Microsoft Makes Office 2007 More Secure

The 2007 Office Security Guide provides prescriptive Group Policy setting and security configuration recommendations.

BARCELONA—Microsoft is releasing the 2007 Office Security Guide, which gives IT administrators guidance for configuring the settings in Microsoft Office 2007 so that it can be deployed and managed more securely.

The guide, which Microsoft says provides prescriptive Group Policy setting and security configuration recommendations to strengthen the security of computers running the 2007 Microsoft Office release on Windows Vista or Windows XP in domain-based environments, can be found here.

It is the result of a year's worth of work with customers, partners and government agencies, and follows a public beta release this summer, Josh Edwards, technical product manager for Microsoft Office, told eWEEK in an interview here at the TechEd IT Forum conference.

The guide essentially consists of three parts. The first is an introduction to security, the architecture and how it is implemented, while the second gives an extensive look at the 300 chosen administrative controls and settings, including what they are, how they get configured, and the threats they mitigate. It also provides a large spreadsheet of all these security settings and what is configured on and out of the box, as well as for every other scenario.


The third component is the GPO Accelerator tool, a script that creates Group Policy Objects to deploy security settings for the 2007 Microsoft Office release on Windows Vista and Windows XP in Active Directory environments.

Customers can use the tool to roll out the two baseline configurations—enterprise client and specialized security with limited functionality—as is or use it to customize them.

"Either way they are starting out from a point where most of the work is already done, and they are tweaking things unique to their environment. This is the tool that allows customers to configure all of that," Edwards said.

He said that customers and partners "told us they wanted additional administrator controls, and so we tested and documented the 300 that are most focused on security."


This was also in response to the evolution in the security environment away from attacks focused on the operating system to those directed at the application layer, he said, adding that the guide was designed to show administrators all of the security features Microsoft had built into Office 2007, and give users a means of dynamically adjusting those.

The idea is that if, going forward, the threat landscape changes, customers will be able to immediately configure and change those settings to mitigate that particular type of threat, Edwards said.

He said one of the things that had been closely examined was the impact that these settings and configurations could have on productivity.

"The enterprise client scenario was designed to balance security and usability needs, so there certainly could be an impact there. But all of these settings have been extensively tested and documented and we were able to find out, during the course of that testing process, which add-ins were no longer functional under that configuration," he said.

All of that information was provided in the guide, which gives administrators advance notice of the potential problems that could arise with the applications they ran under those configurations, he said, noting that there would be some applications that did not conform to any of the scenarios that had been tested.

"I certainly can't say that it is completely comprehensive and that we have covered every scenario," he said. "But we have ensured that if users do configure their settings and use Office in these ways, they have the ability to control the security around that and take action without having to break productivity if those particular features are important to them."


The specialized-security, limited-functionality scenario was geared towards government intelligence, defense and other high-security environments where customers were optimizing for security and willing to sacrifice a degree of productivity and/or functionality, he said.

While the guidance could be useful "at a high level" to customers who have not yet deployed Office 2007, the problem was that many of the settings that were being used to configure this latest guidance did not exist in previous versions, Edwards said.

