With all of this in mind, Microsoft has published a guide to help enterprises do more to bolster the security of their near ubiquitous office suite. The Microsoft Office Security Guide provides details on the best ways to manage the security for most of its applications – Access 2007, Excel 2007, InfoPath 2007, Outlook 2007, PowerPoint 2007, and Word 2007, running on Vista and XP Service Pack 2 environments.
For starters, the guide helps put a handle on new security features in Office 2007, such as the Trust Center and Message Bar. The Trust Center is the central office security console that makes it possible for you to see and set application and file security and privacy settings, while the Message Bar tells end users if certain functions of a document are disabled, such as when untrusted ActiveX controls, macros, and other potentially harmful content are disabled. Just as Outlook is designed to alert end users to potentially malicious content within emails, Microsoft Office 2007 applications now have a better capability here as well, and this guide helps you determine and set the policies to block external content – pictures, links, digital media – as documents are accessed. Now, whenever your users try to access files with forbidden content, they'll get a security alert telling them why they can't.
Even more importantly, the guide provides you a way to manage the risks associated with all of your Microsoft Office applications. For instance, you can measure document risks as defined by the Common Vulnerability Scoring System (CVSS), which is by measuring confidentiality, integrity and availability impact settings of each of your files. Now, many document availability settings can be set to enhance how macros, program add-ins, and external links function within a file is just one example.
The new Document Inspector tool makes it possible for security teams and end users to control the privacy of documents. The Document Inspector strips away metadata that may not be appropriate for outsiders, such as revisions, comments and custom XML tags, as well as other forms of potentially sensitive data.
The guide comes also provides pre-set policies, or Group Policy Objects (GPOs), for two different classes of risk posture. The first is for what Microsoft describes as an Enterprise Client (EC) environment, which details security settings applicable for environments where functionality and security need to be in balance – which is appropriate for most organizations.
The second setting is called Specialized Security Limited Functionality (SSLF). And as the name suggests, SSLF is geared toward highly secure environments, such as government agencies, and highly sensitive corporate workgroups, such as research and development departments – those rare places where security trumps functionality and ease of use. While both of these corporate or workgroup security policies are pre-defined, you can create GPOs of your own or customize the ones provided.
This guide also provides Common Configuration Enumeration (CCE) IDs to track your security settings. The CCE List is endorsed through the CCE Working Group from major operating system, security, and research organizations, and is maintained by The MITRE Corporation. CCE is quite helpful when it comes to identifying system security configurations and quickly correlate configuration data culled from many of your data stores and system tools. These CCE Identifiers can be used to cross-correlate configurations from best-practices established by the Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), NSA and Defense Information Systems Agency (DISA).
With all of the attention that attackers are giving to cracking productivity applications, it's a good time for all security pros to take a look at the security posture of their endpoint applications. This guide, made available by Microsoft, provides more than 250 security settings that can help you protect a handful of the most widely used applications in your organization. It's definitely worth a look.
- Amol Sarwate is director of Qualys' vulnerability research lab