010, PowerPoint 2010, Microsoft Visio 2010, and Word 2010. You can change its behavior by configuring several settings in the OCT or through Group Policy.
The following sections describe the most frequently used countermeasures in Office 2010.
ActiveX control settings
You can use ActiveX control settings to disable ActiveX controls and change the way ActiveX controls are loaded into Office 2010 applications. By default, trusted ActiveX controls are loaded in safe mode with persistent values and users are not notified that the ActiveX controls loaded. Untrusted ActiveX controls load differently depending on how the ActiveX control is marked and whether a VBA project exists in the file together with the ActiveX control. The default behavior of untrusted ActiveX controls is as follows:
If an ActiveX control is marked Safe for Initialization (SFI) and it is contained in a document that does not contain a VBA project, the ActiveX control is loaded in safe mode with persistent values. The Message Bar does not appear and users are not notified about the presence of the ActiveX control. All ActiveX controls in the document must be marked SFI for this behavior to occur.
If an ActiveX control is marked Unsafe for Initialization (UFI) and it is contained in a document that does not contain a VBA project, users are notified in the Message Bar that ActiveX controls are disabled. However, users can click the Message Bar to enable ActiveX controls. If a user enables ActiveX controls, all ActiveX controls (those marked UFI and SFI) are loaded in safe mode with persistent values.
If an ActiveX control marked UFI or SFI is contained in a document that also contains a VBA project, users are notified in the Message Bar that ActiveX controls are disabled. However, users can click the Message Bar to enable ActiveX controls. If a user enables ActiveX controls, all ActiveX controls (those marked SFI and UFI) are loaded in safe mode with persistent values.
If a kill bit is set in the registry for an ActiveX control, the control is not loaded and cannot be loaded in any circumstance. The Message Bar does not appear and users are not notified about the presence of the ActiveX control.
To change the default behavior of ActiveX controls, see Plan security settings for ActiveX controls for Office 2010.
You can use add-in settings to disable add-ins, require add-ins be signed by a trusted publisher, and disable notifications for add-ins. By default, installed and registered add-ins can run without requiring user intervention or warning. To change this default behavior, see Plan security settings for add-ins for Office 2010.
Cryptography and encryption settings
These settings will be available when Office 2010 is officially released.
Data Execution Prevention settings
You can use Data Execution Prevention (DEP) settings to disable DEP in Office 2010 applications. DEP is a hardware and software countermeasure that helps prevent malicious code from running. By default, DEP is enabled in Office 2010 applications and we recommend that you do not change this default setting.
Digital signature settings
These settings will be available when Office 2010 is officially released.
External content settings
You can use external content settings to change the way Office 2010 applications access external content. External content is any kind of content that is accessed remotely, such as data connections and workbook links, hyperlinks to Web sites and documents, and links to images and media. By default, when a user opens a file that contains links to external content, the Message Bar notifies the user that the links are disabled. Users can enable the links by clicking the Message Bar. We recommend that you do not change these default settings.
File Block settings
You can use File Block settings to prevent specific file types from being opened or saved. You can also use these settings to prevent or force certain file types from opening in Protected View. By default, Excel 2010, PowerPoint 2010, and Word 2010 force several kinds of files to open only in Protected View. Users cannot open these file types for editing.
Office File Validation settings
You can use Office File Validation settings to disable the Office File Validation feature and change how the Office File Validation feature handles files that do not pass validation. You can also use these settings to prevent the Office File Validation feature from prompting users to send validation information to Microsoft. By default, the Office File Validation feature is enabled. Files that do not pass validation are opened in Protected View and users can edit files after they are opened in Protected View. For more information about Office File Validation settings, see Plan Office File Validation settings for Office 2010.
Password complexity settings
You can use password complexity settings to enforce password length and complexity for passwords that are used with the Encrypt with Password feature. Password complexity settings let you enforce password length and complexity at the domain level if the organization has established password complexity rules through domain-based Group Policy, or at a local level if the organization has not implemented domain-based password complexity Group Policy. By default, Office 2010 applications do not check password length or complexity when a user encrypts a file by using the Encrypt with Password feature.
You can use privacy options to prevent the Welcome to Microsoft Office 2010 dialog box from appearing the first time that a user starts Office 2010. This dialog box lets users enroll in various Internet-based services that help protect and improve Office 2010 applications. You can also use privacy options to enable the Internet-based services that appear in the Welcome to Microsoft Office 2010 dialog box. By default, the Welcome to Microsoft Office 2010 dialog box appears when a user starts Office 2010 for the first time, and users can enable the recommended Internet-based services, enable a subset of these services, or make no configuration changes. If a user makes no configuration changes, the following default settings take effect:
Office 2010 applications do not connect to Office.com for updated Help content.
Office 2010 applications do not download small programs that help diagnose problems and error message information is not sent to Microsoft.
Users are not enrolled in the Customer Experience Improvement Program.
When users implement a search query from the Help system, information about which Office 2010 applications are installed is not sent to Microsoft to improve Office.com search results.
To change this default behavior, or to suppress the Welcome to Microsoft Office 2010 dialog box, see Plan privacy options for Office 2010.
Protected View settings
You can use Protected View settings to prevent files from opening in Protected View and force files to open in Protected View. You can also specify whether you want scripts and programs that run in Session 0 to open in Protected View. By default, Protected View is enabled and all untrusted files open in Protected View. Scripts and programs running in Session 0 do not open in Protected View. For more information about Protected View settings, see Plan Protected View settings for Office 2010.
You can also use File Block settings to prevent or force specific file types from opening in Protected View.
Trusted Documents settings
You can use Trusted Documents settings to disable the Trusted Documents feature and prevent users from trusting documents that are stored on network shares. Trusted documents bypass most security checks when they are opened and all active content is enabled (antivirus checking and ActiveX kill-bit checking are the two checks that cannot be bypassed). By default, the Trusted Documents feature is enabled, which means users can designate safe files as trusted documents. In addition, users can designate files on network shares as trusted documents. We recommend that you do not change these default settings.
Trusted Locations settings
You can use Trusted Locations settings to designate safe locations for files. Files that are stored in trusted locations bypass most security checks when they are opened and all content in the file is enabled (antivirus checking and ActiveX kill-bit checking are the two checks that cannot be bypassed). By default, several locations are designated as trusted locations. Also, trusted locations that are on a network, such as shared folders, are disabled. To change this default behavior, and find out which locations are designated as trusted locations by default, see Plan Trusted Locations settings for Office 2010.
Trusted Publishers settings
You can use Trusted Publishers settings to designate certain kinds of active content as being safe, such as ActiveX controls, add-ins, and VBA macros. When a publisher signs active content with a digital certificate, and you add the publisher’s digital certificate to the Trusted Publishers list, the active content is considered trusted. By default, there are no publishers on the Trusted Publishers list. You must add publishers to the Trusted Publishers list to implement this security feature. To implement the Trusted Publishers feature, see Plan Trusted Publishers settings for Office 2010.
VBA macro settings
You can use VBA macro settings to change the way VBA macros behave, disable VBA, and change the way VBA macros behave in applications that are started programmatically. By default, VBA is enabled and trusted VBA macros are allowed to run without notification. Trusted VBA macros include VBA macros that are signed by a trusted publisher, stored in a trusted document, or stored in a document that is in a trusted location. Untrusted VBA macros are disabled, but a notification in the Message Bar lets users enable untrusted VBA macros. In addition, VBA macros are allowed to run in applications that are started programmatically.
To change this default behavior, see Plan security settings for VBA macros for Office 2010.