
Security for the 2007 Office System

Microsoft Corporation
Published: December 2008
Author: Office IT and Servers User Assistance (o12ITdx@microsoft.com)

Abstract
This book provides prescriptive information for planning and deploying security and privacy
settings for the 2007 Microsoft Office system. This includes evaluating threats to laptops and
desktops that are running the 2007 Office release, evaluating default security and privacy
settings, and planning and configuring security settings to mitigate threats. It also includes
information for planning, configuring, and deploying cryptography and virus prevention scenarios
in Microsoft Office Outlook 2007. The audience for this book includes IT generalists, security
specialists, IT operations, help desk, and deployment staff, network architects and planners, IT
messaging administrators, and consultants.
The content in this book is a copy of selected content in the 2007 Office Resource Kit technical
library (http://go.microsoft.com/fwlink/?LinkID=84741&clcid=0x409) as of the publication date
above. For the most current content, see the technical library on the Web.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, email address, logo, person, place
or event is intended or should be inferred.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook,
PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.

Contents
Security for the 2007 Office System.........................................................................................1
Abstract..............................................................................................................................1

Contents...................................................................................................................................iii

I. Planning for Security.............................................................................................................1

A. Understanding Security in the 2007 Office System..............................................................1

Overview of security in the 2007 Office system........................................................................1


Underlying security principles...................................................................................................1
Secure by default...............................................................................................................2
Avoid asking questions.......................................................................................................2
Maintain user productivity..................................................................................................3
Provide a flexible security model........................................................................................3
What's new and what's changed..............................................................................................4
Changes to the user interface............................................................................................4
New and enhanced settings and features..........................................................................7
New default behavior and functionality.............................................................................11

Overview of security planning for the 2007 Office system......................................................14


The security planning process................................................................................................14
Step 1: Choose a deployment tool for security settings and privacy options....................15
Step 2: Evaluate security and privacy threats..................................................................16
Step 3: Evaluate default security settings and privacy options.........................................16
Step 4: Plan security settings and privacy options...........................................................16
Creating a functional specification..........................................................................................17

Choose a deployment tool for security settings and privacy options in the 2007 Office system........18
Office Customization Tool.......................................................................................................18
Requirements and limitations...........................................................................................19
Common scenarios..........................................................................................................20
Group Policy Administrative Templates...................................................................................20
Requirements and limitations...........................................................................................21
Common scenarios..........................................................................................................21
Choosing a tool.......................................................................................................................22

Evaluate security and privacy threats for the 2007 Office system..........................................24
Overview of security threats...................................................................................................25
Code and application threats..................................................................................................26
Document threats...................................................................................................................26
External threats......................................................................................................................27
Internet Explorer threats.........................................................................................................28
Privacy threats........................................................................................................................28
Security vulnerabilities............................................................................................................29

B. Planning 2007 Office System Security Settings.................................................................30

Evaluate default security settings and privacy options for the 2007 Office system.................31
Evaluate default security settings for code and application threats........................................31
Default settings for ActiveX controls.................................................................................32
Default settings for add-ins...............................................................................................33
Default settings for trusted locations................................................................................33
Default settings for trusted publishers..............................................................................36
Default settings for macros...............................................................................................36
Evaluate default security settings for document threats.........................................................37
Evaluate default security settings for external threats............................................................38
Evaluate default security settings for Internet Explorer threats...............................................39
Evaluate default privacy options.............................................................................................40
Evaluate default security settings for security vulnerabilities..................................................41

Plan trusted locations and trusted publishers settings for the 2007 Office system.................42
Plan for trusted locations........................................................................................................42
Disabling trusted locations...............................................................................................43
Implementing trusted locations.........................................................................................43
Plan for trusted publishers......................................................................................................49

Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system...52
Plan security settings for ActiveX controls..............................................................................52
Disable ActiveX controls in all documents........................................................................52
Allow all ActiveX controls to initialize and run without notification....................................54
Modify the way ActiveX controls are initialized based on SFI and UFI parameters..........57
Plan security settings for add-ins............................................................................................59
Disable add-ins on a per-application basis.......................................................................59
Require that add-ins are signed by a trusted publisher....................................................61
Disable notifications for unsigned add-ins........................................................................63
Plan security settings for macros............................................................................................65
Change the default security settings for macros..............................................................66
Control the way VBA behaves..........................................................................................70
Change the way macros behave in applications that are started programmatically through Automation....71
Prevent encrypted macros from being scanned for viruses.............................................73

Plan document protection settings in the 2007 Office system................................................76


Change encryption settings for Excel 2007, PowerPoint 2007, and Word 2007.....................77
Change encryption settings for OneNote 2007.......................................................................78
Prevent users from encrypting sections of text.................................................................78
Strengthen password protection feature settings.............................................................79

Plan external content settings in the 2007 Office system.......................................................80
Suppress hyperlink warnings..................................................................................................80
Allow linked images to download automatically in Office PowerPoint 2007............................81

Plan Internet Explorer feature control settings in the 2007 Office system...............................83
Identify applications that host Internet Explorer......................................................................83
Determine which Internet Explorer feature control settings to implement...............................85
Identify conflicts with previous versions of Office....................................................................86

Plan privacy options in the 2007 Office system......................................................................88


Maximize the protection of personal and private information in documents............................89
Suppress the first-run Privacy Options dialog box..................................................................94
Suppress the first-run Sign up for Microsoft Update dialog box..............................................97

Plan block file format settings in the 2007 Office system........................................................99


Force an organization to use the new 2007 Office file format...............................................105
Mitigating zero-day attacks...................................................................................................109
Preventing an organization from opening files that have been saved in earlier Word formats........109
Preventing an organization from using pre-release (beta) file formats..................................112

C. Planning Outlook 2007 Security.......................................................................................114

Use Outlook 2007 to help protect messages........................................................................115

Plan for limiting junk e-mail in Outlook 2007.........................................................................116


Overview: the Outlook Junk E-mail Filter..............................................................................116
Supported account types......................................................................................................117
Support in different versions of Exchange Server.................................................................117
Upgrading from a previous installation of Outlook before Outlook 2003...............................118
Configuring the Junk E-mail Filter user interface..................................................................118
Providing default Junk E-mail Filter lists...............................................................................119

Plan for e-mail messaging cryptography..............................................................................120


Cryptographic messaging features in Outlook......................................................................120
How Outlook implements cryptographic messaging.......................................................120
Digital IDs: A combination of public/private keys and certificates...................................121
Security labels and signed receipts......................................................................................121
Classes of encryption strengths............................................................................................122
Additional resources.............................................................................................................122

How users manage cryptographic digital IDs in Outlook 2007..............................................123


Places to store digital IDs.....................................................................................................123
Microsoft Exchange Global Address Book.....................................................................123
Internet directory service (LDAP)...................................................................................124
Windows file...................................................................................................................124
Providing digital IDs to others...............................................................................................124

Provide a certificate in a digitally signed e-mail message..............................................124
Obtain a certificate from a directory service...................................................................124
Importing digital IDs..............................................................................................................124
Renewing keys and certificates............................................................................................125

Plan for configuring security settings in Outlook 2007..........................................................126


Specifying how security settings are enforced in Outlook.....................................................126
Choosing between the Exchange Server security form and Group Policy security settings. 126
Scenario for using the security form...............................................................................126
Scenarios for using Group Policy security settings........................................................127
Scenarios for using security form or Group Policy security settings...............................127
Caveats to consider when customizing security settings......................................................127
Customizing options for junk e-mail and ActiveX controls....................................................127
Updated Object Model Guard...............................................................................................128

How administrator and user security settings interact in Outlook 2007................................129

Plan for Outlook 2007 security in special environments.......................................................130


Users with a hosted Exchange Server environment.............................................................130
Users with administrative rights............................................................................................130
Users with an Outlook Web Access environment.................................................................131

II. Deploying security settings...............................................................................................132

A. Configuring 2007 Office System Security Settings...........................................................132

Configure trusted locations and trusted publishers settings in the 2007 Office system........132
Before you begin..................................................................................................................132
Configure trusted locations by using the OCT......................................................................133
Disable trusted locations by using the OCT...................................................................133
Specify trusted locations by using the OCT....................................................................134
Restrict trusted locations by using the OCT...................................................................134
Delete all trusted locations created by using the OCT...................................................135
Configure trusted locations by using Group Policy...............................................................135
Disable trusted locations by using Group Policy............................................................135
Specify trusted locations by using Group Policy.............................................................136
Restrict trusted locations by using Group Policy............................................................137
Configure trusted publishers settings by using the OCT.......................................................138

Configure security settings for ActiveX controls, add-ins, and macros in the 2007 Office system........139
Before you begin..................................................................................................................139
Configure settings for ActiveX controls.................................................................................140
Disable ActiveX controls.................................................................................................140
Change the way ActiveX controls are initialized.............................................................141
Configure settings for add-ins...............................................................................................141
Disable add-ins..............................................................................................................142

Require that add-ins are signed by a trusted publisher..................................................142
Disable notifications for unsigned add-ins......................................................................143
Configure settings for macros...............................................................................................144
Configure default security settings for macros...............................................................145
Disable VBA...................................................................................................................146
Provide Automation clients programmatic access to VBA projects.................................146
Configure Automation security for macros.....................................................................147
Prevent encrypted macros from being scanned for viruses...........................................147

Configure document protection settings in the 2007 Office system......................................149


Before you begin..................................................................................................................149
Configure document protection settings by using the OCT...................................................150
Configure document protection settings by using Group Policy............................................151

Configure external content settings in the 2007 Office system.............................................154


Before you begin..................................................................................................................154
Configure hyperlink warnings settings..................................................................................154
Configure linked images settings in Office PowerPoint 2007................................................155

Configure Internet Explorer feature control settings in the 2007 Office system....................157
Before you begin..................................................................................................................157
Configure Internet Explorer feature control settings by using the OCT.................................158
Configure Internet Explorer feature control settings by using Group Policy..........................159

Configure privacy options in the 2007 Office system............................................................160


Before you begin..................................................................................................................160
Configure privacy options by using the OCT........................................................................161
Configure privacy options by using Group Policy.................................................................163

Configure block file format settings in the 2007 Office system.............................................166


Before you begin..................................................................................................................166
Configure block file format settings by using the OCT..........................................................167
Configure block file format settings by using Group Policy...................................................168

B. Configuring Outlook 2007 Security Settings.....................................................................169

Set consistent Outlook 2007 cryptography options for an organization................................170


More information about setting Outlook cryptography options..............................................172
Outlook security policy settings......................................................................................172
Security policy settings for general cryptography...........................................................178
Security policy settings for KMS-issued certificates.......................................................180

Specify the method Outlook uses to manage virus prevention features...............................181


More information about managing virus prevention settings.................................................181
Migrating to Group Policy settings..................................................................................182
Updated Object Model Guard.........................................................................................182

Customize attachment settings in Outlook 2007...................................................................183

Add or remove Level 1 file types..........................................................................................185
Add or remove Level 2 file types..........................................................................................185
Additional attachment security settings................................................................................186

Customize programmatic settings in Outlook 2007..............................................................188

Customize ActiveX and custom forms security settings in Outlook 2007..............................190


Customizing how ActiveX controls behave in one-off forms.................................................190
Customizing custom forms security settings.........................................................................191

Manage trusted add-ins for Outlook 2007.............................................................................193


Working with Outlook COM add-ins......................................................................................194

Configure security for Outlook 2007 folder home pages.......................................................195


More information about Outlook folder home pages.............................................................195

Configure junk e-mail settings in Outlook 2007....................................................................196


Configuring the Junk E-mail Filter.........................................................................................196
Configuring automatic picture download...............................................................................198
More about automatic picture download........................................................................199

III. Security Technical Reference..........................................................................................200

Security policies and settings in the 2007 Office system......................................................200


Trusted locations and trusted publishers settings.................................................................200
Trusted locations settings...............................................................................................201
Trusted publishers settings............................................................................................205
ActiveX control settings........................................................................................................205
Settings for disabling ActiveX controls...........................................................................205
Settings for changing the way ActiveX controls are initialized........................................207
Add-in settings......................................................................................................................216
Settings for disabling add-ins.........................................................................................216
Settings for requiring that add-ins are signed by a trusted publisher..............................218
Settings for disabling notifications for unsigned add-ins.................................................220
VBA macro settings..............................................................................................................222
Settings for changing the default behavior of macros....................................................222
Settings for changing VBA.............................................................................................225
Settings for changing macro behavior in applications that are started programmatically through Automation........227
Settings for preventing virus-scanning programs from scanning encrypted macros......230
Document protection settings...............................................................................................231
Global document protection settings..............................................................................231
Application-specific document protection settings..........................................................232
External content settings......................................................................................................233
Hyperlink warnings settings............................................................................................233
Linked images settings...................................................................................................235
Internet Explorer feature control settings..............................................................................235

Privacy options.....................................................................................................................238
Document Inspector options...........................................................................................238
Metadata protection options...........................................................................................239
Office privacy options.....................................................................................................240
Application-specific privacy options................................................................................242
Block file format settings.......................................................................................................243

Attachment file types restricted by Outlook 2007..................................................................250

I. Planning for Security

A. Understanding Security in the 2007 Office System

Overview of security in the 2007 Office


system
An organization's financial success often hinges on the productivity of its information workers and
the integrity and confidentiality of its intellectual property. In the past, satisfying these business
needs was difficult for IT professionals because protection often came at the expense of
productivity. With a redesigned security model and many new and enhanced security features,
the 2007 Microsoft Office system makes it possible for IT professionals to design desktop
configurations that mitigate security threats while maintaining information worker productivity.

Underlying security principles


Prior to the 2007 Office system, designing a secure desktop configuration was usually a
compromise between protection and productivity. On one hand, you could minimize the attack
surface of your desktop configuration by disabling potentially risky functionality such as ActiveX
controls, add-ins, and Visual Basic for Applications (VBA) macros, but the loss in functionality
usually translated into a loss in information worker productivity, which had a detrimental effect on
your organization's financial performance. On the other hand, you could maximize information
worker productivity and strengthen your organization's financial performance by allowing
information workers to freely use high-risk tools and application features, but the increase in
attack surface carried a greater risk to intellectual property and a greater total cost of ownership
(TCO) because of ongoing security attacks.
Confronted with this situation, most IT professionals chose a middle ground, which forced
information workers to make critical security decisions. If a document contained ActiveX controls
or macros from an unknown source, users were asked whether they wanted to enable the
ActiveX controls or the macros. Users were not allowed to access the document until they
answered the question. Although this was not a perfect solution, it did provide a mechanism for
mitigating security threats without intruding too much on productivity. The main problem was that
most users, when confronted with a security warning, dismissed the warning so they could
access the document and get their work done. This was acceptable for low-risk internal
documents that did not likely contain malicious content, but it was not acceptable for high-risk
external documents that passed through the Internet and could contain malicious content.
Unfortunately, users did not usually distinguish between high-risk and low-risk files and treated
both files the same way — that is, they accepted the risk and enabled the ActiveX controls and
macros.
To overcome the problems described earlier, the overall security model for the 2007 Office
system was designed with the following four key principles:
• Make application functionality secure by default.
• Avoid asking questions that users might not be able to answer.
• Maintain user productivity by mitigating threats without limiting application functionality.
• Provide a flexible security model that can be modified to suit specific situations.
Together, these principles provide a foundation for the security goals of the 2007 Office
system — maximize protection and productivity, and minimize TCO.

Secure by default
One of the primary principles of the 2007 Office system security model remains unchanged from
previous Microsoft Office releases: keep the system and the data secure by default. This principle
encompasses the fact that some features, although useful, have an inherently high probability of
attack (for example, macros). In many cases, these features have been configured so that
protection is paramount and functionality is secondary.
For example, documents and e-mail messages often contain links to images that are stored on a
remote computer. This makes it easy to update images and it makes documents and e-mail
messages smaller, putting less demand on disk space and network bandwidth. But spammers
and malicious attackers can use linked images to confirm that e-mail addresses are valid or to
obtain a computer’s IP address. To deal with this, linked images are blocked by default in the
2007 Office system, but users can still open e-mail messages and documents containing linked
images, giving users full access to the text. Thus, both protection and productivity are maximized.

Avoid asking questions


Although previous security models relied on users to evaluate risks and mitigate potential security
threats, the 2007 Office system adopts the principle that users should not have to respond to
questions that they might not be able to answer. This principle changes the way that users and
applications deal with security threats. First, the number of questions and the frequency of
questions that users must respond to are reduced. Second, in instances in which a security threat
has elevated risk and user feedback is absolutely necessary, the warning messages provide the
details users need to make a decision. Third, in instances in which user feedback is required, the
user feedback is requested at a time and in a context that makes more sense to users.
For example, users no longer need to respond to a security prompt each time they open a
document that contains macros from an untrusted or unknown source. Although macros from
untrusted or unknown sources are disabled by default, the notification process does not require

users to make a security decision before working on the document. Instead, macro notifications
are contained in a notification bar that appears at the top of the document. Users can click the
notification bar to read the notification and enable macros. In addition, the notification now
provides information about what the risk is, why the risk is a threat to security, and what users can
do to mitigate the threat.

Maintain user productivity


Maintaining user productivity is another important principle in the 2007 Office system security
model. In the past, if users tried to open a document that contained a potential security threat,
such as a macro or an ActiveX control, users could not work in the file until they responded to a
security warning. Now, users can immediately access document contents and work in documents
as soon as the document is opened. Users are prompted for input only when user intervention is
necessary to maintain a secure working environment.
For example, a new security feature called Trusted Locations enables you to differentiate low-risk
documents from high-risk documents, and thereby maximize productivity. Examples of low-risk
documents are documents from colleagues or business partners. Examples of high-risk
documents are documents from unknown people or documents that pass through an unsecured
Internet connection.
Documents that are stored in a trusted location are deemed secure, and all of the content in a
trusted document is enabled. Users do not have to respond to any security warnings and they do
not have to enable any content in a trusted document to get work done. In this case, productivity
is not impaired.
Documents that are not stored in a trusted location are considered to be high-risk, and all of the
content in an untrusted document is disabled by default. Users can open and work on a high-risk
document, but they must respond to the notification to enable the high-risk content in the
document. In this case, productivity is only affected when users want to enable high-risk content
in the document.

Provide a flexible security model


This final principle is that the default security model is not suitable for every computing
environment or for every user. Despite the first three principles, there are instances in which
users will be prevented from accessing low-risk content unless they respond to a security
notification or warning. To better realize the goals of the first three principles, the 2007 Office
system provides a suite of security settings that enable you to modify the default security model.

What's new and what's changed
Using the four principles described earlier, a new security model was developed for the 2007
Office system. The new security model includes new features, new settings, and new
functionality. In addition, the new security model can affect the way users respond to risk in their
individual work environments, and change the way administrators mitigate and manage security
threats throughout an organization. The primary changes in the new security model include:
• The user interface: These changes help users better view and configure security
settings, and respond to security warnings and notifications.
• Administrative settings and features: These changes help IT professionals design
and implement secure desktop configurations that better mitigate security threats.
• Default functionality: These changes help boost user productivity while helping to
protect corporate resources and mitigate security threats.

Changes to the user interface


Three changes have been made to the user interface for the 2007 Office system. First, most
application-specific security and privacy settings now appear in a single location called the Trust
Center. Second, some document protection settings now appear with other document preparation
settings, such as Save and Print. Third, most security warnings and notifications now appear in a
new notification area called the Message Bar. These user interface changes enhance the user
experience by helping users find, view, and configure security settings and by helping users stay
productive in the face of security threats.

Trust Center
The Trust Center is a central console that enables users to view and configure security settings
and privacy options. The following figure illustrates the Trust Center.

Users can configure the following settings in the Trust Center:


• Trusted Publishers and Trusted Locations: These settings are used to specify safe
content.
• ActiveX controls, add-ins, and macros: These settings are used to control the behavior
of high-risk content, such as ActiveX controls, add-ins, and macros.
• Message Bar and privacy options: These settings are used to control notification
behavior and the way an application handles personal or private information.
For Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007,
and Microsoft Office Word 2007, users can access the Trust Center by clicking the Microsoft
Office Button and then clicking Program Options, where Program is the program you are
running. For Microsoft Office InfoPath 2007, Microsoft Office Outlook 2007, Microsoft Office
Publisher 2007, and Microsoft Office Visio 2007, users can click Trust Center on the Tools
menu.

Document protection controls
Although the Trust Center contains most application-specific security and privacy settings, some
document-specific security settings have been intentionally left out of the Trust Center: most
notably, document protection settings that enable users to encrypt a document. Because
document protection settings tend to be used when a user saves or sends a document, the
settings are located with other document preparation settings. Users can access the document
preparation settings by clicking the Microsoft Office Button, and then clicking Prepare.

Message Bar
The Message Bar is a new user interface feature that provides users with notifications and
warnings when they open a document that contains potentially harmful content. The following
figure shows the Message Bar.

Note:
In Office Outlook 2007 and Office Publisher 2007, security alerts appear in dialog boxes,
not in the Message Bar.
The Message Bar informs users that some functionality in a document is blocked. In some ways,
the Message Bar replaces the warnings that appeared whenever a user opened an untrusted
document that contained macros. In the past, the warnings prevented users from accessing the
document until they responded to the warnings and either enabled or disabled the macros. With
the Message Bar, on the other hand, the document opens and users can work in the document
without responding to the Message Bar prompt. Untrusted ActiveX controls, macros, and other
potentially harmful content are disabled until users click the Message Bar and respond to a
notification or warning. The following figure shows the warning that users receive when they click
the Message Bar.

New and enhanced settings and features
The 2007 Office system contains new and enhanced settings and features, including:
• A new group of settings known as Trusted Locations settings.
• A new group of settings known as block file format settings.
• Changes in the way ActiveX controls, add-ins, and macros are managed.
The following sections describe the new and enhanced settings and features.

Trusted Locations settings


Trusted Locations settings enable you to differentiate safe documents from unsafe documents.
When you specify a trusted location, such as a folder on a user's hard disk, and a user opens a
document that is saved in that trusted location, all content in the document is enabled and
initialized, including ActiveX controls, external links, and macros. In addition, no prompts or
warnings appear in the Message Bar or in the user interface when a document is opened from a
trusted location.
To mitigate the risk of someone creating a trusted location for malicious purposes, and thereby
running harmful code, the default settings in the 2007 Office system do not allow you to designate
remote folders as trusted locations. By default, trusted locations can only exist locally on a user's
hard disk. Furthermore, trusted locations can be easily revoked in the event of a security attack.
Additionally, the 2007 Office system permanently prevents you from designating certain high-risk
folders as trusted locations, such as the Office Outlook 2007 cache for attachments, the Temp
folder, and other folders where documents are sometimes temporarily stored.

Settings for ActiveX controls, add-ins, and macros


In the 2007 Office system, you can manage the behavior of ActiveX controls, add-ins, and macros
by configuring global settings or application-specific settings. In the past, you could mitigate
security threats from macros by choosing one of only four global settings: Low, Medium, High,
and Very High. Each of these settings was progressively more restrictive: the Low setting allowed
users to run all macros, while the High setting allowed users to run only macros that were signed
by a trusted publisher. In addition, there were no global or application-specific settings for
managing ActiveX controls (other than making changes to the registry), and there were no
application-specific security settings for managing add-ins.

ActiveX controls settings


Several new settings exist for controlling the behavior of ActiveX controls. You can select the
following options:
• Disable all ActiveX controls: Prevents all ActiveX controls from loading and does not
notify users that ActiveX controls are disabled. The only exception is ActiveX controls that are
contained in a document in a trusted location.
• Configure ActiveX control initialization: Specifies how ActiveX controls are loaded
based on the Safe for Initialization (SFI) and Unsafe for Initialization (UFI) parameters. In the
past, you configured this setting by making changes to the registry. Now, you configure this
setting by using Administrative Templates (.adm files) or through the Office Configuration Tool
(OCT).
• Configure ActiveX prompts: Specifies how users are prompted when ActiveX controls
are loaded. You can configure this setting so that users are either prompted or not prompted
when an ActiveX control attempts to load.

Add-in settings
The 2007 Office system does not have a Trust all installed add-ins and templates setting.
Instead, several new settings exist for controlling the behavior of add-ins, including:
• Disable all application add-ins: Prevents all add-ins from running. Users are not
notified that the add-ins are disabled.
• Require that application add-ins are signed by a trusted publisher: Checks for a
digital signature on the file that contains the add-in. If the publisher has not been trusted, the
program does not load the add-in, and the Message Bar displays a notification that the add-in
has been disabled.
• Disable Message Bar Notification for unsigned application add-ins: Only relevant if
you are requiring that add-ins have a digital signature. In some situations, the file that
contains the add-in might be unsigned. In these cases, add-ins signed by a trusted publisher
are enabled, but unsigned add-ins are disabled without providing users with any notification.

Macros
Several new settings exist for controlling the behavior of macros. The settings enable you to
control macros in the following ways:
• Disable Visual Basic for Applications: Disables Visual Basic for Applications for all
Office applications.
• Configure macro warning settings: Specifies the conditions under which users are
notified about macros. The following four options are available:
• Always provide notification about macros.
• Always provide notification for digitally signed macros only.
• Do not provide notification and disable all macros.
• Do not perform any security checks and allow all macros to run.
• Force encrypted macros to be scanned in Microsoft Office Open XML Formats
documents: Specifies that macro security checks are performed in encrypted files that use
the new Office Open XML Formats. This setting cannot be configured in the graphical user
interface; you can configure it only by using Administrative Templates (.adm files) or by using
the OCT. In addition, this setting is enabled by default: that is, encrypted macros in Office
Open XML Formats documents are scanned by default.
The following table summarizes how various combinations of security settings in Microsoft Office
2003 compare to the new security settings in the 2007 Office system.

Office 2003 setting: Very High (Enabled); Trust all installed add-ins and templates (Enabled)
2007 Office system setting: No warnings for all macros but disable all macros (Enabled)

Office 2003 setting: Very High (Enabled); Trust all installed add-ins and templates (Disabled)
2007 Office system setting: No warnings for all macros but disable all macros (Enabled);
Disable all add-ins (Enabled)

Office 2003 setting: High (Enabled); Trust all installed add-ins and templates (Enabled)
2007 Office system setting: Warn for digitally signed macros only (Enabled)

Office 2003 setting: High (Enabled); Trust all installed add-ins and templates (Disabled)
2007 Office system setting: Warn for digitally signed macros only (Enabled);
Require that all add-ins be signed by a trusted publisher (Enabled);
Disable notifications for unsigned add-ins (Enabled);
Disable all trusted locations, only files signed by trusted publishers will be trusted (Enabled)

Office 2003 setting: Medium (Enabled); Trust all installed add-ins and templates (Enabled)
2007 Office system setting: Do not configure any security settings in the 2007 Office system.
By default, users are notified when a document contains a macro, and add-ins and templates
are trusted.

Office 2003 setting: Medium (Enabled); Trust all installed add-ins and templates (Disabled)
2007 Office system setting: Require that all add-ins be signed by a trusted publisher (Enabled);
Disable all trusted locations (Enabled)

Office 2003 setting: Low (Enabled)
2007 Office system setting: No security check for macros (Enabled)

Block file format settings


Several new settings enable you to prevent users from opening or saving certain types of files in
Office Excel 2007, Office PowerPoint 2007, and Office Word 2007. These settings are useful if
you want to force your organization to use specific file formats or you want to mitigate zero-day
attacks and exploits until you implement a fix. By using the block file format settings you can:
• Mitigate zero-day attacks and exploits until you implement a fix.
• Prevent users from opening or saving specific file types.
• Prevent users from opening files that are compatible with previous versions of Office
Excel 2007, Office PowerPoint 2007, and Office Word 2007.
• Prevent users from opening documents through external converters.
• Prevent users from opening pre-release (beta) versions of files.

Document Inspector
Document Inspector is a new privacy tool that can help users remove personal information and
hidden information from a document. Document Inspector is available by default in Office Excel
2007, Office PowerPoint 2007, and Office Word 2007, although each program uses a different set
of Inspector modules to remove different types of content. For example, Office Excel 2007 has an
Inspector module that enables users to remove hidden worksheets. Conversely, Office Word
2007 does not have that Inspector module because it is not relevant to Office Word 2007
documents.
Users can specify the type of content they want to remove from files, including:
• Comments, revision marks from tracked changes, versions, and ink annotations.
• Document properties and personal information (metadata).
• Headers, footers, and watermarks.
• Hidden text.
• Hidden rows, columns, and worksheets.
• Invisible content.
• Off-slide content.
• Presentation notes.
• Document server properties.
• Custom XML data.
You can enable and disable Inspector modules, but there are no administrative settings that
enable you to manage the way each Inspector module behaves. However, you can
programmatically create custom Inspector modules.

New default behavior and functionality


Several default security settings have changed in the 2007 Office system. The following sections
describe new default settings.

Documents always open


When users attempt to open a document that contains potentially harmful content, such as
untrusted ActiveX controls and macros or links to untrusted external data sources, the document
is always allowed to open. However, the untrusted content is not allowed to run and users are
notified that some content has been blocked.

External content is always blocked


Users are always prevented from accessing external content. This includes external content that
is accessed through data connections, hyperlinks, images, and linked media. When users open a
document that contains external content, the document opens and users can work in the
document, but the external content is disabled (not accessible), and a notification appears in the
Message Bar that informs users that some content has been blocked. If a user clicks the
Message Bar, a dialog box appears asking whether the user wants to enable the external content.

Note:
Documents in trusted locations have all external content enabled.

ActiveX controls are allowed to run under certain circumstances


There are four possible default behaviors for ActiveX controls. The default behavior depends on
the characteristics of the ActiveX control itself and the characteristics of the document that
contains the ActiveX control.
• If an ActiveX control has a kill bit set in the registry, the control is not loaded and cannot
be loaded under any circumstances. A kill bit is a feature that prevents controls that have a
known exploit from being loaded.
• If an ActiveX control is contained in a document that does not contain a VBA project, and
the ActiveX control is marked as Safe for Initialization (SFI), the ActiveX control is loaded with
minimal restrictions. The Message Bar does not appear, and users do not get any
notifications about the presence of ActiveX controls in their documents. The ActiveX controls
in the document must all be marked as SFI to not generate a notification.

• If an ActiveX control is contained in a document that does not contain a VBA project, and
the ActiveX control is marked as Unsafe for Initialization (UFI), users are notified in the
Message Bar that an ActiveX control has been disabled. If a user clicks the Message Bar, a
dialog box appears asking whether the user wants to enable the ActiveX control. If the user
enables the ActiveX control, all ActiveX controls (those marked SFI and UFI) are loaded with
minimal restrictions.
• If an ActiveX control is contained in a document that also contains a VBA project, a
notification appears in the Message Bar informing users that an ActiveX control has been
disabled. If a user clicks the Message Bar, a dialog box appears asking whether the user
wants to enable the ActiveX control. If the user enables the ActiveX control, all ActiveX
controls (those marked SFI and UFI) are loaded with minimal restrictions.

Note:
If an ActiveX control is contained in a document that is saved in a trusted location, the
ActiveX control is enabled by default and users are not prompted to enable the ActiveX
control.

Installed and registered add-ins are allowed to run


By default, any add-in that is installed and registered is allowed to run without user intervention or
warning. Installed and registered add-ins can include:
• Component Object Model (COM) add-ins.
• Smart tags.
• Automation add-ins.
• RealTimeData (RTD) servers.
• Application add-ins (for example, .wll, .xll, and .xlam files).
• XML expansion packs.
• XML style sheets.
This default behavior is equivalent to selecting the Trust all installed add-ins and templates
setting, which exists in earlier versions of the Microsoft Office system.

Only trusted macros are allowed to run


By default, trusted macros are allowed to run. This includes macros in documents that are saved
in a trusted location, and macros that meet the following criteria:
• The macro is signed by the developer with a digital signature.
• The digital signature is valid.
• This digital signature is current (not expired).
• The certificate associated with the digital signature was issued by a reputable certification
authority (CA).
• The developer who signed the macro is a trusted publisher.

Macros that are not trusted are not allowed to run until a user clicks the Message Bar and
chooses to enable the macro. In the past, unsigned macros were disabled and users did not have
an option to enable them. This behavior is different in the 2007 Office system. Users are now
notified when a document contains an unsigned macro, and they can enable the macro if they
want to.
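The default ActiveX behaviors listed under "ActiveX controls are allowed to run under certain circumstances" and the macro trust criteria just above, modeled together as decision functions in an added example that is not Microsoft's code. The class and field names, the sample controls, the signer name and the dates are constructed; the outcome labels ("blocked", "load", "notify", "run", "disabled") are this example's own vocabulary for the behaviors the text describes.

```python
"""
Added example (not Microsoft's code): models the 2007 Office system's default
decisions for ActiveX controls and macros as the text describes them.
Class names, fields and sample values are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class ActiveXControl:
    name: str
    safe_for_init: bool      # True = Safe for Initialization (SFI), False = UFI
    kill_bit: bool = False   # registry kill bit for controls with a known exploit


@dataclass
class MacroSignature:
    signer: str              # publisher named in the signing certificate
    valid: bool              # signature verifies against the VBA project
    not_after: date          # certificate expiry date
    issuer_trusted_ca: bool  # certificate issued by a reputable CA


@dataclass
class Document:
    in_trusted_location: bool = False
    has_vba_project: bool = False
    controls: list[ActiveXControl] = field(default_factory=list)
    signature: MacroSignature | None = None   # None = unsigned macros


def activex_decision(doc: Document) -> dict[str, str]:
    """Per-control default outcome when the document is opened.

    'blocked': kill bit set, never loads.
    'load':    loads with minimal restrictions and no Message Bar.
    'notify':  disabled; the Message Bar reports it until the user enables it.
    """
    all_sfi = all(c.safe_for_init for c in doc.controls)
    result: dict[str, str] = {}
    for c in doc.controls:
        if c.kill_bit:
            result[c.name] = "blocked"            # kill bit wins in every case
        elif doc.in_trusted_location:
            result[c.name] = "load"               # trusted location: enabled, no prompt
        elif not doc.has_vba_project and all_sfi:
            result[c.name] = "load"               # no VBA project and every control SFI
        else:
            result[c.name] = "notify"             # any UFI control, or a VBA project present
    return result


def activex_after_user_enables(doc: Document) -> dict[str, str]:
    """Outcome once the user enables content via the Message Bar: SFI and UFI alike load."""
    return {c.name: "blocked" if c.kill_bit else "load" for c in doc.controls}


def macro_decision(doc: Document, trusted_publishers: set[str], today: date) -> str:
    """'run' when the macro is trusted by the text's criteria, else 'disabled'.

    A disabled macro is still reported in the Message Bar, where the user may
    choose to enable it; that later choice is outside this default decision.
    """
    if doc.in_trusted_location:
        return "run"
    sig = doc.signature
    if sig is None:                      # unsigned: disabled, user is notified
        return "disabled"
    if not sig.valid or sig.not_after < today or not sig.issuer_trusted_ca:
        return "disabled"                # broken, expired or untrustworthy-CA signature
    if sig.signer not in trusted_publishers:
        return "disabled"                # signed, but publisher not yet trusted
    return "run"


if __name__ == "__main__":
    today = date(2008, 12, 1)            # constructed evaluation date
    sig = MacroSignature("Contoso Dev", True, date(2010, 1, 1), True)
    doc = Document(has_vba_project=True,
                   controls=[ActiveXControl("Calendar", True), ActiveXControl("Shell", False)],
                   signature=sig)
    print(activex_decision(doc))
    print(macro_decision(doc, {"Contoso Dev"}, today))
```

The ordering of the checks is the point: the kill bit is evaluated before the trusted-location shortcut, and a signature that is present but expired, invalid, or from an untrusted publisher leaves the macro in the same disabled-with-notification state as an unsigned one.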

See Also
Overview of security planning for the 2007 Office system
Planning for security and protection in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179213.aspx)
Security and protection in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179127.aspx)

Overview of security planning for the 2007 Office system
The 2007 Microsoft Office system has many new security settings that can help you mitigate
threats to your organization's business resources and processes. In addition, the 2007 Office
system has many new privacy options that help you mitigate threats to users' private and
personal information. Determining which new settings and options are appropriate for your
organization can be a complex task involving numerous critical planning decisions. To help you
minimize the time spent planning settings and options, use the four-step security planning
process described in this article. This systematic decision-making approach is designed to help
you choose settings and options that maximize protection and productivity in your organization.

The security planning process


Security planning for the 2007 Office system is a straightforward four-step process. Each step
provides recommended guidelines and best practices that can help you plan optimal security
architecture for your organization's desktop environment. By using this process you can:
• Determine which tools you need to deploy security settings and privacy options in your
organization.
• Identify the threats that pose a risk to your organization.
• Evaluate the default settings and options that mitigate those threats.
• Determine which additional settings and options you need to deploy to minimize risks to
your organization's resources and processes.

The security planning process is shown in the following figure.

Step 1: Choose a deployment tool for security settings and privacy options
This step helps you choose a deployment tool for rolling out and managing security settings and
privacy options. The tools that are discussed include:
• The Office Customization Tool (OCT), which replaces the Custom Installation Wizard and
is the main deployment tool for configuring and managing security settings.
• The 2007 Office system Administrative Templates (.adm files), which you can load into
the Group Policy Object Editor and apply to client computers as local policies or domain-
based policies.
Each tool has advantages and disadvantages, and provides different levels of control over your
desktop environment. Choosing the right tool to deploy and manage your security settings and
privacy options helps ensure that your desktop configuration remains stable.
For detailed information about step 1, see Choose a deployment tool for security settings and
privacy options in the 2007 Office system.
Step 2: Evaluate security and privacy threats
This step helps you understand and evaluate security and privacy threats. The 2007 Office
system provides settings and options that can help you mitigate six primary types of threats,
including:
• Code and application threats
• Document threats
• External threats
• Internet Explorer threats
• Privacy threats
• Security vulnerabilities
Understanding these threats and evaluating which of them might affect your organization are
critical steps in the planning process, because doing so enables you to design security settings
and privacy options that are relevant to your organization.
For detailed information about step 2, see Evaluate security and privacy threats for the 2007
Office system.

Step 3: Evaluate default security settings and privacy options


This step helps you evaluate the default security settings and privacy options in the 2007 Office
system. This step also helps you determine whether the default settings and options provide
adequate mitigation for the threats that you identified in step 2. By using the guidance in this step,
you can evaluate:
• Default security threat settings, including settings for code and application threats,
document threats, external threats, and Internet Explorer threats.
• Default privacy options.
• Default settings for blocking various file formats and file types.
• Default settings for trusted locations and trusted publishers.
After you complete this step, you should be able to decide whether the default settings and
options are appropriate for your organization, or whether you need to deploy additional settings
and options that are unique to your organization or your security requirements.
For detailed information about step 3, see Evaluate default security settings and privacy
options for the 2007 Office system.

Step 4: Plan security settings and privacy options


This step helps you plan security settings and privacy options. You must plan security settings
and privacy options if the default settings and options do not provide adequate protection or do
not meet your needs. This step provides recommended guidelines, best practices information,
and detailed descriptions of all settings and options. For detailed information about step 4, see
the following articles:
• Plan trusted locations and trusted publishers settings for the 2007 Office system

• Plan document protection settings in the 2007 Office system
• Plan Internet Explorer feature control settings in the 2007 Office system
• Plan privacy options in the 2007 Office system
• Plan block file format settings in the 2007 Office system

Creating a functional specification


The security planning process is designed to help you create a functional specification, which you
can use to help you deploy security settings and privacy options. After you complete each step in
the planning process, be sure to record your decisions in the functional specification.
Typically, a functional specification for deploying security settings includes:
• Best practices guidance for using the deployment tools.
• Overview of the security architecture, including a threat analysis.
• A list of the settings and options that are being rolled out.
• Explanations for any settings or options that differ from the default configuration.
At a minimum, the functional specification should provide all of the information an administrator
needs to configure security settings and privacy options by using the OCT and by using the 2007
Office system Administrative Template settings in the Group Policy Object Editor.
For more information about functional specifications, including information about using functional
specifications with the Microsoft Solutions Framework, see "Planning Phase" in the following
white paper: MSF Process Model v. 3.1 (http://go.microsoft.com/fwlink/?
LinkId=85569&clcid=0x409).

See Also
Overview of security in the 2007 Office system
Planning for security and protection in Outlook 2007 (http://technet.microsoft.com/en-
us/library/cc179213.aspx)

Choose a deployment tool for security
settings and privacy options in the 2007
Office system
To create an effective security plan for the 2007 Microsoft Office system, you must first identify
the tools you are going to use to configure, deploy, and manage security settings in your
organization. In some cases, a single tool is adequate for configuring, deploying, and managing
settings. In other cases, you might need to use a combination of tools — one tool for configuring
and deploying an initial configuration, and one tool for managing settings on an ongoing basis.
Choosing the right tool is a critical step in the security planning process because it helps ensure
that the security settings you planned for are actually deployed and enforced throughout your
organization. It also helps ensure that you can modify security settings after the initial rollout,
enabling you to respond to sudden security threats.
Although you can use a wide range of tools and techniques to deploy and manage desktop
applications in enterprise environments, we recommend that you use only the Office
Customization Tool (OCT) and the 2007 Office system Group Policy Administrative Templates
(.adm files) to configure, deploy, and manage security settings in the 2007 Office system. Each
tool has different requirements and limitations, and provides different features and functionality.
Choosing the correct tool requires careful evaluation of your organization's existing deployment
and management infrastructure, your organization's security architecture, and your organization's
security needs. To determine which tool is appropriate for your organization, use the best
practices and recommendations that are provided in the following sections to evaluate each tool.

Office Customization Tool


The OCT is a new graphical user interface tool that helps you create a configuration (.msp) file. A
configuration file can contain a wide variety of information, including installation instructions,
licensing information, and application settings, such as security settings and privacy options. You
can use a configuration file in the following two ways:
• In conjunction with the Setup program to customize the installation process during a
large-scale rollout.
• In conjunction with Windows Installer 3.1 to update or maintain configuration settings
during the operations phase of the software life cycle.
To use a configuration file to customize the installation process, you perform the following tasks:
1. Use the OCT graphical user interface to configure setup options and application settings.
2. Save the settings and options to an .msp file.
3. Run the Setup program on your client computers, using command-line parameters to
specify the .msp file that you want the Setup program to use.
To use a configuration file to update or maintain existing installations, you perform the following
tasks:
1. Use the OCT graphical user interface to configure application settings in an existing or
new .msp file.
2. Save the new application settings in the .msp file.
3. Run Windows Installer on your client computer, using command-line parameters to
specify the .msp file that you want Windows Installer to use.
For more information about using the OCT, see Office Customization Tool in the 2007 Office
system (http://technet.microsoft.com/en-us/library/cc179097.aspx) and Customize the 2007 Office
system (http://technet.microsoft.com/en-us/library/cc179132.aspx).

Requirements and limitations


Although the OCT is new, it does not require any special infrastructure enhancements. For
example, you do not need to modify your existing hardware, software, network topology, or
security architecture to use the OCT. Nevertheless, the OCT has the following requirements:
• You must use the OCT in conjunction with the Office Setup program. The OCT only
generates .msp files. It does not apply security settings to computers. You must use the
Setup program to install the 2007 Office system and apply the security settings that are saved
in the .msp files.
• You must use the Setup program that is included in the 2007 Office system because it is
the only supported installation program that can read the data in OCT-generated .msp files
and add the security settings (and other settings) to the registry.
• The computers on which you run Setup and the OCT must have Windows Installer 3.1
installed.
• You must be a member of the Administrators group on the local computer to run the OCT
and the Office Setup program.
When deciding whether to use the OCT to configure and manage security settings, you should
consider that the OCT has the following two limitations:
• You cannot lock down or enforce security settings with the OCT. The OCT configures
application settings in publicly accessible portions of the registry, such as
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0. If you use the OCT to configure or
manage security settings for the 2007 Office system, users can modify the security settings
that you deploy. These settings are considered user preferences rather than managed
settings because users can change them. If you want to enforce security settings, use Group
Policy.
• You can configure only one block file format setting with the OCT. Block file format
settings enable you to prevent users from opening or saving certain file types or file formats.
These settings are useful if you want to prevent users from using older file formats or if you
want to mitigate zero-day attacks.

Common scenarios
You can use the OCT and the Setup program to configure, deploy, and manage security settings
in many IT environments. The following sections describe scenarios in which the OCT and the
Setup program are particularly useful.

Unmanaged environments
The OCT is commonly used by organizations that do not centrally manage their desktop
applications or do not remotely manage their desktop environments. In these cases, you can use
the OCT and the Setup program to configure, deploy, and manage security settings without using
a remote administration tool such as Microsoft Systems Management Server 2003, or a policy-
based tool, such as Group Policy.

Initial security configurations


The OCT is commonly used to establish initial security configurations even though Group Policy
is used to lock down or enforce security settings. This helps ensure that security settings are
configured during initial rollout and before the first policy update occurs. Using the OCT to create
an initial security configuration also enables you to reset the security settings on a computer by
reapplying the initial configuration file.

Partially locked-down environments


The OCT is useful in partially locked-down environments in which a critical subset of security
settings are locked down through Group Policy, but other security settings are not locked down
and can be configured by users. In this scenario, most of the security settings are configured
during initial setup by using an OCT-generated configuration file (.msp file), and critical security
settings are deployed and managed through Group Policy after the initial setup is complete.

Group Policy Administrative Templates


The 2007 Office system includes 15 Administrative Templates, which enable you to manage
security settings through local or domain-based Group Policy. Administrative Templates are
Unicode text files that Group Policy uses to describe where registry-based policy settings are
stored in the registry. All registry-based policy settings appear and are configured in the Group
Policy Object Editor under the Administrative Templates node. Administrative Templates do not
apply policy settings; they enable you to view the policy settings in the Group Policy Object Editor.
Administrators can then create Group Policy objects (GPOs) containing the policy settings that
they want to use. For example, you might have one GPO that contains various policy settings for
managing ActiveX controls, add-ins, and macros.
The registry values used for Group Policy settings are stored under the approved registry keys for
Group Policy. Users cannot change or disable these settings. Group Policy settings that
administrators can fully manage are referred to as “true policies.” True Group Policy settings have
ACL restrictions to prevent users from changing the settings. The approved Group Policy registry
keys are:
For computer policy settings:
• HKEY_LOCAL_MACHINE\Software\Policies (the preferred location)
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
For user policy settings:
• HKEY_CURRENT_USER\Software\Policies (the preferred location)
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
For more information about Administrative Templates, see Administrative Templates extension
(http://technet.microsoft.com/en-us/library/cc759295.aspx). For more information about how the OCT
and Group Policy interact, see "Office Customization Tool and Group Policy" in Group Policy Overview
(http://technet.microsoft.com/en-us/library/cc179176.aspx). For more information about using
Administrative Templates to configure, deploy, and manage security settings, see Enforce settings
by using Group Policy in the 2007 Office system.
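The distinction above (a true policy under the Policies keys versus an OCT-written value under HKEY_CURRENT_USER\Software\Microsoft\Office\12.0 that the user can change) can be checked on a client with the following PowerShell script. It is an added example, not Resource Kit content; the VBAWarnings value name it audits (the macro security level) is a known Office registry value that this page does not list, so substitute the settings your own plan covers.

```powershell
# Added example (not part of the Office Resource Kit): report whether an
# Office 2007 security setting on this computer is a "true policy" that
# Group Policy enforces, or only a user preference (for example, one set by
# an OCT-generated .msp file) that the user could change.
# Assumption: the value names in the audit list (VBAWarnings) are known
# Office registry values but are not taken from this page.

function Get-OfficeSettingEnforcement {
    param(
        [Parameter(Mandatory)][string]$Application,   # Word, Excel, PowerPoint, ...
        [Parameter(Mandatory)][string]$SubKey,        # key below the application, e.g. Security
        [Parameter(Mandatory)][string]$ValueName      # registry value to look for
    )

    # Approved Group Policy locations (the preferred keys named on this page).
    # ACLs on these keys prevent users from changing the values.
    $machinePolicy = "HKLM:\Software\Policies\Microsoft\Office\12.0\$Application\$SubKey"
    $userPolicy    = "HKCU:\Software\Policies\Microsoft\Office\12.0\$Application\$SubKey"
    # Location the OCT writes to: publicly accessible, so only a user preference.
    $userPref      = "HKCU:\Software\Microsoft\Office\12.0\$Application\$SubKey"

    # Get-ItemProperty returns $null quietly when the key or the value is absent.
    $mp = Get-ItemProperty -Path $machinePolicy -Name $ValueName -ErrorAction SilentlyContinue
    $up = Get-ItemProperty -Path $userPolicy    -Name $ValueName -ErrorAction SilentlyContinue
    $pf = Get-ItemProperty -Path $userPref      -Name $ValueName -ErrorAction SilentlyContinue

    $enforcement = if ($mp)     { 'Managed (computer policy)' }
                   elseif ($up) { 'Managed (user policy)' }
                   elseif ($pf) { 'User preference (OCT or user); not enforced' }
                   else         { 'Not configured (application default applies)' }

    $policyValue = if ($mp) { $mp.$ValueName } elseif ($up) { $up.$ValueName } else { $null }
    $userValue   = if ($pf) { $pf.$ValueName } else { $null }

    [pscustomobject]@{
        Application = $Application
        Setting     = "$SubKey\$ValueName"
        PolicyValue = $policyValue
        UserValue   = $userValue
        Enforcement = $enforcement
    }
}

# Constructed audit list; extend it with the settings in your functional specification.
$audit = @(
    @{ Application = 'Word';       SubKey = 'Security'; ValueName = 'VBAWarnings' }
    @{ Application = 'Excel';      SubKey = 'Security'; ValueName = 'VBAWarnings' }
    @{ Application = 'PowerPoint'; SubKey = 'Security'; ValueName = 'VBAWarnings' }
)

$report = foreach ($item in $audit) { Get-OfficeSettingEnforcement @item }
$report | Format-Table -AutoSize

# Any setting still reported as a user preference after the first policy refresh
# has not been locked down; add a Group Policy setting for it if it must be enforced.
```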

Requirements and limitations


If you are installing the 2007 Office system on computers that are running the Microsoft
Windows XP, Microsoft Windows Server 2003, or Windows Vista operating systems, you must
meet the following requirements to use Administrative Templates.
• You must have the Active Directory directory service deployed in your organization to
configure, deploy, and manage security settings through domain-based Group Policy settings.
• You must be a member of the Administrators group on the local computer to configure,
deploy, and manage security settings through local Group Policy settings.
When deciding whether to use Administrative Templates to configure and manage security
settings, you should consider that Administrative Templates have the following limitations:
• Group Policy does not provide a mechanism for rolling back settings to an initial
configuration. If you deploy your initial configuration settings with Group Policy and you make
subsequent changes to Group Policy settings, you must reconfigure each of your subsequent
changes to revert to your initial configuration. Disabling or deleting the Group Policy object
that contains your settings will change all settings to Not Configured.
• You cannot configure trusted publishers settings with Group Policy. You can add digital
certificates to the list of trusted publishers only with the OCT.
• If your organization is small and you are not already using Active Directory, the
administrative overhead required to understand and implement Group Policy in an Active
Directory environment might make implementing domain-based Group Policy prohibitive.

Common scenarios
Group Policy can be used to configure, deploy, and manage security settings in many IT
environments. The following sections describe scenarios in which Administrative Templates are
particularly useful.

Managed environments
Administrative Templates are useful in organizations that use Group Policy to manage their
desktop environments. This is true whether you have deployed Active Directory and you manage
your desktop environment with domain-based Group Policy, or you do not have Active Directory
installed but you manage your desktop environment with local Group Policy.

Locked-down environments
Administrative Templates are useful in locked-down environments in which users have little
control over their desktop configuration. In this scenario, all security settings are deployed and
managed through Group Policy. Any security settings that are configured during initial setup are
overridden by the Group Policy settings.

Implementing block file format settings


Administrative Templates are the only way to effectively implement the block file format settings,
which enable you to prevent users from opening certain file formats or file types. These settings
are useful for mitigating zero-day attacks when you know the specific file type or file format that
poses a risk to your organization. These settings are also useful for preventing users from using
older file formats or forcing users to use the same file formats.

Choosing a tool
The following table compares the features and capabilities of the two recommended tools that
you can use to configure security settings in the 2007 Office system. Use the information in the
table to evaluate each tool and determine which tool is most appropriate for your organization.

Features and capabilities | Administrative Templates | OCT + Setup
Requires Active Directory. | Yes (domain-based Group Policy); No (local Group Policy) | No
Requires Windows Installer 3.1. | No | Yes
Requires administrative credentials on the client computer. | Yes (local Group Policy); No (domain-based Group Policy) | Yes
Can be used to lock down security settings. | Yes | No
Can be used to manage security settings after initial installation. | Yes | Yes
Can be used to establish initial security configurations. | Yes (not ideal) | Yes
Can be used to configure block file format settings. | Yes (all settings) | Yes (however, only one setting)
Can be used to add publishers to the list of trusted publishers. | No | Yes

See Also
Overview of security planning for the 2007 Office system
Overview of security in the 2007 Office system

Evaluate security and privacy threats for the
2007 Office system
In this article:
• Overview of security threats
• Code and application threats
• Document threats
• External threats
• Internet Explorer threats
• Privacy threats
• Security vulnerabilities
A secure desktop configuration is an important part of any organization's defense-in-depth
strategy. But before you can plan for a secure desktop configuration that includes the 2007
Microsoft Office system, you need to understand which security threats are relevant to the 2007
Office system, and then identify which of those security threats pose a risk to your organization's
business assets or business processes. You also need to identify which privacy threats pose a
risk to users' personal and private information.

Overview of security threats
The security model for the 2007 Office system helps you mitigate six types of security threats.
Each of these security threats includes several threat agents and can be exploited by a broad
range of security attacks. The following figure shows security threats and examples of the most
common threat agents.

Most organizations face some potential risk from each of the six security threats. However, not
every organization faces the same threat agents and not every organization faces the same
security attacks or exploits. As a first step in planning a secure desktop configuration that includes
the 2007 Office system, use the guidance provided in the following sections to determine:
• Which of the six security threats are relevant.
• Which threat agents pose a potential risk.
• How attackers might exploit these threat agents.
Your organization should have several documents that can help you identify threats in your
organization, including threat models, security plans, and operations plans. In addition to the
documents that you rely on, be sure to consider the following as you evaluate security threats:
• Network security architecture (for example, perimeter network design, extranet design,
firewall design, and proxy server design).
• Physical security policies (for example, building access restrictions, document retention
policies, and laptop security policies).
• Privacy policies (for example, definitions of personal and private information).
• Authentication and authorization infrastructure (for example, how customers,
vendors, or partners are granted access to your network).
• Readiness plan for dealing with sudden security threats.
• Personal-use policies for e-mail and Internet access.
In addition, be sure to update your organization's existing threat model or security plan if you
identify new threats or new threat agents.

Code and application threats


Code and application threats are common desktop security threats. Typical threat agents include
ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros. These threat agents
can be exploited by programmers who write malicious code or create malicious programs, which
then run on the user's computer. Code and application threats pose a potential risk to
organizations of any size. In particular, code and application threats pose a potential risk to your
organization if your organization allows users to:
• Run macros, ActiveX controls, or add-ins.
• Receive e-mail attachments.
• Share documents across a public network, such as the Internet.
• Open documents from sources outside your organization, such as clients, vendors, or
partners.
If code and application threats pose a risk to your organization, see Evaluate default security
settings and privacy options for the 2007 Office system to determine whether you need to
change the default security settings for mitigating code and application threats.

Document threats
Document threats occur when unauthorized users attempt to gain access to your organization's
documents or the information that is contained in your organization's documents. When
unauthorized attackers or intruders gain access to a document, the results can include the loss
of:
• Confidentiality (document data is no longer proprietary).
• Integrity (document data is altered or corrupted).
• Content (document data is missing).
Most organizations face document threats, although many organizations choose not to mitigate
document threats because the threat is perceived to be minimal or the administrative cost for
mitigating the threat is perceived to be high. Nevertheless, document threats pose a risk to your
organization when any of the following is true:
• Your organization's network security architecture cannot keep intruders or attackers from
gaining access to your internal network, which increases the risk that intruders or attackers
might gain access to your organization's documents.
• Your organization allows users to send, receive, or share proprietary documents over the
Internet, including financial data, project plans, presentations, or drawings.
• Your organization allows users to connect laptop computers to public networks, which
increases the risk that unidentifiable attackers might gain access to the documents that are
saved on users' laptop computers.
• Your organization allows users to take documents that contain proprietary information out
of the office.
• You believe there is a chance that unauthorized attackers or intruders can gain access to
documents containing proprietary information.
If document threats pose a risk to your organization, see Evaluate default security settings and
privacy options for the 2007 Office system to determine whether you need to change the
default security settings for mitigating document threats.

External threats
External threats include any threat agent that links a document to another document, a database,
or a Web site across an intranet or a public network, such as the Internet. External threats are
exploited through the following threat agents:
• Hyperlinks: Attackers typically exploit this threat agent by creating hyperlinks to
untrusted documents or Web sites that contain malicious code or content.
• Data connections: Attackers typically exploit this threat agent by creating a data
connection to a data source or database, and then using that data connection to maliciously
manipulate or extract data.
• Web beacons: Attackers typically exploit this threat agent by embedding an invisible link
to a remote image in an e-mail message. When a user opens the e-mail message, the link
activates and downloads the remote image. In doing so, user information can be sent to the
remote computer, such as the user's e-mail address and the IP address of the user's
computer.
• Packager objects: Attackers can exploit this threat agent by having an embedded
object execute malicious code.
External threats pose a risk if your organization:
• Provides users with unrestricted access to public networks, such as the Internet.
• Allows users to receive e-mail messages containing embedded images and HTML.
• Allows users to use data connections in spreadsheets or other documents.
If external threats pose a risk to your organization, see Evaluate default security settings and
privacy options for the 2007 Office system to determine whether you need to change the
default security settings for mitigating external threats.

Internet Explorer threats


Internet Explorer threats can occur when an application or a document programmatically uses
Internet Explorer functionality. Internet Explorer threats pose a risk to applications and documents
because any threats that exist for Internet Explorer also exist for the application or document that
is hosting Internet Explorer. Internet Explorer threats include numerous threat agents, and can be
exploited through a wide variety of security attacks. Examples of these threat agents include
ActiveX control installation, file downloads, Multipurpose Internet Mail Extensions (MIME) sniffing,
zone elevation, and add-on installation.
Internet Explorer threats pose a risk if your organization:
• Allows users to run ActiveX controls, add-ins, or macros that use Internet Explorer
functionality.
• Develops and distributes Office solutions that invoke Internet Explorer functionality.
If your organization faces Internet Explorer threats, see Evaluate default security settings and
privacy options for the 2007 Office system to determine whether you need to change the
default security settings for mitigating Internet Explorer threats.

Privacy threats
Privacy threats include any threat agent that discloses or reveals personal or private information
without the user's consent or knowledge. Privacy threats can be exploited through several threat
agents, but the most common threat agent is hidden document data, called metadata. Metadata
enables users to record or track document properties, such as author name, organization name,
document editing time, or document version number. Metadata can be removed from a
document, but when it is not, anyone opening the document has access to the metadata.
Privacy threats can also be exploited when a document contains supplemental content that is
considered confidential or proprietary, such as comments, revisions, annotations, custom XML
data, hidden text, watermarks, and header and footer information. Unless this content is removed
from a document, anyone who has access to the document also has access to the supplemental
content.
In addition to privacy threats, there are instances in which private information can be disclosed or
revealed by enabling or using various application features or functionality. Although these
features and functionality are not considered threat agents, they can reveal or disclose personal
or private information that your organization deems confidential or proprietary.
For more information about privacy, see the "Privacy Statement for the 2007 Microsoft Office
System," which you can access from the Trust Center by clicking Privacy Options, and then
clicking Read our privacy statement.

Most organizations face privacy threats or want to actively manage the disclosure of private or
personal information. See Evaluate default security settings and privacy options for the 2007
Office system to determine whether you need to change the default privacy options or whether
you need to change the default security settings for mitigating privacy threats.

Security vulnerabilities
A security vulnerability is a special type of security threat that is addressed by a software update,
such as a Microsoft security bulletin or a service pack. Security vulnerabilities can include a wide
range of threat agents, such as:
• Remote code execution
• Elevation of privilege
• Information disclosure
Malicious programmers and malicious users can exploit security vulnerabilities through various
security attacks. Until a security bulletin or a service pack is released to respond to the security
vulnerability, the vulnerability can pose a potential threat to your organization. If security
vulnerabilities pose a potential threat to your organization, see “Evaluate default security
settings for security vulnerabilities” in Evaluate default security settings and privacy
options for the 2007 Office system to determine whether you need to change the default
security settings for security vulnerabilities.

See Also
Overview of security in the 2007 Office system
Overview of security planning for the 2007 Office system

B. Planning 2007 Office System Security Settings

Evaluate default security settings and
privacy options for the 2007 Office system
The default security and privacy settings in the 2007 Office system can help you to mitigate six
main types of security and privacy threats. Some default security settings and privacy options
might not be sufficient to mitigate the threats in your organization, and other default settings and
options might provide more stringent mitigation than your organization requires. In either case,
you might have to modify the default settings and options to suit your organization's security
needs and requirements.
To determine whether you need to modify any default settings or options, do the following:
• Use your threat evaluation to identify the threats that you need to mitigate in your
organization. If you have not already evaluated threats in your organization, see Evaluate
security and privacy threats for the 2007 Office system.
• Use the guidance provided in this article to evaluate the default settings and options for
each threat that is relevant to your organization, and determine whether the default settings
and options are adequate for your organization.
If the default settings and options for a given threat are not adequate for your organization, you
can then move to the last step of the security planning process, in which you plan security
settings and privacy options.

Evaluate default security settings for code and application threats
To determine whether the default settings for mitigating code and application threats are
adequate for your organization, you need to evaluate the default settings for the following:
• ActiveX controls
• Add-ins
• Trusted locations
• Trusted publishers
• Visual Basic for Applications (VBA) macros

Default settings for ActiveX controls
The default settings for ActiveX controls can cause ActiveX controls to behave in four different
ways based on the characteristics of the ActiveX control itself and the characteristics of the
document that contains the ActiveX control.
• If a kill bit is set in the registry for an ActiveX control, the control is not loaded and cannot
be loaded in any circumstances. A kill bit is a feature that prevents controls that have a known
exploit from being loaded.
• If an ActiveX control is contained in a document that does not contain a VBA project, and
the ActiveX control is marked as Safe for Initialization (SFI), the ActiveX control is loaded in
safe mode with minimal restrictions (that is, with persisted values). The Message Bar does
not appear, and users do not get any notifications about the presence of ActiveX controls in
their documents. All ActiveX controls in the document must be marked as SFI to not generate
a notification.
• If an ActiveX control is contained in a document that does not contain a VBA project, and
the document contains ActiveX controls that are Unsafe for Initialization (UFI), users are
notified in the Message Bar that ActiveX controls have been disabled. If a user clicks the
Message Bar, a dialog box appears asking whether the user wants to enable the ActiveX
controls. If the user enables the ActiveX controls, all ActiveX controls (those marked SFI and
UFI) are loaded with minimal restrictions (that is, with persisted values).
• If an ActiveX control is contained in a document that also contains a VBA project, a
notification appears in the Message Bar informing users that ActiveX controls have been
disabled. If a user clicks the Message Bar, a dialog box appears asking whether the user
wants to enable ActiveX controls. If the user enables ActiveX controls, all ActiveX controls
(those marked SFI and UFI) are loaded with minimal restrictions (that is, with persisted
values).
If the default settings for ActiveX controls are suitable for your organization, you do not need to
plan security settings for ActiveX controls. On the other hand, you must plan security settings for
ActiveX controls if you want to do any of the following:
• Disable ActiveX controls.
• Allow all ActiveX controls to run without notifying users.
• Modify the way ActiveX controls are initialized based on SFI, UFI, and safe mode
parameters.
To learn more about ActiveX control security settings, and plan security settings for ActiveX
controls, see Plan security settings for ActiveX controls, add-ins, and macros in the 2007
Office System.

Default settings for add-ins
By default, any add-in that is installed and registered is allowed to run without user intervention or
warning. Installed and registered add-ins can include:
• Component Object Model (COM) add-ins.
• Smart tags.
• Automation add-ins.
• RealTimeData (RTD) servers.
• Application add-ins (for example, .wll, .xll, and .xlam files).
• XML expansion packs.
• XML style sheets.
This default behavior is equivalent to selecting the Trust all installed add-ins and templates
setting, which exists in earlier versions of the Microsoft Office system.
If the default settings for add-ins are suitable for your organization, you do not need to plan
security settings for add-ins. On the other hand, you must plan security settings for add-ins if you
want to do any of the following:
• Disable add-ins on a per-application basis.
• Require that add-ins are signed by a trusted publisher.
• Disable notifications for unsigned add-ins.
To learn more about add-in security settings and plan security settings for add-ins, see Plan
security settings for ActiveX controls, add-ins, and macros in the 2007 Office System.

Default settings for trusted locations


Settings for trusted locations enable you to designate folders on the hard disk drives of users'
computers or on a network share as trusted document sources. When a folder is designated as a
trusted document source, any document that is saved in the folder is assumed to be a trusted
document. When a trusted document is opened, all content is enabled and active and users are
not notified about any potential risks that might be contained in the document, such as unsigned
macros, ActiveX controls, or links to content on the Internet.

Note:
You can configure trusted locations for only Microsoft Office Access 2007, Microsoft
Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and
Microsoft Office Word 2007.

The following list describes the default settings for trusted locations:
• Trusted locations are enabled.
• Users cannot designate network shares as trusted locations. However, users can change
this setting.
• Users can add folders to the Trusted Locations list.
• You can have a mix of user-defined and policy-defined trusted locations.
In addition, several folders are designated as trusted locations. The default folders for each
application are listed in the following tables. (Office Visio 2007 does not have any trusted
locations, by default.)
The following table lists the default trusted locations for Office Access 2007.

Default trusted locations                      | Folder description | Trusted subfolders
Program Files\Microsoft Office\Office12\ACCWIZ | Wizard databases   | Not allowed

The following table lists the default trusted locations for Office Excel 2007.

Default trusted locations                              | Folder description    | Trusted subfolders
Program Files\Microsoft Office\Templates               | Application templates | Allowed
Users\username\Appdata\Roaming\Microsoft\Templates     | User templates        | Not allowed
Program Files\Microsoft Office\Office12\XLSTART        | Excel StartUp         | Allowed
Users\username\Appdata\Roaming\Microsoft\Excel\XLSTART | User StartUp          | Not allowed
Program Files\Microsoft Office\Office12\STARTUP        | Office StartUp        | Allowed
Program Files\Microsoft Office\Office12\Library        | Add-ins               | Allowed

The following table lists the default trusted locations for Office PowerPoint 2007.

Default trusted locations                           | Folder description    | Trusted subfolders
Program Files\Microsoft Office\Templates            | Application templates | Allowed
Users\username\Appdata\Roaming\Microsoft\Templates  | User templates        | Allowed
Users\username\Appdata\Roaming\Microsoft\Addins     | Add-ins               | Not allowed
Program Files\Microsoft Office\Document Themes 12   | Application themes    | Allowed

The following table lists the default trusted locations for Office Word 2007.

Default trusted locations                             | Folder description    | Trusted subfolders
Program Files\Microsoft Office\Templates              | Application templates | Allowed
Users\username\Appdata\Roaming\Microsoft\Templates    | User templates        | Not allowed
Users\username\Appdata\Roaming\Microsoft\Word\Startup | User StartUp          | Not allowed

If the default settings for trusted locations are suitable for your organization, you do not need to
plan security settings for trusted locations. However, you must plan security settings for trusted
locations if you want to do any of the following:
• Turn off trusted locations.
• Add folders to the Trusted Locations list on users' computers.
• Clear the Trusted Locations list on users' computers.
• Allow users to designate trusted locations on network shares.
• Prevent users from designating trusted locations on network shares.
• Prevent users from specifying trusted locations and manage trusted locations only
through Group Policy.
• Modify any of the default trusted locations.
To learn more about trusted location settings and plan security settings for trusted locations, see
Plan trusted locations and trusted publishers settings for the 2007 Office system.

Default settings for trusted publishers
Like previous Office releases, the 2007 Office system enables you to create a list of trusted
publishers. A publisher is any developer, software company, or organization that has created and
distributed an ActiveX control, add-in, or macro. A trusted publisher is any reputable publisher that
has been added to the Trusted Publishers list. By default, there are no publishers on the Trusted
Publishers list. However, there are several default settings that affect the way ActiveX controls
and macros behave when they are signed by a trusted publisher.
By default, ActiveX controls and macros that are signed by a publisher that is on the Trusted
Publishers list are enabled and will run without any warning if the following conditions are true:
• The ActiveX control or macro is signed with a digital signature.
• The digital signature is valid.
• This digital signature is current (not expired).
• The certificate associated with the digital signature was issued by a reputable certification
authority (CA).
If you do not intend to specify any trusted publishers or use the trusted publishers functionality,
you do not need to plan trusted publishers settings. However, you need to plan trusted publishers
settings if you want to add publishers to the list of trusted publishers. You also need to plan
trusted publishers settings if you require that all add-ins be signed by a trusted publisher. This is
because the 2007 Office system contains several add-ins that will not run unless you add the
appropriate Microsoft certificates to the trusted publishers list. To learn more about trusted
publishers settings and plan trusted publishers settings, see Plan trusted locations and trusted
publishers settings for the 2007 Office system.

Default settings for macros


By default, trusted macros are allowed to run. This includes macros in documents that are saved
in a trusted location, and macros that meet the following criteria:
• The macro is signed by the developer with a digital signature.
• The digital signature is valid.
• This digital signature is current (not expired).
• The certificate associated with the digital signature was issued by a reputable certification
authority (CA).
• The developer who signed the macro is a trusted publisher.
Macros that are not trusted are not allowed to run until a user clicks the Message Bar and
chooses to enable the macro. In previous versions of the Office system, unsigned macros were
disabled and users did not have an option to enable them. In the 2007 Office system, on the other
hand, users are notified when a document contains an unsigned macro, and they can enable the
macro if they want to.

If the default settings for macros are suitable for your organization, you do not need to plan
security settings for macros. However, you must plan security settings for macros if you want to
do any of the following:
• Make VBA unavailable.
• Make macros unavailable.
• Allow programmatic access to the VBA project.
• Modify the way users are notified about macros.
• Prevent encrypted macros from being scanned for viruses in Office Open XML Formats
files. By default, encrypted macros are scanned in Office Open XML Formats files.
• Change the way macros run when an application is started by Automation.
To learn more about macro security settings and plan security settings for macros, see Plan
security settings for ActiveX controls, add-ins, and macros in the 2007 Office System.

Evaluate default security settings for document threats
You can mitigate document threats by having users use the password protection feature to
encrypt documents in Office Excel 2007, Microsoft Office OneNote 2007, Office PowerPoint 2007,
and Office Word 2007. Documents are not encrypted by default in the 2007 Office system, and
there are no administrative settings that enable you to force users to encrypt documents.
However, there are several default settings that affect the way documents are encrypted, and you
can modify those settings if the default settings do not meet your organization's needs.

Note:
Information Rights Management (IRM) can also be used to help mitigate document
threats.
By default, Office Excel 2007, Office PowerPoint 2007, and Office Word 2007 use the following
settings when a user encrypts a document:
• For documents that are saved in the Office Open XML Formats, the cryptographic service
provider (CSP) is:
• Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype) on the
Microsoft Windows XP Professional operating system.
• Microsoft Enhanced RSA and AES Cryptographic Provider on the Windows Vista
operating system.
In both cases, the cryptographic algorithm is AES-128 and the key length is 128 bits. Because
that key is derived from the password the user types, the effective strength of an encrypted
document is bounded by the quality of the password, not by the 128-bit key length.
• For documents that are saved in the Office 97-2003 format, the Office 97/2000-compatible
encryption method is used. This is a legacy, proprietary RC4-based scheme (40-bit keys by
default) that is much weaker than AES-128; documents that require real confidentiality should
be saved in the Office Open XML Formats instead.

Additionally, Office OneNote 2007 uses the following default encryption settings:
• Notes are encrypted by using the Triple Data Encryption Standard (3DES) algorithm with a
192-bit key length. Note that 192 bits is the nominal key size including parity bits; the
actual key material is 168 bits, and the effective security of 3DES against known
meet-in-the-middle attacks is about 112 bits. You cannot change the cryptographic algorithm
or the key length that Office OneNote 2007 uses to encrypt notes.
• Encrypted text that is idle for 10 minutes automatically locks and cannot be viewed until a
user enters a password and unlocks the text. Text is considered to be idle if a user does not
navigate to the text or edit the text.
• Add-ins are allowed to access sections of text that have been unlocked by a user.
• Users can create new encrypted sections of text, and they can encrypt existing sections
of text.
If the default encryption settings are suitable for your organization, you do not need to plan
security settings for document threats. However, you must plan security settings for document
threats if you want to do any of the following:
• Change the default CSP, cryptographic algorithm, or key length that is used by Office
Excel 2007, Office PowerPoint 2007, and Office Word 2007.
• Change the way Office OneNote 2007 behaves when sections of text are encrypted.
To learn more about document threat settings and plan security settings for document threats,
see Plan document protection settings in the 2007 Office system.

Evaluate default security settings for external threats
By default, the 2007 Office system mitigates external content threats as follows:
• Users are prevented from accessing external content from a document.
• A notification appears on the Message Bar informing users that links to external content
are blocked.
• Users can unblock links to external content by clicking the Message Bar notification and
enabling external content.
• If users unblock a hyperlink to an Office document, the document will open within an
Office application.

Note:
Links to external content are unblocked (that is, enabled) in documents that are stored in
trusted locations. Therefore, you need to evaluate the default settings for trusted
locations to determine whether the settings are adequate for protecting against external
threats. See Default settings for trusted locations earlier in this article.

If the default external threat settings are suitable for your organization, you do not need to plan
security settings for external threats. However, you must plan security settings for external threats
if you want to do any of the following:
• Disable hyperlink warnings.
• Allow images to be downloaded automatically in Office PowerPoint 2007.
To learn more about external threat settings and plan security settings for external threats, see
Plan external content settings in the 2007 Office system.

Evaluate default security settings for Internet Explorer threats
The 2007 Office system contains several settings that can help you mitigate Internet Explorer
threats. These settings, known as Internet Explorer feature control settings, enable you to restrict
Internet Explorer behavior on an application-by-application basis.
You can configure 15 Internet Explorer feature control settings in the 2007 Office system. For
detailed descriptions of each Internet Explorer feature control setting, see Security policies and
settings in the 2007 Office system.
Enabling an Internet Explorer feature control setting for an application is often referred to as
opting in an application because the application adopts the more restrictive Internet Explorer
behavior that is specified by the setting. Likewise, disabling an Internet Explorer feature control
setting for an application is often referred to as opting out an application because the application
does not adopt the more restrictive Internet Explorer behavior that is specified by the setting.
By default, Microsoft Office Groove 2007 (Groove.exe), Office Outlook 2007 (Outlook.exe), and
Microsoft Office SharePoint Designer 2007 (Spdesign.exe) are opted in to all 15 Internet Explorer
feature control settings. Microsoft Office InfoPath 2007 (Infopath.exe) is also opted in to these
Internet Explorer feature control settings, as well as three Office InfoPath 2007 components:
Document Information Panel, Workflow forms, and third-party hosting.
If these default settings are adequate for your organization, you do not need to plan Internet
Explorer feature control settings. However, you must plan Internet Explorer feature control
settings if you want to do any of the following:
• Deploy clean installations of the 2007 Office system to computers that are running an
older version of the Office system.
• Modify the Internet Explorer feature control settings for any of the applications that are
opted in by default.
• Opt in other applications in the 2007 Office system.
• Modify which Office InfoPath 2007 components are opted in.
To learn more about Internet Explorer feature control settings and plan Internet Explorer feature
control settings, see Plan Internet Explorer feature control settings in the 2007 Office
system.
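The text above describes opt-in as a per-process property but gives no way to see who is actually opted in on a given computer. The following PowerShell script is an added example, not code from the Office Resource Kit, that reports which Internet Explorer feature controls each Office executable has an explicit setting for. It assumes the feature control keys live under ...\Internet Explorer\Main\FeatureControl in the hives listed (the location Internet Explorer itself reads; the Wow6432Node and Policies paths are included on the assumption that 32-bit Office on 64-bit Windows and Group Policy may use them), that each FEATURE_* subkey holds one DWORD per process name, and that a value of 1 means opted in.

```powershell
# Added example (not from the Office Resource Kit): show which Internet Explorer
# feature controls each Office executable is opted in to.
# Assumptions: feature control keys are under ...\Internet Explorer\Main\FeatureControl
# in the hives below; each FEATURE_* subkey holds one DWORD named after a process
# executable; a value of 1 means that process is opted in (assumed IE semantics).

$processes = 'groove.exe', 'outlook.exe', 'spdesign.exe', 'infopath.exe',
             'winword.exe', 'excel.exe', 'powerpnt.exe'

$hives = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl',
         'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl',
         'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl',
         'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl'

$rows = foreach ($hive in $hives) {
    if (-not (Test-Path $hive)) { continue }
    # Each child key is one FEATURE_* control; Get-ChildItem returns RegistryKey objects.
    foreach ($feature in Get-ChildItem -Path $hive) {
        foreach ($proc in $processes) {
            $value = $feature.GetValue($proc)      # registry value names are case-insensitive
            if ($null -ne $value) {
                New-Object PSObject -Property @{
                    Hive    = $hive
                    Feature = $feature.PSChildName
                    Process = $proc
                    OptedIn = ($value -eq 1)
                }
            }
        }
    }
}

# One line per (process, feature) pair that has an explicit setting somewhere.
# A process with no row for a given FEATURE_* key has no opt-in for it at all.
$rows | Sort-Object Process, Feature, Hive |
    Format-Table Process, Feature, OptedIn, Hive -AutoSize
```

Run this before and after deploying the feature control settings to confirm that the opt-in landed where the application will read it; a value of 0 is an explicit opt-out and is worth flagging separately from a missing value.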

Evaluate default privacy options
The 2007 Office system contains several settings that can help you mitigate privacy threats and
control the disclosure of private and personal information. The default settings are as follows:
• Document Inspector is enabled. Document Inspector is a new tool that helps users
mitigate privacy threats by removing metadata, revisions, comments, custom XML tags, and
other potentially private and personal content from a document. Document Inspector is
extensible and can be programmatically modified to suit the privacy needs of your
organization.
• Metadata is protected in an encrypted document. When a user encrypts a document
with the password protection feature, the metadata in the document is encrypted. This setting
applies only to Office Open XML Formats files.
• Metadata is not protected in a rights-managed document. When a user applies
restricted permissions to a document by using Information Rights Management (IRM), the
permissions do not apply to the metadata and the metadata is not encrypted. This setting
applies only to Office Open XML Formats files.
• The option to participate in the Customer Experience Improvement Program is not
selected. The Customer Experience Improvement Program allows Microsoft to automatically
and anonymously collect information from a user's computer, including the error messages
that are generated by the software, the kind of equipment that is installed in the computer,
whether the computer is having any difficulty running Microsoft software, and whether the
hardware and software responds well and performs rapidly.
• The option to download a file periodically that helps determine system problems is
not selected. This setting allows computers to receive updates that can help improve
application reliability by detecting when a computer becomes unstable or crashes and by
automatically running the Microsoft Office Diagnostics tool to help diagnose and repair the
problem. This setting also allows Microsoft to ask users to send error reports for certain types
of error messages that might appear.
• The online content options setting is selected. This setting allows the Help system to
automatically search Microsoft Office Online when users access online Help. It also allows
users to see links to content that is on the Web and it allows the downloading of updated
content. Note: This setting is not selected by default in the French, German, and Italian
versions of the 2007 Office system.
If the default privacy options are suitable for your organization, you do not need to plan privacy
options. However, you must plan privacy options if you want to do any of the following:
• Make unavailable any Inspector modules that are used by Document Inspector.
• Protect metadata in documents that are rights-managed.
• Enforce participation in the Customer Experience Improvement Program.
• Enforce the periodic downloading of updates that improve reliability.
• Configure privacy options for Office PowerPoint 2007 or Office Word 2007.
• Prevent users from searching Microsoft Office Online and receiving Help updates when
they access the online Help.
• Suppress the Privacy Options dialog box that appears the first time users run an
application in the 2007 Office system.
• Suppress the first-run Sign up for Microsoft Update dialog box that appears the first
time users start an application in the 2007 Office system.
To learn more about privacy options and plan privacy options, see Plan privacy options in the
2007 Office system.

Evaluate default security settings for security vulnerabilities
The 2007 Office system provides several settings that can help you mitigate threats from security
vulnerabilities. These settings, known as block file format settings, enable you to prevent users
from opening or saving certain file types and file formats. The default settings are as follows:
• Users can open beta versions of the Office Open XML Formats.
• Users cannot open files that have been saved in a format that is older than the Word 6.0
format. Files that have been saved using a beta version of Word 6.0 are considered to be
older than the Word 6.0 format and cannot be opened by default.
You must design security settings for blocking file formats if you want to do any of the following:
• Mitigate zero-day attacks and exploits until you implement a software update. Zero-day
attacks are so named because they exploit a security vulnerability for which no fix is yet
available: the window between the time the vulnerability becomes known (often because it is
already being exploited) and the time you mitigate the threat by implementing a software
update. Blocking the affected file format closes that window for the file types the exploit
relies on. Software updates for security vulnerabilities are typically distributed in
Microsoft security bulletins or service packs.
• Prevent users from opening beta versions of the Office Open XML Formats.
• Allow users to open files that have been saved in file formats that are older than Word
6.0.
• Prevent users from opening or saving specific file types, such as .htm, .rtf, and .doc files.
• Prevent users from opening files that are compatible with previous versions of Office
Excel 2007, Office PowerPoint 2007, and Office Word 2007.
• Prevent users from opening documents through external converters, such as a
WordPerfect converter that is installed with the 2007 Office system.
To learn more about block file format settings and plan security settings for blocking file formats,
see Plan block file format settings in the 2007 Office system.

See Also
Overview of security in the 2007 Office system
Overview of security planning for the 2007 Office system

Plan trusted locations and trusted publishers
settings for the 2007 Office system
In this article:
• Plan for trusted locations
• Plan for trusted publishers
The trusted locations feature of the 2007 Microsoft Office system enables you to designate
folders on the hard disks of users' computers or on a network share as trusted file sources. When
a folder is designated as a trusted file source, any file that is saved in the folder is assumed to be
a trusted file. When a trusted file is opened, all content in the file is enabled and active, and users
are not notified about any potential risks that might be contained in the file, such as unsigned
macros, ActiveX controls, or links to content on the Internet.
In addition to trusted locations, you can use the Trusted Publishers list to designate content
publishers that you trust. A publisher is any developer, software company, or organization that has
created and distributed an ActiveX control, add-in, or macro. A trusted publisher is any publisher
that has been added to the Trusted Publishers list. When a file is opened, and the file contains
content that is created by a trusted publisher, all of the content is enabled and active and users
are not notified about any potential risks that might be contained in the file.
To plan for trusted locations and trusted publishers, use the best practices and recommended
guidelines in the following sections.

Plan for trusted locations


The 2007 Office system provides several settings that enable you to control the behavior of
trusted locations. By configuring these settings you can:
• Disable all trusted locations.
• Specify trusted locations globally or on a per-application basis.
• Allow trusted locations to exist on remote shares.
• Prevent users from creating trusted locations.
For detailed information about each trusted location setting, see Security policies and settings
in the 2007 Office system.
Although you can configure trusted locations to suit a wide variety of scenarios, the most common
scenarios for trusted locations include:
• Disabling the trusted locations feature to prevent users from creating trusted locations
and prevent applications from recognizing trusted locations.
• Implementing the trusted locations feature with custom trusted locations.

Disabling trusted locations
To disable trusted locations, configure the trusted locations settings as recommended in the
following table.

Setting name: Disable all trusted locations
Recommended configuration: Select this option: Enabled
Description: By default, trusted locations are enabled. Enabling this option disables all
trusted locations, including trusted locations that were:
• Created by default during setup.
• Created by users through the graphical user interface.
• Deployed through Group Policy.
Enabling this option also prevents users from configuring trusted locations settings in the
Trust Center. This is not a global setting; you must enable this option on a per-application
basis for Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office
PowerPoint 2007, Microsoft Office Visio 2007, and Microsoft Office Word 2007.

If you disable trusted locations, be sure that you:


• Notify users that they cannot use the trusted locations feature. If users have been
opening files from trusted locations, and you disable trusted locations, users might start
seeing warnings in the Message Bar and they might be required to respond to Message Bar
warnings to enable active content, such as ActiveX controls and Visual Basic for Applications
(VBA) macros.
• Record the settings in your security planning documents and in your security operations
documents.

Implementing trusted locations


To implement trusted locations, you must determine:
• Which applications you want to configure trusted locations for.
• Which folders you want to use for trusted locations.
• What folder sharing and folder security settings you want to apply to your trusted
locations.
• Which restrictions you want to apply to trusted locations.

Determine which applications you want to configure trusted locations for


You can configure trusted locations for Office Access 2007, Office Excel 2007, Office PowerPoint
2007, Office Visio 2007, and Office Word 2007. As you determine which applications you want to
configure trusted locations for, keep the following in mind:
• Trusted locations affect all active content in a file, including ActiveX controls, hyperlinks,
links to data sources and media, and VBA macros.
• Each application provides the same settings for configuring trusted locations. This means
that you can independently customize trusted locations for each application.
• You can disable trusted locations for one or more applications, and implement trusted
locations for other applications.

Determine which folders you want to use for trusted locations


If the default trusted locations folders are not adequate for your organization, you can create your
own folders and specify them as trusted locations. For more information about default trusted
locations, see Evaluate default security settings and privacy options for the 2007 Office
system.
As you determine which folders you want to specify as trusted locations, keep the following in
mind:
• You can specify trusted locations on a per-application basis or globally.
• One or more applications can share a trusted location.
• To prevent malicious users from adding files to the trusted location or modifying files that
are saved in the trusted location, you must secure any folder that you designate as a trusted
location.
• We do not recommend that you specify network shares as trusted locations. By default,
only trusted locations that are on users' hard disks are allowed. To enable trusted locations
on network shares, you must enable the Allow Trusted Locations not on the computer
setting.
• We do not recommend that you specify the entire Documents or My Documents folder as
a trusted location. Instead, create a subfolder within those folders and specify only that folder
as a trusted location.

In addition, you must use the guidelines in the following sections if you want to:
• Use environment variables to specify trusted locations.
• Specify Web folders (that is, http:// paths) as trusted locations.

Using environment variables to specify trusted locations


You can use environment variables to specify trusted locations, but you must change the value
type that is used to store trusted locations in the registry for environment variables to work
properly. If you use an environment variable to specify a trusted location, and you do not make
the necessary registry modification, the trusted location appears in the Trust Center, but it is
unavailable and it appears as a relative path containing the environment variables. After you
change the value type in the registry, the trusted location will appear in the Trust Center as an
absolute path and it will be available.

Important:
You cannot use environment variables when you specify trusted locations by using Group
Policy. You can use environment variables to specify trusted locations only by using the
Office Customization Tool (OCT).
To use environment variables to specify trusted locations, do the following:
1. Use the Registry Editor to locate the trusted location that is represented by an
environment variable.
Trusted locations that are configured by using the OCT are stored under the following key:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\application_name\Security\Trusted Locations
Where application_name can be Access, Excel, PowerPoint, Visio, or Word. Each trusted location
is a separate subkey beneath this key (Location0, Location1, and so on).
The folder path of each trusted location is stored in a registry entry named Path in that
subkey, and it is stored as a String Value (REG_SZ) value type. Be sure to locate each Path
entry that uses environment variables to specify a trusted location.
2. Change the Path value type.
Applications in the 2007 Office system cannot recognize environment variables that are
stored as String Value (REG_SZ) value types. For applications to recognize environment
variables, you must change the value type of the Path entry so it is an Expandable String
Value (REG_EXPAND_SZ) value type. To do this, perform the following steps:

Note:
Incorrectly editing the registry might severely damage your system. Before making
changes to the registry, you should back up any valued data on the computer.
a. Write down or copy the value of the Path entry. This should be a relative path that
contains one or more environment variables.
b. Delete the Path entry.

c. Create a new Path entry of type Expandable String Value (REG_EXPAND_SZ).
d. Set the new Path entry to the same value that you wrote down or copied in step a.
Be sure to make this change for each Path entry that uses environment variables to specify a
trusted location.
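The manual procedure above is error-prone when there are many trusted locations or many users. The following PowerShell script is an added example, not part of the Office Resource Kit, that performs the same delete-and-recreate step for every Path entry that contains an environment variable and is still stored as REG_SZ. It assumes the per-user registry layout described above (one LocationN subkey per trusted location under ...\Security\Trusted Locations), that environment variables use the %NAME% form, and that it is run in the context of the affected user after the registry has been backed up.

```powershell
# Added example (not from the Office Resource Kit): convert trusted-location Path
# values that contain environment variables from REG_SZ to REG_EXPAND_SZ.
# Assumptions: per-user Office 2007 layout described above, one LocationN subkey
# per trusted location; environment variables are written as %NAME%; run as the
# affected user; back up HKCU\Software\Microsoft\Office\12.0 before running.

$apps = 'Access', 'Excel', 'PowerPoint', 'Visio', 'Word'

foreach ($app in $apps) {
    $root = "HKCU:\Software\Microsoft\Office\12.0\$app\Security\Trusted Locations"
    if (-not (Test-Path $root)) { continue }

    foreach ($loc in Get-ChildItem -Path $root) {
        # Read the value without expanding it, so "%APPDATA%" stays literal and we
        # can tell whether the entry relies on environment variables at all.
        $raw = $loc.GetValue('Path', $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if (-not $raw) { continue }
        $kind = $loc.GetValueKind('Path')

        $usesEnvVar = $raw -match '%[^%]+%'
        if ($usesEnvVar -and $kind -eq [Microsoft.Win32.RegistryValueKind]::String) {
            Write-Host "FIX  $($loc.PSPath)`n     $raw  ($kind -> ExpandString)"
            # Same steps as the manual procedure: remove the REG_SZ entry, then
            # re-create it as REG_EXPAND_SZ with the identical unexpanded text.
            Remove-ItemProperty -Path $loc.PSPath -Name 'Path'
            New-ItemProperty -Path $loc.PSPath -Name 'Path' `
                -PropertyType ExpandString -Value $raw | Out-Null
        }
        else {
            Write-Host "OK   $($loc.PSPath)`n     $raw  ($kind)"
        }
    }
}
```

After the script runs, open the Trust Center for each application and confirm that the affected locations now display as absolute paths and are no longer greyed out. Trusted locations deployed through Group Policy live under the Policies hive and are deliberately not touched, because, as noted above, environment variables are not supported there.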

Specifying Web folders as trusted locations


You can specify Web folders (that is, http:// paths) as trusted locations; however, only those
Web folders that support the Web Distributed Authoring and Versioning (WebDAV) or FrontPage
Server Extensions Remote Procedure Call (FPRPC) protocols will be recognized as trusted locations.
Use the following guidelines if you are not sure whether a Web folder supports the WebDAV or
FPRPC protocols:
• If an application is opened by Internet Explorer, check the most recently used files list. If
the most recently used files list indicates that the file is located on a remote server, rather
than in the Temporary Internet Files folder, it is likely that the Web folder supports WebDAV in
some form. For example, if you click a document while browsing in Internet Explorer, and the
document opens in Office Word 2007, the most recently used files list should show that the
document is located on the remote server and not in the local Temporary Internet Files folder.
• Try to use the Open dialog box to browse to the Web folder. If the path supports
WebDAV, you should be able to browse to the Web folder or you should get prompted for
credentials. If the Web folder does not support WebDAV, navigation fails and the dialog box
closes.

Note:
Sites that are created with Windows SharePoint Services 3.0 and Microsoft Office
SharePoint Server 2007 can be designated as trusted locations.

Determine folder sharing and folder security settings


All folders that you specify as trusted locations must be shared and must be secured. Use the
following guidelines to determine which sharing settings and security settings you need to apply
to each trusted location:
• Share each folder that you designate as a trusted location so that users can access the
files that are saved in the trusted location.
• Configure share permissions so that only authorized users have access to the shared
folder. Apply the principle of least privilege and grant permissions that are appropriate to
each user: grant Read permission to users who only need to open trusted files, and Change
permission (not Full Control) to users who need to modify them.
• Apply NTFS folder permissions so that only authorized users can read or modify the files in
trusted locations. Again apply least privilege: grant Modify (not Full Control) only to those
users who need to change files, and Read & Execute or more restrictive permissions to those
who need only to read files. Full Control additionally lets a user change the folder's
permissions, which is never required to maintain trusted files. Remember that anyone who can
write to a trusted location can place a document there whose macros, ActiveX controls, and
external links will run without any warning to other users of that location.
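Deciding on permissions is one thing; verifying that the trusted locations actually present on a computer have them is another. The following PowerShell script is an added example, not part of the Office Resource Kit, that enumerates the trusted locations registered for the current user and reports which principals other than the expected system accounts can write to each folder. It assumes the per-user registry layout described earlier (one LocationN subkey per trusted location with a Path string and an AllowSubfolders DWORD, 1 meaning subfolders are trusted) and that the listed well-known account names are the only ones expected to have write access to application folders.

```powershell
# Added example (not from the Office Resource Kit): list every trusted location
# registered for the current user and show who can write to it. A trusted
# location that an ordinary user can write to lets that user, or malware running
# as that user, drop a document whose active content runs with no prompt.
# Assumptions: per-user Office 2007 layout (LocationN subkeys with Path and
# AllowSubfolders); the principals below are the expected writers (assumption).

$apps = 'Access', 'Excel', 'PowerPoint', 'Visio', 'Word'
$expectedWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'

# Rights that allow adding or replacing files. Inherited ACEs frequently carry
# generic rights instead of specific ones, so GENERIC_WRITE and GENERIC_ALL are
# included explicitly in the mask.
$specific  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

$report = foreach ($app in $apps) {
    $root = "HKCU:\Software\Microsoft\Office\12.0\$app\Security\Trusted Locations"
    if (-not (Test-Path $root)) { continue }

    foreach ($loc in Get-ChildItem -Path $root) {
        $props = Get-ItemProperty -Path $loc.PSPath
        $path  = [Environment]::ExpandEnvironmentVariables([string]$props.Path)
        if (-not $path) { continue }
        $subs  = if ($props.AllowSubfolders -eq 1) { 'subfolders trusted' } else { 'folder only' }

        if ($path -match '^(https?:|\\\\)') {
            # Web folders and UNC paths: review the share and server ACLs there.
            $verdict = 'REMOTE (ACL not checked here)'
        }
        elseif (-not (Test-Path -LiteralPath $path)) {
            $verdict = 'MISSING'
        }
        else {
            $acl = Get-Acl -Path $path
            $writers = $acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
                    $expectedWriters -notcontains $_.IdentityReference.Value
                } |
                ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
            $verdict = if ($writers) { 'WRITABLE BY ' + ($writers -join ', ') } else { 'ok' }
        }

        New-Object PSObject -Property @{
            Application = $app; Path = $path; Subfolders = $subs; Verdict = $verdict
        }
    }
}

$report | Format-Table Application, Path, Subfolders, Verdict -AutoSize
```

Expect the per-user default locations (the Templates, XLSTART, and Word\Startup folders under the user's profile) to be reported as writable by that user: they are designed that way, which is exactly why they are a favoured place for macro persistence. Either accept that risk knowingly or remove those locations through Group Policy and set Allow mix of policy and user locations to Disabled so that only the locations you control remain.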

Determine restrictions for trusted locations


There are several settings that you can use to restrict or control the behavior of trusted locations.
Use the recommendations in the following table to determine how to configure these settings.

Setting name: Allow mix of policy and user locations
Recommended configuration: Select this option: Disabled
Description: By default, a computer can have a combination of user-created, OCT-created, and
Group Policy-created trusted locations. Disabling this option disables all trusted locations
that are not created by Group Policy and prevents users from creating new trusted locations
through the graphical user interface in the Trust Center. This is a global setting that
applies to all applications for which you configure trusted locations.

Setting name: Allow Trusted Locations not on the computer
Recommended configuration: Select this option: Disabled
Description: By default, trusted locations that are network shares are disabled, but users
can still select the Allow Trusted Locations on my network check box in the Trust Center
graphical user interface. Disabling this option disables trusted locations that are network
shares and prevents users from selecting the Allow Trusted Locations on my network check
box in the Trust Center graphical user interface. If you specify Disabled, and a user
attempts to designate a network share as a trusted location, a warning informs the user that
the current security settings do not allow the creation of trusted locations with remote
paths or network paths. If an administrator designates a network share as a trusted location
through Group Policy or by using the OCT, and this setting is Disabled, the trusted location
is disabled and will not be recognized by an application. This is not a global setting; you
must configure this setting on a per-application basis for Office Access 2007, Office Excel
2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007.

48
Note:
You can also use the Remove all trusted locations written by the OCT during
installation setting to delete all trusted locations that have been created by configuring
the OCT. For more information about this setting, see Security policies and settings in
the 2007 Office system.

Plan for trusted publishers


The 2007 Office system stores certificates for trusted publishers in the Internet Explorer trusted
publisher store. Previous versions of Office stored trusted publisher certificate information
(specifically, the certificate thumbprint) in a special Office trusted publisher store. The 2007 Office
system still reads trusted publisher certificate information from the Office trusted publisher store,
but it does not write information to this store. So, if you created a list of trusted publishers in a
previous version of Office, and you upgrade to the 2007 Office system, your trusted publisher list
will still be recognized. However, any trusted publisher certificates that you add to the list will be
stored in the Internet Explorer trusted publisher store. This behavior is the same for all
applications that use the trusted publishers list, including:
• Office Access 2007
• Office Excel 2007
• Microsoft Office InfoPath 2007
• Microsoft Office Outlook 2007
• Office PowerPoint 2007
• Microsoft Office Publisher 2007
• Office Visio 2007
• Office Word 2007
You cannot use the Office 2007 Administrative Templates to add certificates to the trusted
publishers list; however, you can use the OCT. To do this, you must have the digital certificate
(.cer file) from the trusted publisher. If you cannot obtain a certificate directly from the publisher,
you can export a certificate from a file that the publisher has signed, such as a dynamic-link
library (.dll) file or an executable (.exe) file. The following procedure shows you how to do this.

Export a certificate from a .dll file


1. Right-click the .dll file that the publisher has signed, and then click Properties.
2. Click the Digital Signatures tab.
3. In Signature list, click the certificate, and then click Details.
4. In the Digital Signature Details dialog box, click View Certificate.
5. Click the Details tab, and then click Copy to File.
6. In the Certificate Export Wizard welcome page, click Next.
7. On the Export File Format page, click DER encoded binary X.509 (.CER), and then
click Next.
8. On the File to Export page, type a path and name for the .cer file, click Next, and
then click Finish.

Alternatively, you can use the following procedure to determine which certificates you need and then create
them from within Microsoft Office Word 2007.

Determine which certificates are needed


1. On a test computer or a client computer that is running the standard configuration for
your organization (including any add-ins that users need), enable the Require
Application Add-Ins to be signed by Trusted Publisher option:
a. Click the Microsoft Office Button, click Word Options, click Trust Center, click
Trust Center Settings, click Add-ins, click Require Application Add-ins to be
signed by Trusted Publisher, and then click OK.
2. Exit and restart Word. If add-ins are installed, the Security Warning bar displays the
following message: Application add-ins have been disabled.
3. Temporarily disable SmartTags:
a. Click the Microsoft Office Button, click Word Options, and then click OK. The
Security Warning bar displays the following message: Some active content has
been disabled.

Note:
SmartTags will be enabled again after you close and then restart Word.
b. On the Security Warning bar, click Options.
4. On the Security Alerts – Multiple Issues window, install each certificate to the
Trusted Publishers list by performing the following steps for each add-in that shows a
valid digital signature:

Note:
If you did not disable SmartTags in the previous step, you will see a different
window from which you will not be able to install certificates.
a. Click Show Signature Details.
b. In the Digital Signature Details window, click View Certificate.
c. In the Certificate window, click Install Certificate.
d. In the Certificate Import Wizard, click Next, click Place all certificates in the
following store, click Browse, click Trusted Publishers, click OK, click Next, and
then click Finish.
5. Prepare the certificate files for distribution:
a. In the Trusted Publishers box (click the Microsoft Office Button, click Word
Options, click Trust Center, click Trust Center Settings, and then click Trusted
Publishers), view the certificates that you installed.
b. For each certificate, double-click the certificate and then perform the following
steps:
i. In the Certificate window, on the Details tab, click Copy to File.
ii. In the Certificate Export Wizard, click Next, and then click Next again to accept
the default file format, enter a file name, select a location to store the file, and then
click Finish.
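The two procedures above can be scripted for a whole folder of add-ins. The following PowerShell script is an added example, not part of the Office Resource Kit: for every Authenticode-signed .dll, .exe, .xll or .wll file under an assumed folder it writes the signer certificate to a DER-encoded .cer file (the same format the Certificate Export Wizard produces) and reports whether that publisher is already in the current user's Trusted Publishers store. The folder paths are assumptions for this example.

```powershell
# Added example (not from the Office Resource Kit): export each signer certificate as a
# DER .cer file and report which publishers are not yet in the Trusted Publishers store.
param(
    [string]$AddInPath  = 'C:\Temp\AddIns',      # assumed: folder holding the add-in files
    [string]$OutputPath = 'C:\Temp\TrustedPubs'  # assumed: where the exported .cer files go
)

# Thumbprints already present in the store that the 2007 Office system consults
$trustedThumbprints = Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher |
    Select-Object -ExpandProperty Thumbprint

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

$report = foreach ($file in Get-ChildItem -Path $AddInPath -Include *.dll, *.exe, *.xll, *.wll -Recurse -File) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    # 'Valid' means the signature verifies and the chain ends at a trusted root; anything else
    # (NotSigned, HashMismatch, NotTrusted, ...) is reported but never exported as a publisher.
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        [pscustomobject]@{
            File = $file.Name; Publisher = $null; Thumbprint = $null
            Status = $sig.Status; AlreadyTrusted = $false; Exported = $null
        }
        continue
    }

    $cert = $sig.SignerCertificate
    # X509ContentType::Cert yields the same bytes as "DER encoded binary X.509 (.CER)" in the wizard
    $cerFile = Join-Path $OutputPath ("{0}.cer" -f $cert.Thumbprint)
    [System.IO.File]::WriteAllBytes(
        $cerFile,
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

    [pscustomobject]@{
        File           = $file.Name
        Publisher      = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        Status         = $sig.Status
        AlreadyTrusted = ($trustedThumbprints -contains $cert.Thumbprint)
        Exported       = $cerFile
    }
}

$report | Format-Table -AutoSize
```

Rows with AlreadyTrusted set to False and a non-empty Exported path are the .cer files to hand to the OCT; rows whose Status is not Valid are add-ins that will be blocked or prompted for once signing by a trusted publisher is required.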

See Also
Evaluate default security settings and privacy options for the 2007 Office system
Configure trusted locations and trusted publishers settings in the 2007 Office system

Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
The 2007 Microsoft Office system contains several settings that enable you to change the
behavior of ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros. To plan for
ActiveX controls, add-ins, and macros, use the best practices and recommended guidelines in the
following sections:
• Plan security settings for ActiveX controls
• Plan security settings for add-ins
• Plan security settings for macros

Plan security settings for ActiveX controls


The 2007 Office system provides several security settings that enable you to control the way
ActiveX controls behave and the way users are notified about potentially unsafe ActiveX controls.
These settings are typically used to:
• Disable ActiveX controls in all documents.
• Allow all ActiveX controls to initialize and run without notification.
• Modify the way ActiveX controls are initialized based on the Safe for Initialization (SFI)
and Unsafe for Initialization (UFI) parameters.
To plan security settings for ActiveX controls, use the best practices and recommended guidelines
in the following sections. These guidelines are based on the Enterprise Client (EC) environment
rather than the Specialized Security Limited Functionality (SSLF) environment. The EC
environment represents an organization that has typical security needs. It is suitable for midsize
and large organizations that seek to balance security and functionality. The SSLF environment
represents a less typical organization, one in which security is paramount. It is suitable only for
midsize and large organizations that have stringent security standards, for which security is more
important than application functionality.

Disable ActiveX controls in all documents


If your security architecture is highly restrictive and you want to help minimize the potential risk
from ActiveX controls, you can disable ActiveX controls. Disabling ActiveX controls prevents all
ActiveX controls in a file from initializing (that is, loading) when a file is opened. In some cases, a
disabled ActiveX control might appear in a file as a red x or some other symbol, but the control is
disabled and no action will occur if a user clicks the symbol. Also, when you disable ActiveX
controls, users are not notified that ActiveX controls are disabled.

To disable ActiveX controls, configure any one of the settings as recommended in the following
table.

Setting name: Disable all ActiveX
Recommended configuration: Not configured
Description: By default, users are prompted to enable ActiveX controls. When you enable this setting, all ActiveX controls are disabled and are not initialized when a user opens a file containing ActiveX controls. Also, when you enable this setting, users are not notified that ActiveX controls are disabled. This setting can be configured in the Office Customization Tool (OCT) and with the 2007 Office system Administrative Templates (.adm files). This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.

Setting name: Unsafe ActiveX initialization
Recommended configuration: Select this configuration: Do not prompt and disable all controls
Description: By default, the Unsafe ActiveX initialization setting is Prompt user to use persisted data. When you select Do not prompt and disable all controls, all ActiveX controls are disabled and are not initialized when a user opens a file containing ActiveX controls. In addition, users are not notified that ActiveX controls are disabled. This setting exists only in the OCT. This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.

Note:
ActiveX controls cannot be disabled in files that are saved in trusted locations. When a
file is opened from a trusted location, all active content in the file is initialized and allowed
to run without notification even if you disable ActiveX controls.
If you disable ActiveX controls, be sure that you:
• Notify users that ActiveX controls are disabled and that no notifications will appear when
they open files that contain disabled ActiveX controls.
• Test the effect that disabling ActiveX controls might have on your organization. Because
many Office solutions are built with ActiveX controls, disabling ActiveX controls can cause
unexpected behavior and prevent applications from working properly.
• Record the settings in your security planning documents and in your security operations
documents.

Allow all ActiveX controls to initialize and run without notification

You can configure the 2007 Office system so that all ActiveX controls initialize and run without
notification. This can be useful in some test and development environments, and in isolated
environments where supplemental security mechanisms such as firewalls, virus detection
programs, and intrusion detection programs help ensure that files do not contain malicious
content.

Important:
We do not recommend that you allow ActiveX controls to initialize and run without
warning in a production environment. Allowing ActiveX controls to initialize and run
without warning can substantially increase your risk of attack and potentially weaken your
organization's security.
To allow ActiveX controls to initialize and run without notification, configure any one of the settings
as recommended in the following table.

Setting name: Unsafe ActiveX initialization
Recommended configuration: Select this configuration: Do not prompt
Description: By default, the Unsafe ActiveX initialization setting is Prompt user to use persisted data. When you select Do not prompt, all ActiveX controls are enabled and are initialized with minimal restrictions (that is, persisted values) when a user opens a file containing ActiveX controls. Also, users are not notified that ActiveX controls are enabled and ActiveX controls that are SFI are not enabled in safe mode. This setting exists only in the OCT. This setting applies to the 2007 Office system and earlier versions of Office.

Setting name: ActiveX Control Initialization
Recommended configuration: Select this configuration: 2
Description: By default, this setting has a value of 6. When you change this to 2, SFI and UFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode, and users are not notified that ActiveX controls are enabled. This setting can be configured only with the 2007 Office system Administrative Templates (.adm files). This setting applies to the 2007 Office system and earlier versions of Office.

For a list of all configurations, see the 2007 Microsoft Office Security Guide (Threats and
Countermeasures: Security Settings in the 2007 Office System)
(http://go.microsoft.com/?linkId=7711534).
If you allow all ActiveX controls to initialize and run without notification, be sure that you:
• Notify users that ActiveX controls are enabled and that no notifications will appear when
they open files that contain ActiveX controls.
• Record the settings in your security planning documents and in your security operations
documents.

Modify the way ActiveX controls are initialized based on SFI and UFI parameters
The 2007 Office system provides several settings that enable you to control the way ActiveX
controls are initialized based on SFI, UFI, and safe-mode parameters. SFI, UFI, and safe mode
are parameters that developers can configure when they create ActiveX controls. ActiveX controls
that are marked SFI use safe data sources to initialize. A safe data source is one that is trusted,
known, and does not cause a security breach. Controls that are not marked SFI are considered to
be UFI.
Safe mode is another security mechanism that developers can use to help ensure the safety of
ActiveX controls. When a developer creates an ActiveX control that implements safe mode, the
control can be initialized in two ways: in safe mode and in unsafe mode. When an ActiveX control
is initialized in safe mode, certain restrictions that limit functionality are imposed on the control.
Conversely, when an ActiveX control is initialized in unsafe mode, there are no restrictions on its
functionality. For example, an ActiveX control that reads and writes files might only be allowed to
read files if it is initialized in safe mode, and it might be able to read and write files when it is
initialized in unsafe mode. Only ActiveX controls that are SFI can be initialized in safe mode.
ActiveX controls that are UFI are always initialized in unsafe mode.
By default, ActiveX controls are initialized as follows in the 2007 Office system:
• If a file contains a VBA project, users are prompted to enable or disable the ActiveX
controls that are in the file. If users choose to enable the ActiveX controls, all SFI and UFI
controls are initialized with minimal restrictions (that is, with persistent values). If persistent
values are not available, the controls are initialized with default values by using the InitNew
method. SFI controls are initialized in safe mode.
• If the file does not contain a VBA project, and the file contains only SFI controls, the SFI
controls are initialized with minimal restrictions (that is, with persistent values). If persistent
values are not available, the controls are initialized with default values by using the InitNew
method. SFI controls are initialized in safe mode.
• If the file does not contain a VBA project, and the file contains both SFI and UFI controls,
users are prompted to enable or disable the ActiveX controls that are in the file. If users
choose to enable the ActiveX controls, SFI controls are initialized with minimal restrictions
(that is, with persistent values), and UFI controls are initialized with default values by using
the InitNew method. SFI controls are initialized in safe mode.
If this default behavior is not adequate for your organization but you do not want to disable
ActiveX controls, you can strengthen the way ActiveX controls are initialized by forcing UFI
controls to be initialized with default values instead of minimal restrictions when a file contains a
VBA project. To do this, configure either of the following settings as recommended in the following
table.

Setting name: Unsafe ActiveX initialization
Recommended configuration: Select this configuration: Prompt user to use control defaults
Initialization behavior when a VBA project is present: Prompts users to enable or disable controls. If a user enables controls, SFI controls are initialized with minimal restrictions (that is, with persisted values), and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode. This setting exists only in the OCT. This setting applies to the 2007 Office system and earlier versions of Office.
Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode. Users are not prompted to enable controls. If the file contains UFI controls, users are prompted to enable or disable controls. If a user enables controls, SFI controls are initialized with minimal restrictions and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.

Setting name: ActiveX Controls Initialization
Recommended configuration: Select this configuration: 4
Initialization behavior when a VBA project is present: Same as behavior for Unsafe ActiveX initialization setting.
Initialization behavior when no VBA project is present: Same as behavior for Unsafe ActiveX initialization setting.

You can configure ActiveX control settings to accommodate many more security scenarios. For
more information about ActiveX control settings in the 2007 Office system, including descriptions
of all settings and a comparison of OCT, Group Policy, and Trust Center settings, see Security
policies and settings in the 2007 Office system. For more information about configuring
ActiveX control settings, see Configure security settings for ActiveX controls, add-ins, and
macros in the 2007 Office system.
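Which of the three default cases above applies to a given file depends on whether it carries a VBA project and whether its controls are SFI or UFI. The following PowerShell script is an added example, not part of the Office Resource Kit: it opens an Office Open XML file (.docm, .xlsm, .pptm and similar), looks for the vbaProject.bin part and the activeX<n>.xml control parts, classifies each control by checking whether its CLSID is registered under the standard Windows component category for Safe for Initialization (CATID_SafeForInitializing), and reports the default behavior the text describes for that combination. The function names and the sample path are this example's own; a control that is not registered on the computer running the script cannot be classified and is reported as such.

```powershell
# Added example (not from the Office Resource Kit): predict the default ActiveX prompt
# behavior for an Office Open XML file from its VBA project and SFI/UFI control mix.
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Standard Windows component category that a developer registers under
# HKCR\CLSID\<clsid>\Implemented Categories to mark a control Safe for Initialization.
$CatidSafeForInit = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-ControlSafety {
    param([Parameter(Mandatory)][string]$ClassId)
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$ClassId"
    if (-not (Test-Path -LiteralPath $clsidKey)) { return 'Unregistered' }
    if (Test-Path -LiteralPath "$clsidKey\Implemented Categories\$CatidSafeForInit") { return 'SFI' }
    return 'UFI'   # registered but not marked SFI: treated as UFI, as the text above states
}

function Get-OfficeActiveContent {
    param([Parameter(Mandatory)][string]$Path)
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $zip = [System.IO.Compression.ZipFile]::OpenRead($fullPath)
    try {
        # word/, xl/ and ppt/ packages all store the macro project as vbaProject.bin
        $hasVba = [bool]($zip.Entries | Where-Object { $_.FullName -match '(^|/)vbaProject\.bin$' })
        # Each embedded control has an activeX<n>.xml part whose root element carries ax:classid
        $controls = @(foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -match '/activeX/activeX\d+\.xml$' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$part = $reader.ReadToEnd() } finally { $reader.Dispose() }
            $clsid = $part.DocumentElement.GetAttribute('classid', 'http://schemas.microsoft.com/office/2006/activeX')
            [pscustomobject]@{ Part = $entry.FullName; ClassId = $clsid; Safety = (Get-ControlSafety -ClassId $clsid) }
        })
    } finally { $zip.Dispose() }

    $unregistered = @($controls | Where-Object { $_.Safety -eq 'Unregistered' }).Count
    $hasUfi = [bool]($controls | Where-Object { $_.Safety -eq 'UFI' })

    # Map the file to the default cases described in the text above
    $expected =
        if ($controls.Count -eq 0)  { 'No ActiveX controls: no prompt' }
        elseif ($hasVba)            { 'VBA project present: user is prompted; if enabled, SFI and UFI controls use persisted values, SFI in safe mode' }
        elseif ($unregistered -gt 0) { 'No VBA project, but a control is not registered on this computer: cannot classify' }
        elseif (-not $hasUfi)       { 'No VBA project, SFI controls only: initialized without prompt, SFI in safe mode' }
        else                        { 'No VBA project, SFI and UFI mix: user is prompted; if enabled, SFI uses persisted values, UFI uses InitNew defaults' }

    [pscustomobject]@{
        File                    = $fullPath
        HasVbaProject           = $hasVba
        Controls                = $controls
        ExpectedDefaultBehavior = $expected
    }
}

# Usage with an assumed sample path:
# Get-OfficeActiveContent -Path 'C:\Temp\report.docm' | Format-List
```

Running this over a share of line-of-business documents before changing the Unsafe ActiveX initialization or ActiveX Control Initialization settings shows which files will start prompting, or stop initializing, under the stricter configuration.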
Plan security settings for add-ins
The 2007 Office system provides several settings that enable you to change the way add-ins
behave. Add-ins, also known as application extensions, are supplemental programs or
components that extend the functionality of applications. Add-ins must be installed and registered,
and can include:
• Component Object Model (COM) add-ins.
• Smart tags.
• Automation add-ins.
• RealTimeData (RTD) servers.
• Application add-ins (for example, .wll, .xll, and .xlam files).
• XML expansion packs.
• XML style sheets.
By default, installed and registered add-ins are allowed to run without notification. However, you
can use the security settings for add-ins to change this behavior. Specifically, you can:
• Disable add-ins on a per-application basis.
• Require that add-ins are signed by a trusted publisher.
• Disable notifications for unsigned add-ins.

Disable add-ins on a per-application basis


If your security architecture is highly restrictive and you want to help minimize the potential risk
from add-ins, you can disable add-ins. When you disable add-ins, you prevent add-ins from
running, and users are not notified that add-ins are disabled.
You cannot globally disable add-ins. You can disable add-ins only on a per-application basis for
the following applications:
• Microsoft Office Access 2007
• Microsoft Office Excel 2007
• Microsoft Office PowerPoint 2007
• Microsoft Office Publisher 2007
• Microsoft Office Visio 2007
• Microsoft Office Word 2007

To disable add-ins, configure either of the settings as recommended in the following table.

Setting name: Disable all application add-ins
Recommended configuration: Not configured
Description: By default, add-ins are enabled. When you select this option, add-ins are disabled and users are not notified that add-ins are disabled. This setting can be configured in the OCT and with the 2007 Office system Administrative Templates (.adm files). You must configure this setting on a per-application basis.

Setting name: Application add-ins warnings options
Recommended configuration: Select this configuration: Disable all application extensions
Description: By default, the Application add-ins warnings options setting is Enable all installed application add-ins. When you select Disable all application extensions, all add-ins are disabled and users are not notified that add-ins are disabled. This setting exists only in the OCT. You must configure this setting on a per-application basis.

If you disable add-ins, be sure that you:
• Notify users that add-ins are disabled.
• Record the settings in your security planning documents and in your security operations
documents.

Require that add-ins are signed by a trusted publisher
If you do not want to disable add-ins, but you still want to increase the security of add-ins, you
can require that add-ins are signed by a trusted publisher. When you do this, the following
behavior occurs:
• Trusted add-ins run without notification. A trusted add-in is an add-in that is saved in a
trusted location or an add-in that is signed by a publisher that is on the Trusted Publishers list.
• Unsigned add-ins are disabled, but users are prompted to enable or disable the add-ins.
• Add-ins that are signed by a publisher that is not on the Trusted Publishers list are
disabled, but users are prompted to enable or disable the add-ins.
You cannot globally configure a setting that requires add-ins to be signed by a trusted publisher.
You must configure this setting on a per-application basis, and you can configure it for only the
following applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007
To require that add-ins are signed by a trusted publisher, configure either of the settings as
recommended in the following table.

Setting name: Require that application add-ins are signed by trusted publisher
Recommended configuration: Not configured
Description: By default, add-ins are enabled. When you select this option, add-ins that are signed by a publisher that is on the Trusted Publishers list will run without notification. Unsigned add-ins, and add-ins that are signed by a publisher that is not on the Trusted Publishers list, will be disabled, but users will be prompted to enable or disable the add-ins. This setting can be configured in the OCT and with the 2007 Office system Administrative Templates (.adm files). You must configure this setting on a per-application basis.

Setting name: Application add-ins warnings options
Recommended configuration: Select this configuration: Require that application extensions are signed by a trusted publisher
Description: By default, the Application add-ins warnings options setting is Enable all installed application add-ins. When you select Require that application extensions are signed by a trusted publisher, add-ins that are signed by a publisher that is on the Trusted Publishers list will run without notification. Unsigned add-ins, and add-ins that are signed by a publisher that is not on the Trusted Publishers list, will be disabled, but users will be prompted to enable or disable the add-ins. This setting exists only in the OCT. You must configure this setting on a per-application basis.

Be sure to record these settings in your security planning documents and in your security
operations documents.
Disable notifications for unsigned add-ins
Even if you require that add-ins be signed by a trusted publisher, users can still enable unsigned
add-ins through the Message Bar. If you do not want users to enable unsigned add-ins, you can
disable notifications for unsigned add-ins. You can do this only on a per-application basis, and
you can configure it for only the following applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007

To do this, configure either of the settings as recommended in the following table.

Setting name: Disable trust bar notification for unsigned application add-ins
Recommended configuration: Not configured
Description: By default, add-ins are enabled. When you select this option, signed add-ins that are not trusted are disabled, but users are prompted to enable or disable the add-ins. Unsigned add-ins are also disabled, but users are not notified and they are not prompted to enable or disable the unsigned add-ins. This setting must be used in conjunction with the Require that application add-ins are signed by trusted publisher setting. This setting can be configured in the OCT and with the 2007 Office system Administrative Templates (.adm files). You must configure this setting on a per-application basis.

Setting name: Application add-ins warnings options
Recommended configuration: Require that extensions are signed, and silently disable unsigned extensions
Description: By default, the Application add-ins warnings options setting is Enable all installed application add-ins. When you select Require that extensions are signed, and silently disable unsigned extensions, signed add-ins that are not trusted are disabled, but users are prompted to enable or disable the add-ins. Unsigned add-ins are also disabled, but users are not notified and they are not prompted to enable or disable the unsigned add-ins. This setting exists only in the OCT. You must configure this setting on a per-application basis.

If you disable notifications for unsigned add-ins, be sure that you:
• Notify users that unsigned add-ins are silently disabled.
• Record the settings in your security planning documents and in your security operations
documents.
For more information about add-in settings in the 2007 Office system, including descriptions of
settings and a comparison of OCT, Group Policy, and Trust Center settings, see Security
policies and settings in the 2007 Office system. For more information about configuring add-in
settings, see Configure security settings for ActiveX controls, add-ins, and macros in the
2007 Office system.

Plan security settings for macros


The 2007 Office system provides several security settings that enable you to control the way
macros and VBA behave. You can use these settings to:
• Change the default security settings for macros. This includes disabling macros, enabling
all macros, and changing the way that users are notified about macros.
• Change the way that VBA behaves. This includes disabling VBA and allowing Automation
clients to have programmatic access to VBA projects.

• Change the way that macros behave in applications that are started programmatically
through Automation.
• Prevent encrypted macros from being scanned for viruses.
To plan security settings for macros, use the best practices and recommended guidelines in the
following sections.

Change the default security settings for macros


The 2007 Office system provides several settings that enable you to change the default behavior
of macros. By default, trusted macros are allowed to run without notification. This includes
macros in documents that are saved in a trusted location, and macros that meet the following
criteria:
• The macro is signed by the developer with a digital signature.
• The digital signature is valid.
• This digital signature is current (not expired).
• The certificate associated with the digital signature was issued by a reputable certification
authority (CA).
• The developer who signed the macro is a trusted publisher.
Macros that are not trusted are not allowed to run until a user clicks the Message Bar and
chooses to enable the macro. (Some applications do not have a Message Bar; in these cases,
notifications appear in dialog boxes.)

Note:
The default security setting for macros is different in Microsoft Office Outlook 2007. For
more information, see the Office Outlook 2007 security documentation.
If the default security settings for macros do not meet the needs of your organization, you can do
either of the following:
• Disable untrusted macros without notification.
• Disable notifications for unsigned macros, but allow notifications for signed macros.

Disable untrusted macros without notification
When you disable untrusted macros without notification, untrusted macros are not loaded and
users are not notified that untrusted macros are disabled. Trusted macros are allowed to run
without notification. This setting is useful if your organization has a restricted security model and
you do not want users to run untrusted macros.
To disable untrusted macros without notification, configure either of the settings that are
described in the following table. These settings must be configured on a per-application basis,
and can be configured for only the following applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007

Setting name: VBA macro warning settings
Recommended configuration: Select this option: Enabled. Select this configuration: No warnings for all macros but disable all macros
Description: By default, users are notified about the presence of untrusted macros in a file, and users can enable or disable the untrusted macros. When you select Disable all VBA macros and No warnings for all macros but disable all macros, untrusted macros are disabled, users are not notified that untrusted macros are disabled, and users cannot enable untrusted macros. Trusted macros are allowed to run without notification. This setting can be configured only with the 2007 Office system Administrative Templates (.adm files).

Disable notifications for unsigned macros
When you disable notifications for unsigned macros, unsigned macros are silently disabled, but
users are notified about signed macros and they can enable or disable signed macros. Trusted
macros are allowed to run without notification. This setting is useful if your environment requires
protection from unsigned macros.
To disable notifications for unsigned macros, configure either of the settings that are described in
the following table. These settings must be configured on a per-application basis, and can be
configured for only the following applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007

Setting name: VBA macro warning settings
Recommended configuration: Select this option: Enabled. Select this configuration: Trust Bar warning for digitally signed macros only (unsigned macros will be disabled)
Description: By default, users are notified about untrusted macros in a file and users can enable or disable the untrusted macros. When you select Trust Bar warning for digitally signed macros only (unsigned macros will be disabled), the following occurs:
• Unsigned macros are silently disabled.
• Users are notified about the presence of signed macros.
• Users can enable or disable signed macros.
• Trusted macros are allowed to run without notification.
This setting can be configured only with the 2007 Office system Administrative Templates (.adm files).
When you select Disable Trust Bar warning for unsigned VBA macros (unsigned code will be disabled), the following occurs:
• Unsigned macros are silently disabled.
• Users are notified about the presence of signed macros.
• Users can enable or disable signed macros.
• Trusted macros are allowed to run without notification.
This setting can be configured only in the OCT.

Control the way VBA behaves
The 2007 Office system provides two settings that enable you to control the way VBA behaves.
By default, VBA is enabled, if it is installed, and Automation clients do not have programmatic
access to VBA projects. You can change this behavior in the following ways:
• You can provide Automation clients programmatic access to VBA projects.
• You can disable VBA.
In addition to these security settings in the 2007 Office system, Office Visio 2007 provides several
settings that enable you to control the way VBA behaves in Office Visio 2007. For more
information, see Security policies and settings in the 2007 Office system.

Provide Automation clients programmatic access to VBA projects


When you provide Automation clients programmatic access to VBA projects, Automation clients
have the ability to use the VBA object model.
To provide Automation clients programmatic access to VBA projects, configure the setting that is
described in the following table. This setting must be configured on a per-application basis, and
can be configured for the following applications:
• Office Excel 2007
• Office PowerPoint 2007
• Office Word 2007

Setting name: Trust access to Visual Basic project
Recommended configuration: Disabled
Description: By default, Automation clients do not have programmatic access to VBA projects.
When you enable this setting, Automation clients can programmatically access the VBA object
model. This setting can be configured in the OCT and with the 2007 Office system Administrative
Templates (.adm files).

Important:
If you provide Automation clients programmatic access to VBA projects, you can increase
your risk of attack from unauthorized programs that build self-replicating code.

Disable VBA
When you disable VBA, macros and other programmatic content will not run. This is useful if you
have a restricted security model and you do not want users to run macros, or if your organization
is under a security attack and you want to temporarily prevent macros from running.
To disable VBA, configure the setting that is described in the following table. This is a global
setting that applies to the following applications:
• Office Excel 2007
• Office Outlook 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Microsoft Office SharePoint Designer 2007
• Office Word 2007

Setting name: Disable VBA for Office applications
Recommended configuration: Not configured
Description: By default, VBA is enabled if it is installed. When you enable this setting, VBA will
not function and users will not be able to run macros and other programmatic content. This
setting can be configured in the OCT and with the 2007 Office system Administrative Templates
(.adm files).

Disabling VBA prevents macros and other content from running. For more information about the
consequences of disabling VBA, see the following article in the Microsoft Knowledge Base:
Considerations for disabling VBA in Office (http://go.microsoft.com/fwlink/?
LinkId=85867&clcid=0x409).
If you disable VBA, be sure that you:
• Notify users that VBA is disabled.
• Record the settings in your security planning documents and in your security operations
documents.
In addition to these security settings in the 2007 Office system, Office Visio 2007 provides several
settings that enable you to change the way VBA behaves in Office Visio 2007. For more
information, see Security policies and settings in the 2007 Office system.

Change the way macros behave in applications that are started programmatically through
Automation
The 2007 Office system provides a single setting that enables you to control the way macros
behave when they are run in an application that is started programmatically through Automation.
Automation is a programming tool that allows developers to access the functionality of one
application from another application. For example, a developer could create a project
management application that uses the e-mail features and scheduling features of Office Outlook
2007. By default, when an application uses Automation to start an application in the 2007 Office
system, macros are enabled and allowed to run without any security checks. You can change this
behavior in two ways:
• You can disable macros in the application that is started programmatically. When you do
this, users are not notified that macros are disabled and users are not prompted to enable or
disable macros. This setting is useful if your organization has a restricted security model and
you do not allow users to run macros.
• You can run macros according to the security settings that are configured in the
application that is started programmatically. When you do this, macro behavior is dictated by
the security settings that are configured in the application that is started programmatically. For
example, if you require that all macros be digitally signed in Office Excel 2007, and an
application uses Automation to start Office Excel 2007, macros will not run unless they are
digitally signed. This setting is useful if you want your organization's security settings for
macros to extend to applications that are started through Automation.
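The following script is an added example and is not code from the Office Resource Kit. It shows the behavior described above from the Automation client's side: a script that starts Office Excel 2007 through Automation and opens a workbook. The Application.AutomationSecurity property and the three MsoAutomationSecurity values it takes are part of the Office object model; the file path and the decision to open the workbook read-only are the example's own. The Automation security setting that this section describes determines the value this property starts with (that correspondence is an assumption drawn from the matching option names); a client that processes files it does not trust should not rely on the policy and should set the property itself before opening anything, which is what the script does.

```powershell
# Added example (not from the Office Resource Kit): open a workbook through
# Automation without letting any macro in it run. Uses Excel's documented
# Application.AutomationSecurity property and the MsoAutomationSecurity values.
$msoAutomationSecurityLow          = 1   # default: macros run, no security checks
$msoAutomationSecurityByUI         = 2   # apply Excel's own macro security settings
$msoAutomationSecurityForceDisable = 3   # disable every macro, no prompt to the user

function Open-WorkbookForInspection {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [int] $Mode = $msoAutomationSecurityForceDisable
    )
    $excel = New-Object -ComObject Excel.Application
    try {
        $excel.Visible       = $false
        $excel.DisplayAlerts = $false
        # Must be set BEFORE Workbooks.Open: the property only affects files opened
        # afterwards, and Auto_Open / Workbook_Open procedures run during Open.
        $excel.AutomationSecurity = $Mode

        # Second argument 0 = do not update links; third argument $true = read-only.
        $wb = $excel.Workbooks.Open($Path, 0, $true)
        try {
            [pscustomobject]@{
                File               = $Path
                AutomationSecurity = $excel.AutomationSecurity
                HasVBProject       = $wb.HasVBProject      # $true if the file carries VBA code
                Worksheets         = $wb.Worksheets.Count
            }
        }
        finally {
            $wb.Close($false)   # never save changes to the inspected file
        }
    }
    finally {
        $excel.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
    }
}

# Constructed usage; the path is an example, not a file from the Resource Kit.
# Open-WorkbookForInspection -Path 'C:\Quarantine\invoice-2008-12.xlsm'
# With -Mode $msoAutomationSecurityByUI the workbook is instead subject to the
# Trust Center settings, for example "disable all macros except digitally signed".
```

The default value, msoAutomationSecurityLow, is the reason this section says that macros run with no security check in an application started through Automation: any Auto_Open or Workbook_Open procedure in the file executes inside Workbooks.Open unless the client has changed the property first.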
To change the default behavior of macros in applications that are started programmatically
through Automation, use either of the settings that are recommended in the following table. You
can configure these settings in the OCT and with the 2007 Office system Administrative
Templates (.adm files). These settings are global and apply to the following applications:
• Office Excel 2007
• Office PowerPoint 2007
• Office Word 2007

Setting name: Automation security
Recommended configuration: Enabled, with the configuration Use application macro security level
Description: By default, the Automation security setting is Macros enabled. When you select Use
application macro security level, macros run according to the security settings of the application
that is started programmatically through Automation. When you select Disable macros by default,
macros are disabled in 2007 Office system applications that are started through Automation. Users
are not notified that macros are disabled and are not prompted to enable macros.

If you change Automation security settings, be sure that you:
• Thoroughly test all of your applications to be sure that your change does not cause
unpredictable behavior or limit functionality in an application. Some applications use
Automation to silently start applications in the 2007 Office system.
• Record the configuration settings in your security planning documents and in your
security operations documents.
In addition to these security settings in the 2007 Office system, Office Publisher 2007 provides a
setting that enables you to configure Automation security for macros in Office Publisher 2007. For
more information, see Security policies and settings in the 2007 Office system.
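The script below is an added example, not code from the Resource Kit. It reads back, for the current user, the settings that this section and the preceding sections describe, so that a deployment can be verified or a workstation checked for tampering (an AccessVBOM value of 1 that nobody configured is a long-standing sign of macro malware preparing to write code into other documents). The VBAWarnings and AccessVBOM values under HKCU\Software\Microsoft\Office\12.0\<Application>\Security are the ones the Trust Center writes (VBAWarnings 1 = enable all macros, 2 = disable with notification, 3 = disable all except digitally signed, which is what Trust Bar warning for digitally signed macros only selects, 4 = disable without notification; AccessVBOM 1 = trust access to the VBA project); the same names under HKCU\Software\Policies\Microsoft\Office\12.0\<Application>\Security are what the .adm templates write, and they take precedence. The AutomationSecurity and VBAOff value names under the Common policy key are the example's assumptions about where the Automation security and Disable VBA for Office applications settings are stored; confirm them against the .adm files before acting on those two rows of output.

```powershell
# Added example (not from the Office Resource Kit): report the effective VBA-related
# security state for the current user. Policy values written by the .adm templates
# take precedence over the per-user values written by the Trust Center.
$officeVersion = '12.0'                       # 2007 Office system
$apps          = 'Word', 'Excel', 'PowerPoint'
$macroSetting  = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-RegValue {
    param([string] $Path, [string] $Name)
    if (Test-Path -Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

# Policy key first, then the user's own key; reports which one supplied the value.
function Get-EffectiveValue {
    param([string] $PolicyPath, [string] $UserPath, [string] $Name)
    $v = Get-RegValue $PolicyPath $Name
    if ($null -ne $v) { return @{ Value = $v; Source = 'policy' } }
    $v = Get-RegValue $UserPath $Name
    if ($null -ne $v) { return @{ Value = $v; Source = 'user' } }
    return @{ Value = $null; Source = 'default' }
}

function Get-OfficeVbaSecurityState {
    foreach ($app in $apps) {
        $policy = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $user   = "HKCU:\Software\Microsoft\Office\$officeVersion\$app\Security"

        $warn        = Get-EffectiveValue $policy $user 'VBAWarnings'
        $level       = if ($null -eq $warn.Value) { 2 } else { [int] $warn.Value }
        $warnConcern = if ($level -eq 1) { 'macros run with no check at all' } else { '' }
        [pscustomobject]@{ Setting = "$app macro security"; Value = $macroSetting[$level]
                           Source = $warn.Source; Concern = $warnConcern }

        $vbom        = Get-EffectiveValue $policy $user 'AccessVBOM'
        $vbomOn      = ($vbom.Value -eq 1)
        $vbomConcern = if ($vbomOn) { 'Automation clients can write VBA into documents' } else { '' }
        [pscustomobject]@{ Setting = "$app trust access to VBA project"; Value = $vbomOn
                           Source = $vbom.Source; Concern = $vbomConcern }
    }

    # ASSUMED value names for the two global settings; confirm against the .adm files.
    $common   = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Common"
    $auto     = Get-RegValue "$common\Security" 'AutomationSecurity'
    $autoText = switch ([int] $auto) {
        2       { 'Use application macro security level' }
        3       { 'Disable macros by default' }
        default { 'Macros enabled (default)' }
    }
    $autoSource  = if ($null -eq $auto) { 'default' } else { 'policy' }
    $autoConcern = if ([int] $auto -lt 2) { 'applications started through Automation run macros unchecked' } else { '' }
    [pscustomobject]@{ Setting = 'Automation security'; Value = $autoText
                       Source = $autoSource; Concern = $autoConcern }

    $vbaOff       = Get-RegValue $common 'VBAOff'
    $vbaOffSource = if ($null -eq $vbaOff) { 'default' } else { 'policy' }
    [pscustomobject]@{ Setting = 'Disable VBA for Office applications'; Value = ($vbaOff -eq 1)
                       Source = $vbaOffSource; Concern = '' }
}

# Get-OfficeVbaSecurityState | Format-Table -AutoSize
# Get-OfficeVbaSecurityState | Where-Object { $_.Concern }   # only rows that need attention
```

Run it under the user account that the policy targets; the Policies branch is per user, so an administrator's own session will not show what a standard user gets.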

Prevent encrypted macros from being scanned for viruses


The 2007 Office system provides several settings that enable you to prevent encrypted macros
from being scanned for viruses. This is useful if your virus-scanning program does not support the
Microsoft Antivirus application programming interface (API).
By default, macros are encrypted when you encrypt and save a file in the Office Open XML
Formats file format. If your virus-scanning program does not support the Microsoft Antivirus API,
it cannot scan encrypted macros, and encrypted macros are therefore disabled. To prevent your
antivirus program from scanning encrypted macros, enable the settings that are described in the
following table. The recommended configuration shown in the table is the secure default, which
keeps scanning on; enable a setting only for the applications in which you need scanning turned
off, and only after you have confirmed that your macro security settings alone give you the
protection you need.

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft Excel
Open XML workbooks
Recommended configuration: Disabled
Description: By default, encrypted macros are scanned by your virus-scanning program when you
open an encrypted workbook that contains macros. When you enable this setting, encrypted
macros are not scanned by your virus-scanning program, which means that encrypted macros will
run according to the macro security settings that you have configured. This setting applies only to
Office Excel 2007. You can configure this setting in the OCT and with the 2007 Office system
Administrative Templates (.adm files).

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft
PowerPoint Open XML presentations
Recommended configuration: Disabled
Description: By default, encrypted macros are scanned by your virus-scanning program when you
open an encrypted presentation that contains macros. When you enable this setting, encrypted
macros are not scanned, and they run according to the macro security settings that you have
configured. This setting applies only to Office PowerPoint 2007. You can configure this setting in
the OCT and with the 2007 Office system Administrative Templates (.adm files).

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft Word
Open XML documents
Recommended configuration: Disabled
Description: By default, encrypted macros are scanned by your virus-scanning program when you
open an encrypted document that contains macros. When you enable this setting, encrypted
macros are not scanned, and they run according to the macro security settings that you have
configured. This setting applies only to Office Word 2007. You can configure this setting in the
OCT and with the 2007 Office system Administrative Templates (.adm files).

If you change the default settings for scanning encrypted macros, be sure that you:
• Understand that encrypted macros in those applications will then load without any antivirus
inspection, so your macro security settings (for example, requiring a digital signature) become
the only control over them.
• Record the settings in your security planning documents and in your security operations
documents.

See Also
Evaluate default security settings and privacy options for the 2007 Office system
Configure security settings for ActiveX controls, add-ins, and macros in the 2007 Office
system
GPOAccelerator (http://go.microsoft.com/fwlink/?LinkId=103576)

Plan document protection settings in the
2007 Office system
The 2007 Microsoft Office system contains several settings that enable you to control the way
documents are encrypted. By using these settings, you can:
• Specify the cryptographic service provider (CSP), cryptographic algorithm, and key length
that are used to encrypt documents in Microsoft Office Excel 2007, Microsoft Office
PowerPoint 2007, and Microsoft Office Word 2007.
• Change the way sections of text are encrypted with the password protection feature in
Microsoft Office OneNote 2007.
For detailed explanations of each encryption setting, see "Document protection settings" in
Security policies and settings in the 2007 Office system.
As you plan your encryption settings, keep the following guidelines in mind:
• There is no administrative setting that enables you to force users to encrypt documents.
• There are separate encryption settings for files that are saved in the Office 97-2003
format and in the new Office Open XML Formats.
• Disabling notifications in the Message Bar has no effect on encryption settings.
• We recommend that you do not change the default CSP, cryptographic algorithm, or key
length unless you are an expert in cryptography and encryption and your organization's
security model requires encryption settings that are different from the default settings.
• You can encrypt documents in only the following applications: Office Excel 2007, Office
OneNote 2007, Office PowerPoint 2007, and Office Word 2007.
• Saving documents in trusted locations has no effect on encryption settings. If a document
is encrypted, and it is saved in a trusted location, a user must provide a password to open the
document.
Although you can configure encryption settings to address a wide variety of scenarios, these
settings are most commonly used to:
• Change encryption settings for Office Excel 2007, Office PowerPoint 2007, and Office
Word 2007.
• Change the encryption settings for Office OneNote 2007.

Change encryption settings for Excel 2007,
PowerPoint 2007, and Word 2007
To change the CSP, cryptographic algorithm, and key length that are used to encrypt documents
in Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, configure the settings that
are listed in the following table.

Setting name: Encryption type for password-protected Office Open XML files
Enables you to: Specify a CSP, cryptographic algorithm, and key length for encrypted files that are
saved in Office Open XML Formats.

Setting name: Encryption type for password-protected Office 97-2003 files
Enables you to: Specify a CSP, cryptographic algorithm, and key length for encrypted files that are
saved in the Office 97-2003 format.

If you change the default settings for the CSP, cryptographic algorithm, and key length, be sure
that:
• Users have the proper support for the settings that you specify installed on their
computers.
• You record the settings in your security planning documents and in your security
operations documents.
In addition, if your organization uses the Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint File Formats to encrypt Office Open XML Formats files, you should review the
following:
• By default the Compatibility Pack uses the following settings to encrypt Office Open XML
Formats files:
• Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128
(on the Microsoft Windows XP Professional operating system).
• Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128 (on
Microsoft Windows Server 2003 and Windows Vista operating systems).
• Users are not notified that the Compatibility Pack uses these encryption settings.
• The graphical user interface on earlier versions of the Office system might show incorrect
encryption settings for Office Open XML Formats files if the Compatibility Pack is installed.
• Users cannot use the graphical user interface in earlier versions of the Office system to
change the encryption settings for Office Open XML Formats files.
• If you use the Encryption type for password-protected Office Open XML files policy
setting to change encryption settings, and the policy setting is applied to a computer on which
the Compatibility Pack is installed, the Compatibility Pack will encrypt Office Open XML
Formats files with the encryption settings that you specified in the Encryption type for
password-protected Office Open XML files policy setting.
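If you do change the encryption type, the first item in the checklist above (that users have support for the settings installed) can be verified on a client. The function below is an added example, not code from the Resource Kit. It takes a policy value in the three-field form shown for the Compatibility Pack defaults (CSP name, algorithm with key length, key length), checks that the CSP is registered on the computer (CryptoAPI providers appear as subkeys of HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider; the 32-bit registry view is checked as well because the 2007 Office system is a 32-bit application), and reports whether the two key-length fields agree. The sample values at the end are constructed for the example.

```powershell
# Added example (not from the Office Resource Kit): validate an "Encryption type for
# password-protected ... files" policy value and confirm that the CSP it names is
# registered on this computer. Value format, as in the Compatibility Pack defaults:
#   "<CSP name>,<algorithm> <key length>,<key length>"
function Test-OfficeEncryptionType {
    param([Parameter(Mandatory = $true)] [string] $PolicyValue)

    $parts = $PolicyValue.Split(',')
    if ($parts.Count -ne 3) {
        throw "Expected 'CSP,Algorithm KeyLength,KeyLength' but got: $PolicyValue"
    }
    $cspName   = $parts[0].Trim()
    $algorithm = $parts[1].Trim()
    $keyLength = 0
    if (-not [int]::TryParse($parts[2].Trim(), [ref] $keyLength)) {
        throw "Key length is not a number: $($parts[2])"
    }

    # CryptoAPI providers register one subkey per CSP. 32-bit Office on 64-bit
    # Windows resolves providers through the WOW6432Node view, so check both.
    $providerKeys = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider'
    $installed = foreach ($key in $providerKeys) {
        if (Test-Path $key) { Get-ChildItem $key | ForEach-Object { $_.PSChildName } }
    }

    [pscustomobject]@{
        Csp              = $cspName
        Algorithm        = $algorithm
        KeyLength        = $keyLength
        CspInstalled     = ($installed -contains $cspName)
        # The algorithm field carries the length too ("AES 128"); a value such as
        # "AES 256,128" is a misconfiguration and is flagged here.
        LengthConsistent = ($algorithm -match ('\b' + $keyLength + '$'))
    }
}

# Constructed inputs: the first is the Compatibility Pack default quoted above;
# the second has mismatched lengths; the third names a CSP only Windows XP has.
'Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128',
'Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,128',
'Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128' |
    ForEach-Object { Test-OfficeEncryptionType -PolicyValue $_ } | Format-Table -AutoSize
```

Run the check on a representative client of each Windows version in the deployment: as the Compatibility Pack defaults above show, the same provider is registered under a different name on Windows XP Professional than on Windows Server 2003 and Windows Vista, and a policy value naming a CSP that is absent on the client leaves that client unable to open the encrypted files.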

Change encryption settings for OneNote 2007


The 2007 Office system provides several settings that enable you to change the way that the
password protection feature works in Office OneNote 2007. Although you can configure these
settings for numerous different scenarios, these settings are most commonly used to:
• Prevent users from using the password protection feature to encrypt sections of text.
• Strengthen password protection feature settings.

Prevent users from encrypting sections of text


To prevent users from encrypting newly created notes in Office OneNote 2007, use the settings
that are listed in the following table.

Setting name: Disable password-protected sections
Recommended configuration: Disabled
Description: By default, encrypted sections are enabled. When you enable this setting, users
cannot:
• Encrypt new and existing sections of text.
• Disable encryption on a section of text that is encrypted.
• Change the password that is used to unlock a section of text.
When this setting is enabled, users can still enter a password to access sections of text that are
already encrypted.

If you enable this setting, be sure that you:


• Notify users that they cannot use the password protection feature to encrypt sections of
text.
• Record the settings in your security planning documents and in your security operations
documents.

Strengthen password protection feature settings
To strengthen the password protection feature settings for Office OneNote 2007, use the settings
that are listed in the following table.

Setting name: Disallows add-ons access to password protected section
Recommended configuration: Enabled
Description: By default, add-ins can access encrypted sections of text that are unlocked. Enabling
this setting prevents add-ins from accessing encrypted sections of text even when the text is
unlocked by a user.

Setting name: Lock password protected sections as soon as I navigate away from them
Recommended configuration: Enabled
Description: By default, encrypted sections of text remain unlocked for a period of time after a
user enters a password to unlock the text. Enabling this setting ensures that encrypted sections
of text become locked as soon as a user navigates away from the text.

If you change these settings from their default state, be sure that you:
• Notify users about the more restrictive settings.
• Record the settings in your security planning documents and in your security operations
documents.

See Also
Evaluate default security settings and privacy options for the 2007 Office system
Configure document protection settings in the 2007 Office system

Plan external content settings in the 2007
Office system
The 2007 Microsoft Office system contains several settings that enable you to control the way
external threats are mitigated. By default, links to external content are disabled. This includes
links to data sources, hyperlinks to Web sites and documents, and links to images and media.
When a user opens a document that contains links to external content, the Message Bar notifies
the user that the links are disabled. Users can enable the links by clicking the Message Bar. You
can modify this default behavior by configuring security settings for external content. These
settings enable you to:
• Suppress hyperlink warnings.
• Allow the automatic downloading of linked images in Microsoft Office PowerPoint 2007.
For detailed explanations of each external content setting, see "External content settings" in
Security policies and settings in the 2007 Office system.
To plan security settings for external content, use the best practices and recommended guidelines
in the following sections.

Suppress hyperlink warnings


You can suppress warnings for some unsafe hyperlinks, including hyperlinks that use unsafe
protocols and hyperlinks from a remote file to the local computer. Unsafe protocols are protocols
that can run scripts or content that is potentially unsafe, including msn, nntp, mms, outlook, and
stssync. To suppress hyperlink warnings for these types of hyperlinks, configure the setting that is
described in the following table. This is a global setting that applies to the following applications:
• Microsoft Office Access 2007
• Microsoft Office Excel 2007
• Microsoft Office InfoPath 2007
• Microsoft Office OneNote 2007
• Microsoft Office Outlook 2007
• Microsoft Office Project 2007
• Microsoft Office PowerPoint 2007
• Microsoft Office Publisher 2007
• Microsoft Office Visio 2007
• Microsoft Office Word 2007

Setting name: Disable hyperlink warnings
Configuration: Disabled
Description: By default, users are notified about unsafe hyperlinks, and unsafe hyperlinks are
disabled until a user enables them. Enabling this setting suppresses warnings for the following:
• Hyperlinks that use unsafe protocols.
• Hyperlinks from a remote file to the local computer.
You can configure this setting in the OCT and with the 2007 Office system Administrative
Templates (.adm files).

Allow linked images to download automatically in Office PowerPoint 2007
By default, Office PowerPoint 2007 does not display images that are saved on an external Web
site (that is, a Web site that is beyond your perimeter firewall). Instead, a placeholder image
displays and a warning appears in the Message Bar that notifies users about the potentially
harmful external content. Users can allow the image to download by clicking the Message Bar.

Note:
Links to images on internal Web sites are not blocked. An internal Web site is any Web
site that is behind your perimeter firewall.
You can change this default behavior so that linked images download automatically. When you do
this, users are not warned or notified about the potentially harmful nature of the external image,
and they are exposed to malicious image content and to Web beacons. A Web beacon is an image
hosted on an external server: retrieving it lets that server log the request, and with it the
computer's IP address and the time the presentation was opened, without the user knowing.

To allow linked images to download automatically in Office PowerPoint 2007, configure the setting
that is described in the following table.

Setting name: Unblock automatic download of linked images
Configuration: Disabled
Description: By default, images that are saved on an external computer do not display in slides.
Enabling this setting allows linked images on external Web sites to download and appear in
slides. You can configure this setting in the OCT and with the 2007 Office system Administrative
Templates (.adm files).
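Before suppressing hyperlink warnings for a set of documents, or unblocking linked images for a set of presentations, it helps to know what the files actually link to. The script below is an added example, not code from the Resource Kit. It relies on the structure of the Office Open XML Formats: a .docx, .pptx or .xlsx file is a ZIP package, and each part's relationships file (*.rels) records hyperlinks and linked, non-embedded images as Relationship elements with TargetMode="External". The script lists those targets and flags the two cases the hyperlink section warns about (unsafe protocols and links back to the local computer) plus externally linked images, the Web beacon case from the PowerPoint section. The file share path in the usage line is an example.

```powershell
# Added example (not from the Office Resource Kit): list the external links inside
# Office Open XML files. A .docx/.pptx/.xlsx is a ZIP package; every part's
# relationships (*.rels) record hyperlinks and linked, non-embedded images as
# Relationship elements with TargetMode="External".
Add-Type -AssemblyName System.IO.Compression.FileSystem   # ZipFile, .NET 4.5 or later

# Protocols the Resource Kit calls unsafe; local and UNC targets are flagged separately.
$unsafeSchemes = 'msn', 'nntp', 'mms', 'outlook', 'stssync'

function Get-OoxmlExternalLinks {
    param([Parameter(Mandatory = $true)] [string] $Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in ($zip.Entries | Where-Object { $_.FullName -like '*.rels' })) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml] $rels = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($rel in $rels.Relationships.Relationship) {
                if ($rel.TargetMode -ne 'External') { continue }   # embedded parts are skipped
                $kind   = $rel.Type.Split('/')[-1]                 # hyperlink, image, oleObject, ...
                $target = [string] $rel.Target
                $uri    = $null
                $scheme = if ([System.Uri]::TryCreate($target, 'Absolute', [ref] $uri)) { $uri.Scheme } else { '' }
                $concern = if ($unsafeSchemes -contains $scheme) { 'unsafe protocol' }
                           elseif ($scheme -eq 'file' -or $target -match '^(\\\\|[A-Za-z]:\\)') { 'target on local computer or file share' }
                           elseif ($kind -eq 'image') { 'externally linked image (possible Web beacon)' }
                           else { '' }
                [pscustomobject]@{ Part = $entry.FullName; Kind = $kind; Target = $target; Concern = $concern }
            }
        }
    }
    finally { $zip.Dispose() }
}

# Constructed usage: run over a share before relaxing the warnings for it. The path is an example.
# Get-ChildItem '\\fileserver\marketing\*.pptx' |
#     ForEach-Object { Get-OoxmlExternalLinks -Path $_.FullName } |
#     Where-Object { $_.Concern } | Format-Table -AutoSize
```

Files in the Office 97-2003 binary formats are not ZIP packages and are not covered by this script; for those, the Message Bar warning remains the only visibility you have into the links a user is about to enable.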

See Also
Configure external content settings in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system
Security policies and settings in the 2007 Office system

Plan Internet Explorer feature control
settings in the 2007 Office system
Internet Explorer feature control settings enable you to mitigate threats that can occur when an
application programmatically uses Internet Explorer functionality. It is important to mitigate
Internet Explorer threats because any threats that exist for Internet Explorer also exist for any
application that is hosting Internet Explorer.
You can configure 15 Internet Explorer feature control settings in the 2007 Office system. For
more information about the Internet Explorer feature control settings, see Security policies and
settings in the 2007 Office system. Each setting restricts a specific type of Internet Explorer
behavior or functionality. To enable the restrictive behavior or functionality for a particular setting,
you opt in applications. When an application is opted in to a particular Internet Explorer feature
control setting, the more restrictive behaviors specified by the setting are enforced whenever the
application hosts Internet Explorer. Conversely, when an application is opted out of a particular
setting, the more restrictive behaviors specified by the setting are not enforced whenever the
application hosts Internet Explorer.
To design Internet Explorer feature control settings, you must:
• Identify applications that host Internet Explorer.
• Determine which Internet Explorer feature control settings to implement.
• Identify potential conflicts with previous versions of the Office system.

Identify applications that host Internet Explorer


An application hosts Internet Explorer when any type of active content — such as ActiveX
controls, add-ins, or Visual Basic for Applications (VBA) macros — programmatically uses
Internet Explorer functionality. A common example occurs when a user opens a Microsoft Office
Word 2007 document that contains an ActiveX control, and the ActiveX control programmatically
invokes Internet Explorer to render HTML. In this case, Office Word 2007 is hosting Internet
Explorer.
By default, Office Groove 2007, Office Outlook 2007, and Office SharePoint Designer 2007 are
opted in to all 15 Internet Explorer feature control settings. Microsoft Office InfoPath 2007 is also
opted in to these Internet Explorer feature control settings, as well as three Office InfoPath 2007
components: Document Information Panel, Workflow forms, and third-party hosting. These
applications are opted in because they host Internet Explorer or there is a high likelihood that they
will host Internet Explorer.

Use the following guidelines to help identify other applications that host Internet Explorer or could
potentially host Internet Explorer.
• Applications that enable users to run untrusted ActiveX controls, add-ins, or macros can
potentially host Internet Explorer.
• Applications that enable users to run ActiveX controls, add-ins, or macros that render
HTML or provide browser functionality typically host Internet Explorer.
• Applications that you have configured to render HTML or provide browser functionality
typically host Internet Explorer.
• Applications that provide users access to VBA projects or allow users to create VBA
macros can potentially host Internet Explorer.
• Applications that allow users to access external documents and data can potentially host
Internet Explorer.
We recommend that you opt in any applications that host Internet Explorer or any applications
that can potentially host Internet Explorer. Be sure to record the application name and the
corresponding executable file name in your security planning documents. You will need to know
the executable file name to configure Internet Explorer feature control settings by using the Office
Customization Tool (OCT) or Group Policy.

The following table lists the executable file names for the applications that you can opt in to the
Internet Explorer feature control settings for the 2007 Office system.

Application: Executable file name
Microsoft Office Access 2007: Msaccess.exe
Microsoft Office Excel 2007: Excel.exe
Microsoft Office Groove 2007 (opted in by default): Groove.exe
Microsoft Office OneNote 2007: Onent.exe
Microsoft Office Outlook 2007 (opted in by default): Outlook.exe
Microsoft Office PowerPoint 2007: Powerpnt.exe
Microsoft Office Project 2007: Winproj.exe
Microsoft Office Publisher 2007: Mspub.exe
Microsoft Expression Web: Exprwd.exe
Microsoft Office Visio 2007: Visio.exe
Office SharePoint Designer 2007 (opted in by default): Spdesign.exe
Office Word 2007: Winword.exe
Microsoft Office PowerPoint Viewer: Pptview.exe
Microsoft Script Editor: Mse7.exe

Determine which Internet Explorer feature control settings to implement
Applications can be opted in to any or all of the 15 Internet Explorer feature control settings,
which restrict a wide range of Internet Explorer functionality. In most cases, if an application hosts
Internet Explorer or can potentially host Internet Explorer, the application should be opted in to all
15 Internet Explorer feature control settings. Opting in an application to all 15 settings helps
ensure that the most restrictive Internet Explorer security model is implemented whenever the
application hosts Internet Explorer.

Although we recommend that you opt in applications to all 15 Internet Explorer feature control
settings, there are cases where you might need to opt out of specific settings. You might have to
opt out of a setting if:
• The restrictions of a particular setting prevent an application from behaving as expected.
For example, if you know that an application uses Internet Explorer to download files without
user intervention, you might have to opt out of the Restrict File Download setting.
• The restrictions of a particular setting are not necessary because the specific threat that
the setting mitigates poses little or no risk in your organization. For example, if users cannot
access public networks such as the Internet, you might not need to opt in to the Block pop-
ups setting.
• The restrictions of a particular setting cause a decrease in performance. For example, the
Saved from URL setting can cause a decrease in performance. If the loss in performance is
great, you might have to opt out of that setting.
Be sure to record in your security planning documents the applications that you want to opt in to
all 15 Internet Explorer feature control settings. Also be sure to record any Internet Explorer
feature control settings that you need to opt out of.

Note:
Office InfoPath 2007 is a special case and cannot be opted in to or opted out of individual
Internet Explorer feature control settings. You can only configure which Office InfoPath
2007 components are opted in to or opted out of the entire group of Internet Explorer
feature control settings. Be sure to record in your security planning documents any Office
InfoPath 2007 components that you want to opt out. We recommend that you leave the
default settings as they are and opt in all Office InfoPath 2007 components. For more
information about the Office InfoPath 2007 settings, see Security policies and settings
in the 2007 Office system.

Identify conflicts with previous versions of Office


Although we recommend that you opt in any application that hosts Internet Explorer or can
potentially host Internet Explorer, there are some instances where opting in an application can
cause unexpected behavior in previous versions of the Office system. This unexpected behavior
occurs because of the way Internet Explorer feature control settings are stored in the registry, and
can occur only in side-by-side installations of the 2007 Office system and earlier Office releases.
When an application is opted in or opted out of an Internet Explorer feature control setting, the
application's executable file name is stored in the registry and given a value of 1 (opted in) or 0
(opted out). For example, if you opt in Office Word 2007 to the Restrict ActiveX Install Internet
Explorer feature control setting, a registry key entry named Winword.exe is added under the
FEATURE_RESTRICT_ACTIVEXINSTALL registry key, and the Winword.exe entry is set to a
value of 1.
Whenever Internet Explorer is invoked programmatically, it determines whether the Internet
Explorer application is hosted in any processes, dynamic-link libraries (DLLs), or executable files.
Internet Explorer also checks the registry to see which processes, DLLs, or executable files are
opted in to or opted out of each Internet Explorer feature control setting. If Internet Explorer is
hosted by a process, DLL, or executable file, and the registry settings indicate that the process,
DLL, or executable file is opted in to an Internet Explorer feature control setting, Internet Explorer
enables the more restrictive behavior of the Internet Explorer feature control setting. For example,
if Internet Explorer is hosted by Winword.exe, and the Winword.exe entry under the
FEATURE_RESTRICT_ACTIVEXINSTALL registry key has a value of 1, Internet Explorer adopts
the more restrictive behavior that is specified by the Restrict ActiveX Install Internet Explorer
feature control setting.
However, Winword.exe is the executable file name for Office Word 2007 and for Microsoft Office
Word 2003. Therefore, if you have side-by-side installations of Office Word 2007 and Office Word
2003, and you opt in Office Word 2007 to the Internet Explorer feature control settings, Internet
Explorer cannot determine whether you want to apply the Internet Explorer feature control
settings to Office Word 2007 or to Office Word 2003. This problem occurs with applications that
have used the same executable file name for successive versions of the Office system. The
following table lists the executable file names that are the same in the 2007 Office system and
earlier versions of the Office system.

Executable file name: Applications
Excel.exe: Office Excel 2007, Office Excel 2003
Msaccess.exe: Office Access 2007, Office Access 2003
Mspub.exe: Office Publisher 2007, Publisher 2003
Outlook.exe: Office Outlook 2007, Office Outlook 2003
Powerpnt.exe: Office PowerPoint 2007, Office PowerPoint 2003
Visio.exe: Office Visio 2007, Office Visio 2003
Winproj.exe: Office Project 2007, Office Project 2003
Winword.exe: Office Word 2007, Office Word 2003

To identify potential problems with side-by-side installations, we recommend that you test each
Internet Explorer feature control setting with the earlier versions of applications that appear in the
preceding table. The Internet Explorer feature control settings are supported only on the 2007
Office system. The Internet Explorer feature control settings are not supported in earlier Office
releases and might cause applications in earlier Office releases to behave unpredictably.
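The script below is an added example, not code from the Resource Kit. It reports, for each Internet Explorer feature control found in the registry, whether the Office executables listed in this section are opted in (value 1), opted out (value 0) or not set, so that the record in your security planning documents can be checked against a workstation. Internet Explorer reads feature controls from Software\Microsoft\Internet Explorer\Main\FeatureControl in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, with each FEATURE_* subkey holding a DWORD named after the process; this section does not state which hive the Office policy writes to, so the script checks both. Because the values are keyed only by executable name, the same output tells you exactly which entries a side-by-side Office 2003 installation will pick up.

```powershell
# Added example (not from the Office Resource Kit): report which executables are
# opted in (1) or out (0) of each Internet Explorer feature control. Internet
# Explorer reads these from Software\Microsoft\Internet Explorer\Main\FeatureControl
# in HKLM and HKCU; each FEATURE_* subkey holds a DWORD named after the process.
$featureControlRoots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
                       'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl'

# Executables the Resource Kit lists as opt-in candidates for the 2007 Office system.
$officeExecutables = 'Msaccess.exe', 'Excel.exe', 'Groove.exe', 'Onent.exe', 'Outlook.exe',
                     'Powerpnt.exe', 'Winproj.exe', 'Mspub.exe', 'Exprwd.exe', 'Visio.exe',
                     'Spdesign.exe', 'Winword.exe', 'Pptview.exe', 'Mse7.exe'

function Get-OfficeFeatureControlState {
    param([string[]] $Executable = $officeExecutables)
    foreach ($root in $featureControlRoots) {
        if (-not (Test-Path $root)) { continue }
        $features = Get-ChildItem $root | Where-Object { $_.PSChildName -like 'FEATURE_*' }
        foreach ($feature in $features) {
            $values = Get-ItemProperty -Path $feature.PSPath
            foreach ($exe in $Executable) {
                # Registry value names are case-insensitive and -eq compares that way,
                # so an entry written as "winword.exe" still matches.
                $prop  = $values.PSObject.Properties | Where-Object { $_.Name -eq $exe } | Select-Object -First 1
                $state = if ($null -eq $prop)       { 'not set' }
                         elseif ($prop.Value -eq 1) { 'opted in' }
                         elseif ($prop.Value -eq 0) { 'opted out' }
                         else                       { "unexpected value $($prop.Value)" }
                [pscustomobject]@{
                    Hive       = $root.Substring(0, 4)     # HKLM or HKCU
                    Feature    = $feature.PSChildName
                    Executable = $exe
                    State      = $state
                }
            }
        }
    }
}

# Everything that is not opted in, for comparison with the planning documents:
# Get-OfficeFeatureControlState | Where-Object { $_.State -ne 'opted in' } | Format-Table -AutoSize
# Entries that a side-by-side Office Word 2003 would also be subject to:
# Get-OfficeFeatureControlState -Executable Winword.exe | Where-Object { $_.State -eq 'opted in' }
```

A process is also restricted by an entry in the hive the script did not expect, so treat an "opted in" row from either hive as effective; when the two hives disagree for the same executable, test the application rather than assume which one wins.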

See Also
Configure Internet Explorer feature control settings in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office system
Evaluate security and privacy threats for the 2007 Office system

Plan privacy options in the 2007 Office
system
The 2007 Microsoft Office system contains settings and options that can help you mitigate privacy
threats and control the disclosure of private and personal information. These settings and options
can be categorized into four main groups as shown in the following table.

Document Inspector settings
    Disable the Inspector modules that are included with the new Document Inspector tool.

Metadata protection settings
    Protect metadata that is contained in rights-managed and encrypted Office Open XML Formats files.

Office privacy options
    • Control whether users participate in the Customer Experience Improvement Program (CEIP).
    • Control whether users are allowed to automatically receive reliability updates.
    • Control how the Help system handles updated content on the Web.
    • Suppress the Privacy Options dialog box that appears the first time users start an application.

Application-specific privacy options
    Customize privacy-related behavior in Microsoft Office PowerPoint 2007 and Microsoft Office Word 2007.

For detailed explanations, see "Privacy options" in Security policies and settings in the 2007
Office system. As you plan your privacy options, keep the following guidelines in mind:
• We recommend that you do not disable the default Inspector modules for Document
Inspector unless you are replacing an Inspector module with a custom Inspector module. For
a description of each Inspector module, see Remove hidden data and personal information
from Office documents (http://go.microsoft.com/fwlink/?LinkID=78523).
• You cannot disable the Inspector module for Comments, Revisions, Versions, and
Annotations or the Inspector module for Document Properties and Personal Information.
• We recommend that you enable all three of the Office privacy options. By selecting these
options, you enable users to access the most current Help topics, increase the reliability and
stability of your Office installations, and help Microsoft create better applications.
• Be sure to inform users about any changes you make to the application-specific privacy
options for Office PowerPoint 2007 and Office Word 2007. Changing the default settings for
these privacy options can disable functionality that users might expect.
Although you can configure these settings and options for a wide variety of privacy scenarios,
these settings and options are most commonly used to:
• Maximize the protection of private and personal information that is contained in
documents.
• Suppress the first-run Privacy Options dialog box that appears the first time users start
an application in the 2007 Office system.
• Suppress the first-run Sign up for Microsoft Update dialog box that appears the first
time users start an application in the 2007 Office system.
For more information about how to configure privacy options and settings, see Configure
privacy options in the 2007 Office system.

Maximize the protection of personal and private information in documents
The recommended guidelines in the following sections are based on the Enterprise Client (EC)
environment rather than the Specialized Security Limited Functionality (SSLF) environment. The
EC environment represents an organization that has typical security needs. It is suitable for
midsize and large organizations that seek to balance security and functionality. The SSLF
environment represents a less typical organization, one in which security is paramount. It is
suitable only for midsize and large organizations that have stringent security standards, for which
security is more important than application functionality.
For a list of all configurations, see the 2007 Microsoft Office Security Guide (Threats and
Countermeasures: Security Settings in the 2007 Office System) (http://go.microsoft.com/?linkId=7711534).
Use the following guidelines to help maximize the protection of personal and private information
that is contained in Office Excel 2007, Office PowerPoint 2007, and Office Word 2007 documents.
• Do not disable the Inspector modules that are included in Document Inspector. By
default, documents are scanned with all Inspector modules when users run Document
Inspector.
• Educate users about Document Inspector. There are no administrative settings that
enable you to force users to run Document Inspector. Formal training and awareness about
Document Inspector can help mitigate privacy threats.

• Create custom Inspector modules that address your organization's specific privacy
concerns. Document Inspector is extensible and can be programmatically modified to suit
the privacy needs of your organization. For more information, see Customizing the 2007
Office System Document Inspector (http://go.microsoft.com/fwlink/?LinkId=78577&clcid=0x409).
• Enable the metadata protection settings that are listed in the following table.

Protect document metadata for rights-managed Office Open XML Files
    Recommended configuration: Enabled
    Description: By default, document metadata is not protected in Office Open XML Formats files
    that are restricted using IRM. Selecting this option protects (encrypts) metadata, such as
    author name, hyperlink references, and number of words, in Office Open XML Formats files that
    are restricted using IRM.

Protect document metadata for password-protected files
    Recommended configuration: Enabled
    Description: By default, document metadata is protected (encrypted) in Office Open XML
    Formats files that are encrypted with the password protection feature. Selecting this option
    protects (encrypts) metadata, such as author name, hyperlink references, and number of words,
    in Office Open XML Formats files that are encrypted with the password protection feature.

• Configure the Office privacy options as recommended in the following table.

Enable Customer Experience Improvement Program
    Recommended configuration: Not configured
    Description: By default, users are not enrolled in the Customer Experience Improvement
    Program (CEIP), so you do not need to configure this setting. Disabling it causes no usability
    issues for 2007 Office users; it blocks participation in the CEIP, which can reveal the IP
    address of a user's computer to Microsoft.

Automatically receive small updates to improve reliability
    Recommended configuration: Not configured
    Description: By default, users do not automatically receive small updates to improve
    reliability, so you do not need to configure this setting. Disabling it prevents users from
    receiving information and advice from Microsoft about fixing and preventing 2007 Office
    application errors, which could increase the number of desktop support requests your support
    department receives. Blocking the updates also prevents the IP address of a user's computer
    from being revealed to Microsoft.

Online content options
    Recommended configuration: Enabled; select Search online content whenever available
    Description: By default, the Help system automatically searches Microsoft Office Online for
    Help content when a computer is connected to the Internet. Enabling this setting and selecting
    Never show online content or entry points instead prevents the Help system from accessing
    Office Online, from displaying links to content that is on Office Online, and from downloading
    updated Help content.

    Note:
    By default, in the French, German, and Italian versions of the 2007 Office system, the Help
    system does not access Office Online and it does not display links to content that is on
    Office Online.

• Configure the application-specific privacy options as recommended in the following table.

Warn before printing, saving, or sending a file that contains tracked changes or comments
    Recommended configuration: Enabled
    Description: By default, users are not warned before printing, saving, or sending a file that
    contains tracked changes or comments. Selecting this option warns about tracked changes
    (revisions) and comments before users print, send, or save a document. This setting can be
    configured only for Office Word 2007.

Make hidden markup visible
    Recommended configuration: Enabled
    Description: By default, hidden markup is invisible. Selecting this option displays all
    tracked changes before users open or save documents. This setting can be configured only for
    Office PowerPoint 2007 and Office Word 2007.

Store random number to improve merge accuracy
    Recommended configuration: Enabled
    Description: By default, a random number is not stored to improve merge accuracy. Selecting
    this option improves the accuracy of merging tracked changes by multiple authors. This setting
    can be configured only for Office Word 2007.
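The metadata that Document Inspector looks for is ordinary XML inside the Office Open XML package, so anyone who receives the file can read it without opening Word. The following Python script is an added illustration, not code from the Office Resource Kit or Microsoft's Document Inspector: it builds a small .docx in memory (the author names, the comment text and the file-share path are invented) and reports what the Document Properties, Comments and Revisions, and hyperlink checks would find, first on the original package and then on a copy that carries only the visible text.

```python
"""Enumerate the hidden data a Document Inspector pass reports in a .docx package.
Added example (not Microsoft's Document Inspector code); standard library only.
The package is constructed in memory so the script runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_DOC = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
R_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"

# Constructed sample: the visible text is one sentence, but the package also carries
# the author and last editor, a reviewer comment, tracked changes and a hyperlink to
# an internal file share. Names and paths are invented for the example.
CLEAN_DOCUMENT = (
    f'<w:document xmlns:w="{W}"><w:body><w:p><w:r><w:t>Q3 forecast: final.</w:t></w:r>'
    '</w:p></w:body></w:document>'
)
HIDDEN_PARTS = {
    "docProps/core.xml": (
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
        '<dc:creator>Alice Example</dc:creator>'
        '<cp:lastModifiedBy>bob.contractor</cp:lastModifiedBy></cp:coreProperties>'
    ),
    "word/comments.xml": (
        f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="bob.contractor">'
        '<w:p><w:r><w:t>Do not send to the client before legal review</w:t></w:r></w:p>'
        '</w:comment></w:comments>'
    ),
    "word/_rels/document.xml.rels": (
        f'<Relationships xmlns="{R_PKG}">'
        f'<Relationship Id="rId1" Type="{R_DOC}/comments" Target="comments.xml"/>'
        f'<Relationship Id="rId2" Type="{R_DOC}/hyperlink" '
        'Target="file://fileserver/finance/q3-forecast.xlsx" TargetMode="External"/>'
        '</Relationships>'
    ),
    "word/document.xml": (
        f'<w:document xmlns:w="{W}" xmlns:r="{R_DOC}"><w:body><w:p>'
        '<w:commentRangeStart w:id="0"/><w:r><w:t>Q3 forecast: </w:t></w:r>'
        '<w:ins w:id="1" w:author="Alice Example"><w:r><w:t>final</w:t></w:r></w:ins>'
        '<w:del w:id="2" w:author="bob.contractor"><w:r><w:delText>draft</w:delText></w:r></w:del>'
        '<w:commentRangeEnd w:id="0"/>'
        '<w:hyperlink r:id="rId2"><w:r><w:t>source workbook</w:t></w:r></w:hyperlink>'
        '</w:p></w:body></w:document>'
    ),
}


def build_sample_docx(hidden: bool = True) -> bytes:
    """Zip the constructed parts into a minimal .docx; hidden=False yields the
    'inspected and cleaned' version that holds only the visible document text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if hidden:
            for name, xml in HIDDEN_PARTS.items():
                z.writestr(name, xml)
        else:
            z.writestr("word/document.xml", CLEAN_DOCUMENT)
    return buf.getvalue()


def _part(z: zipfile.ZipFile, name: str):
    """Parse one XML part of the package; None if the part is absent."""
    try:
        return ET.fromstring(z.read(name))
    except KeyError:
        return None


def inspect_docx(data: bytes) -> dict:
    """Report, per Inspector category, what a reader of the raw package can recover."""
    found = {"properties": {}, "comments": [], "revisions": [], "hyperlinks": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = _part(z, "docProps/core.xml")
        if core is not None:  # Document Properties and Personal Information
            for key, tag in (("creator", f"{{{DC}}}creator"),
                             ("lastModifiedBy", f"{{{CP}}}lastModifiedBy")):
                value = core.findtext(tag)
                if value:
                    found["properties"][key] = value
        comments = _part(z, "word/comments.xml")
        if comments is not None:  # Comments: author plus the comment text
            for c in comments.iter(f"{{{W}}}comment"):
                text = "".join(t.text or "" for t in c.iter(f"{{{W}}}t"))
                found["comments"].append((c.get(f"{{{W}}}author"), text))
        doc = _part(z, "word/document.xml")
        if doc is not None:  # Revisions: tracked insertions and deletions with author
            for kind in ("ins", "del"):
                for rev in doc.iter(f"{{{W}}}{kind}"):
                    found["revisions"].append((kind, rev.get(f"{{{W}}}author")))
        rels = _part(z, "word/_rels/document.xml.rels")
        if rels is not None:  # Hyperlink references live in the relationships part
            for rel in rels.iter(f"{{{R_PKG}}}Relationship"):
                if rel.get("Type") == f"{R_DOC}/hyperlink":
                    found["hyperlinks"].append(rel.get("Target"))
    return found


def has_hidden_data(found: dict) -> bool:
    return any(found[k] for k in found)


if __name__ == "__main__":
    for label, pkg in (("original", build_sample_docx()),
                       ("after cleanup", build_sample_docx(hidden=False))):
        result = inspect_docx(pkg)
        print(f"{label}: hidden data present = {has_hidden_data(result)}")
        for category, items in result.items():
            if items:
                print(f"  {category}: {items}")
```

Run it and compare the two listings: the cleaned package is still a valid document, but it no longer reveals who edited it, what the reviewer wrote, what was deleted, or the internal share path behind the hyperlink. This is the same information the metadata protection settings above encrypt for IRM-restricted and password-protected files.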

Suppress the first-run Privacy Options dialog box
The Privacy Options dialog box appears the first time users start an application in the 2007
Office system. Users can select the following three privacy options in the Privacy Options dialog
box:
• Get online Help This corresponds to the Online content options privacy option, which
enables you to control how a computer searches Help content on the Microsoft Office Online
Web site and choose whether updated Help content is downloaded to users' computers.
• Keep your system running This corresponds to the Automatically receive small
updates to improve reliability privacy option, which enables you to control whether a
computer automatically receives updates that help track and solve crashes, hangs, and
system failures.
• Make Office better This corresponds to the Enable Customer Experience
Improvement Program (CEIP) privacy option, which controls whether users participate in
the CEIP program.
You can prevent the first-run Privacy Options dialog box from appearing by configuring Office
Customization Tool (OCT) settings or Group Policy settings. You can also prevent the first-run
Privacy Options dialog box from appearing by configuring the ShowOptIn registry entry. To
learn more about using the ShowOptIn registry entry, see the following article in the Microsoft
Knowledge Base: How to prevent the "Welcome to the 2007 Microsoft Office system" dialog box
from opening when a 2007 Office suite is started for the first time (http://go.microsoft.com/fwlink/?LinkId=85502&clcid=0x409).

To use only the OCT to suppress the first-run Privacy Options dialog box, configure the options
that are recommended in the following table.

Online content options
    Recommended configuration: Not configured; select Search online content whenever available
    Description: Selecting this option and selecting Search online content whenever available
    allows the Help system to access Office Online. It also allows the Help system to display
    links to content that is on Office Online and to download updated Help content.

    Note:
    By default, in the French, German, and Italian versions of the 2007 Office system, the Help
    system does not access Office Online and it does not display links to content that is on
    Office Online.

Automatically receive small updates to improve reliability
    Recommended configuration: Not configured
    Description: Selecting this option allows the downloading of a small file that enables
    Microsoft to provide users with help if they are experiencing an abnormal number of program
    errors. Selecting this option also allows the IP address of a user's computer to be revealed
    to Microsoft.

Enable Customer Experience Improvement Program
    Recommended configuration: Enabled
    Description: Selecting this option allows participation in the Customer Experience
    Improvement Program, which can reveal the IP address of a user's computer to Microsoft.

To use only Group Policy to suppress the first-run Privacy Options dialog box, configure the
settings that are recommended in the following table.

Online content options
    Recommended configuration: Not configured; select Search online content whenever available
    Description: To suppress the first-run Privacy Options dialog box, you can select either the
    Enabled or the Disabled option. Doing so prevents users from configuring the setting in the
    graphical user interface, which prevents the first-run Privacy Options dialog box from
    appearing.

    Note:
    By default, in the French, German, and Italian versions of the 2007 Office system, the Help
    system does not access Office Online and it does not display links to content that is on
    Office Online.

Automatically receive small updates to improve reliability
    Recommended configuration: Not configured
    Description: To suppress the first-run Privacy Options dialog box, you can select either the
    Enabled or the Disabled option. Doing so prevents users from configuring the setting in the
    graphical user interface, which prevents the first-run Privacy Options dialog box from
    appearing.

Enable Customer Experience Improvement Program
    Recommended configuration: Not configured
    Description: To suppress the first-run Privacy Options dialog box, you can select either the
    Enabled or the Disabled option. Doing so prevents users from configuring the setting in the
    graphical user interface, which prevents the first-run Privacy Options dialog box from
    appearing.

Note:
You can also suppress the first-run Privacy Options dialog box by using a combination
of OCT and Group Policy settings. However, the combination of settings must follow the
recommendations described in the previous tables.

Suppress the first-run Sign up for Microsoft Update dialog box
The Sign up for Microsoft Update dialog box appears the first time users start an application in
the 2007 Office system. Users can select the following two options on the Sign up for Microsoft
Update dialog box:
• Download and install updates from Microsoft Update when available
(recommended) This option corresponds to the Turn on automatic updating setting in the
Windows Vista operating system and the Automatic (recommended) setting in the Microsoft
Windows XP Professional operating system. This setting enables a computer to automatically
access Microsoft Update and download and install any available updates for the 2007 Office
system.
• I don't want to use Microsoft Update This option corresponds to the Turn off
automatic updating setting in the Windows Vista operating system and the Turn off
Automatic Updates setting in the Windows XP operating system. This setting prevents a
computer from accessing Microsoft Update.

To prevent the Sign up for Microsoft Update dialog box from appearing, you must enable one of
the following Group Policy settings:
• Computer Configuration/Administrative Templates/System/Internet Communication
Management/Internet Communication settings/Turn off access to all Windows update
features
• User Configuration/Administrative Templates/Windows Components/Windows
Update/Remove access to use all Windows Update features
• User Configuration/Administrative Templates/Start Menu and Taskbar/Remove links and
access to Windows Update

Note:
You can suppress the first-run Sign up for Microsoft Update dialog box only by
configuring Group Policy settings. There are no settings in the OCT that enable you to
suppress the first-run Sign up for Microsoft Update dialog box.

See Also
Evaluate default security and privacy settings for the 2007 Office System
Configure privacy options in the 2007 Office system
GPOAccelerator (http://go.microsoft.com/fwlink/?LinkId=103576)

Plan block file format settings in the 2007 Office system
Block file format settings prevent users from opening or saving specific file types and file formats
in Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, and Microsoft Office Word
2007. The only block file format setting that is configured by default is the Block opening of files
before version setting. This setting prevents users from opening Office Word 2007 files that have
been saved in a format that is earlier than the Word 6.0 format. Files that have been saved using
a beta version of Word 6.0 are considered to be earlier than the Word 6.0 format and cannot be
opened by default. You can use block file format settings to help:
• Enforce file type and file format requirements in your organization.
• Manage file usage during and after a migration.
• Mitigate security threats that target specific file types and formats.
There are two types of block file format settings: block open settings and block save settings.
Block open settings prevent users from opening various file types and formats; block save
settings prevent users from saving files in various file types and formats.
The following table lists file types and file formats that are blocked by each block open setting.
The file name extensions that are listed are not a complete list of the file types and formats that
are blocked by a specific setting. The table lists file name extensions for the most common
examples of the file types and formats that are blocked.

Each entry gives the setting name followed by the file types blocked in Office Excel 2007,
Office PowerPoint 2007, and Office Word 2007 (N/A means the setting does not exist for that
application).

Block opening of pre-release versions of the file formats that are new to Office 2007
    Office Excel 2007: .xlsb, .xlsx, .xlsm, .xltx, .xltm, .xlam
    Office PowerPoint 2007: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm
    Office Word 2007: .docx, .docm, .dotx, .dotm

Block opening of Open XML file types
    Office Excel 2007: .xlsx, .xlsm, .xltx, .xltm, .xlam
    Office PowerPoint 2007: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml
    Office Word 2007: .docx, .dotx, .docm, .dotm, .xml

Block opening of Binary 12 file types
    Office Excel 2007: .xlsb
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block opening of Binary file types
    Office Excel 2007: .xls, .xla, .xlt, .xlm, .xlw, .xlb
    Office PowerPoint 2007: .ppt, .pot, .pps, .ppa
    Office Word 2007: .doc, .dot

Block opening of HTML and XMLSS file types
    Office Excel 2007: .mht, .mhtml, .htm, .html, .xml, .xmlss
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block opening of HTML file types
    Office Excel 2007: N/A
    Office PowerPoint 2007: .htm, .html, .mht, .mhtml
    Office Word 2007: .htm, .html, .mht, .mhtml

Block opening of Outlines
    Office Excel 2007: N/A
    Office PowerPoint 2007: .rtf, .txt, .doc, .wpd, .docx, .docm, .wps
    Office Word 2007: N/A

Block opening of Converters
    Office Excel 2007: N/A
    Office PowerPoint 2007: .ppt, .pot, .pps, .ppa
    Office Word 2007: N/A

Block open Converters
    Office Excel 2007: N/A
    Office PowerPoint 2007: N/A
    Office Word 2007: Prevents converters from opening all document types and formats.

Block opening of Word 2003 XML file types
    Office Excel 2007: N/A
    Office PowerPoint 2007: N/A
    Office Word 2007: .xml

Block opening of RTF file types
    Office Excel 2007: N/A
    Office PowerPoint 2007: N/A
    Office Word 2007: .rtf

Block opening of XML file types
    Office Excel 2007: .xml
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block opening of DIF and SYLK file types
    Office Excel 2007: .dif, .slk
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block opening of Text file types
    Office Excel 2007: .txt, .csv, .prn
    Office PowerPoint 2007: N/A
    Office Word 2007: .txt

Block opening of XLL file type
    Office Excel 2007: .xll
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block opening of Internal file types
    Office Excel 2007: N/A
    Office PowerPoint 2007: N/A
    Office Word 2007: Prevents opening of Word files that have been saved in pre-release (beta)
    binary formats, including Word 2003 and earlier.

Block opening of files before version
    Office Excel 2007: N/A
    Office PowerPoint 2007: N/A
    Office Word 2007: Prevents opening of files with formats earlier than a specified version of
    Word.

For a detailed description of each block open setting, see "Block file format settings" in Security
policies and settings in the Office 2007 system.
The following table lists the file types and file formats that are blocked for each block save setting.
The file name extensions listed are not a complete list of the file types and formats that are
blocked by a specific setting. The table lists file name extensions for the most common examples
of the file types and formats that are blocked.

Each entry gives the setting name followed by the file types blocked in Office Excel 2007,
Office PowerPoint 2007, and Office Word 2007 (N/A means the setting does not exist for that
application).

Block saving of Open XML file types
    Office Excel 2007: .xlsx, .xlsm, .xltx, .xltm, .xlam
    Office PowerPoint 2007: .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, .xml
    Office Word 2007: .docx, .dotx, .docm, .dotm, .xml

Block saving of Binary 12 file types
    Office Excel 2007: .xlsb
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block saving of Binary file types
    Office Excel 2007: .xls, .xla, .xlt, .xlm, .xlw, .xlb
    Office PowerPoint 2007: .ppt, .pot, .pps, .ppa
    Office Word 2007: .doc, .dot

Block saving of HTML and XMLSS file types
    Office Excel 2007: .mht, .mhtml, .htm, .html, .xml, .xmlss
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block saving of HTML file types
    Office Excel 2007: N/A
    Office PowerPoint 2007: .htm, .html, .mht, .mhtml
    Office Word 2007: .htm, .html, .mht, .mhtml

Block saving of outlines
    Office Excel 2007: N/A
    Office PowerPoint 2007: .rtf, .txt, .doc, .wpd, .docx, .docm, .wps
    Office Word 2007: N/A

Block saving of converters
    Office Excel 2007: N/A
    Office PowerPoint 2007: N/A
    Office Word 2007: Prevents converters from saving all file types and formats.

Block saving of GraphicFilters
    Office Excel 2007: N/A
    Office PowerPoint 2007: .jpg, .png, .tif, .bmp, .wmf, .emf
    Office Word 2007: N/A

Block saving of Word 2003 XML file types
    Office Excel 2007: N/A
    Office PowerPoint 2007: N/A
    Office Word 2007: .xml

Block saving of RTF file types
    Office Excel 2007: N/A
    Office PowerPoint 2007: N/A
    Office Word 2007: .rtf

Block saving of XML file types
    Office Excel 2007: .xml
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block saving of DIF and SYLK file types
    Office Excel 2007: .dif, .slk
    Office PowerPoint 2007: N/A
    Office Word 2007: N/A

Block saving of Text file types
    Office Excel 2007: .txt, .csv, .prn
    Office PowerPoint 2007: N/A
    Office Word 2007: .txt

For a detailed description of each block save setting, see Security policies and settings in the
Office 2007 system.
When a user attempts to open a file type or file format that is blocked, the block file format
mechanism evaluates the file at the parser level (when the file is loading), which provides a more
thorough determination of file type and format than simple file-name extension checking. Because
of this, changing the file name extension on a file will not affect the blocking mechanism. For
example, if a file is saved in the Word 2003 binary format with a .doc extension, and you rename
the file so that the extension is .rtf, any setting that blocks the opening of Word 2003 binary files
will prevent users from opening the file even though it has an .rtf extension.
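To see why renaming a file does not defeat blocking, the following Python script (an added illustration, not Microsoft's parser or any code from this guide) identifies the container format from the bytes rather than the extension: the OLE2 compound-file signature for binary .doc, .xls and .ppt files, a ZIP package containing [Content_Types].xml for Office Open XML, and the leading text for RTF, Word 2003 XML, XMLSS and HTML. The check for which application wrote an OLE2 file is a byte search for the UTF-16LE stream name, a triage heuristic rather than a compound-file parser, and every sample file is constructed in the code.

```python
"""Identify an Office file's real container format from its bytes, the way the block
file format mechanism does at load time, then apply a block-open policy to the sniffed
format. Added example, not Microsoft code; the OLE2 stream check is a byte-search
heuristic, not a full compound-file parser. Standard library only."""
import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file: binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML is a ZIP package

# Compound-file directory entries store stream names as UTF-16LE, so searching for
# the encoded name is a workable triage heuristic for which application wrote the file.
OLE2_STREAMS = {
    "WordDocument": "word-binary",
    "Workbook": "excel-binary",
    "PowerPoint Document": "powerpoint-binary",
}
OOXML_ROOTS = {"word/": "word-openxml", "xl/": "excel-openxml", "ppt/": "powerpoint-openxml"}
EXPECTED_FOR_EXT = {
    ".doc": "word-binary", ".dot": "word-binary",
    ".docx": "word-openxml", ".docm": "word-openxml", ".dotx": "word-openxml", ".dotm": "word-openxml",
    ".xls": "excel-binary", ".xlt": "excel-binary", ".xla": "excel-binary",
    ".xlsx": "excel-openxml", ".xlsm": "excel-openxml", ".xltx": "excel-openxml", ".xltm": "excel-openxml",
    ".ppt": "powerpoint-binary", ".pot": "powerpoint-binary", ".pps": "powerpoint-binary",
    ".pptx": "powerpoint-openxml", ".pptm": "powerpoint-openxml", ".ppsx": "powerpoint-openxml",
    ".rtf": "rtf", ".htm": "html", ".html": "html", ".mht": "html", ".mhtml": "html",
    ".txt": "text",
}


def sniff_office_format(data: bytes) -> str:
    """Return a format label derived from the content only; the file name is not used."""
    if data.startswith(OLE2_MAGIC):
        for stream, fmt in OLE2_STREAMS.items():
            if stream.encode("utf-16-le") in data:
                return fmt
        return "ole2-unknown"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "[Content_Types].xml" not in names:
            return "zip-not-ooxml"
        for prefix, fmt in OOXML_ROOTS.items():
            if any(n.startswith(prefix) for n in names):
                return fmt
        return "ooxml-unknown"
    head = data[:2048].lstrip().lower()
    if head.startswith(b"{\\rtf"):
        return "rtf"
    if head.startswith(b"<?xml") and b'progid="word.document"' in head:
        return "word-2003-xml"
    if head.startswith(b"<?xml") and b'progid="excel.sheet"' in head:
        return "excel-2003-xml"  # XMLSS
    if b"<html" in head or head.startswith(b"mime-version:"):
        return "html"
    return "text"


def extension_matches(filename: str, data: bytes) -> bool:
    """True when the extension agrees with the sniffed content."""
    ext = os.path.splitext(filename)[1].lower()
    return EXPECTED_FOR_EXT.get(ext) == sniff_office_format(data)


def block_decision(filename: str, data: bytes, blocked_formats: set) -> tuple:
    """Emulate a block-open policy: the decision uses the sniffed format, so renaming
    the file does not change it. Returns (blocked, detected_format)."""
    fmt = sniff_office_format(data)
    return fmt in blocked_formats, fmt


# Constructed samples (not real documents): a header signature plus a fake directory
# entry name for OLE2, and a two-part ZIP package for Office Open XML.
def ole2_sample(stream_name: str) -> bytes:
    return OLE2_MAGIC + b"\x00" * 504 + stream_name.encode("utf-16-le") + b"\x00" * 64


def ooxml_sample(root: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(root + "main.xml", "<part/>")
    return buf.getvalue()


if __name__ == "__main__":
    policy = {"word-binary"}  # e.g. "Block opening of Binary file types" for Word
    for name, blob in (("report.doc", ole2_sample("WordDocument")),
                       ("report.rtf", ole2_sample("WordDocument")),  # the same file renamed
                       ("notes.rtf", b"{\\rtf1\\ansi Notes}"),
                       ("budget.xlsx", ooxml_sample("xl/"))):
        blocked, fmt = block_decision(name, blob, policy)
        print(f"{name:12} sniffed={fmt:18} ext-consistent={extension_matches(name, blob)!s:5} "
              f"blocked={blocked}")
```

In the printed run, report.rtf is the binary .doc renamed: its extension disagrees with its content and the word-binary policy still blocks it, while the genuine RTF file passes. The same extension-versus-content comparison is useful at a mail gateway or in incident triage, where a binary document disguised as .rtf or .txt is worth a closer look.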
When a user attempts to save a file in a file type or file format that is blocked, an error
message appears. The message explains that the file type has been blocked by a system
administrator and provides a link to the following Microsoft Knowledge Base article: You receive
an error message when you try to open or save a file in one of the 2007 Office programs or in one
of the Office 2003 programs (http://go.microsoft.com/fwlink/?LinkId=79656&clcid=0x409).
Keep the following overall considerations in mind as you plan your block file format settings.
These considerations apply any time you use block file format settings.
• You can configure block file format settings only for Office Excel 2007, Office PowerPoint
2007, and Office Word 2007 files.
• Block save settings can be configured only through Group Policy. You cannot use the
Office Customization Tool (OCT) to configure block save settings.
• Most block open settings can be configured only through Group Policy. There is one
block open setting that can be configured by using the OCT.
• Block open settings do not apply to files that are opened from trusted locations.

• Block file format settings are application-specific. You cannot prevent users from
using other applications to open or save file types or formats that are blocked. For
example, you can enable block file format settings that prevent users from opening .dot
files in Office Word 2007, but users will still be able to open .dot files with Microsoft Office
Publisher 2007, which uses a converter to read the .dot file.
• Disabling notifications in the Message Bar has no effect on block file format settings. The
block file format warning dialog box appears before any notification appears in the Message
Bar.
Although you can use block file format settings to manage file usage in many scenarios, these
settings are most commonly used to:
• Force an organization to use the new file formats that are included in the 2007 Office
system.
• Mitigate zero-day security attacks by temporarily preventing users from opening specific
types of files.
• Prevent an organization from opening files that have been saved in earlier Office Word
formats.
• Prevent an organization from using pre-release (that is, beta) file formats.

Force an organization to use the new 2007 Office file format
The 2007 Office system introduces new file formats called Office Open XML Formats. Office
Open XML Formats enhance functionality, security, and programmability, and are recommended
for files that are created with the 2007 Office system.
To enforce Office Open XML Formats throughout your organization, use the settings that are
listed in the following table.

Block saving of Binary file types
    Recommended configuration: Enabled
    Description: By default, this setting is disabled and does not prevent users from saving
    binary format files. Selecting this option prevents users from saving files in the binary
    formats that are used by earlier versions of the Office system. This setting must be
    configured for Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, unless you do
    not want to enforce the new file format across all applications.

Block saving of Open XML file types
    Recommended configuration: Disabled
    Description: By default, users are allowed to save Office Open XML Formats files and you do
    not need to select this option to enforce the use of the new file format. However, selecting
    this option is a recommended best practice if you want to help ensure that users save files in
    the new file formats. This option must be selected for Office Excel 2007, Office PowerPoint
    2007, and Office Word 2007, unless you do not want to enforce the new file format across all
    applications.

Block opening of Open XML file types
    Recommended configuration: Disabled
    Description: By default, users are allowed to open Office Open XML Formats files and you do
    not need to select this option to enforce the use of the new file types. However, selecting
    this option is a recommended best practice if you want to help ensure that users open files
    that are saved in the new file types. This option must be selected for Office Excel 2007,
    Office PowerPoint 2007, and Office Word 2007, unless you do not want to enforce the new file
    format across all applications.

The settings listed in the previous table do not restrict users from saving or opening files in text
formats, such as .txt, .rtf, .csv, or .xml. To prevent users from opening or saving files in these
formats, configure the block open and block save settings that are listed in the following table.

Configure each of the following block open and block save settings to Enabled for the
applications listed with it.

Block opening of HTML and XMLSS file types: Office Excel 2007
Block opening of HTML file types: Office PowerPoint 2007 and Office Word 2007
Block opening of Word 2003 XML file types: Office Word 2007
Block opening of RTF file types: Office Word 2007
Block opening of XML file types: Office Excel 2007
Block opening of DIF and SYLK file types: Office Excel 2007
Block opening of Text file types: Office Excel 2007
Block opening of XLL file type: Office Excel 2007 (this setting exists only for Excel)
Block saving of HTML and XMLSS file types: Office Excel 2007
Block saving of HTML file types: Office PowerPoint 2007 and Office Word 2007
Block saving of Word 2003 XML file types: Office Word 2007
Block saving of RTF file types: Office Word 2007
Block saving of XML file types: Office Excel 2007
Block saving of DIF and SYLK file types: Office Excel 2007
Block saving of Text file types: Office Excel 2007 and Office Word 2007

Be sure to record each of your settings in your security planning documents. You will need to
know the name of the setting and the configuration state to configure block file format settings
with the OCT or with Group Policy.
For more information about Office Open XML Formats, see FAQ: File format
(http://technet.microsoft.com/en-us/library/cc179106.aspx).

Mitigating zero-day attacks


You can mitigate zero-day attacks by preventing users from opening specific file types or file
formats that an attacker can use to exploit a security vulnerability. Zero-day attacks are so
named because they exploit a vulnerability for which no fix is yet available or deployed: the
window between the time the vulnerability becomes known and the time you have applied the software
update that corrects it. Software updates for security vulnerabilities are typically distributed
through security bulletins or in service packs.
Use the following steps to mitigate zero-day attacks.

Mitigate zero-day attacks


1. Identify the file type or file format that is posing a risk. This is usually discussed in the
security bulletin or the service pack documentation that provides a software update for
the security vulnerability.
2. Evaluate the block open and block save settings to determine whether there is a
setting that prevents users from opening and saving the high-risk file type or file format.
3. Enable both the block open and the block save settings for the file type or format that
is posing a risk.
4. Configure the block open and block save settings to Disabled or Not Configured
after you deploy a software update for the security vulnerability.
5. Record your settings in your security planning documents or your security operations
documents. Be sure to identify settings that you must configure before you deploy the
software update and after you deploy the software update.

Preventing an organization from opening files that have been saved in earlier Word formats
To prevent users from opening files that have been saved in earlier Word formats, you must
enable the Block opening of files before version setting. When this setting is enabled, you can
specify the earliest Word format that users are allowed to open. For example, if you configure this
setting for Word 95 RTM (release to manufacturing), users are not allowed to open files that are
saved in Word 95 beta format or earlier Word formats. By default, this setting is enabled and
configured for Word 6.0.

The following list gives the 24 versions of Word that you can specify by using the Block
opening of files before version setting, as they appear in the graphical user interface. Each
value prevents the opening of all Word formats that are earlier than the specified version;
exceptions and clarifications are noted.
• Word 1.x for Windows
• Word 4.x for Macintosh
• Word 1.2 for Windows Japan
• Word 1.2 for Windows Korea
• Word 5.x for Macintosh
• Word 1.2 for Windows Taiwan
• Word 2.x for Windows
• Word 2.x for Windows BiDi
• Word 2.x for Windows Japan
• Word 2.x for Windows Korea
• Word 2.x for Windows Taiwan
• Word 6.0 for Windows (prevents the opening of all Word formats earlier than the Word 6.0
format; this is the default setting)
• Word 6.0 for Macintosh
• Word 95 RTM (prevents the opening of all Word formats earlier than the Word 95 final, public,
release format)
• Word 95 Beta (prevents the opening of all Word formats earlier than the Word 95 pre-release,
beta, format)
• Word 97 for Windows
• Word 98 for Macintosh
• Word 2001 for Macintosh
• Word X for Macintosh
• Word 9 for Windows (Word 2000)
• Word 10 for Windows (prevents the opening of all Word formats earlier than the Word XP format)
• Word 11 for Windows (prevents the opening of all Word formats earlier than the Word 2003
format)
• Word 2004 for Macintosh
• Word 11 saved by Word 12 (prevents the opening of all Word formats earlier than the Word 2003
format as saved by Office Word 2007)

Be sure to record your settings in your security planning documents. You will need to know the
setting name, configuration state, and the version of Word as it appears in the graphical user
interface to configure block file format settings with the OCT or with Group Policy.

Preventing an organization from using pre-release (beta) file formats
To prevent an organization from using pre-release (beta) file formats, use the settings that are
listed in the following table.

Setting name: Block opening of pre-release versions of the file formats that are new to Office 2007
Recommended configuration: Select this option: Enabled
Description: By default, users are allowed to open pre-release (beta) versions of Office Open XML
Formats files. Selecting this option prevents users from opening Office Open XML Formats files if
the files have been saved by using a pre-release (beta) version of the 2007 Office system. This
setting must be configured for Office Excel 2007, Office PowerPoint 2007, and Office Word 2007.

Setting name: Block opening of Internal file types
Recommended configuration: Select this option: Enabled
Description: By default, users are allowed to open pre-release (beta) Word binary file types.
Selecting this option prevents users from opening Word files if the files have been saved in
pre-release (beta) binary formats. This includes all pre-release binary formats of Word 2003 and
all earlier Word versions. You can configure this setting only for Office Word 2007.

You cannot prevent users from opening binary format files if the files have been saved by using
pre-release versions of Office Excel 2007 and Office PowerPoint 2007. However, you can use the
Block opening of Binary file types setting to prevent users from opening all files that have been
saved in a binary format.
Be sure to record all of your settings in your security planning documents. You will need to know
the setting name and configuration state to configure block file format settings with the Office
Customization Tool (OCT) or with Group Policy.

See Also
Configure block file format settings in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office System
Evaluate security and privacy threats for the 2007 Office system

C. Planning Outlook 2007 Security

Use Outlook 2007 to help protect messages
You have two main options for helping to protect messages in Microsoft Office Outlook 2007 from
unauthorized use, tampering, or change: 1) cryptographic messaging using the S/MIME standard,
and 2) Information Rights Management (IRM). While both of these options can help protect
messages your users send and receive, they work differently and are each best suited for
different scenarios.
S/MIME is a standard for sending digitally signed and encrypted e-mail messages. Using S/MIME
in Outlook is the preferred way to:
• Sign a message to prove the identity of the sender. S/MIME is the only option the 2007
Microsoft Office system supports for digital signatures. It is not possible to tamper with an
IRM message, and in this way it is similar to a signed message. But IRM protection is more
limited because there are no authorities that attest to the identities of the senders, and the
Outlook user interface does not show information about the identity of the sender.
• Help ensure that Internet e-mail messages are not vulnerable to attackers that use
software to monitor and intercept e-mail traffic over the Internet. The focus is on the Internet,
as that is where point-to-point encryption is most valuable and where interoperability
standards are most important.
The biggest value in using S/MIME is when users send and receive e-mail messages outside
corporate boundaries, where they are not protected by the corporate firewall.
Another feature that can help to protect messages in Outlook is IRM. IRM gives organizations
and information workers greater control over sensitive information. IRM is the preferred way to
help to:
• Protect e-mail conversations containing sensitive information by restricting the ability to
forward or copy the messages in an e-mail thread. The reasons to use IRM have little to do
with whether an unauthorized person outside the organization—for example, a hacker on the
Internet—will intercept the communication. Instead, IRM is used most efficiently when the
sender is concerned that the intended recipient will share the information inappropriately.
• Prevent people from using out-of-date information by enforcing message expiration. With
IRM, expiration dates on messages are enforced, unlike expiration dates set on messages
without IRM.
The biggest value for IRM is within the corporation, where employees need to share information
while maintaining some control over who has access to this information. IRM is especially helpful
in ensuring that this information does not leak outside the corporate firewall.

See Also
Plan for e-mail messaging cryptography

Plan for limiting junk e-mail in Outlook 2007
Microsoft Office Outlook 2007 includes features that can help users avoid receiving and reading
junk e-mail messages, including the Junk E-mail Filter and disabling automatic content download
from external servers.

Note:
This topic is for Outlook administrators. To configure Outlook junk e-mail options on your
computer, see Junk E-mail Filter options (http://go.microsoft.com/fwlink/?LinkId=81371).
The Junk E-mail Filter helps users avoid reading junk e-mail messages. The filter is on by default
and the protection level is set to Low, which is designed to filter the most obvious junk e-mail
messages. The filter replaces the rules for processing junk e-mail messages in previous versions
of Outlook (prior to Microsoft Outlook 2003). The filter incorporates technology built into the
software to evaluate e-mail messages to determine if the messages are likely to be junk e-mail, in
addition to filtering lists that automatically block or accept messages to or from specific senders.
Automatic picture download settings help reduce the risk of Web beacons activating in e-mail
messages by automatically blocking the download of pictures, sounds, and other content from
external servers in e-mail messages. Automatic content download is disabled by default.
Configure junk e-mail settings in Outlook 2007 contains more information about configuring
how external content is downloaded.
This topic discusses how the Outlook Junk E-mail Filter works, and how you can configure the
Junk E-mail Filter to meet the needs of your organization. For example, you can configure the
filter to be more aggressive, though this might also cause it to filter more legitimate messages.
Rules that are not part of junk e-mail management are not affected.

Overview: the Outlook Junk E-mail Filter
The Junk E-mail Filter contains two parts:
• Three Junk E-mail Filter lists: Safe Senders, Safe Recipients, and Blocked Senders.
• State-of-the-art technology developed by Microsoft Research. This technology evaluates
whether an unread message should be treated as junk e-mail based on several factors,
including the message content and whether the sender is included in Junk E-mail Filter lists.
All settings for the Junk E-mail Filter are stored in each user's Outlook profile. You can override
the profile settings by using policies for all options except the Junk E-mail Filter lists. However,
you can create and deploy initial lists of Safe Senders, Safe Recipients, and Blocked Senders for
your users.
The Junk E-mail Filter is provided for a subset of Outlook account types. The types are listed in
the following section, Supported account types. The filter works best when it is used with
Microsoft Exchange Server 2003 and later accounts, as described in detail later in this topic.

When Outlook users are upgraded to Office Outlook 2007, existing Junk E-mail Filter lists are
maintained, unless you deploy new lists to users.

Supported account types
Office Outlook 2007 supports junk e-mail filtering for the following account types:
• Microsoft Exchange Server e-mail accounts in Cached Exchange Mode
• Microsoft Exchange Server e-mail accounts when mail is delivered to a Personal Folders
file (PST file)
• HTTP accounts
• POP accounts
• MSN Hotmail accounts
• IMAP accounts
The following account types are not supported for Outlook junk e-mail filtering:
• Microsoft Exchange Server e-mail accounts in Online (MDB) mode
• Third-party MAPI providers
Information about what junk e-mail filtering options are available with Exchange Server is
included in the next section, Support in different versions of Exchange Server.
In scenarios in which POP e-mail messages are downloaded into an Exchange Online (MDB)
mailbox, Outlook blocks junk e-mail messages for the user's POP e-mail; however, Outlook does
not block Exchange Online junk e-mail messages.

Support in different versions of Exchange Server
Junk E-mail Filter behavior depends on the Exchange Server version you use for messaging.
Later versions of Exchange Server support more filtering options than earlier versions do.
The following list details Junk E-mail Filter behavior with different versions of Exchange Server.
• Versions earlier than Exchange Server 2003
If users use Cached Exchange Mode or download to a Personal Folders file (PST file): Users
can create and use the Junk E-mail Filter lists, which are available from any computer that
users use.
If users work online: The Junk E-mail Filter is not available.
• Exchange Server 2003 and later versions of Exchange
If users use Cached Exchange Mode or download to a PST file: The Junk E-mail Filter lists
that are available from any computer are also used by the server to evaluate mail. This
means that if a sender is on a user's Blocked Senders list, mail moves to the Junk E-mail
folder on the server and is not evaluated by Office Outlook 2007. In addition, Office Outlook
2007 uses Microsoft Research technology to evaluate e-mail messages.
If users work online: The Junk E-mail Filter lists that are available from any computer are also
used by the server to evaluate mail. This means that if a sender is on a user's Blocked
Senders list, mail moves to the Junk E-mail folder on the server and is not evaluated by
Office Outlook 2007.

Upgrading from a previous installation of Outlook before Outlook 2003
When a user's previous version of Outlook (earlier than Outlook 2003) is upgraded to Office
Outlook 2007, the rules that previously handled junk e-mail messages are removed. The existing
rules and files used by the old filter are not migrated. The existing rules are handled as follows:
• Rules created by the old filter
With the previous rules filter for junk e-mail messages, users could create up to three client-
side rules for their mailbox: Adult Content Rule, Junk E-mail Rule, and Exception List.
Outlook removes these rules from the user's mailbox when Outlook 2003 starts for the first
time on the user's computer. This means that Outlook 2003 always disables the previous junk
e-mail filter.
• Files that contain the Adult Senders list and the Blocked Senders list
These text files are left on the user's computer, but Outlook no longer uses the files.

Configuring the Junk E-mail Filter user interface
You can specify several options to configure how the Junk E-mail Filter works for your users,
including the following:
• Set the Junk E-mail Filter protection level.
• Permanently delete suspected junk e-mail messages or move the messages to the Junk
E-mail folder.
• Trust e-mail messages from users' Contacts.
The default values for the Junk E-mail Filter are designed to help provide a positive experience
for users. However, you can configure these settings to different defaults and set other options
and policies when you deploy Outlook to your organization, such as defining an alternative URL
for the location of filter updates.
Junk e-mail settings are set only once. When the user first starts Outlook 2003, the settings are
configured in the profile that the user chooses. Other profiles the user has, or may create later, do
not include the settings that you have configured. Instead, default settings are used.
Default values for the Junk E-mail Filter settings are:
• Junk E-mail: Set to LOW
• Permanently delete: Set to OFF
• Trust my Contacts: Set to ON
You can use the Office Customization Tool to configure these options to specify default values for
users, or the options can be enforced by Group Policy. For more information about configuring
options for the Junk E-mail Filter, see Configure junk e-mail settings in Outlook 2007.

Providing default Junk E-mail Filter lists
You can deploy default Junk E-mail Filter lists to your users. The Junk E-mail Filter uses these
lists as follows:
• Safe Senders list
E-mail messages received from the e-mail addresses in the list or from any e-mail address
that includes a domain name in the list are never treated as junk e-mail.
• Safe Recipients list
E-mail messages sent to the e-mail addresses in the list or to any e-mail address that
includes a domain name in the list are never treated as junk e-mail.
• Blocked Senders list
E-mail messages received from the e-mail addresses in the list or from any e-mail address
that includes a domain name in the list are always treated as junk e-mail.
If a domain name or e-mail address is on both the Blocked Senders list and the Safe Senders list,
the Safe Senders list takes precedence over the Blocked Senders list. This reduces the risk that
mail that users want might be treated as junk e-mail by mistake. The lists are stored on the server
and are available if users roam.
To deploy the Junk E-mail Filter lists, you create the lists on a test computer and distribute the
lists to your users. The lists you provide are default lists; they cannot be locked down by policy.
For more information about deploying default lists, see Create and deploy Junk E-mail Filter lists
in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179056.aspx).
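As an added illustration of the list rules just described (example code, not Outlook's own), the following Go program models the three Junk E-mail Filter lists and the stated precedence of Safe Senders over Blocked Senders. It assumes that a list entry is either a full address or a bare domain name that matches the domain part of an address, and it checks Safe Recipients before Blocked Senders, an ordering the text does not spell out; all addresses are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Verdict is the outcome of the list check, before any content-based evaluation.
type Verdict string

const (
	VerdictSafe      Verdict = "never treated as junk (safe list match)"
	VerdictBlocked   Verdict = "always treated as junk (Blocked Senders match)"
	VerdictUndecided Verdict = "undecided, left to content evaluation"
)

// JunkFilterLists holds the three deployed lists as normalized entries
// (lower-case, without a leading "@").
type JunkFilterLists struct {
	SafeSenders    map[string]bool
	SafeRecipients map[string]bool
	BlockedSenders map[string]bool
}

func normalize(entry string) string {
	return strings.TrimPrefix(strings.ToLower(strings.TrimSpace(entry)), "@")
}

func toSet(entries []string) map[string]bool {
	set := make(map[string]bool, len(entries))
	for _, e := range entries {
		set[normalize(e)] = true
	}
	return set
}

// NewJunkFilterLists builds the lists from the entries an administrator deploys.
func NewJunkFilterLists(safeSenders, safeRecipients, blockedSenders []string) JunkFilterLists {
	return JunkFilterLists{toSet(safeSenders), toSet(safeRecipients), toSet(blockedSenders)}
}

// matches reports whether the address itself, or its domain, is on the list
// (assumption: a bare domain entry covers every address in that domain).
func matches(address string, list map[string]bool) bool {
	addr := normalize(address)
	if list[addr] {
		return true
	}
	at := strings.LastIndex(addr, "@")
	if at < 0 || at == len(addr)-1 {
		return false // no domain part, so only an exact entry could have matched
	}
	return list[addr[at+1:]]
}

// Evaluate applies the list rules. Safe Senders wins over Blocked Senders, as the
// text states; checking Safe Recipients before Blocked Senders is an assumption.
func (l JunkFilterLists) Evaluate(sender string, recipients []string) Verdict {
	if matches(sender, l.SafeSenders) {
		return VerdictSafe
	}
	for _, r := range recipients {
		if matches(r, l.SafeRecipients) {
			return VerdictSafe
		}
	}
	if matches(sender, l.BlockedSenders) {
		return VerdictBlocked
	}
	return VerdictUndecided
}

func main() {
	// Constructed sample lists: the partner domain is on both Safe Senders and
	// Blocked Senders, so the precedence rule is exercised.
	lists := NewJunkFilterLists(
		[]string{"partner.example"},
		[]string{"announce@corp.example"},
		[]string{"partner.example", "bulk@bad.example"},
	)
	fmt.Println(lists.Evaluate("alice@partner.example", []string{"bob@corp.example"}))
	fmt.Println(lists.Evaluate("bulk@bad.example", []string{"bob@corp.example"}))
	fmt.Println(lists.Evaluate("anyone@other.example", []string{"announce@corp.example"}))
	fmt.Println(lists.Evaluate("anyone@other.example", []string{"bob@corp.example"}))
}
```

The undecided case is the one the Microsoft Research content evaluation then handles; the lists only settle the two ends of the decision.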

See Also
Configure junk e-mail settings in Outlook 2007
Create and deploy Junk E-mail Filter lists in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179056.aspx)

Plan for e-mail messaging cryptography
Microsoft Office Outlook 2007 supports security-related features to help users send and receive
cryptographic e-mail messages. These features include cryptographic e-mail messaging, security
labels, and signed receipts.

Note:
To obtain full security functionality in Outlook, you must install Outlook with local
administrative rights.

Cryptographic messaging features in Outlook
Outlook supports cryptographic messaging features that enable users to do the following:
• Digitally sign an e-mail message. Digital signing provides nonrepudiation and verification
of contents (the message contains what the person sent, with no changes).
• Encrypt an e-mail message. Encryption helps to ensure privacy by making the message
unreadable to anyone other than the intended recipient.
Additional features can be configured for security-enhanced messaging. If your organization
provides support for these features, security-enhanced messaging enables users to do the
following:
• Send an e-mail message with a receipt request. This helps to verify that the recipient is
validating the user's digital signature (the certificate that the user applied to a message).
• Add a security label to an e-mail message. Your organization can create a customized
S/MIME V3 security policy that adds labels to messages. An S/MIME V3 security policy is
code that you add to Outlook. It adds information to the message header about the sensitivity
of the message. See Security Labels and signed receipts later in this topic.

How Outlook implements cryptographic messaging
The Outlook cryptography model uses public key encryption to send and receive signed and
encrypted e-mail messages. Outlook supports S/MIME V3 security, which allows users to
exchange security-enhanced e-mail messages with other S/MIME e-mail clients over the Internet
or intranet. E-mail messages encrypted by the user's public key can be decrypted using only the
associated private key. This means that when a user sends an encrypted e-mail message, the
recipient's certificate (public key) encrypts it. When a user reads an encrypted e-mail message,
the user's private key decrypts it.

In Outlook, users are required to have a security profile to use cryptographic features. A security
profile is a group of settings that describes the certificates and algorithms used when a user
sends messages that use cryptographic features. Security profiles are configured automatically if
the profile is not already present when:
• The user has certificates for cryptography on his or her computer.
• The user begins to use a cryptographic feature.
You can customize these security settings for users in advance. You can use registry settings or
Group Policy settings to customize Outlook to meet your organization's cryptographic policies and
to configure (and enforce, with Group Policy) the settings you want in the security profiles. These
settings are described in the table in Set consistent Outlook 2007 cryptography options for
an organization.

Digital IDs: A combination of public/private keys and certificates
S/MIME features rely on digital IDs, which associate a user's identity with a public and private key
pair. The combination of a certificate and private/public key pair is called a digital ID. The private
key can be saved in a security-enhanced store, such as the Microsoft Windows certificate store,
on the user's computer or on a Smart Card. Outlook fully supports the X.509v3 standard, which
requires that public and private keys are created by a certificate authority such as VeriSign, Inc.
Users can obtain digital IDs by using public World Wide Web-based certificate authorities such as
VeriSign and Microsoft Certificate Server. For more information about how users can acquire a
digital ID, see the Outlook Help topic Get a Digital ID. As an administrator, you can provide digital
IDs to a group of users. Outlook also continues to support working with Microsoft Exchange Key
Management Server to obtain or provide digital IDs.
When certificates for digital IDs expire, users typically must obtain updated certificates from the
issuing certificate authority. If your organization relies on Microsoft Exchange Key Management
Server for certificates, Outlook automatically manages certificate update for users.
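The model described in "How Outlook implements cryptographic messaging" and in this section, carried out in Go as an added example that is not Outlook's implementation: a digital ID is a certificate plus its key pair; the sender's private key signs and the sender's certificate verifies; the recipient's certificate (public key) encrypts and only the recipient's private key decrypts; and a certificate outside its validity period is rejected, which is what makes renewal necessary. The example uses raw RSA signatures and RSA-OAEP over the message itself rather than the S/MIME (CMS) message format, the certificates are self-signed in place of certificate-authority-issued ones, and the names, addresses and message are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DigitalID is the combination the text describes: a certificate (carrying the
// public key others use) plus the matching private key.
type DigitalID struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// NewDigitalID issues a certificate for an e-mail address, valid from notBefore
// for validFor. It is self-signed here in place of a certificate authority.
func NewDigitalID(email string, notBefore time.Time, validFor time.Duration) (*DigitalID, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      notBefore,
		NotAfter:       notBefore.Add(validFor),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &DigitalID{Cert: cert, Key: key}, nil
}

// Sign creates a detached signature over message with the sender's private key.
func (id *DigitalID) Sign(message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, id.Key, crypto.SHA256, digest[:])
}

// Verify checks a signature against the sender's certificate. A certificate that
// is not valid at time now is rejected, so an expired digital ID must be renewed.
func Verify(senderCert *x509.Certificate, message, sig []byte, now time.Time) error {
	if now.Before(senderCert.NotBefore) || now.After(senderCert.NotAfter) {
		return errors.New("sender certificate is not valid at this time")
	}
	pub, ok := senderCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an RSA public key")
	}
	digest := sha256.Sum256(message)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// Encrypt seals message to the recipient's certificate. S/MIME encrypts a
// per-message symmetric key this way; the short sample here fits RSA-OAEP directly.
func Encrypt(recipientCert *x509.Certificate, message []byte) ([]byte, error) {
	pub, ok := recipientCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("certificate does not carry an RSA public key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, message, nil)
}

// Decrypt opens a sealed message; only the recipient's private key can.
func (id *DigitalID) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.Key, ciphertext, nil)
}

func main() {
	now := time.Now()
	alice, err := NewDigitalID("alice@corp.example", now, 365*24*time.Hour) // constructed
	if err != nil {
		panic(err)
	}
	bob, err := NewDigitalID("bob@corp.example", now, 365*24*time.Hour) // constructed
	if err != nil {
		panic(err)
	}
	msg := []byte("Quarterly numbers attached.") // constructed sample message
	sig, _ := alice.Sign(msg)
	fmt.Println("signature verifies:", Verify(alice.Cert, msg, sig, now) == nil)
	fmt.Println("tampered copy verifies:", Verify(alice.Cert, []byte("Quarterly numbers attached!"), sig, now) == nil)
	fmt.Println("verifies after expiry:", Verify(alice.Cert, msg, sig, now.Add(400*24*time.Hour)) == nil)
	sealed, _ := Encrypt(bob.Cert, msg)
	opened, err := bob.Decrypt(sealed)
	fmt.Println("recipient decrypts:", err == nil && string(opened) == string(msg))
	_, err = alice.Decrypt(sealed)
	fmt.Println("sender's own key decrypts:", err == nil)
}
```

Two points from the text show up directly: a one-character change to the message invalidates the signature, which is the tamper detection that IRM cannot offer an attesting authority for, and the sealed message is useless to anyone, including the sender, who does not hold the recipient's private key.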

Security labels and signed receipts
Outlook includes support for S/MIME V3 Enhanced Security Services (ESS) extensions about
security labels and signed receipts. These extensions help you to provide security-enhanced e-
mail communications within your organization and to customize security to fit your requirements.
If your organization develops and provides S/MIME V3 security policies to add custom security
labels, the code in the security policies can enforce attaching a security label to an e-mail
message. Here are two examples of security labels:
• An Internal Use Only label might be implemented as a security label to apply to mail that
should not be sent or forwarded outside your company.
• A label can specify that certain recipients cannot forward or print the message, if the
recipient also has the security policy installed.
Users can also send security-enhanced receipt requests with messages to verify that the
recipients recognize the user's digital signature. When the message is received and saved (even
if it is not yet read) and the signature is verified, a receipt implying that the message was read is
returned to the user's Inbox. If the user's signature is not verified, no receipt is sent. When the
receipt is returned, because the receipt is also signed, you have verification that the user received
and verified the message.

Classes of encryption strengths
There are two classes of encryption key strengths available from Microsoft: high (128-bit) and low
(40-bit). Microsoft provides 128-bit encryption capabilities in Windows 2000 and Windows XP, the
operating systems required for the 2007 Microsoft Office system. Ensuring that users have
software versions that support high encryption helps to provide a high level of security-enhanced
e-mail messaging.

Additional resources
The Outlook Security Labels application programming interface (API) creates security label policy
modules that define the sensitivity of message content in your organization. For a detailed
description of creating policy modules and code samples, see the MSDN article Creating
Security Label Policy Modules.
Public key cryptography can help you maintain security-enhanced e-mail systems. For more
information about the use of public key cryptography in Outlook, search for the Outlook 98
Security whitepaper in the Knowledge Base search page of the Microsoft Product Support
Services Web site.
Microsoft Exchange Key Management Server version 5.5 issues keys for Microsoft Exchange
Server security only. Microsoft Exchange Key Management Server 5.5 Service Pack 1 supports
both Exchange security and S/MIME security. For more information, see the Microsoft Exchange
Server version 5.5 Resource Guide in the Microsoft BackOffice Resource Kit, Second Edition.

How users manage cryptographic digital IDs
in Outlook 2007
Microsoft Office Outlook 2007 provides ways for users to manage their digital IDs—the
combination of a user's certificate and public and private encryption key set. Digital IDs help to
keep users' e-mail messages secure by letting them exchange cryptographic messages.
Managing digital IDs includes:
• Obtaining a digital ID. For more information about how users can acquire a digital ID, see
the Outlook Help topic Get a Digital ID.
• Storing a digital ID, so you can move the ID to another computer or make it available to
others.
• Providing a digital ID to others.
• Exporting a digital ID to a file. This is useful when the user is creating a backup or moving
to a new computer.
• Importing a digital ID from a file into Outlook. A digital ID file might be a user's backup
copy or might contain a digital ID from another user.
• Renewing a digital ID that has expired.
A user who performs cryptographic messaging at more than one computer must copy his or her
digital ID to each computer.

Places to store digital IDs
Digital IDs can be stored in three locations:
• The Microsoft Exchange Global Address Book
• A Lightweight Directory Access Protocol (LDAP) directory service
• A Microsoft Windows file

Microsoft Exchange Global Address Book
Users who enroll in Exchange Advanced Security store their certificates in their organization's
Global Address Book. Alternatively, users use their LDAP provider to open the Global Address
Book.
Only certificates generated by Microsoft Exchange Server Advanced Security or by Microsoft
Exchange Key Management Server (KMS) are automatically published in the Global Address
Book. Externally generated certificates can be manually published to the Global Address Book by
clicking the Publish to GAL button in the Trust Center under the Tools menu option.

Internet directory service (LDAP)
External directory services, certificate authorities, or other certificate providers can publish their
users' certificates through an LDAP directory service. Outlook allows access to these certificates
through LDAP directories.

Windows file
Digital IDs can be stored on users' computers. Users export their digital ID to a file by using the
Import/Export option in the Trust Center under the Tools menu option. They can encrypt the file
when they create it by providing a password.

Providing digital IDs to others
In order for a user to exchange cryptographic e-mail messages with another user, they must have
each other's public key. Users provide access to their public key through a certificate. There are
several ways to provide a digital ID to others; for example, users can:
• Use a certificate to digitally sign an e-mail message.
• Provide a certificate by using a directory service, such as the Microsoft Exchange Global
Address Book.

Provide a certificate in a digitally signed e-mail message
A user provides his or her public key to another user by composing an e-mail message and
digitally signing the message by using a certificate. When Outlook users receive the signed
message, they right-click the user's name on the From line and click Add to Contacts. The
address information and the certificate are saved in the Outlook user's contacts list.

Obtain a certificate from a directory service
Another alternative is for a user to automatically retrieve another user's certificate from an LDAP
directory on a standard LDAP server when he or she sends an encrypted e-mail message. To
gain access to a certificate this way, users must be enrolled in S/MIME security with digital IDs for
their e-mail accounts.
A user can also obtain certificates from the Global Address Book. To do this, the user must be
enrolled in Microsoft Exchange Server Advanced Security.

Importing digital IDs
Users can import a digital ID from a file. This is useful, for example, if a user wants to send
cryptographic e-mail messages from a new computer. Each computer from which the user sends
cryptographic e-mail messages must have the user's certificates installed. Users import digital IDs
from a file by using the Import/Export option in the Trust Center under the Tools menu option.

Renewing keys and certificates
A time limit is associated with each certificate and private key. When the keys provided by the
Microsoft Exchange Key Management Server approach the end of the designated time period,
Outlook displays a warning message and offers to renew the keys. Outlook prompts the user,
offering to send the renewal message to the server on each user's behalf.
If users do not choose to renew a certificate before it expires, or if they use another certificate
authority rather than KMS, the user must contact the certificate authority to renew the certificate.

Plan for configuring security settings in
Outlook 2007
You can customize many of the security-related features in Microsoft Office Outlook 2007,
including limiting automated access to address books and managing users' access to
attachments.

Caution:
Outlook is configured with high security-related settings by default. High security levels
can result in limitations to Outlook functionality, such as restrictions on e-mail message
attachment file types. Be aware that lowering any default security settings might increase
the risk of virus execution or propagation. Use caution and read the documentation
before you modify these settings.

Specifying how security settings are enforced in Outlook
A new feature in Office Outlook 2007 allows you to configure security options by using new Group
Policy settings, instead of modifying security settings by using the Outlook security template and
publishing the settings to a form in a top-level folder in Exchange Server public folders. To use
Group Policy to configure security options, you must configure the new Outlook Security Mode
setting.
For more information about specifying the method used to customize security settings in Outlook,
see Specify the method Outlook uses to manage virus prevention features.
To continue using the Exchange Server security form for Outlook security settings, you must also
configure the new Group Policy setting.
Default security settings in the product are enforced if you do not enable the setting.

Choosing between the Exchange Server security form and Group Policy security settings
Office Outlook 2007 supports both the Exchange Server security form and Group Policy security
settings. You can choose the option that is best for your environment. Following are sample
environments in which you can use the security form, Group Policy, or either one.

Scenario for using the security form
• An Exchange Server environment with public folders. Client computers must use Outlook
2000 with the security update, Outlook 2002, Outlook 2003, or Office Outlook 2007.

Scenarios for using Group Policy security settings
• A Microsoft Exchange 2007 environment without public folders. All client computers use
Outlook.
• An Exchange 2007 environment without public folders. Client computers with Office
Outlook 2007 use Group Policy security settings, and client computers with other versions of
Outlook depend on default security or the security form.
• An environment without Exchange Server. All client computers use Outlook.

Scenarios for using security form or Group Policy security settings
• An Exchange Server environment in which Exchange Server is being upgraded to
Exchange 2007. Client computers use Office Outlook 2007.
• An Exchange Server environment in which client computers are being upgraded from
Outlook 2002 or Outlook 2003 to Office Outlook 2007.

Caveats to consider when customizing security settings
There are three caveats to consider when you customize Group Policy security settings for
Outlook:
• Customized settings configured using Group Policy might not be active
immediately. You can configure Group Policy to refresh automatically (in the background) on
users' computers while users are logged on, at a frequency that you determine. To ensure
that new Group Policy settings are active immediately, users must log off and log back on to
their computers.
• Outlook checks security settings only at start up. If security settings are refreshed
while Outlook is running, the new configuration is not used until the user closes and restarts
Outlook.
• No customized settings are applied in Personal Information Manager (PIM)-only
mode. In PIM mode, Outlook uses the default security settings. No administrator settings are
necessary or used in this mode.

Customizing options for junk e-mail and ActiveX controls
In addition to modifying how Outlook manages virus-prevention security options, you can also
customize junk e-mail and ActiveX control features.
You can customize the following Junk E-mail options: read as plain text, automatic picture
download, and HTML mail zones. For more information about modifying these settings, see
Configure junk e-mail settings in Outlook 2007.

You can also customize how Outlook runs ActiveX controls in one-off forms. For more information
about customizing how ActiveX controls behave in one-off forms, see Customize ActiveX and
custom forms security settings in Outlook 2007.

Updated Object Model Guard
The Object Model (OM) Guard that helps prevent viruses from using the Outlook Address Book to
propagate themselves is updated. Outlook checks for up-to-date antivirus software to help
determine when to display address book access warnings and other Outlook security warnings.

How administrator and user security settings
interact in Outlook 2007
Security settings defined by the user through the Microsoft Office Outlook 2007 user interface
work as if they are included in the Group Policy settings you define as the administrator. When
there is a conflict between the two, settings with a higher security level override settings with a
lower security level.
The following list describes specific interactions between Group Policy security settings and
security settings that a user defines in Outlook.
• Display Level 1 attachments. When this Group Policy is set, all file types that were set
to Level 1 security are set to Level 2 security. If a user wants to block a file type, the user can
customize the list in Outlook to block access to specific types of attachments.
• Add file extensions to block as Level 1. If you use this Group Policy setting to create a
list of Level 1 file types, the list overrides the default list provided with Outlook and overrides
the user's settings for Level 1 file types. Even if you allow users to remove file types from the
default Level 1 group of excluded file types, users cannot remove file types that were added to
the list by using Group Policy.
For example, if the user wants to remove the file types EXE, REG, and COM from the Level 1
group, but you use the Add Level 1 file extensions Group Policy setting to add EXE as a
Level 1 file type, the user can only remove REG and COM files from the Level 1 group in
Outlook.
• Remove file extensions blocked as Level 1. The user's list is combined with the list
you set in Group Policy to determine which Level 1 items are set to Level 2.
• Add file extensions to block as Level 2. If a user changes Level 1 files to Level 2 files,
and those file types are listed in Group Policy as Level 2 extensions, the files are treated as
Level 2 attachments.
• Remove file extensions blocked as Level 2. There is no interaction with this setting.
• Allow users to demote attachments to Level 2. This setting allows a user to change a
Level 1 attachment to Level 2. If you do not configure this Group Policy setting, the default
behavior in Outlook is to ignore the user's list.

See Also
Attachment file types restricted by Outlook 2007

Plan for Outlook 2007 security in special environments
When you use Group Policy to configure security settings for Microsoft Office Outlook 2007, there
are issues to consider when your environment includes one or more of the following:
• Users who access their mailboxes by using a hosted Exchange Server.
• Users with administrative rights on their computers.
• Users who access Exchange mailboxes by using Outlook Web Access.

Users with a hosted Exchange Server environment
If users access mailboxes by using a hosted Exchange Server, you might use the Exchange
Server security form to configure security settings or use the default Outlook security settings. In
hosted environments, users access their mailboxes remotely; for example, by using a virtual
private network (VPN) connection or by using RPC over HTTP. Because Group Policy is deployed
by using Active Directory and, in this scenario, the user's local computer is not a member of the
domain, Group Policy security settings cannot be applied.
Also, by using the Exchange Server security form to configure security settings, users
automatically receive updates to security settings. Users cannot receive updates to Group Policy
security settings unless their computer is in the Active Directory domain.

Users with administrative rights


Restrictions to Group Policy settings are not enforced when users log on with administrative
rights. Users with administrative rights can also change the Outlook security settings on their
computer and can remove or alter the restrictions you have configured. This is true not just for
Outlook security settings, but for all Group Policy settings.
While this can be problematic when an organization intends to have standardized settings for all
users, there are mitigating factors:
• Group Policy overrides local changes at the next logon. Changes to Outlook security
settings revert to the Group Policy settings when the user logs on.
• Overriding a Group Policy affects only the local computer. Users with administrative rights
affect only security settings on their computer, not the security settings for users on other
computers.
• Users without administrative rights cannot change policies. In this scenario, Group Policy
security settings are as secure as settings configured by using the Exchange Server security
form.

Users with an Outlook Web Access environment
Outlook and Outlook Web Access (OWA) do not use the same security model. OWA has separate
security settings stored on the OWA server.

II. Deploying security settings

A. Configuring 2007 Office System Security Settings

Configure trusted locations and trusted publishers settings in the 2007 Office system
You can configure trusted locations and trusted publishers settings by using the Office
Customization Tool (OCT) and the Group Policy Object Editor.

Before you begin


Before you begin configuring settings, be sure you meet the planning requirements,
administrative requirements, and tool requirements that are described in this section.
• Planning requirements You must complete the following steps in the security planning
process before you can effectively configure trusted locations and trusted publishers settings:
Choose a deployment tool for security settings and privacy options in the 2007 Office
system
Evaluate default security and privacy settings for the 2007 Office System
Plan trusted locations and trusted publishers settings for the 2007 Office system
• Administrative requirements The following table lists the administrative credentials
that are required to perform settings configuration actions.

To perform these actions                                 You must be a member of these groups

Run the OCT                                              Administrators group on the local computer

Configure local Group Policy settings with the           Administrators group on the local computer
Group Policy Object Editor

Configure domain-based Group Policy settings with        Domain Admins, Enterprise Admins, or Group
the Group Policy Object Editor                           Policy Creator Owners

• Tool requirements It is assumed that you:


• Understand how to use the OCT to customize the 2007 Microsoft Office system. For
more information about the OCT, see Office Customization Tool in the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179097.aspx).
• Have created a network installation point from which you can run the OCT.
• Understand what Administrative Templates (that is, .adm files) are.
• Have loaded the Office 2007 Administrative Templates into the Group Policy Object
Editor.

Configure trusted locations by using the OCT


The following procedures show how to use the OCT to disable trusted locations, specify shared
folders as trusted locations, restrict trusted locations, and delete all trusted locations that have
been created by using the OCT. To learn the location of other trusted locations settings in the
OCT, see Security policies and settings in the 2007 Office system.

Disable trusted locations by using the OCT


You can disable trusted locations only on a per-application basis; there is no single setting that
enables you to globally disable trusted locations. To globally disable trusted locations, you must
disable trusted locations for each of the following applications: Microsoft Office Access 2007,
Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and
Microsoft Office Word 2007.

Disable trusted locations settings by using the OCT


1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Default security settings, double-click Allowed trusted
locations options for the application you want to configure.
3. In the Specify Security Settings dialog box, click Disable all trusted locations,
only files signed by trusted publishers will be trusted and click OK.

Specify trusted locations by using the OCT
You can specify trusted locations only on a per-application basis by using the OCT. There is no
single OCT setting that enables you to specify a global trusted location that applies to all
applications. To specify a global trusted location that applies to all applications, you must specify
the trusted location separately for each application or use Group Policy settings.

Specify trusted locations on a per-application basis by using the OCT


1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Add the following paths to the Trusted Locations list,
click Add.
3. In the Specify Security Settings dialog box, do the following:
In Application, click the application to which you want the trusted location to apply.
In Path, type the path to the folder that you want to trust.
Select the Subfolders of this location are also trusted check box if you want all
subfolders within the trusted folder to also be trusted.
In Description, type a description of the trusted location.
4. Click OK.

If you specify a network share as a trusted location, you must enable the Allow Trusted
Locations not on the computer setting. In addition, you can use environment variables to
represent trusted locations; however, you must modify the registry so that the environment
variables are recognized. Also, you can specify Web folders (that is, http:// paths) as trusted
locations, but not all Web folders are recognized as trusted locations. For more information about
using environment variables to specify trusted locations and specifying Web folders as trusted
locations, see Plan trusted locations and trusted publishers settings for the 2007 Office
system.

Restrict trusted locations by using the OCT


You can restrict trusted locations by using the OCT to configure the following settings.

Allow only policy-based trusted locations


1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system, open Security
Settings and click Trust Center.
3. In the details pane, double-click Allow mix of policy and user locations.
4. Click Disabled and click OK.

Do not allow network shares to be trusted locations


1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Default security settings, double-click Allowed trusted
locations options for the application you want to configure.
3. In the Specify Security Settings dialog box, click Allow Trusted Locations on the
users machine only (application default) and click OK.

Delete all trusted locations created by using the OCT


Use the following procedure to delete all trusted locations that have been created by using the
OCT.

Delete all trusted locations created by using the OCT


1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Add the following paths to the Trusted Locations list,
select the Remove all trusted locations written by the OCT during installation check
box.

You can deploy trusted locations by using the Setup program or by using the Windows Installer
program. For more information, see Run Setup for the 2007 Office system on users' computers
(http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users' configurations after
installing the 2007 Office system (http://technet.microsoft.com/en-us/library/cc179141.aspx).

Configure trusted locations by using Group Policy


The following procedures show how to use the Group Policy Object Editor to disable trusted
locations, specify shared folders as trusted locations, and restrict trusted locations. To learn the
location of other trusted locations settings in the Group Policy Object Editor, see Security
policies and settings in the 2007 Office system.

Disable trusted locations by using Group Policy


You can disable trusted locations only on a per-application basis. There is no single setting that
enables you to globally disable trusted locations. To globally disable trusted locations, you must
disable trusted locations for each of the following applications: Microsoft Office Access 2007,
Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and
Microsoft Office Word 2007.

Disable trusted locations settings by using Group Policy


1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center/Trusted Locations
2. In the details pane, double-click Disable all trusted locations, click Enabled and
click OK.

Specify trusted locations by using Group Policy


You can specify trusted locations globally or on a per-application basis by using Group Policy.
Use the following procedure to specify a global trusted location.

Specify global trusted locations by using Group Policy


1. In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings/Trust Center
2. In the details pane, double-click a trusted location that has not been configured, such
as Trusted Location #1, Trusted Location #2, and so on.
3. In the Trusted Location Properties dialog box, click Enabled and do the following:
In Path, type the path to the folder that you want to trust.
In Date, type today's date.
In Description, type a description of the trusted location.
Select the Allow subfolders check box if you want all subfolders within the trusted folder
to also be trusted.
4. Click OK.

Use the following procedure to specify trusted locations on a per-application basis.

Specify trusted locations on a per-application basis by using Group Policy


1. Depending on which application you want to configure, navigate to one of the
following locations in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center/Trusted Locations
2. In the details pane, double-click a trusted location that has not been configured, such
as Trusted Location #1, Trusted Location #2, and so on.
3. In the Trusted Location Properties dialog box, click Enabled and do the following:
In Path, type the path to the folder that you want to trust.
In Date, type today's date.
In Description, type a description of the trusted location.
Select the Allow subfolders check box if you want all subfolders within the trusted folder
to also be trusted.
4. Click OK.

If you specify a network share as a trusted location, you must enable the Allow Trusted
Locations not on the computer setting. In addition, you cannot use environment variables to
represent trusted locations in Group Policy. You can specify Web folders (that is, http:// paths) as
trusted locations, but not all Web folders are recognized as trusted locations. For more
information about using environment variables to specify trusted locations and specifying Web
folders as trusted locations, see Plan trusted locations and trusted publishers settings for
the 2007 Office system.

Restrict trusted locations by using Group Policy


You can restrict trusted locations by using the Group Policy Object Editor to configure the
following settings.

Allow only policy-based trusted locations


1. In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings/Trust Center
2. In the details pane, double-click Allow mix of policy and user locations, click
Disabled and click OK.

Do not allow network shares to be trusted locations


1. In the Group Policy Object Editor tree, navigate to one of the following locations,
depending on which application you want to configure:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center/Trusted Locations
2. In the details pane, double-click Allow Trusted Locations not on the computer,
click Disabled and click OK.
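
The restriction settings in the procedures above decide which configured trusted locations an application actually honors for a given document. The following Python model is an added example, not part of the original document and not Office's own code; it shows the combined effect of Disable all trusted locations, Allow mix of policy and user locations, Allow Trusted Locations not on the computer and the per-location Allow subfolders flag. The class and field names and the sample paths are constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class TrustedLocation:
    """One entry in an application's trusted locations list (assumed field names)."""
    path: str
    allow_subfolders: bool = False   # "Allow subfolders" / "Subfolders ... are also trusted"
    source: str = "policy"           # "policy" (Group Policy or OCT) or "user" (Trust Center)


@dataclass(frozen=True)
class TrustedLocationPolicy:
    """Per-application restriction settings (assumed field names)."""
    disable_all: bool = False        # "Disable all trusted locations"
    allow_user_mix: bool = True      # "Allow mix of policy and user locations"
    allow_network: bool = False      # "Allow Trusted Locations not on the computer"


def is_network_location(path: str) -> bool:
    """UNC shares and Web folders are 'not on the computer'."""
    lowered = path.lower()
    return lowered.startswith("\\\\") or lowered.startswith(("http://", "https://"))


def _contains(location: TrustedLocation, document: str) -> bool:
    """True when the document sits directly in the location, or below it if subfolders are allowed."""
    doc = PureWindowsPath(document)
    root = PureWindowsPath(location.path)   # comparison is case-insensitive for Windows paths
    if doc.parent == root:
        return True
    return location.allow_subfolders and root in doc.parents


def effective_locations(locations, policy: TrustedLocationPolicy):
    """The subset of configured locations that the policy honors (useful for an audit)."""
    if policy.disable_all:
        return []                    # only files signed by trusted publishers are trusted
    return [loc for loc in locations
            if (loc.source != "user" or policy.allow_user_mix)      # user locations ignored
            and (not is_network_location(loc.path) or policy.allow_network)]  # shares ignored


def is_trusted(document: str, locations, policy: TrustedLocationPolicy) -> bool:
    """Decide whether a document opens from a trusted location (no macro/ActiveX prompts)."""
    return any(_contains(loc, document) for loc in effective_locations(locations, policy))


if __name__ == "__main__":
    # Constructed sample list: two policy locations (one on a network share) and one user location.
    locations = [
        TrustedLocation(r"C:\Corp\Templates", allow_subfolders=True, source="policy"),
        TrustedLocation(r"\\fileserver\macros", source="policy"),
        TrustedLocation(r"C:\Users\alice\Downloads", source="user"),
    ]
    for doc in (r"C:\Corp\Templates\HR\form.docm", r"\\fileserver\macros\budget.xlsm",
                r"C:\Users\alice\Downloads\invoice.docm"):
        print(doc, "->", is_trusted(doc, locations, TrustedLocationPolicy()))
```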

Configure trusted publishers settings by using the OCT
The following procedure shows how to use the OCT to add trusted publishers to the trusted
publishers list. You cannot use the Office 2007 Administrative Templates to add trusted publishers
to the trusted publishers list. To add a trusted publisher to the trusted publishers list, you must
have the digital certificate (.cer file) that the publisher used to sign their ActiveX control, add-in, or
macro. For more information about how you can obtain a publisher's digital certificate, see Plan
trusted locations and trusted publishers settings for the 2007 Office system.

Add digital certificates to the trusted publishers list by using the OCT
1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Add the following digital certificates to the Trusted
Publishers list, click Add.
3. In the Add Digital Certificates dialog box, click the digital certificate that you want to
add and click Add.

See Also
Plan trusted locations and trusted publishers settings for the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system

Configure security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
You can configure settings for ActiveX controls, add-ins, and Visual Basic for Applications (VBA)
macros by using the Office Customization Tool (OCT) and the Group Policy Object Editor.

Before you begin


Before you begin configuring settings, be sure you meet the planning requirements,
administrative requirements, and tool requirements that are described in this section.
• Planning requirements You must complete the following steps in the security planning
process before you can effectively configure trusted locations and trusted publishers settings:
Choose a deployment tool for security settings and privacy options in the 2007 Office
system
Evaluate default security and privacy settings for the 2007 Office System
Plan trusted locations and trusted publishers settings for the 2007 Office system
• Administrative requirements The following table lists the administrative credentials
that are required to perform settings configuration actions.

To perform these actions                                 You must be a member of these groups

Run the OCT                                              Administrators group on the local computer

Configure local Group Policy settings with the           Administrators group on the local computer
Group Policy Object Editor

Configure domain-based Group Policy settings with        Domain Admins, Enterprise Admins, or Group
the Group Policy Object Editor                           Policy Creator Owners

• Tool requirements It is assumed that you:


• Understand how to use the OCT to customize the 2007 Microsoft Office system. For
more information about the OCT, see Office Customization Tool in the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179097.aspx).
• Have created a network installation point from which you can run the OCT.
• Understand what Administrative Templates (that is, .adm files) are.
• Have loaded the Office 2007 Administrative Templates into the Group Policy Object
Editor.

Use the following sections to determine how to configure settings for:
• ActiveX controls
• Add-ins
• Macros

Configure settings for ActiveX controls


The following procedures show how to use the OCT and the Group Policy Object Editor to disable
ActiveX controls and change the way ActiveX controls are initialized. To learn more about ActiveX
control settings, see Security policies and settings in the 2007 Office system and Plan
security settings for ActiveX controls, add-ins, and macros in the 2007 Office system.

Disable ActiveX controls


You can use the following procedures to disable ActiveX controls. The settings described in these
procedures apply only to applications in the 2007 Microsoft Office system; that is, ActiveX
controls are not disabled in documents that are opened in earlier versions of Office. In addition,
even though you disable ActiveX controls in a document, ActiveX controls still initialize and run
without notification if a document is opened from a trusted location.

Disable ActiveX controls by using the OCT


1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system and click Security
Settings.
3. In the details pane, double-click Disable all ActiveX.
4. Click Enabled, select the Disable All ActiveX check box and click OK.

Note:
You can also disable ActiveX controls by setting the Unsafe ActiveX initialization setting
in the OCT to Do not prompt and disable all controls.

Disable ActiveX controls by using the Group Policy Object Editor


1. In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click Disable All ActiveX, click Enabled, select the
Disable All ActiveX check box and click OK.

Change the way ActiveX controls are initialized
The following procedures show how to use the OCT and the Group Policy Object Editor to
change the way ActiveX controls are initialized. ActiveX control initialization depends on several
factors, including whether there is a VBA project present in a document and whether a control is
marked safe for initialization (SFI) or unsafe for initialization (UFI).

Change the way ActiveX controls are initialized by using the OCT
1. In the left pane of the OCT, click Office security settings.
2. In the details pane, in Unsafe ActiveX initialization, click one of the following:
Prompt user to use control defaults. This setting initializes ActiveX controls with default
values and might require user input before ActiveX controls are initialized.
Prompt user to use persisted data. This setting initializes ActiveX controls with
persisted values and might require user input before ActiveX controls are initialized.
Do not prompt. This setting initializes all controls and does not require user input.

Change the way ActiveX controls are initialized by using the Group Policy Object Editor
1. In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click ActiveX Control Initialization and click Enabled. In
ActiveX Control Initialization, click the initialization setting that you want.
There are six possible initialization settings for ActiveX controls. Some settings might
require user input before ActiveX controls are initialized.
3. Click OK.

Configure settings for add-ins


The following procedures show how to use the OCT and the Group Policy Object Editor to:
• Disable add-ins.
• Require that add-ins are signed by a trusted publisher.
• Disable notifications for unsigned add-ins.
To learn more about security settings for add-ins, see Security policies and settings in the
2007 Office system and Plan security settings for ActiveX controls, add-ins, and macros in
the 2007 Office system.

Disable add-ins
You can use the following procedures to disable add-ins. When you disable add-ins, users are not
notified that add-ins are disabled. Also, add-ins can be disabled only on a per-application basis.
There is no global setting that disables add-ins.

Disable add-ins by using the OCT


1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Default security settings, double-click Application add-
ins warnings options for the application you want to configure.
3. In the Specify Security Settings dialog box, click Disable all application
extensions and click OK.

Note:
You can also disable add-ins by setting the Disable all application add-ins setting to
Enabled in the OCT.

Disable add-ins by using the Group Policy Object Editor


1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher
2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click Disable all application add-ins, click Enabled and
click OK.

Require that add-ins are signed by a trusted publisher


You can use the following procedures to require that add-ins are signed by a trusted publisher.
You can configure this setting only on a per-application basis. There is no global setting that
requires add-ins to be signed by a trusted publisher.

Use the OCT to require add-ins to be signed by a trusted publisher
1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Default security settings, double-click Application add-
ins warnings options for the application you want to configure.
3. In the Specify Security Settings dialog box, click Require that application
extensions are signed by trusted publisher and click OK.

Use the Group Policy Object Editor to require add-ins to be signed by a trusted
publisher
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher
2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click Require that application add-ins are signed by
trusted publisher, click Enabled and click OK.

Disable notifications for unsigned add-ins


You can use the following procedures to disable notifications for unsigned add-ins. You can
configure this setting only on a per-application basis. There is no global setting that disables
unsigned add-ins and disables notifications for unsigned add-ins.

Disable notifications for unsigned add-ins by using the OCT


1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Default security settings, double-click Application add-
ins warnings options for the application you want to configure.
3. In the Specify Security Settings dialog box, click Require that extensions are
signed, and silently disable unsigned extensions and click OK.

Disable notifications for unsigned add-ins by using the Group Policy Object Editor
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher
2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click Disable trust bar notifications for unsigned
application add-ins, click Enabled and click OK.

Note:
You must use the Disable trust bar notifications for unsigned application add-ins
setting in conjunction with the Require that application add-ins are signed by trusted
publisher setting.

Configure settings for macros


The following procedures show how to use the OCT and the Group Policy Object Editor to
configure:
• Default security settings for macros.
• Disable VBA.
• Provide Automation clients programmatic access to VBA projects.
• Automation security for macros.
• Prevent encrypted macros from being scanned for viruses.
To learn more about security settings for macros, see Security policies and settings in the
2007 Office system and Plan security settings for ActiveX controls, add-ins, and macros in
the 2007 Office system.

Configure default security settings for macros
You can use the following procedures to configure default security settings for macros. You can
configure this setting only on a per-application basis.

Configure default security settings for macros by using the OCT


1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Default security settings, double-click VBA macro
warnings options for the application you want to configure.
3. In the Specify Security Settings dialog box, click the default security setting that
you want and click OK.

Configure default security settings for macros by using the Group Policy Object Editor
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher
2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click VBA macro warning settings, click Enabled, and
choose the default security setting that you want.
3. Click OK.

Note:
You can also change the default security setting for macros in Microsoft Office Outlook
2007. For more information, see the security documentation for Office Outlook 2007.

Disable VBA
You can use the following procedures to disable VBA. You can configure this setting only on a
global basis.

Disable VBA by using the OCT

1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system and click Security
Settings.
3. In the details pane, double-click Disable VBA for Office applications.
4. Click Enabled and click OK.

Disable VBA by using the Group Policy Object Editor

1. In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click Disable VBA in Office applications, click Enabled,
and click OK.

Provide Automation clients programmatic access to VBA projects
You can use the following procedures to provide Automation clients programmatic access to VBA
projects. You can configure this setting only on a per-application basis.

Provide Automation clients programmatic access to VBA projects by using the OCT
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, navigate to one of the following locations:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
3. In the details pane, double-click Trust access to Visual Basic project.
4. Click Enabled and click OK.

Provide Automation clients programmatic access to VBA projects by using the Group
Policy Object Editor
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click Trust access to Visual Basic project.
3. Click Enabled and click OK.

Configure Automation security for macros

You can use the following procedures to configure Automation security for macros. You can
configure this setting only on a global basis.

Configure Automation security for macros by using the OCT

1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system and click Security
Settings.
3. In the details pane, double-click Automation security and click Enabled.
4. In Set the Automation security level, click the setting that you want and click OK.

Configure Automation security for macros by using the Group Policy Object Editor
1. In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click Automation security and click Enabled.
3. In Set the Automation security level, click the setting that you want and click OK.

Prevent encrypted macros from being scanned for viruses

You can use the following procedures to prevent encrypted macros from being scanned for
viruses. You can configure this setting only on a per-application basis.

Prevent encrypted macros from being scanned for viruses by using the OCT
1. In the left pane of the OCT, under Features, click Modify user settings.

2. In the tree view of the OCT, navigate to one of the following locations:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
3. In the details pane, double-click one of the following based on the application that
you are configuring:
Determine whether to force encrypted macros to be scanned in Microsoft Excel
Open XML workbooks
Determine whether to force encrypted macros to be scanned in Microsoft
PowerPoint Open XML presentations
Determine whether to force encrypted macros to be scanned in Microsoft Word
Open XML documents
4. Click Enabled and click OK.

Prevent encrypted macros from being scanned for viruses by using the Group Policy
Object Editor
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click one of the following based on the application that
you are configuring:
Determine whether to force encrypted macros to be scanned in Microsoft Excel
Open XML workbooks
Determine whether to force encrypted macros to be scanned in Microsoft
PowerPoint Open XML presentations
Determine whether to force encrypted macros to be scanned in Microsoft Word
Open XML documents
3. Click Enabled and click OK.

See Also
Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system

Configure document protection settings in
the 2007 Office system
You can configure document protection settings by using the Office Customization Tool (OCT) or
by using the Group Policy Object Editor.

Before you begin

Before you begin configuring settings, be sure you meet the planning requirements,
administrative requirements, and tool requirements that are described in this section.
• Planning requirements You must complete the following steps in the security planning
process before you can effectively configure document protection settings:
• Choose a deployment tool for security settings and privacy options in the 2007
Office system
• Evaluate default security and privacy settings for the 2007 Office System
• Plan document protection settings in the 2007 Office system
• Administrative requirements The following table lists the administrative credentials
that are required to perform settings configuration actions.

To perform these actions                                                          You must be a member of these groups
Run the OCT                                                                       Administrators group on the local computer
Configure local Group Policy settings with the Group Policy Object Editor         Administrators group on the local computer
Configure domain-based Group Policy settings with the Group Policy Object Editor  Domain Admins, Enterprise Admins, or Group Policy Creator Owners

• Tool requirements It is assumed that you:
• Understand how to use the OCT to customize the 2007 Microsoft Office system. For
more information about the OCT, see Office Customization Tool in the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179097.aspx).
• Have created a network installation point from which you can run the OCT.
• Understand what Administrative Templates (that is, .adm files) are.
• Have loaded the Office 2007 Administrative Templates into the Group Policy Object
Editor.

Configure document protection settings by using
the OCT
Use the following procedure to configure encryption settings for Office Open XML Formats files.
Before you perform this procedure, you must know the cryptographic service provider (CSP), the
cryptographic algorithm, and the key length that you want to use for encryption settings. The
following registry key contains a list of the CSPs that are installed on a computer:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Defaults/Provider

Configure encryption settings for Office Open XML Formats files

1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system, and click Security
Settings.
3. In the details pane, double-click Encryption type for password protected Office
Open XML files.
4. Click Enabled, and in Encryption type type the following information, separated by
commas:
CSP
Cryptographic algorithm
Key length
5. Verify that your entry looks like the following example (no spaces are allowed on
either side of the commas):
Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128
6. Click OK to save your settings.

Use the following procedure to configure encryption settings for Office 97-2003 format files.
Before you perform this procedure, you must know the CSP, the cryptographic algorithm, and the
key length that you want to use for encryption settings. The following registry key contains a list of
the CSPs that are installed on a computer:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Defaults/Provider

Configure encryption settings for Office 97-2003 format files

1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system, and click Security
Settings.
3. In the details pane, double-click Encryption type for password protected Office
97-2003 files.
4. Click Enabled, and in Encryption type type the following information, separated by
commas:
CSP

Cryptographic algorithm
Key length
5. Verify that your entry looks like the following example (no spaces are allowed on
either side of the commas):
Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128
6. Click OK to save your settings.

Use the following procedure to configure Microsoft Office OneNote 2007 encryption settings.

Configure Office OneNote 2007 encryption settings

1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office OneNote 2007, open Tools|
Options, and click Password.
3. In the details pane, double-click the encryption setting that you want to configure.
4. Click Enabled to enable a setting, or click Disabled to disable a setting.
5. Click OK to save your settings.

You can deploy document protection settings by using the Setup program or by using the
Windows Installer program. For more information, see Run Setup for the 2007 Office system on
users' computers (http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users'
configurations after installing the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179141.aspx).

Configure document protection settings by using Group Policy
Use the following procedure to configure encryption settings for Office Open XML Formats files.
Before you perform this procedure, you must know the CSP, the cryptographic algorithm, and the
key length that you want to use for encryption settings. The following registry key contains a list of
the CSPs that are installed on a computer:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Defaults/Provider

Configure encryption settings for Office Open XML Formats files

1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click Encryption type for password protected Office
Open XML files.
3. Click Enabled, and in Encryption type type the following information, separated by
commas:
CSP

Cryptographic algorithm
Key length
4. Verify that your entry looks like the following example (no spaces are allowed on
either side of the commas):
Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128
5. Click OK to save your settings.

Use the following procedure to configure encryption settings for Office 97-2003 format files.
Before you perform this procedure, you must know the CSP, the cryptographic algorithm, and the
key length that you want to use for encryption settings. The following registry key contains a list of
the CSPs that are installed on a computer:
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Cryptography/Defaults/Provider

Configure encryption settings for Office 97-2003 format files

1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click Encryption type for password protected Office
97-2003 files.
3. Click Enabled, and in Encryption type type the following information, separated by
commas:
CSP
Cryptographic algorithm
Key length
4. Verify that your entry looks like the following example (no spaces are allowed on
either side of the commas):
Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128
5. Click OK to save your settings.
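
Both the OCT and the Group Policy procedures above require the Encryption type value to be typed by hand in the exact CSP,algorithm,key-length form, and a mistyped value (stray spaces, a missing field, a CSP that is not installed on the target computers) is easy to miss in the dialog box. The following script is an added example, not part of the Office Resource Kit, that checks a candidate value against that format and against the list of installed CSPs before it is deployed. The CSP list it uses offline is a constructed sample; on Windows it enumerates the registry key the text names instead. The function and variable names are the example's own.

```python
"""Validate the 'Encryption type' value for 2007 Office password-protected files.

Added example (not from the Office Resource Kit). The value format is the one the
procedures describe: "<CSP>,<algorithm>,<key length>" with no spaces on either
side of the commas. The installed-CSP list below is a constructed sample for an
offline run; on Windows the list is read from the registry key the text names,
HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider.
"""
import re
import sys

# Constructed sample of provider subkey names as they appear under that key.
SAMPLE_INSTALLED_CSPS = [
    "Microsoft Base Cryptographic Provider v1.0",
    "Microsoft Enhanced Cryptographic Provider v1.0",
    "Microsoft Enhanced RSA and AES Cryptographic Provider",
]

_KEY_LENGTH = re.compile(r"^[1-9][0-9]*$")


def installed_csps():
    """Return installed CSP names: from the registry on Windows, else the sample."""
    if sys.platform != "win32":
        return list(SAMPLE_INSTALLED_CSPS)
    import winreg  # standard library, Windows only
    path = r"SOFTWARE\Microsoft\Cryptography\Defaults\Provider"
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:  # no more subkeys
                break
            index += 1
    return names


def validate_encryption_type(value, csps=None):
    """Return (ok, problems) for an 'Encryption type' policy string.

    Checks: exactly three comma-separated fields, no whitespace on either side
    of the commas, a CSP that is installed, a non-empty algorithm name, and a
    positive integer key length.
    """
    csps = SAMPLE_INSTALLED_CSPS if csps is None else csps
    problems = []
    fields = value.split(",")
    if len(fields) != 3:
        problems.append("expected 3 comma-separated fields, got %d" % len(fields))
        return False, problems
    if any(f != f.strip() for f in fields):
        problems.append("no spaces are allowed on either side of the commas")
    csp, algorithm, key_length = fields
    if csp not in csps:
        problems.append("CSP not installed: %r" % csp)
    if not algorithm:
        problems.append("cryptographic algorithm is empty")
    if not _KEY_LENGTH.match(key_length):
        problems.append("key length must be a positive integer, got %r" % key_length)
    return not problems, problems


if __name__ == "__main__":
    csps = installed_csps()
    for candidate in (
        "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128",   # value from the text
        "Microsoft Enhanced RSA and AES Cryptographic Provider, AES 128, 128",  # spaces after commas
        "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128",       # key length missing
    ):
        ok, problems = validate_encryption_type(candidate, csps)
        print("OK  " if ok else "FAIL", candidate, problems)
```

Run it on the value you intend to type into Encryption type; anything other than an empty problem list means the setting would not take effect as intended. The CSP check is the one most worth keeping: a value that names a provider missing from a target computer is accepted by the dialog box but cannot be honored there.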

Use the following procedure to configure Office OneNote 2007 encryption settings.

Configure Office OneNote 2007 encryption settings

1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office OneNote 2007/Tools|
Options/Security Settings/Password
2. In the details pane, double-click the encryption setting that you want to configure.
3. Click Enabled to enable a setting, or click Disabled to disable a setting.
4. Click OK to save your settings.

See Also
Plan document protection settings in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office System

Configure external content settings in the
2007 Office system
You can configure external content settings by using the Office Customization Tool (OCT) or by
using the Group Policy Object Editor.

Before you begin

Before you begin to configure settings, be sure you meet the planning requirements,
administrative requirements, and tool requirements that are described in this section.
• Planning requirements You must complete the following steps in the security planning
process before you can effectively configure external content settings:
• Choose a deployment tool for security settings and privacy options in the 2007
Office system
• Evaluate default security and privacy settings for the 2007 Office System
• Plan external content settings in the 2007 Office system
• Administrative requirements The following table lists the administrative credentials
that are required to perform settings configuration actions.

To perform these actions                                                          You must be a member of these groups
Run the OCT                                                                       Administrators group on the local computer
Configure local Group Policy settings with the Group Policy Object Editor         Administrators group on the local computer
Configure domain-based Group Policy settings with the Group Policy Object Editor  Domain Admins, Enterprise Admins, or Group Policy Creator Owners

• Tool requirements It is assumed that you:
• Understand how to use the OCT to customize the 2007 Microsoft Office system. For
more information about the OCT, see Office Customization Tool in the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179097.aspx).
• Have created a network installation point from which you can run the OCT.
• Understand what Administrative Templates (that is, .adm files) are.
• Have loaded the Office 2007 Administrative Templates into the Group Policy Object
Editor.

Configure hyperlink warnings settings

Use the following procedures to configure hyperlink warnings settings.

Configure hyperlink warnings by using the OCT
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system and click Security
Settings.
3. In the details pane, double-click Disable hyperlink warnings.
4. Click Enabled and click OK to save your settings.

Configure hyperlink warnings by using the Group Policy Object Editor

1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click Disable hyperlink warnings.
3. Click Enabled and click OK to save your settings.

Configure linked images settings in Office PowerPoint 2007
Use the following procedures to configure linked images settings in Microsoft Office PowerPoint
2007.

Configure linked images settings by using the OCT

1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office PowerPoint 2007, open
PowerPoint Options and click Security.
3. In the details pane, double-click Unblock automatic download of linked images.
4. Click Enabled and click OK to save your settings.

Configure linked images settings by using the Group Policy Object Editor
1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security
2. In the details pane, double-click Unblock automatic download of linked images.
3. Click Enabled and click OK to save your settings.

See Also
Plan external content settings in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system

Configure Internet Explorer feature control
settings in the 2007 Office system
You can configure Internet Explorer feature control settings by using the Office Customization
Tool (OCT) or by using the Group Policy Object Editor.

Before you begin

Before you begin configuring settings, be sure you meet the planning requirements,
administrative requirements, and tool requirements that are described in this section.
• Planning requirements You must complete the following steps in the security planning
process before you can effectively configure Internet Explorer feature control settings:
• Choose a deployment tool for security settings and privacy options in the 2007
Office system
• Evaluate default security and privacy settings for the 2007 Office System
• Plan Internet Explorer feature control settings in the 2007 Office system
• Administrative requirements The following table lists the administrative credentials
that are required to perform settings configuration actions.

To perform these actions                                                          You must be a member of these groups
Run the OCT                                                                       Administrators group on the local computer
Configure local Group Policy settings with the Group Policy Object Editor         Administrators group on the local computer
Configure domain-based Group Policy settings with the Group Policy Object Editor  Domain Admins, Enterprise Admins, or Group Policy Creator Owners

• Tool requirements It is assumed that you:
• Understand how to use the OCT to customize the 2007 Microsoft Office system. For
more information about the OCT, see Office Customization Tool in the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179097.aspx).
• Have created a network installation point from which you can run the OCT.
• Understand what Administrative Templates (that is, .adm files) are.
• Have loaded the Office 2007 Administrative Templates into the Group Policy Object
Editor.

Important:
Internet Explorer feature control settings are supported only on the 2007 Office system. If
you have a side-by-side installation of the 2007 Office system and an earlier version of
the Office release (such as Office 2003), the Internet Explorer feature control settings
might cause unexpected behavior in applications that are not part of the 2007 Office
system.

Configure Internet Explorer feature control settings by using the OCT
Use the following procedure to configure Internet Explorer feature control settings for all
applications except Microsoft Office InfoPath 2007.

Configure Internet Explorer feature control settings for all applications except Office
InfoPath 2007
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system (machine), open
Security Settings, and click IE Security.
3. In the details pane, double-click the Internet Explorer feature control setting that you
want to configure.
4. To opt in or opt out of specific applications, click Enabled, and do the following:
Select the check boxes next to the applications that you want to opt in.
Clear the check boxes next to the applications that you want to opt out of.
5. To opt out of all applications, click Disabled.
6. Click OK to save your settings.

Use the following procedure to configure Internet Explorer feature control settings for Office
InfoPath 2007.

Configure Internet Explorer feature control settings for Office InfoPath 2007
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office InfoPath 2007 (machine), and
click Security.
3. In the details pane, double-click Windows Internet Explorer Feature Control Opt-
In.
4. Click Enabled, and choose a setting from the drop-down combo box.
5. Click OK to save your settings.

You can use the Setup program or the Windows Installer program to deploy Internet Explorer
feature control settings. For more information, see Run Setup for the 2007 Office system on
users' computers (http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users'
configurations after installing the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179141.aspx).

Configure Internet Explorer feature control settings by using Group Policy
Use the following procedure to configure Internet Explorer feature control settings for all
applications except Microsoft Office InfoPath 2007.

Configure Internet Explorer feature control settings for all applications except Office
InfoPath 2007
1. In the Group Policy Object Editor tree, navigate to the following:
Computer Configuration/Administrative Templates/Microsoft Office 2007 system
(machine)/Security Settings/IE Security
2. In the details pane, double-click the Internet Explorer feature control setting that you
want to configure.
3. To opt in or opt out of specific applications, click Enabled, and do the following:
Select the check boxes next to the applications that you want to opt in.
Clear the check boxes next to the applications that you want to opt out of.
4. To opt out of all applications, click Disabled.
5. Click OK to save your settings.

Use the following procedure to configure Internet Explorer feature control settings for Office
InfoPath 2007.

Configure Internet Explorer feature control settings for Office InfoPath 2007
1. In the Group Policy Object Editor tree, navigate to the following:
Computer Configuration/Administrative Templates/Microsoft Office InfoPath 2007
(machine)/Security
2. In the details pane, double-click Windows Internet Explorer Feature Control Opt-
In.
3. Click Enabled, and choose a setting from the drop-down combo box.
4. Click OK to save your settings.

See Also
Plan Internet Explorer feature control settings in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office System

Configure privacy options in the 2007 Office
system
You can configure privacy options by using the Office Customization Tool (OCT) and the Group
Policy Object Editor.
The recommended guidelines in the following sections are based on the Enterprise Client (EC)
environment rather than the Specialized Security Limited Functionality (SSLF) environment. The
EC environment represents an organization that has typical security needs. It is suitable for
midsize and large organizations that seek to balance security and functionality. The SSLF
environment represents a less typical organization, one in which security is paramount. It is
suitable only for midsize and large organizations that have stringent security standards, for which
security is more important than application functionality.
For a list of all configurations, see the 2007 Microsoft Office Security Guide (Threats and
Countermeasures: Security Settings in the 2007 Office System)
(http://go.microsoft.com/?linkId=7711534).

Before you begin

Before you begin configuring settings, be sure you meet the planning requirements,
administrative requirements, and tool requirements that are described in this section.
• Planning requirements You must complete the following steps in the security planning
process before you can effectively configure privacy options:
• Choose a deployment tool for security settings and privacy options in the 2007 Office
system
• Evaluate default security and privacy settings for the 2007 Office System
• Plan privacy options in the 2007 Office system
• Administrative requirements The following table lists the administrative credentials
that are required to perform settings configuration actions.

To perform these actions                                                          You must be a member of these groups
Run the OCT                                                                       Administrators group on the local computer
Configure local Group Policy settings with the Group Policy Object Editor         Administrators group on the local computer
Configure domain-based Group Policy settings with the Group Policy Object Editor  Domain Admins, Enterprise Admins, or Group Policy Creator Owners

• Tool requirements It is assumed that you:
• Understand how to use the OCT to customize the 2007 Microsoft Office system. For
more information about the OCT, see Office Customization Tool in the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179097.aspx).
• Have created a network installation point from which you can run the OCT.
• Understand what Administrative Templates (that is, .adm files) are.
• Have loaded the Office 2007 Administrative Templates into the Group Policy Object
Editor.

Configure privacy options by using the OCT

The following procedures show how to use the OCT to maximize the protection of private and
personal information.

Maximize the protection of metadata in Office Open XML Formats files

1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system, and click Security
Settings.
3. In the details pane, double-click Protect document metadata for rights managed
Office Open XML Files, click Enabled, and click OK.
4. In the details pane, double-click Protect document metadata for password
protected files, click Enabled, and click OK.

Maximize the protection of private and personal information in the Office 2007 release
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system, open Privacy, and
click Trust Center.
3. In the details pane, double-click Enable Customer Experience Improvement
Program, click Disabled, and click OK.
4. In the details pane, double-click Automatically receive small updates to improve
reliability, click Disabled, and click OK.
5. In the tree view of the OCT, open Microsoft Office 2007 system, open Tools|
Options|General|Services Options, and click Online Content.
6. In the details pane, double-click Online content options, click Enabled, and in
Online content options, click Never show online content or entry points.
7. Click OK.

Maximize the protection of private and personal information in Office Word 2007
documents
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office Word 2007, open Word Options,
and click Security.
3. In the details pane, double-click Warn before printing, saving, or sending a file
that contains tracked changes or comments, click Enabled, and click OK.
4. In the details pane, double-click Make hidden markup visible, click Enabled, and
click OK.
5. In the details pane, double-click Store random number to improve merge
accuracy, click Enabled, and click OK.

Maximize the protection of private and personal information in Office PowerPoint 2007
documents
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office PowerPoint 2007, open
PowerPoint Options, and click Security.
3. In the details pane, double-click Make hidden markup visible, click Enabled, and
click OK.

The following procedure shows how to use the OCT to suppress the first-run Privacy Options
dialog box.

Suppress the first-run Privacy Options dialog box

1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system, open Privacy, and
click Trust Center.
3. In the details pane, double-click Enable Customer Experience Improvement
Program, click Enabled, and click OK.
4. In the details pane, double-click Automatically receive small updates to improve
reliability, click Enabled, and click OK.
5. In the tree view of the OCT, open Microsoft Office 2007 system, open Tools|
Options|General|Services Options, and click Online Content.
6. In the details pane, double-click Online content options, click Enabled, and in
Online content options, click Search online content whenever available.
7. Click OK.

You can deploy privacy options by using the Setup program or by using the Windows Installer
program. For more information, see Run Setup for the 2007 Office system on users' computers
(http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users' configurations after
installing the 2007 Office system (http://technet.microsoft.com/en-us/library/cc179141.aspx).
Configure privacy options by using Group Policy
The following procedures show how to use the Group Policy Object Editor to maximize the
protection of private and personal information.

Maximize the protection of metadata in Office Open XML Formats files

1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click Protect document metadata for rights managed
Office Open XML Files, click Enabled, and click OK.
3. In the details pane, double-click Protect document metadata for password
protected files, click Enabled, and click OK.
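
The two settings in this procedure (and in its OCT counterpart above) control whether the document metadata of rights-managed and password-protected Office Open XML Formats files is protected along with the document content. The following script is an added example, not part of the Office Resource Kit, that shows which personal fields an Open XML package carries in clear in its docProps parts, which is what a reader of the package sees when that metadata is not protected. The package it inspects is constructed in memory as a minimal .docx-like ZIP; the part names and namespaces are the standard Open XML ones, and the function and variable names are the example's own.

```python
"""Report the personal metadata an Office Open XML package carries in clear.

Added example (not from the Office Resource Kit). Office Open XML Formats files
are ZIP packages; document properties live in docProps/core.xml and
docProps/app.xml, separate from the document body. The package built below is
constructed in memory for an offline run; exposed_metadata() works the same on
the bytes of a real .docx, .xlsx or .pptx file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard Open XML namespaces for the core and extended property parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Fields that identify people, times or the organization rather than describe content.
PERSONAL_FIELDS = {
    "docProps/core.xml": ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"],
    "docProps/app.xml": ["ep:Company", "ep:Manager"],
}

# Constructed sample property parts (names and values are made up).
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q3 budget</dc:title>
<dc:creator>Alice Example</dc:creator>
<cp:lastModifiedBy>Bob Example</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2008-11-03T09:12:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2008-12-01T16:40:00Z</dcterms:modified>
</cp:coreProperties>""" % NS

SAMPLE_APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="%(ep)s">
<Application>Microsoft Office Word</Application>
<Company>Contoso (constructed)</Company>
</Properties>""" % NS


def build_sample_package(include_props=True):
    """Return the bytes of a minimal constructed package, with or without docProps."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder, not inspected
        z.writestr("word/document.xml", "<document/>")  # placeholder body
        if include_props:
            z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
            z.writestr("docProps/app.xml", SAMPLE_APP_XML)
    return buf.getvalue()


def exposed_metadata(package_bytes):
    """Return {field: value} for every personal metadata field present in clear."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        names = set(z.namelist())
        for part, fields in PERSONAL_FIELDS.items():
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for field in fields:
                element = root.find(field, NS)
                if element is not None and element.text:
                    found[field] = element.text.strip()
    return found


if __name__ == "__main__":
    for field, value in sorted(exposed_metadata(build_sample_package()).items()):
        print("%-20s %s" % (field, value))
    print("without docProps:", exposed_metadata(build_sample_package(include_props=False)))
```

Pointing exposed_metadata() at a file that was password protected without the Protect document metadata setting makes the point concretely: the document body is encrypted, but the fields this script lists are still readable from the package. With the setting enabled, the property parts are protected along with the body and the script finds nothing to report.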

Maximize the protection of private and personal information in the Office 2007 release
1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Privacy/Trust Center
2. In the details pane, double-click Enable Customer Experience Improvement
Program, click Disabled, and click OK.
3. In the details pane, double-click Automatically receive small updates to improve
reliability, click Disabled, and click OK.
4. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Tools|
Options|General|Services Options/Online Content
5. In the details pane, double-click Online content options, click Enabled, and in
Online content options, click Never show online content or entry points.
6. Click OK.

Maximize the protection of private and personal information in Office Word 2007
documents
1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security
2. In the details pane, double-click Warn before printing, saving, or sending a file
that contains tracked changes or comments, click Enabled, and click OK.
3. In the details pane, double-click Make hidden markup visible, click Enabled, and
click OK.
4. In the details pane, double-click Store random number to improve merge
accuracy, click Enabled, and click OK.

Maximize the protection of private and personal information in Office PowerPoint 2007
documents
1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security
2. In the details pane, double-click Make hidden markup visible, click Enabled, and
click OK.

The following procedures show how to use the Group Policy Object Editor to suppress the first-run Privacy Options dialog box and the first-run Sign up for Microsoft Update dialog box.

Suppress the first-run Privacy Options dialog box


1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Privacy/Trust Center
2. In the details pane, double-click Enable Customer Experience Improvement
Program, click Enabled, and click OK.
3. In the details pane, double-click Automatically receive small updates to improve
reliability, click Enabled, and click OK.
4. Navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Tools|Options|General|Service Options/Online Content
5. In the details pane, double-click Online content options, click Enabled, and in
Online content options, click Search online content whenever available.
6. Click OK.

Suppress the first-run Sign up for Microsoft Update dialog box
1. In the Group Policy Object Editor tree, navigate to any of the following settings:
Computer Configuration/Administrative Templates/System/Internet Communication
Management/Internet Communication settings/Turn off access to all Windows
update features
User Configuration/Administrative Templates/Windows Components/Windows
Update/Remove access to use all Windows Update features
User Configuration/Administrative Templates/Start Menu and Taskbar/Remove
links and access to Windows Update
2. In the details pane, double-click the setting to which you navigated.
3. Click Enabled, and then click OK.

See Also
Plan privacy options in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system
Security policies and settings in the 2007 Office system
GPOAccelerator (http://go.microsoft.com/fwlink/?LinkId=103576)

Configure block file format settings in the 2007 Office system
You can configure block file format settings by using the Office Customization Tool (OCT) or the
Group Policy Object Editor.

Before you begin

Before you begin configuring settings, be sure you meet the planning requirements,
administrative requirements, and tool requirements that are described in this section.
• Planning requirements: You must complete the following steps in the security planning
process before you can effectively configure block file format settings:
Choose a deployment tool for security settings and privacy options in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office System
Plan block file format settings in the 2007 Office system
• Administrative requirements: The following table lists the administrative credentials
that are required to perform settings configuration actions.

To perform these actions, you must be a member of these groups:
Run the OCT: Administrators group on the local computer
Configure local Group Policy settings with the Group Policy Object Editor: Administrators group on the local computer
Configure domain-based Group Policy settings with the Group Policy Object Editor: Domain Admins, Enterprise Admins, or Group Policy Creator Owners

• Tool requirements: It is assumed that you:
• Understand how to use the OCT to customize the 2007 Microsoft Office system. For more information about the OCT, see Office Customization Tool in the 2007 Office system (http://technet.microsoft.com/en-us/library/cc179097.aspx).
• Have created a network installation point from which you can run the OCT.
• Understand what Administrative Templates (that is, .adm files) are.
• Have loaded the Office 2007 Administrative Templates into the Group Policy Object Editor.

Configure block file format settings by using the OCT
Use the following procedure to configure block file format settings by using the OCT.

Configure block file format settings by using the OCT


1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, navigate to one of the following locations:
Microsoft Office Excel 2007/Block file formats/Open
Microsoft Office PowerPoint 2007/Block file formats/Open
Microsoft Office Word 2007/Block file formats/Open
3. In the details pane, double-click the block file format setting that you want to
configure.
4. To enforce the block open setting, click Enabled.
5. To disable the block open setting, click Disabled.
6. Click OK to save your settings.

You can deploy block file format settings by using the Setup program or by using the Windows
Installer program. For more information, see Run Setup for the 2007 Office system on users'
computers (http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users'
configurations after installing the 2007 Office system (http://technet.microsoft.com/en-us/library/cc179141.aspx).

Configure block file format settings by using Group Policy
Use the following procedures to configure block file format settings by using Group Policy.

Configure block file format settings by using the Group Policy Object Editor
1. In the Group Policy Object Editor tree, navigate to one of the following:
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Block file
formats
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/Block file formats
User Configuration/Administrative Templates/Microsoft Office Word 2007/Block file
formats
2. In the details pane, double-click Open to configure block open settings, or double-
click Save to configure block save settings.
3. In the details pane, double-click the setting that you want to configure.
4. To enforce the block file format setting, click Enabled.
5. To disable the block file format setting, click Disabled.
6. Click OK to save your settings.

See Also
Evaluate default security and privacy settings for the 2007 Office System
Plan block file format settings in the 2007 Office system

B. Configuring Outlook 2007 Security Settings

Set consistent Outlook 2007 cryptography options for an organization
You can control many aspects of Microsoft Office Outlook 2007 cryptography features to help
configure more secure messaging and message encryption for your organization. For example,
you can configure a Group Policy setting that requires a security label on all outgoing mail or a
setting that disables publishing to the Global Address List.
You can lock down the settings to customize cryptography by using the Outlook Group Policy
template (Outlk12.adm). Or you can configure default settings by using the Office Customization
Tool (OCT), in which case users can change the settings. The OCT settings are in corresponding
locations on the Modify user settings page of the OCT.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To customize cryptographic options by using Group Policy
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
2. To customize cryptographic settings, under User Configuration\Administrative
Templates\Microsoft Office Outlook 2007\Security\Cryptography, double-click the policy
setting you want to set. For example, double-click Do not display 'Publish to GAL' button.
(Some options are included in the Signature Status dialog box folder.)
3. Click Enabled. When appropriate, choose an option that displays on the Setting tab.
4. Click OK.
The settings you can configure for cryptography are shown below.

Minimum encryption settings: Set to the minimum key length for an encrypted e-mail message.

S/MIME interoperability with external clients: Specify the behavior for handling S/MIME messages.

Always use Rich Text formatting in S/MIME messages: Always use Rich Text for S/MIME messages instead of the format specified by the user.

S/MIME password settings: Specify the default and maximum amount of time that an S/MIME password is valid.

Message formats: Choose message formats to support: S/MIME (default), Exchange, Fortezza, or a combination of formats.

Message when Outlook cannot find the digital ID to decode a message: Enter a message to display to users.

Do not provide Continue option on Encryption warning dialog boxes: Disable the Continue button on encryption settings warning dialog boxes.

Run in FIPS compliant mode: Put Outlook into FIPS 140-1 mode.

Do not check e-mail address against address of certificates being using (sic): Do not verify user's e-mail address with address of certificates used for encryption or signing.

Encrypt all e-mail messages: Encrypt outgoing e-mail messages.

Sign all e-mail messages: Sign outgoing e-mail messages.

Send all signed messages as clear signed messages: Use Clear Signed for signed outgoing e-mail messages.

Request an S/MIME receipt for all S/MIME signed messages: Request a security-enhanced receipt for outgoing e-mail messages.

URL for S/MIME certificates: Provide a URL at which users can obtain an S/MIME receipt. The URL can contain three variables (%1, %2, and %3) that will be replaced by the user's name, e-mail address, and language, respectively.

Ensure all S/MIME signed messages have a label: Require all S/MIME-signed messages to have a security label.

Do not display 'Publish to GAL' button: Disable the 'Publish to GAL' button on the E-mail Security page of the Trust Center.

Signature Warning: Specify an option for when signature warnings display to users.

S/MIME receipt requests: Specify an option for how S/MIME receipt requests are handled.

Fortezza certificate policies: Enter a list of policies allowed in the policies extension of a certificate showing that the certificate is a Fortezza certificate. List policies separated by semi-colons.

Require SUITEB algorithms for S/MIME operations: Use only Suite-B algorithms for S/MIME operations.

Enable Cryptography Icons: Display Outlook cryptography icons in the Outlook UI.

Retrieving CRLs (Certificate Revocation Lists): Specify how Outlook behaves when CRL lists are retrieved.

Missing CRLs: Specify the Outlook response when a CRL is missing: display error or warning (default).

Missing root certificates: Specify the Outlook response when a root certificate is missing: display error or warning (default).

Promote Level 2 errors as errors, not warnings: Specify the Outlook response for Level 2 errors: display error or warning (default).

Attachment Secure Temporary Folder: Specify a folder path for the Secure Temporary Files Folder. This overrides the default path and is not recommended.

More information about setting Outlook cryptography options
The following sections provide additional information about configuration options for Outlook
cryptography.

Outlook security policy settings


The following table lists the Windows registry settings you can configure for your custom
installation. The Windows registry settings correspond to the Group Policy settings listed earlier.
You add these value entries in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security

AlwaysEncrypt
Value data (Data type): 0, 1 (DWORD)
Description: Set to 1 to encrypt outgoing messages. Default is 0.
Corresponding UI option: Encrypt contents check box (E-mail Security page).

AlwaysSign
Value data (Data type): 0, 1 (DWORD)
Description: Set to 1 to sign outgoing messages. Default is 0.
Corresponding UI option: Add digital signature check box (E-mail Security page).

ClearSign
Value data (Data type): 0, 1 (DWORD)
Description: Set to 1 to use Clear Signed for outgoing messages. Default is 0.
Corresponding UI option: Send clear text signed message check box (E-mail Security page).

RequestSecureReceipt
Value data (Data type): 0, 1 (DWORD)
Description: Set to 1 to request security-enhanced receipts for outgoing messages. Default is 0.
Corresponding UI option: Request S/MIME receipt check box (E-mail Security page).

ForceSecurityLabel
Value data (Data type): 0, 1 (DWORD)
Description: Set to 1 to require a label on outgoing messages. (The registry setting does not specify which label.) Default is 0.
Corresponding UI option: None

ForceSecurityLabelX
Value data (Data type): ASN encoded BLOB (Binary)
Description: This value entry specifies whether a user-defined security label must exist on outgoing signed messages. The string can optionally include label, classification, and category. Default is no security label required.
Corresponding UI option: None

SigStatusNoCRL
Value data (Data type): 0, 1 (DWORD)
Description: Set to 0 to specify that a missing CRL during signature validation is a warning. Set to 1 to specify that a missing CRL is an error. Default is 0.
Corresponding UI option: None

SigStatusNoTrustDecision
Value data (Data type): 0, 1, 2 (DWORD)
Description: Set to 0 to specify that a No Trust decision is allowed. Set to 1 to specify that a No Trust decision is a warning. Set to 2 to specify that a No Trust decision is an error. Default is 0.
Corresponding UI option: None

PromoteErrorsAsWarnings
Value data (Data type): 0, 1 (DWORD)
Description: Set to 0 to promote Error Level 2 errors as errors. Set to 1 to promote Error Level 2 errors as warnings. Default is 1.
Corresponding UI option: None

PublishtoGalDisabled
Value data (Data type): 0, 1 (DWORD)
Description: Set to 1 to disable the Publish to GAL button. Default is 0.
Corresponding UI option: Publish to GAL button (E-mail Security page)

FIPSMode
Value data (Data type): 0, 1 (DWORD)
Description: Set to 1 to put Outlook into FIPS 140-1 mode. Default is 0.
Corresponding UI option: None

WarnAboutInvalid
Value data (Data type): 0, 1, 2 (DWORD)
Description: Set to 0 to display the Show and Ask check box (Secure E-mail Problem pont dialog box). Set to 1 to always show the dialog box. Set to 2 to never show the dialog box. Default is 2.
Corresponding UI option: Secure E-mail Problem pont dialog box.

DisableContinueEncryption
Value data (Data type): 0, 1 (DWORD)
Description: Set to 0 to show the Continue Encrypting button in the final Encryption Errors dialog box. Set to 1 to hide the button. Default is 0.
Corresponding UI option: Continue Encrypting button on final Encryption Errors dialog box. This dialog box appears when a user tries to send a message to someone who cannot receive encrypted messages. This setting disables the button that allows users to send the message regardless. (The recipient cannot open encrypted mail messages sent by overriding the error.)

RespondtoReceiptRequest
Value data (Data type): 0, 1, 2, 3 (DWORD)
Description: Set to 0 to always send a receipt response and prompt for a password, if needed. Set to 1 to prompt for a password when sending a receipt response. Set to 2 to never send a receipt response. Set to 3 to enforce sending a receipt response. Default is 0.
Corresponding UI option: None

NeedEncryptionString
Value data (Data type): String
Description: Displays the specified string when the user tries unsuccessfully to open an encrypted message. Can provide information about where to enroll in security. Default string is used, unless the value is set to another string.
Corresponding UI option: Default string

Options
Value data (Data type): 0, 1 (DWORD)
Description: Set to 0 to show a warning dialog box when a user attempts to read a signed message with an invalid signature. Set to 1 to never show the warning. Default is 0.
Corresponding UI option: None

MinEncKey
Value data (Data type): 40, 64, 128, 168 (DWORD)
Description: Set to the minimum key length for an encrypted e-mail message.
Corresponding UI option: None

RequiredCA
Value data (Data type): String
Description: Set to the name of the required certificate authority (CA). When a value is set, Outlook disallows users from signing e-mail by using a certificate from a different CA.
Corresponding UI option: None

EnrollPageURL
Value data (Data type): String
Description: URL for the default certificate authority (internal or external) from which you wish your users to obtain new digital IDs. Note: Set in HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security subkey if you do not have administrator rights on the user's computer.
Corresponding UI option: Get Digital ID button (E-mail Security page).

When you specify a value for PromoteErrorsAsWarnings, potential Error Level 2 conditions
include the following:
• Unknown Signature Algorithm
• No Signing Certification Found
• Bad Attribute Sets
• No Issuer Certificate Found
• No CRL Found
• Out of Date CRL
• Root Trust Problem
• Out of Date CTL

When you specify a value for EnrollPageURL, use the following parameters to send information
about the user to the enrollment Web page.

Parameter: Placeholder in URL string
User display name: %1
SMTP e-mail name: %2
User interface language ID: %3

For example, to send user information to the Microsoft enrollment Web page, set the
EnrollPageURL entry to the following value, including the parameters:
www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3
For example, if the user's name is Jeff Smith, e-mail address is someone@example.com, and
user interface language ID is 1033, the placeholders are resolved as follows:
www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@example.com&helplcid=1033
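As an added example, not part of the Office Resource Kit or any Microsoft tool, the following PowerShell reads the Outlook\Security values documented in the table above for the current user and compares them with a desired baseline. The baseline numbers are constructed for illustration, and the script falls back to the defaults the table documents when a value is absent.

```powershell
# Added example, not part of the Office Resource Kit: compare the Outlook 2007
# cryptography values under the user's Security subkey with a desired baseline.
# Assumptions: the subkey path is the one given in the table above; the baseline
# numbers are constructed for illustration and are not Microsoft defaults.

$SecurityKey = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'

# Constructed baseline: sign all mail, 128-bit minimum key, FIPS 140-1 mode,
# missing CRL is an error, Level 2 conditions are errors, no Continue button.
$Baseline = @{
    AlwaysSign                = 1
    MinEncKey                 = 128
    FIPSMode                  = 1
    SigStatusNoCRL            = 1
    PromoteErrorsAsWarnings   = 0   # 0 = Error Level 2 conditions are errors
    DisableContinueEncryption = 1
}

# Defaults documented in the table, applied when the value is absent.
# MinEncKey has no documented default, so an absent value stays "not set".
$DocumentedDefaults = @{
    AlwaysSign                = 0
    FIPSMode                  = 0
    SigStatusNoCRL            = 0
    PromoteErrorsAsWarnings   = 1
    DisableContinueEncryption = 0
}

function Get-OutlookSecurityValue {
    # Returns the effective value: registry data if present, otherwise the
    # documented default, otherwise $null.
    param([Parameter(Mandatory = $true)][string]$Name)
    $props = Get-ItemProperty -Path $SecurityKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $props) { return $props.$Name }
    if ($DocumentedDefaults.ContainsKey($Name)) { return $DocumentedDefaults[$Name] }
    return $null
}

function Test-OutlookCryptoBaseline {
    # Emits one object per baseline value with the expected and effective
    # data and a Compliant flag.
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $effective = Get-OutlookSecurityValue -Name $name
        $shown = if ($null -eq $effective) { '(not set)' } else { $effective }
        [pscustomobject]@{
            Value     = $name
            Expected  = $Baseline[$name]
            Effective = $shown
            Compliant = ($null -ne $effective -and $effective -eq $Baseline[$name])
        }
    }
}

# Report with non-compliant values listed first.
Test-OutlookCryptoBaseline | Sort-Object Compliant, Value | Format-Table -AutoSize
```

The script reads only the per-user subkey named above; if you enforce these settings through the Outlk12.adm policy settings instead, check the corresponding policy location as well.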

Security policy settings for general cryptography


The following table shows additional Windows registry settings that you can use for your custom
configuration. These settings are contained in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\SMIME\SecurityPolicies\Default

ShowWithMultiLabels
Value data (Data type): 0, 1 (DWORD)
Description: Set to 0 to attempt to display a message when the signature layer has different labels set in different signatures. Set to 1 to prevent display of message. Default is 0.
Corresponding UI option: None

CertErrorWithLabel
Value data (Data type): 0, 1, 2 (DWORD)
Description: Set to 0 to process a message with a certificate error when the message has a label. Set to 1 to deny access to a message with a certificate error. Set to 2 to ignore the message label and grant access to the message. (The user still sees a certificate error.) Default is 0.
Corresponding UI option: None

Security policy settings for KMS-issued certificates
The values in the following table only apply to certificates issued by Microsoft Exchange Key
Management Service (KMS). The table shows additional Windows registry settings that you can
use for your custom configuration. These settings are contained in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Defaults\Provider

MaxPWDTime
Value data (Data type): 0, number (DWORD)
Description: Set to 0 to remove the user's ability to save a password (the user is required to enter a password each time a key set is required). Set to a positive number to specify a maximum password time in minutes. Default is 999.
Corresponding UI option: None

DefPWDTime
Value data (Data type): Number (DWORD)
Description: Set to the default value for the amount of time a password is saved.
Corresponding UI option: None

Specify the method Outlook uses to manage virus prevention features
With Microsoft Office Outlook 2007, you can use new Group Policy settings to configure security
options that help prevent viruses. With previous versions of Outlook, you modified security
settings by using the Outlook security template and publishing the settings to a form in a top-level
folder in Exchange Server public folders. Users who needed these settings required the
HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key
to be set on their computers for the settings to apply.
The CheckAdminSettings registry key is no longer used to determine users' security settings.
Instead, you configure a new Group Policy setting: Outlook Security Mode. The option you
choose in this setting determines which security settings are enforced in Outlook:
• Default security settings in the product
• Security settings in the Exchange Server security form
• Group Policy security settings
To configure the method that Outlook uses for security settings
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm) and go to User
Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security Form
settings\Microsoft Office Outlook 12.0 Security.
2. Double-click Outlook Security Mode, and click Enabled.
3. In the Outlook Security Policy drop-down list, select the method that you want Outlook
to use for enforcing security settings.
4. Click OK.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To continue using the Exchange Server security form for Outlook security settings, you must
configure the new Group Policy setting. If you do not configure the setting, Outlook uses default
security settings. If you do not enable the Outlook Security Mode setting, default security settings
in the product are enforced.

More information about managing virus prevention settings
More information about managing virus prevention settings is included in the following sections.

Migrating to Group Policy settings
If you previously used the Exchange Server security form to manage security settings and now
choose to use Group Policy with Outlook, you must manually migrate the settings that you
configured earlier to the corresponding Group Policy settings for Outlook.

Updated Object Model Guard


Users might receive a warning when an application accesses the Outlook Address Book—for
example, when users synchronize a hand-held device with Outlook on their desktop computer.
This feature cannot be modified by using the Exchange Server security form or Group Policy. To
prevent the access warning, the application must be coded to interact with Outlook in a trusted
manner.
The Object Model (OM) Guard that helps prevent viruses from using the Outlook Address Book to
propagate themselves has been updated. Outlook now checks for up-to-date antivirus software to
help determine when to display address book access warnings and other Outlook security
warnings.
For more information about coding trusted add-ins, see Important Security Notes for Microsoft
Outlook COM Add-in Developers (http://go.microsoft.com/fwlink/?LinkId=74697).

Customize attachment settings in Outlook 2007
In Microsoft Office Outlook 2007, you can specify that attachments to Outlook items (such as e-
mail messages or appointments) are restricted based on the file type of the attachment. A file type
can have either a Level 1 or Level 2 restriction. You can also configure what users can do with
attachment restrictions. For example, you might allow users to change the restrictions for a group
of attachment file types from Level 1 (user cannot view the file) to Level 2 (user can open the file
after saving it to disk).

Note:
This topic is for Outlook administrators. To learn more about why some Outlook
attachments are blocked, see Blocked attachments: The Outlook feature you love to
hate (http://go.microsoft.com/fwlink/?LinkId=81268). Or learn how to share files with
restricted file types by reading Blocked attachments in Outlook
(http://go.microsoft.com/fwlink/?LinkId=81269).
You can configure attachment settings by using Group Policy. In Group Policy, load the Outlook
template (Outlk12.adm) and go to User Configuration\Administrative Templates\Microsoft Office
Outlook 2007\Security\Security Form Settings\Attachment Security. These settings cannot be
configured by using the Office Customization Tool.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.

Note:
To use Group Policy to configure these attachment settings, you must first configure the
method that Outlook uses for security settings correctly. For more information about
setting the Outlook security settings method, see Plan for configuring security settings
in Outlook 2007.

The following table describes the Group Policy options for attachments.

Display Level 1 attachments: Enables users to access all attachments with Level 1 file types by first saving the attachments to disk, and then opening them (as with Level 2 attachments).

Allow users to demote attachments to Level 2: Enables users to create a list of attachment file types to demote from Level 1 to Level 2. The registry key in which users create the list of file types to demote is HKCU\Software\Microsoft\Office\12.0\Outlook\Security\Level1Remove. In the registry key, users specify the file types (usually three letters) to remove from the Level 1 file list, separated with semicolons.

Disable the prompt about Level 1 attachments when sending an item: Prevents users from receiving a warning when they send an item containing a Level 1 attachment. This option affects only the warning. Once the item is sent, the user cannot view or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must select both this check box and the Do not prompt about Level 1 attachments when closing an item check box.

Disable the prompt about Level 1 attachments when closing an item: Prevents users from receiving a warning when they close an e-mail message, appointment, or other item containing a Level 1 attachment. This option affects only the warning. Once the item is closed, the user cannot view or gain access to the attachment. If you want users to be able to post items to a public folder without receiving this prompt, you must select both this check box and the Do not prompt about Level 1 attachments when sending an item check box.

Allow in-place activation of embedded OLE objects: Allows users to double-click an embedded object, such as a Microsoft Excel spreadsheet, and open it in the Outlook editor.

Display OLE package objects: Displays OLE objects that have been packaged. A package is an icon that represents an embedded or linked OLE object. When you double-click the package, the program used to create the object either plays the object (for example, if the object is a sound file) or opens and displays the object. Allowing Outlook to display OLE package objects can be problematic, because the icon can be easily changed and used to disguise malicious files.
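The Level1Remove list described above is the one place where an individual user can weaken attachment blocking on their own machine, so it is worth auditing. The following PowerShell is an added example rather than code from the Office Resource Kit; it parses that list and flags demoted types against a constructed watch list, and assumes Level1Remove is a string value under the Security subkey named in the table.

```powershell
# Added example, not part of the Office Resource Kit: list the Level 1 attachment
# types a user has demoted to Level 2 through Level1Remove and flag risky ones.
# Assumptions: Level1Remove is a string value under the Security subkey named in
# the table above; the watch list is constructed for illustration.

$SecurityKey = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'

# Constructed watch list: types an administrator would rarely want a user to be
# able to open from a message, even after saving to disk.
$WatchList = @('exe', 'scr', 'vbs', 'js', 'bat', 'cmd', 'ps1', 'msi')

function ConvertFrom-Level1Remove {
    # Parses the semicolon-separated list users write into Level1Remove.
    # Tolerates spaces, a leading period, empty entries, duplicates and mixed case.
    param([string]$RawList)
    if ([string]::IsNullOrWhiteSpace($RawList)) { return @() }
    $types = $RawList -split ';' |
        ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique
    return @($types)
}

function Get-DemotedLevel1Types {
    # Reads Level1Remove for the current user. The list only takes effect when
    # the "Allow users to demote attachments to Level 2" option is enabled.
    $props = Get-ItemProperty -Path $SecurityKey -Name Level1Remove -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }
    return ConvertFrom-Level1Remove -RawList ([string]$props.Level1Remove)
}

function Test-DemotedLevel1Types {
    # One object per demoted type, marking those on the watch list.
    param([string[]]$Types = (Get-DemotedLevel1Types))
    foreach ($t in $Types) {
        [pscustomobject]@{
            FileType    = $t
            OnWatchList = ($WatchList -contains $t)
        }
    }
}

# Constructed sample input first (exe and vbs are flagged; pdf and docm are not),
# then the live value for the current user.
$sample = ConvertFrom-Level1Remove -RawList 'EXE; .pdf;vbs;;docm'
Test-DemotedLevel1Types -Types $sample | Format-Table -AutoSize
Test-DemotedLevel1Types | Format-Table -AutoSize
```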

Add or remove Level 1 file types
Level 1 files are hidden from the user. The user cannot open, save, or print a Level 1 attachment.
(If you specify that users can demote a Level 1 attachment to a Level 2 attachment, Level 2
restrictions apply to the file.) The InfoBar at the top of the item displays a list of the blocked files.
(The InfoBar does not appear on a custom form.) The default list of Level 1 file types is provided
in Attachment file types that are restricted by Outlook in the See Also section, which is visible
when you are connected to the Internet.
When you remove a file type from the Level 1 list, attachments with that file type are no longer
blocked.
The following table describes how to add or remove Level 1 file types from the default list. You
can use Group Policy to configure these settings. In Group Policy, load the Outlook template
(Outlk12.adm) and go to User Configuration\Administrative Templates\Microsoft Office Outlook
2007\Security\Security Form Settings\Attachment Security. These settings cannot be configured
by using the Office Customization Tool.

Note:
To use Group Policy to configure these attachment settings, you must first configure the
method that Outlook uses for security settings correctly. For more information about
setting the Outlook security settings method, see Plan for configuring security settings
in Outlook 2007.

Add file types to block as Level 1: Specifies the file types (usually three letters) you want to add to the Level 1 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons.

Remove file types blocked as Level 1: Specifies the file types (usually three letters) you want to remove from the Level 1 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons.

Add or remove Level 2 file types


With a Level 2 file, the user is required to save the file to the hard disk before the file is opened. A
Level 2 file cannot be opened directly from an item.
When you remove a file type from the Level 2 list, it becomes a regular file type that can be
opened, saved, and printed in Outlook. There are no restrictions on the file.
The following table describes how to add or remove Level 2 file types from the default list. You
can use Group Policy to configure these settings. In Group Policy, load the Outlook template
(Outlk12.adm) and go to User Configuration\Administrative Templates\Microsoft Office Outlook
2007\Security\Security Form Settings\Attachment Security. These settings cannot be configured
by using the Office Customization Tool.

Note:
To use Group Policy to configure these attachment settings, you must first configure the
method that Outlook uses for security settings correctly. For more information about
setting the Outlook security settings method, see Plan for configuring security settings
in Outlook 2007.

Add file types to block as Level 2: Specifies the file types (usually three letters) you want to add to the Level 2 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons.

Remove file types blocked as Level 2: Specifies the file types (usually three letters) you want to remove from the Level 2 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons.

Additional attachment security settings


Several Group Policy settings for attachment security in earlier versions of Outlook are available
in Office Outlook 2007. In earlier versions of Outlook, most security settings were managed by
using a form published to a Microsoft Exchange public folder, rather than by using Group Policy.
In a few scenarios, you could configure Group Policy settings in addition to the settings enforced
by the Exchange Server security form.

Note:
If you are using only Group Policy to manage Outlook security, these options are
configured by using new Group Policy settings (described earlier in this topic). If you are
using the Exchange Server security form, you might still want to configure these legacy
settings.
If you are using the Exchange Server security form to manage Outlook security, you can
configure these legacy settings in combination with settings on the security form.
The following table describes the way legacy Group Policy settings for attachment security
interact. To configure these settings, load the Outlook template (Outlk12.adm) in Group Policy. Go
to User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security. These
settings cannot be configured by using the Office Customization Tool.

Prevent users from customizing attachment security settings: When enabled, users cannot customize the list of file types that are allowed as attachments in Outlook, regardless of how you have configured other Outlook security settings.

Allow access to e-mail attachments: Specifies the file types (usually three letters) you want to remove from the Level 1 file list. Do not enter a period before each file type. If you enter multiple file types, separate them with semicolons.

If you configure the Allow access to e-mail attachments Group Policy setting, the final list of
restricted file types is based on other attachment security settings:
• If you use the Exchange Server security form to configure security settings, file types on
the Level 1 list created by using the Exchange Server security form are still restricted.
• If you use Group Policy to configure security settings, the list of Level 1 file types you
have specified by using the Group Policy setting Add file extensions to block as Level 1 are
still restricted.
• If you use default security settings, all file types listed in this Group Policy setting are no
longer restricted.

Customize programmatic settings in Outlook 2007
As an administrator of Microsoft Office Outlook 2007, you can configure programmatic security
settings to manage restrictions for the following technologies: the Outlook object model,
Collaboration Data Object (CDO), and Simple MAPI. These technologies are defined as follows:
• Outlook object model—The Outlook object model allows you to programmatically
manipulate data stored in Outlook folders.
• CDO—Collaboration Data Object (CDO) libraries are used to implement messaging and
collaboration functionality in a custom application. CDO is a COM wrapper of the MAPI library
and can be called from any development language that supports Automation. CDO
implements most but not all MAPI functionality, but more than Simple MAPI.
• Simple MAPI—Simple MAPI enables developers to add basic messaging functionality,
such as sending and receiving messages, to their Microsoft Windows-based applications. It is
a subset of MAPI, which provides complete access to messaging and information exchange
systems.
You can use Group Policy to configure programmatic security settings. In Group Policy, load the
Outlook template (Outlk12.adm). These settings are located under User
Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security
Form Settings\Programmatic Security. These settings cannot be configured by using the Office
Customization Tool.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.

Note:
To use Group Policy to configure programmatic security settings, you must first configure
the method that Outlook uses for security settings correctly. For more information about
setting the Outlook security settings method, see Plan for configuring security settings
in Outlook 2007.
The following table describes the Group Policy options for programmatic settings. You can
choose one of the following settings for each item:
• Prompt user—Users receive a message allowing them to choose whether to allow or
deny the operation. For some prompts, users can choose to allow or deny the operation
without prompts for up to 10 minutes.
• Automatically approve—The operation is allowed and the user does not receive a
prompt.
• Automatically deny—The operation is not allowed and the user does not receive a
prompt.

Item Description

Configure Outlook object model prompt when sending mail
    Specifies what happens when a program attempts to send mail programmatically by using the
    Outlook object model.

Configure Simple MAPI sending prompt
    Specifies what happens when a program attempts to send mail programmatically by using
    Simple MAPI.

Configure Outlook object model prompt when accessing an address book
    Specifies what happens when a program attempts to gain access to an address book by using
    the Outlook object model.

Configure Simple MAPI name resolution prompt
    Specifies what happens when a program attempts to gain access to an address book by using
    Simple MAPI.

Configure Outlook object model prompt when reading address information
    Specifies what happens when a program attempts to gain access to a recipient field, such as
    To, by using the Outlook object model.

Configure Simple MAPI message opening prompt
    Specifies what happens when a program attempts to gain access to a recipient field, such as
    To, by using Simple MAPI.

Configure Outlook object model prompt when responding to meeting and task requests
    Specifies what happens when a program attempts to send mail programmatically by using the
    Respond method on task requests and meeting requests. This method is similar to the Send
    method on mail messages.

Configure Outlook object model prompt when executing Save As
    Specifies what happens when a program attempts to programmatically use the Save As command
    on the File menu to save an item. Once an item has been saved, a malicious program could
    search the file for e-mail addresses.

Configure Outlook object model prompt when accessing the Formula property of a UserProperty object
    Specifies what happens when a user adds a Combination or Formula custom field to a custom
    form and binds it to an Address Information field. By doing this, code can be used to
    indirectly retrieve the value of the Address Information field by getting the Value
    property of the field.

Configure Outlook object model prompt when accessing address information via UserProperties.Find
    Specifies what happens when a program attempts to search mail folders for address
    information by using the Outlook object model.

Customize ActiveX and custom forms security settings in Outlook 2007
You can specify ActiveX and custom forms security settings for Microsoft Office Outlook 2007
users. Custom forms security settings include options for changing how Office Outlook 2007
restricts scripts, custom controls, and custom actions.

Customizing how ActiveX controls behave in one-off forms
When Outlook receives a message that contains a form definition, the item is a one-off form. To
help prevent unwanted script and controls from running in one-off forms, Outlook does not load
ActiveX controls in one-off forms by default.
You can lock down the settings to customize ActiveX controls by using the Outlook Group Policy
template (Outlk12.adm). Or you can configure default settings by using the Office Customization
Tool (OCT), in which case users can change the settings. The OCT settings are in corresponding
locations on the Modify user settings page of the OCT.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To customize ActiveX options by using Group Policy
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
2. Under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security,
double-click Allow Active X One Off Forms.
3. Click Enabled.
4. Choose an option from the Sets which ActiveX controls to allow drop-down list.
5. Click OK.
Choose one of the options in the following table.

Option Description

Allows all ActiveX Controls
    Allows all ActiveX controls to run without restrictions.

Allows only Safe Controls
    Allows only safe ActiveX controls to run. An ActiveX control is safe if it is signed with
    Authenticode and the signer is listed in the Trusted Publishers List.

Load only Outlook Controls
    Outlook loads only the following controls. These are the only controls that can be used in
    one-off forms.
    • Controls from fm20.dll
    • Microsoft Office Outlook Rich Format Control
    • Microsoft Office Outlook Recipient Control
    • Microsoft Office Outlook View Control
If you do not configure any of these options, the default is to load only Outlook controls.

Customizing custom forms security settings


You can lock down the settings to configure security for custom forms by using the Outlook Group
Policy template (Outlk12.adm). Or you can configure default settings by using the Office
Customization Tool (OCT), in which case users can change the settings. The OCT settings are in
corresponding locations on the Modify user settings page of the OCT.
To customize custom forms security options by using Group Policy
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
2. Under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\
Security Form Settings\Custom Form Security, double-click the setting you want to set. For
example, double-click Allow scripts in one-off Outlook forms.
3. Click Enabled. If appropriate, choose an option from the drop-down list in the setting.
4. Click OK.

Note:
To use Group Policy to configure Custom Form Security, you must first configure the
method that Outlook uses for security settings correctly. See the following topic for more
information about setting this option: Specify the method Outlook uses to manage
virus prevention features.
The settings you can configure for scripts, custom controls, and custom actions are shown below:

Option Description

Allow scripts in one-off Outlook forms
    Run scripts in forms where the script and the layout are contained in the message. If users
    receive a one-off form that contains script, users are prompted to ask if they want to run
    the script.

Manage trusted add-ins for Outlook 2007
If you use default Microsoft Office Outlook 2007 security settings, all Component Object Model
(COM) add-ins installed in Office Outlook 2007 are trusted by default. If you customize security
settings by using Group Policy, you can specify COM add-ins that are trusted and that can run
without encountering the Outlook object model blocks.
To trust a COM add-in, you include the file name for the add-in in a Group Policy setting with a
calculated hash value for the file. Before you can specify an add-in as trusted by Outlook, you
must install a program to calculate the hash value.
To compute the hash value for a trusted add-in
1. Download the hash calculation program - the Outlook 2007 Security Hash Generator Tool
- from the Microsoft Office Download Center (http://go.microsoft.com/fwlink/?LinkId=75742).
2. Extract the contents to a local folder (such as C:\hashtool).
3. Run the command prompt for your computer: Click Start, All Programs, Accessories,
Command Prompt.

Note:
Windows Vista requires an additional step. Right-click Command Prompt, then
select Run as administrator.
4. Change directories to the folder where you extracted the hash tool files.
5. Type: createhash.bat /register and press Enter. (This step needs to be
completed only once.)
6. Type: createhash.bat filename where filename is the full path and file name of the
add-in file you are creating the hash number for.
7. Press Enter.
8. Copy and save the value that is displayed on the screen to the clipboard. This is the
value that you will add to the Group Policy setting (see the following procedure).
Specify the add-in as trusted by entering in Group Policy the value generated by the program,
paired with the add-in file name.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To specify the trusted add-in in Group Policy
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm) and go to User
Configuration\Administrative Templates\Microsoft Office Outlook
2007\Security\Security Form Settings\Programmatic Security\Trusted Add-ins.
2. Double-click Configure trusted add-ins, and click Enabled.
3. Click Show.
4. In the Show contents dialog box, click Add.
5. In the Add item dialog box, in the Enter the name of the item to be added field, type
the file name of the COM add-in.
6. In the Enter the value to be added field, paste the hash value of the COM add-in that
you saved when you ran the hash value calculation program.
7. Click OK three times.
The COM add-in can now run without prompts for Office Outlook 2007 users who use this
security setting.
To remove a file from the list of trusted add-ins, update the Group Policy setting by deleting the
entry for the add-in.
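When several COM add-ins have to be trusted, running the two procedures above by hand for each one is error-prone: a hash pasted against the wrong file name simply fails to trust the add-in. As an added example (not code from the Office Resource Kit or from the hash tool), the following PowerShell function runs createhash.bat once per add-in and collects the file name and hash pairs you then enter in the Show contents dialog of Configure trusted add-ins. It assumes the tool was extracted to C:\hashtool as in step 2, that the shell is elevated where the note above requires it, and that the hash is the last non-empty line the batch file prints; the function name and the Contoso paths are constructed for the example.

```powershell
# Added example (not from the Office Resource Kit): runs createhash.bat, the tool the
# procedure above uses, once per add-in and collects the name/hash pairs you then enter
# in the "Configure trusted add-ins" setting. Assumes the tool is extracted to
# C:\hashtool (step 2) and that the hash is the last non-empty line the batch file
# prints; verify that against the tool's output the first time you run it.
function Get-TrustedAddinHashes {
    param(
        [Parameter(Mandatory)] [string[]] $AddinPath,
        [string] $HashToolFolder = 'C:\hashtool'
    )
    $bat = Join-Path $HashToolFolder 'createhash.bat'
    if (-not (Test-Path -LiteralPath $bat)) { throw "createhash.bat not found in $HashToolFolder" }

    Push-Location $HashToolFolder
    try {
        # One-time registration (step 5); repeating it is harmless.
        & $bat /register | Out-Null

        foreach ($path in $AddinPath) {
            # The tool wants the full path to the add-in file (step 6).
            $full  = (Resolve-Path -LiteralPath $path).Path
            $lines = @(& $bat $full 2>&1 | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
            if ($lines.Count -eq 0) { throw "createhash.bat printed nothing for $full" }
            [pscustomobject]@{
                Name = Split-Path -Leaf $full   # item name for the Show contents dialog
                Hash = $lines[-1]               # item value for the Show contents dialog
                Path = $full
            }
        }
    }
    finally { Pop-Location }
}

# Constructed add-in paths; substitute the COM add-in DLLs deployed in your environment.
Get-TrustedAddinHashes -AddinPath 'C:\Program Files\Contoso\ContosoAddin.dll' |
    Export-Csv -NoTypeInformation -LiteralPath (Join-Path $env:TEMP 'trusted-addins.csv')
```

Keep the resulting CSV with the change record for the Group Policy object: when an add-in is updated its hash changes, and the CSV is the quickest way to see which entries in Configure trusted add-ins have to be regenerated.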

Working with Outlook COM add-ins


A COM add-in should be coded so that it takes advantage of the Outlook trust model in order to
run without warning messages in Outlook. Users might continue to see warnings when they
access Outlook features that use the add-in, such as when they synchronize a hand-held device
with Outlook on their desktop computer.
However, users are less likely to see warnings in Office Outlook 2007 than in previous versions of
Outlook. The Object Model (OM) Guard that helps prevent viruses from using the Outlook
Address Book to propagate themselves is updated in Office Outlook 2007. Outlook checks for up-
to-date antivirus software to help determine when to display address book access warnings and
other Outlook security warnings.
If the user continues to see security prompts after the add-in is included in the list of trusted add-
ins, you must work with the COM add-in developer to resolve the problem. For more information
about coding trusted add-ins, see Important Security Notes for Microsoft Outlook COM Add-
in Developers (http://go.microsoft.com/fwlink/?LinkId=74697).
If you enforce customized Outlook security settings with the Microsoft Exchange Server security
form published in an Exchange Server public folder, you can learn how to trust COM add-ins.
Scroll down to the Trusted Code tab section in the Microsoft Office 2003 Resource Kit topic,
Outlook Security Template Settings (http://go.microsoft.com/fwlink/?LinkId=75744).

Note:
To use Group Policy instead of the Exchange security form to configure trusted add-ins,
you must first configure the method that Outlook uses for security settings correctly. For
more information about setting the Outlook security settings method, see Specify the
method Outlook uses to manage virus prevention features.

Configure security for Outlook 2007 folder home pages
In Microsoft Office Outlook 2007, you can view Web pages without leaving Outlook. You do this
by assigning a Web page as a home page for a folder. You can associate a Web page with any
personal or public folder. When you click the folder, Outlook displays the folder home page
assigned to it. Although this feature provides the opportunity to create powerful public folder
applications, scripts can be included on the Web page that access the Outlook object model. This
exposes users to security risks.
You can improve security by using Group Policy to disable folder home pages for all of your
users.
You can lock down this setting (recommended) by using the Outlook Group Policy template
(Outlk12.adm). Or you can configure a default setting by using the Office Customization Tool
(OCT), in which case users can change the setting. The OCT settings are in corresponding
locations on the Modify user settings page of the OCT.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To disable folder home pages by using Group Policy
1. In Group Policy, load the Microsoft Office Outlook 2007 template (Outlk12.adm).
2. Under User Configuration\Administrative Templates\Microsoft Office Outlook
2007\Folder Home Pages for Outlook Special Folders\Settings for Disable Folder Home
Pages, double-click Do not allow Home Page URL to be set in folder Properties.
3. Click Enabled.
4. Click OK.

More information about Outlook folder home pages
These folder home pages do not follow the Outlook security model. They can run scripts, just as
any other Web page can. Access to the Outlook object model allows scripts to manipulate all of
the user’s Outlook information on the computer.
From a security perspective, this means that anyone who can create a public folder and set that
folder with a home page can include scripts that can manipulate data in users’ mailboxes when
the users go to that public folder. Because of this, be cautious about granting permissions for
users to set public folders as home pages.

Configure junk e-mail settings in Outlook 2007
Microsoft Office Outlook 2007 provides features that can help users avoid receiving and reading
junk e-mail messages, including the Junk E-mail Filter and the disabling of automatic content
download from external servers.
You can configure settings to deploy these features to meet the needs of your organization. For
example, you can configure the Junk E-mail Filter to be more aggressive, though in that case it
might catch more legitimate messages as well. Rules that are not part of the junk e-mail
management built into the software are not affected.

Note:
This topic is for Outlook administrators. To learn more about configuring junk e-mail
settings in Outlook on your desktop, see Change the level of protection in the Junk E-Mail
Filter (http://go.microsoft.com/fwlink/?LinkId=81273).

Configuring the Junk E-mail Filter


You can lock down the settings to customize Junk E-mail Filter options by using the Outlook
Group Policy template (Outlk12.adm). Or you can configure default settings by using the Office
Customization Tool (OCT), in which case users can change the settings. The OCT settings are in
corresponding locations on the Modify user settings page of the OCT.

Note:
If you decide to configure Junk E-mail Filter settings in the OCT, see the procedure To
ensure default Junk E-mail settings are applied using the OCT later in this topic for an
additional setting that must be configured.
Use the following procedure to configure Junk E-mail Filter options in Outlook. The Outlook
template and other ADM files can be downloaded from 2007 Office System Administrative
Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft Download
Center.

To configure Outlook Junk E-mail Filter settings in Group Policy


1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm) and go to User
Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools |
Options…\Preferences\Junk E-mail.
2. Double-click the option that you want to configure. For example, double-click Junk E-
mail protection level.
3. Click Enabled.
4. If appropriate, select a radio button for the option you want to set, or choose an
option from a drop-down list.
5. Click OK.

You can configure the following settings for the Outlook Junk E-mail filter.

Junk E-mail filter option Description

Hide Junk Mail UI
    Disable junk e-mail filtering and hide related settings in Outlook.

Junk E-mail protection level
    Select the level of junk e-mail protection for users: No Protection, Low, High, Trusted
    Lists Only.

Permanently delete Junk E-mail
    Permanently delete suspected junk e-mail instead of moving it to the Junk E-mail folder.

Trust E-mail from Contacts
    Trust e-mail addresses included in users' Contacts folders.

Add e-mail recipients to users' Safe Senders Lists
    Automatically add all e-mail recipients to users' Safe Senders Lists.

Overwrite or Append Junk Mail Import List
    Change default from overwrite Junk Mail Import list to append to the list.

Specify path to Safe Senders list
    Specify a text file containing a list of e-mail addresses to append to or overwrite the
    Safe Senders list.

Specify path to Safe Recipients list
    Specify a text file containing a list of e-mail addresses to append to or overwrite the
    Safe Recipients list.

Specify path to Blocked Senders list
    Specify a text file containing a list of e-mail addresses to append to or overwrite the
    Blocked Senders list.

If you configure default values by using the OCT (rather than using Group Policy to lock down
settings), a specific Junk E-mail setting must be configured so the new defaults can be applied.

To ensure default Junk E-mail settings are applied using the OCT
1. In the OCT, on the Modify user settings page, under Microsoft Office Outlook
2007\Tools | Options\Preferences\Junk E-mail, double-click Junk Mail Import list.
2. Click Enabled.
3. Click OK.
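The Safe Senders, Safe Recipients and Blocked Senders settings above all point at a text file whose contents either replace or extend the user's list, depending on Overwrite or Append Junk Mail Import List. As an added example (not code from the Office Resource Kit), the following PowerShell function shows what the user ends up with in each mode and rejects malformed entries before they widen the trust list. The function name and the file layout (one address or domain per line, # comments) are this example's assumptions; the sample entries are constructed.

```powershell
# Added example (not from the Office Resource Kit): builds the resulting Safe Senders
# (or Safe Recipients / Blocked Senders) list from a user's current entries and an
# import file, in either the Overwrite or the Append mode of the "Overwrite or Append
# Junk Mail Import List" setting. One address or domain per line, '#' comments allowed,
# is this example's assumption about the file layout.
function Merge-JunkMailList {
    param(
        [string[]] $CurrentEntries = @(),
        [Parameter(Mandatory)] [string] $ImportFile,
        [ValidateSet('Overwrite', 'Append')] [string] $Mode = 'Overwrite'
    )
    $imported = Get-Content -LiteralPath $ImportFile |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') }

    # Accept user@domain, @domain or domain; anything else is dropped with a warning, since
    # a malformed entry silently widens (or fails to narrow) what the filter trusts.
    $valid = @(foreach ($entry in $imported) {
        if ($entry -match '^(?:[^@\s]+@|@)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$') { $entry }
        else { Write-Warning "Skipping malformed entry: $entry" }
    })

    # Overwrite discards the user's current list; Append keeps it and adds the import.
    $result = if ($Mode -eq 'Append') { @($CurrentEntries) + $valid } else { $valid }
    @($result | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique)
}

# Constructed sample file and a quick comparison of the two modes.
$import = Join-Path $env:TEMP 'safesenders-import.txt'
'partner@example.com', '@example.net', 'not an address' | Set-Content -LiteralPath $import
Merge-JunkMailList -CurrentEntries 'ceo@contoso.com' -ImportFile $import -Mode Overwrite
Merge-JunkMailList -CurrentEntries 'ceo@contoso.com' -ImportFile $import -Mode Append
```

The Overwrite run returns only the two valid imported entries, the Append run keeps ceo@contoso.com as well, and both warn about the malformed line. Running the import file through this check before publishing its path in Group Policy catches typos that would otherwise be copied to every user's list.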

Configuring automatic picture download
To help protect users' privacy and to combat Web beacons—functionality embedded within items
to detect when recipients have viewed an item—Office Outlook 2007 is configured by default to
not automatically download pictures or other content from external servers on the Internet.
You can lock down the settings to customize automatic picture download by using the Outlook
Group Policy template (Outlk12.adm). Or you can configure default settings by using the OCT, in
which case users can change the settings. The OCT settings are in corresponding locations on
the Modify user settings page of the OCT.

To configure options for automatic picture download behavior in Outlook


1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
2. Under User Configuration\Administrative Templates\Microsoft Office Outlook
2007\Tools | Options\Security, click Automatic Picture Download Settings.
3. Double-click the option that you want to configure. For example, double-click Do not
permit download of content from safe zones.
4. Click Enabled.
5. If appropriate, select a radio button for the option you want to set, or choose an
option from a drop-down list.
6. Click OK.

You can configure the following settings for automatic picture download.

Automatic picture download option Description

Display pictures and external content in HTML e-mail
    Enable this option to automatically display external content in HTML mail.

Automatically download content for e-mail from people in Safe Senders and Safe Recipients lists
    Enable this option to automatically download content when an e-mail message is from someone
    in the user's Safe Senders list or to someone in the user's Safe Recipients list.

Do not permit download of content from safe zones
    Disable this option to automatically download content for sites in Safe Zones (as defined
    by Trusted Zones, Internet, and Intranet settings).

Block Trusted Zones
    Disable this option to include Trusted Zones in the Safe Zones for Automatic Picture
    Download.

Include Internet in Safe Zones for Automatic Picture Download
    Automatically download pictures for all Internet e-mail.

Include Intranet in Safe Zones for Automatic Picture Download
    Automatically download pictures for all Intranet e-mail.

More about automatic picture download
Messages in HTML format often include pictures or sounds. Sometimes these pictures or sounds
are not included in the message, but are instead downloaded from a Web server when the e-mail
message is opened or previewed. This is typically done by legitimate senders to avoid sending
extra-large messages.
However, junk e-mail senders can use a link to content on external servers to include a Web
beacon in e-mail messages, which notifies the Web server when users read or preview the
message. The Web beacon notification validates the user's e-mail address to the junk e-mail
sender, which can result in more junk e-mail being sent to the user.
This feature to not automatically download pictures or other content can also help users to avoid
viewing potentially offensive material (for external content linked to the message) and, if they are
on a low bandwidth connection, to decide whether an image warrants the time and bandwidth to
download it. Users can view the blocked pictures or content in a message by clicking the InfoBar
under the message header or by right-clicking the blocked image.
By default, Outlook does not download pictures or other content automatically, except when the
external content comes from a Web site in the Trusted Sites zone or from an address or domain
specified in the Safe Senders List. You can change this behavior so that content from any of the
zones (Trusted Sites, Local Intranet, and Internet) will be downloaded automatically or blocked
automatically.
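The six options and the default behaviour described above combine into a single decision per message: is the linked content fetched, and if so why. As an added example (not code from the Office Resource Kit), the following PowerShell function makes that decision for a given sender, recipients, content zone and policy values, so the effect of a proposed policy can be checked against sample messages before it is deployed. The function names, the zone labels and the setting keys are this example's own; the addresses are constructed.

```powershell
# Added example (not from the Office Resource Kit): decides whether Outlook would fetch
# external content for a message, following the defaults and the six policy options
# described above. Zone names and setting keys are this example's own labels.

# An address matches a Safe Senders / Safe Recipients entry if the entry is the full
# address or the address's domain (with or without a leading '@').
function Test-ListMatch([string] $Address, [string[]] $List) {
    $domain = ($Address -split '@')[-1]
    foreach ($entry in $List) {
        if ($entry -ieq $Address -or $entry.TrimStart('@') -ieq $domain) { return $true }
    }
    return $false
}

function Test-ExternalContentDownload {
    param(
        [Parameter(Mandatory)] [string] $Sender,
        [string[]] $Recipients = @(),
        # Security zone of the site the linked content is hosted on.
        [Parameter(Mandatory)] [ValidateSet('TrustedSites', 'LocalIntranet', 'Internet', 'Restricted')]
        [string] $ContentZone,
        [string[]] $SafeSenders = @(),
        [string[]] $SafeRecipients = @(),
        # Policy values, keyed by names that mirror the table above; unset keys fall back
        # to the defaults the text describes (block everything except Trusted Sites and
        # Safe Senders).
        [hashtable] $Settings = @{}
    )
    function Get-Setting([string] $Name, [bool] $Default) {
        if ($Settings.ContainsKey($Name)) { [bool] $Settings[$Name] } else { $Default }
    }
    function New-Decision([bool] $Download, [string] $Reason) {
        [pscustomobject]@{ Download = $Download; Reason = $Reason }
    }
    $displayAll   = Get-Setting 'DisplayPicturesAndExternalContent'      $false
    $useSafeLists = Get-Setting 'AutoDownloadForSafeSendersAndRecipients' $true
    $noSafeZones  = Get-Setting 'DoNotPermitDownloadFromSafeZones'        $false
    $blockTrusted = Get-Setting 'BlockTrustedZones'                       $false
    $internetSafe = Get-Setting 'IncludeInternetInSafeZones'              $false
    $intranetSafe = Get-Setting 'IncludeIntranetInSafeZones'              $false

    # 1. A blanket "display external content" policy overrides every other check.
    if ($displayAll) { return New-Decision $true 'external content display is enabled for all HTML mail' }

    # 2. Safe Senders / Safe Recipients lists.
    if ($useSafeLists) {
        if (Test-ListMatch $Sender $SafeSenders) { return New-Decision $true "sender $Sender is on the Safe Senders list" }
        foreach ($r in $Recipients) {
            if (Test-ListMatch $r $SafeRecipients) { return New-Decision $true "recipient $r is on the Safe Recipients list" }
        }
    }

    # 3. Zone membership, unless zone-based downloads are switched off entirely.
    if (-not $noSafeZones) {
        $safeZones = @()
        if (-not $blockTrusted) { $safeZones += 'TrustedSites' }
        if ($internetSafe)      { $safeZones += 'Internet' }
        if ($intranetSafe)      { $safeZones += 'LocalIntranet' }
        if ($safeZones -contains $ContentZone) { return New-Decision $true "content site is in the $ContentZone zone, a safe zone" }
    }
    New-Decision $false 'content stays blocked until the user chooses to download it'
}

# Constructed scenario: an Internet-hosted beacon in mail from an unknown sender is
# blocked under the defaults, but released once Internet is added to the safe zones.
$mail = @{ Sender = 'news@example.com'; ContentZone = 'Internet'; SafeSenders = @('partner.example.net') }
Test-ExternalContentDownload @mail
Test-ExternalContentDownload @mail -Settings @{ IncludeInternetInSafeZones = 1 }
```

The second call is the configuration to be wary of: with Internet in the safe zones, every Web beacon in every Internet message fires as soon as the message is previewed, which is exactly the address validation the section above describes.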

See Also
Plan for limiting junk e-mail in Outlook 2007
Create and deploy Junk E-mail Filter lists in Outlook 2007 (http://technet.microsoft.com/en-
us/library/cc179056.aspx)

III. Security Technical Reference

Security policies and settings in the 2007 Office system
This section provides technical reference information for the security settings and privacy options
in the 2007 Microsoft Office system. You can use this information to determine:
• What a setting does.
• What the default configuration is for a setting.
• Which tool to use to configure a setting.
• Where to find the setting in the Office Customization Tool (OCT) or the Group Policy
Object Editor.

Note:
To use Group Policy to manage the 2007 Office system, you must load the Office
2007 Administrative Templates (that is, .adm files) into the Group Policy Object
Editor.
The following security settings and privacy options are discussed in this section:
Trusted locations and trusted publishers settings
ActiveX control settings
Add-in settings
Visual Basic for Applications (VBA) macro settings
Document protection settings
External content settings
Internet Explorer feature control settings
Privacy options
Block file format settings

Trusted locations and trusted publishers settings


Trusted locations and trusted publishers settings enable you to specify trusted sources of active
content, such as ActiveX controls and Visual Basic for Applications (VBA) macros.

Trusted locations settings
You can configure trusted locations settings for the following applications: Microsoft Office Access
2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007,
and Microsoft Office Word 2007. There are two types of trusted locations settings: global settings,
which apply to all applications; and application-specific settings, which can be configured
separately for each application.

Global trusted locations settings


Global trusted locations settings apply to Office Access 2007, Office Excel 2007, Office
PowerPoint 2007, Office Visio 2007, and Office Word 2007. The settings are described in the
following table.

Setting name Default configuration Description

Setting name: Allow mix of policy and user locations
Default configuration: A mix of policy and user locations is allowed.
Description: By default, a computer can have trusted locations that are created by users
    through the graphical user interface and trusted locations that are created by
    administrators through Group Policy or the OCT. Disabling this setting prevents users from
    creating trusted locations through the graphical user interface and disables all trusted
    locations that are created by users through the graphical user interface and all trusted
    locations that are created by administrators through the OCT.

Setting name: Trusted Location #1
    Trusted Location #2
    Trusted Location #n
Default configuration: Trusted locations are not specified (see note).
Description: This setting enables you to specify trusted locations globally for Office Access
    2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007.
    You can configure this setting only through Group Policy; you cannot configure global
    trusted locations through the OCT.

Setting name: Remove all trusted locations written by the OCT during installation
Default configuration: This setting is not selected.
Description: If you select this setting, all trusted locations that are specified by the OCT
    are deleted. This setting can be configured only on the Office security settings page of
    the OCT. You cannot configure this setting through Group Policy.

Note:
Several trusted locations are specified by default during installation. These default trusted
locations do not appear in the OCT or in the Group Policy Object Editor. For more
information about default trusted locations, see "Default trusted location settings" in
Evaluate default security settings and privacy options for the 2007 Office system.
You can find the Allow mix of policy and user locations setting at the following location on the
Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings/Trust Center
You can find the Trusted Location #1…#n settings and the Allow mix of policy and user
locations setting at the following location in the User Configuration/Administrative Templates
node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings/Trust Center

Application-specific trusted locations settings
Application-specific trusted locations settings must be configured separately for Office Access
2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. The
settings are described in the following table.

Setting name Default configuration Description

Setting name: Allow Trusted Locations not on the computer
Default configuration: Trusted locations that are not on the computer are not allowed.
Description: By default, trusted locations that are network shares are disabled, but users can
    still select the Allow Trusted Locations on my network check box in the Trust Center
    graphical user interface. If this setting is set to Disabled and a user attempts to
    designate a network share as a trusted location, a warning informs the user that the
    current security settings do not allow the creation of trusted locations with remote paths
    or network paths. If an administrator designates a network share as a trusted location
    through Group Policy or by using the OCT and this setting is Disabled, the trusted location
    is disabled and is not recognized by an application.

Setting name: Disable all trusted locations
Default configuration: Trusted locations are enabled.
Description: Enabling this setting disables all trusted locations, including trusted locations
    that are:
    • Created by default during setup.
    • Created by users through the graphical user interface.
    • Deployed through Group Policy.
    Enabling this setting also prevents users from configuring trusted locations settings in
    the Trust Center.

Setting name: Trusted Location #1
    Trusted Location #2
    Trusted Location #n
Default configuration: Trusted locations are not specified (see Note).
Description: This setting allows you to specify trusted locations separately for Office Access
    2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007.
    You can configure this setting through the OCT and through Group Policy.

Note:
Several trusted locations are specified by default during installation. These default trusted
locations do not appear in the OCT or in the Group Policy Object Editor. For more
information about default trusted locations, see "Default trusted location settings" in
Evaluate default security settings and privacy options for the 2007 Office system.
You can find these settings at the following locations on the Modify user settings page of the OCT:
Microsoft Office Access 2007/Application Settings/Security/Trust Center/Trusted Locations
Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations
Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office Access 2007/Security/Trust Center/Trusted Locations
Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations
Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
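The global and application-specific settings above interact: Disable all trusted locations overrides everything, Allow Trusted Locations not on the computer decides whether a network share counts even when an administrator deployed it, and Allow mix of policy and user locations decides whether user-created and OCT-created locations survive. As an added example (not code from the Office Resource Kit), the following PowerShell function applies those rules to a file path and a list of configured locations so a planned combination can be checked against the paths users actually open. The function name, the Source labels, the entry shape and the rule that a file in a subfolder of a trusted folder counts as inside it are this example's assumptions; all paths are constructed.

```powershell
# Added example (not from the Office Resource Kit): evaluates whether a file sits in an
# active trusted location given the settings described above. Entry shapes, source
# labels and the rule that subfolders of a trusted folder count are this example's own
# assumptions.
function Test-TrustedLocation {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        # Each entry: @{ Path = '<folder>'; Source = 'Default' | 'User' | 'OCT' | 'Policy' }
        [Parameter(Mandatory)] [hashtable[]] $TrustedLocations,
        [bool] $DisableAllTrustedLocations = $false,
        [bool] $AllowMixOfPolicyAndUserLocations = $true,
        [bool] $AllowTrustedLocationsNotOnTheComputer = $false
    )
    function New-Result([bool] $Trusted, [string] $Reason) {
        [pscustomobject]@{ Trusted = $Trusted; Reason = $Reason; File = $FilePath }
    }
    # "Disable all trusted locations" switches off default, user and policy locations alike.
    if ($DisableAllTrustedLocations) { return New-Result $false 'Disable all trusted locations is enabled' }

    $file = $FilePath.ToLowerInvariant()
    $blocked = @()
    foreach ($loc in $TrustedLocations) {
        $folder = $loc.Path.TrimEnd('\').ToLowerInvariant()
        if (-not $file.StartsWith($folder + '\')) { continue }   # not inside this location

        if ($folder.StartsWith('\\') -and -not $AllowTrustedLocationsNotOnTheComputer) {
            # Network shares are disabled unless "Allow Trusted Locations not on the
            # computer" is enabled, even when an administrator designated them.
            $blocked += "$($loc.Path) is a network share and network locations are not allowed"
            continue
        }
        if (-not $AllowMixOfPolicyAndUserLocations -and $loc.Source -in @('User', 'OCT')) {
            # With the mix disabled, locations created by users or written by the OCT are
            # disabled; default and Group Policy locations are unaffected.
            $blocked += "$($loc.Path) ($($loc.Source)) is disabled because policy and user locations may not be mixed"
            continue
        }
        return New-Result $true "$($loc.Path) ($($loc.Source)) is an active trusted location"
    }
    if ($blocked.Count -gt 0) { return New-Result $false ($blocked -join '; ') }
    New-Result $false 'not inside any trusted location'
}

# Constructed locations and files; paths are illustrative only.
$locations = @(
    @{ Path = 'C:\OfficeTrusted';     Source = 'Default' },
    @{ Path = '\\fileserver\macros';  Source = 'Policy' },
    @{ Path = 'D:\Downloads';         Source = 'User' }
)
Test-TrustedLocation -FilePath '\\fileserver\macros\q1.xlsm' -TrustedLocations $locations
Test-TrustedLocation -FilePath '\\fileserver\macros\q1.xlsm' -TrustedLocations $locations -AllowTrustedLocationsNotOnTheComputer $true
Test-TrustedLocation -FilePath 'D:\Downloads\invoice.docm' -TrustedLocations $locations -AllowMixOfPolicyAndUserLocations $false
```

The first call shows the case administrators most often trip over: a share deployed through Group Policy is still not trusted until Allow Trusted Locations not on the computer is enabled. The third call shows why disabling the mix is a useful hardening step, since a user-added downloads folder stops being a place where macros run without prompts.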

Trusted publishers settings


There is one setting for configuring trusted publishers. This setting enables you to add a
publisher's digital certificate to the Trusted Publishers list and can be configured only in the OCT.
The Office 2007 Administrative Templates do not provide a setting for adding publishers to the
Trusted Publishers list. You can find the trusted publishers setting on the Office security settings
page in the OCT, under Add the following digital certificates to the Trusted Publishers list.
By default, there are no publishers on the Trusted Publishers list.
The following applications use the Trusted Publishers list:
Office Access 2007
Office Excel 2007
Microsoft Office InfoPath 2007
Microsoft Office Outlook 2007
Office PowerPoint 2007
Microsoft Office Publisher 2007
Office Visio 2007
Office Word 2007

ActiveX control settings


You can use the ActiveX control settings to disable ActiveX controls and change the way ActiveX
controls are initialized.

Settings for disabling ActiveX controls


You can disable ActiveX controls by configuring the Disable All ActiveX setting, which exists in
the OCT and in the Group Policy Object Editor. This setting modifies a registry entry named
DisableAllActiveX. The 2007 Office system evaluates this registry entry to determine whether to
disable ActiveX controls when a user opens a file that contains ActiveX controls. When this
registry entry has a value of 1, ActiveX controls are disabled. When this registry entry has a value
of 0, ActiveX controls are enabled. This setting applies only to the 2007 Office system and does
not apply to earlier versions of Office.

Note:
ActiveX controls cannot be disabled in files that are saved in trusted locations. When a
file is opened from a trusted location, all active content in the file is initialized and allowed
to run without notification, even if DisableAllActiveX is set to 1.
When you use the OCT to disable ActiveX controls, the DisableAllActiveX registry entry is written
to:
HKEY_CURRENT_USER/Software/Microsoft/Office/Common/Security
When you use the Group Policy Object Editor to disable ActiveX controls, the DisableAllActiveX
registry entry is written to:
HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/Common/Security
There is one setting for disabling ActiveX controls. This setting is described in the following table.

Setting name: Disable All ActiveX
Default configuration: Disabled
Description: When you enable this setting, all ActiveX controls are disabled and will not initialize
when a user opens a file that contains ActiveX controls. Also, when you enable this setting, users
are not notified that ActiveX controls are disabled. This setting can be configured in the OCT and
with the Group Policy Object Editor. This setting applies only to applications in the 2007 Office
system. This setting does not disable ActiveX controls in files that are opened by earlier versions
of Office.

You can find the Disable All ActiveX setting at the following location on the Modify user settings
page of the OCT:
Microsoft Office 2007 system/Security Settings
You can also find the DisableAllActiveX setting at the following location in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings

Note:
You can also disable ActiveX controls by configuring ActiveX control initialization settings.
These settings are discussed in the following section.

Settings for changing the way ActiveX controls are initialized
You can change the way ActiveX controls are initialized by configuring the Unsafe ActiveX
initialization setting in the OCT or by configuring the ActiveX Control Initialization setting in
Group Policy. Both settings modify a registry entry named UFIControls. The 2007 Office system
and earlier versions of Office evaluate this registry entry to determine how to initialize ActiveX
controls.
There are six possible values for the UFIControls registry entry. The values are described in the
following table.

UFIControls value: 1
Loads SFI controls in safe mode? No
Initialization behavior when a VBA project is present: Initializes SFI and UFI controls with minimal
restrictions (that is, persisted values). If persisted values are not available, the controls are
initialized with default values by using the InitNew method. Users are not notified that ActiveX
controls are enabled.
Initialization behavior when no VBA project is present: ActiveX controls are initialized the same
way that they are when a VBA project is present.

UFIControls value: 2
Loads SFI controls in safe mode? Yes
Initialization behavior when a VBA project is present: Initializes SFI and UFI controls with minimal
restrictions (that is, persisted values). If persisted values are not available, the controls are
initialized with default values by using the InitNew method. Users are not notified that ActiveX
controls are enabled.
Initialization behavior when no VBA project is present: ActiveX controls are initialized the same
way that they are when a VBA project is present.

UFIControls value: 3
Loads SFI controls in safe mode? No
Initialization behavior when a VBA project is present: Prompts users to enable or disable controls.
If the user enables controls, SFI controls are initialized with minimal restrictions (that is, with
persisted values) and UFI controls are initialized with default values by using the InitNew method.
Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI
controls are initialized with minimal restrictions (that is, persisted values). If persisted values
are not available, SFI controls are initialized with default values by using the InitNew method.
Users are not prompted to enable SFI controls. If the file contains UFI controls, users are
prompted to enable or disable controls. If the user enables controls, SFI controls are initialized
with minimal restrictions and UFI controls are initialized with default values by using the InitNew
method.

UFIControls value: 4
Loads SFI controls in safe mode? Yes
Initialization behavior when a VBA project is present: Prompts users to enable or disable controls.
If the user enables controls, SFI controls are initialized with minimal restrictions (that is, with
persisted values) and UFI controls are initialized with default values by using the InitNew method.
Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI
controls are initialized with minimal restrictions (that is, persisted values). If persisted values
are not available, SFI controls are initialized with default values by using the InitNew method.
Users are not prompted to enable SFI controls. If the file contains UFI controls, users are
prompted to enable or disable controls. If the user enables controls, SFI controls are initialized
with minimal restrictions and UFI controls are initialized with default values by using the InitNew
method.

UFIControls value: 5
Loads SFI controls in safe mode? No
Initialization behavior when a VBA project is present: Prompts users to enable or disable controls.
If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that
is, with persisted values). If persisted values are not available, controls are initialized with
default values by using the InitNew method.
Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI
controls are initialized with minimal restrictions (that is, persisted values). If persisted values
are not available, SFI controls are initialized with default values by using the InitNew method.
Users are not prompted to enable SFI controls. If the file contains UFI controls, users are
prompted to enable or disable controls. If the user enables controls, SFI and UFI controls are
initialized with minimal restrictions (that is, persisted values). If persisted values are not
available, controls are initialized with default values by using the InitNew method.

UFIControls value: 6
Loads SFI controls in safe mode? Yes
Initialization behavior when a VBA project is present: Prompts users to enable or disable controls.
If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that
is, with persisted values). If persisted values are not available, controls are initialized with
default values by using the InitNew method.
Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI
controls are initialized with minimal restrictions (that is, persisted values). If persisted values
are not available, SFI controls are initialized with default values by using the InitNew method.
Users are not prompted to enable SFI controls. If the file contains UFI controls, users are
prompted to enable or disable controls. If the user enables controls, SFI and UFI controls are
initialized with minimal restrictions (that is, persisted values). If persisted values are not
available, controls are initialized with default values by using the InitNew method.

When you configure the Unsafe ActiveX initialization setting in the OCT, the UFIControls
registry entry is written to:
HKEY_CURRENT_USER/Software/Microsoft/Office/12.0/Common/Security
When you configure the ActiveX Control Initialization setting through Group Policy, the
UFIControls registry entry is written to:
HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/Common/Security

The following table describes the Unsafe ActiveX initialization settings that are in the OCT. You
can find the Unsafe ActiveX initialization setting on the Office security settings page of the OCT.

Setting: <do not configure>
Initialization behavior when a VBA project is present: This is the default setting. Initialization
behavior is the same as Prompt user to use persisted data.
Initialization behavior when no VBA project is present: This is the default setting. Initialization
behavior is the same as Prompt user to use persisted data.

Setting: Prompt user to use control defaults
Initialization behavior when a VBA project is present: Prompts users to enable or disable controls.
If the user enables controls, SFI controls are initialized with minimal restrictions (that is, with
persisted values) and UFI controls are initialized with default values by using the InitNew method.
SFI controls are initialized in safe mode.
Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI
controls are initialized with minimal restrictions (that is, persisted values). If persisted values
are not available, SFI controls are initialized with default values by using the InitNew method. SFI
controls are initialized in safe mode. Users are not prompted to enable SFI controls. If the file
contains UFI controls, users are prompted to enable or disable controls. If the user enables
controls, SFI controls are initialized with minimal restrictions and UFI controls are initialized
with default values by using the InitNew method. SFI controls are initialized in safe mode.

Setting: Prompt user to use persisted data
Initialization behavior when a VBA project is present: Prompts users to enable or disable controls.
If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that
is, with persisted values). If persisted values are not available, controls are initialized with
default values by using the InitNew method. SFI controls are initialized in safe mode.
Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI
controls are initialized with minimal restrictions (that is, persisted values). If persisted values
are not available, SFI controls are initialized with default values by using the InitNew method. SFI
controls are initialized in safe mode. Users are not prompted to enable SFI controls. If the file
contains UFI controls, users are prompted to enable or disable controls. If the user enables
controls, SFI and UFI controls are initialized with minimal restrictions (that is, persisted
values). If persisted values are not available, controls are initialized with default values by
using the InitNew method.

Setting: Do not prompt
Initialization behavior when a VBA project is present: Initializes SFI and UFI controls with minimal
restrictions (that is, persisted values). If persisted values are not available, the controls are
initialized with default values by using the InitNew method. Users are not notified that ActiveX
controls are enabled. SFI controls are not loaded in safe mode.
Initialization behavior when no VBA project is present: SFI and UFI controls are initialized with
minimal restrictions (that is, persisted values). If persisted values are not available, the
controls are initialized with default values by using the InitNew method. Users are not notified
that ActiveX controls are enabled. SFI controls are not loaded in safe mode.

Setting: Do not prompt and disable all controls
Initialization behavior when a VBA project is present: All ActiveX controls are disabled and will
not initialize when a user opens a file that contains ActiveX controls. Users are not notified that
ActiveX controls are disabled. This setting applies only to applications in the 2007 Office system.
This setting does not disable ActiveX controls in files that are opened by earlier versions of
Office.
Initialization behavior when no VBA project is present: All ActiveX controls are disabled and will
not initialize when a user opens a file that contains ActiveX controls. Users are not notified that
ActiveX controls are disabled. This setting applies only to applications in the 2007 Office system.
This setting does not disable ActiveX controls in files that are opened by earlier versions of
Office.

You can find the ActiveX Control Initialization setting at the following location in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings
You can configure the ActiveX Control Initialization setting with a value from 1 to 6. These
values correspond to the values of the UFIControls registry entry that are described in a previous
table.

The following table shows how the OCT, Group Policy, and Trust Center settings correspond to
the values of the UFIControls and DisableAllActiveX registry entries.

Registry values: UFIControls=1, DisableAllActiveX=0
Group Policy settings: ActiveX Control Initialization: Enabled; ActiveX Control Initialization
dropdown box: 1
OCT settings: Unsafe ActiveX initialization dropdown box: Do not prompt
Trust Center settings: Enable all controls without restriction and without prompting (not
recommended; potentially dangerous controls can run); Safe mode checkbox (not selected)

Registry values: UFIControls=2, DisableAllActiveX=0
Group Policy settings: ActiveX Control Initialization: Enabled; ActiveX Control Initialization
dropdown box: 2
OCT settings: Cannot be configured in the OCT.
Trust Center settings: Enable all controls without restriction and without prompting (not
recommended; potentially dangerous controls can run); Safe mode checkbox (selected)

Registry values: UFIControls=3, DisableAllActiveX=0
Group Policy settings: ActiveX Control Initialization: Enabled; ActiveX Control Initialization
dropdown box: 3
OCT settings: Cannot be configured in the OCT.
Trust Center settings: Prompt me before enabling Unsafe for Initialization (UFI) controls with
additional restrictions and Safe for Initialization (SFI) controls with minimal restrictions; Safe
mode checkbox (not selected)

Registry values: UFIControls=4, DisableAllActiveX=0
Group Policy settings: ActiveX Control Initialization: Enabled; ActiveX Control Initialization
dropdown box: 4
OCT settings: Unsafe ActiveX initialization dropdown box: Prompt user to use control defaults
Trust Center settings: Prompt me before enabling Unsafe for Initialization (UFI) controls with
additional restrictions and Safe for Initialization (SFI) controls with minimal restrictions; Safe
mode checkbox (selected)

Registry values: UFIControls=5, DisableAllActiveX=0
Group Policy settings: ActiveX Control Initialization: Enabled; ActiveX Control Initialization
dropdown box: 5
OCT settings: Cannot be configured in the OCT.
Trust Center settings: Prompt me before enabling all controls with minimal restrictions; Safe mode
checkbox (not selected)

Registry values: UFIControls=6, DisableAllActiveX=0
Group Policy settings: ActiveX Control Initialization: Enabled; ActiveX Control Initialization
dropdown box: 6
OCT settings: Unsafe ActiveX initialization dropdown box: Prompt user to use persisted data
Trust Center settings: Prompt me before enabling all controls with minimal restrictions; Safe mode
checkbox (selected)

Registry values: DisableAllActiveX=1
Group Policy settings: Disable All ActiveX: Enabled; Disable All ActiveX checkbox (selected)
OCT settings: Unsafe ActiveX initialization dropdown box: Do not prompt and disable all controls
Trust Center settings: Disable all controls without notification; Safe mode checkbox (unavailable)

Add-in settings
There are three main types of security settings for add-ins:
• Settings for disabling add-ins.
• Settings for requiring that add-ins are signed by a trusted publisher.
• Settings for disabling notifications for unsigned add-ins.

Settings for disabling add-ins


You can disable add-ins by configuring the Disable all application add-ins setting, which exists
in the OCT and the Group Policy Object Editor, or by configuring the Application add-ins
warnings options setting, which exists only in the OCT. Neither of these settings is global; both
settings must be configured on a per-application basis for the following applications:
Office Access 2007
Office Excel 2007
Office PowerPoint 2007
Office Publisher 2007
Office Visio 2007
Office Word 2007

The settings are described in the following table.

Setting name: Disable all application add-ins
Default configuration: Disabled
Description: When you enable this setting, all add-ins are disabled and users are not notified that
add-ins are disabled. This setting can be configured in the OCT and in the Group Policy Object
Editor. You must configure this setting on a per-application basis. This setting does not exist for
Office Publisher 2007. To disable add-ins in Office Publisher 2007, you must use the Application
add-ins warnings options setting.

Setting name: Application add-ins warnings options
Default configuration: Enable all installed application add-ins (application default)
Description: When you set this setting to Disable all application extensions, all add-ins are
disabled and users are not notified that add-ins are disabled. This setting can be configured only
in the OCT. You must configure this setting on a per-application basis.

You can find the Disable all application add-ins setting at the following locations on the Modify
user settings page of the OCT:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

You can find the Disable all application add-ins setting at the following locations in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
User Configuration/Administrative Templates/Microsoft Office Access 2007/Application
Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust
Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
You can find the Application add-ins warnings options settings on the Office security settings
page of the OCT, under Default security settings.

Settings for requiring that add-ins are signed by a trusted publisher

You can require that add-ins are signed by a trusted publisher by configuring the Require that
application add-ins are signed by trusted publisher setting, which exists in the OCT and the
Group Policy Object Editor, or by configuring the Application add-ins warnings options setting,
which exists only in the OCT. Neither of these settings is global; both settings must be configured
on a per-application basis for the following applications:
Office Access 2007
Office Excel 2007
Office PowerPoint 2007
Office Publisher 2007
Office Visio 2007
Office Word 2007

The settings are described in the following table.

Setting name: Require that application add-ins are signed by trusted publisher
Default configuration: Disabled
Description: When you enable this setting, add-ins that are signed by a publisher that is on the
trusted publishers list will run without notification. Unsigned add-ins and add-ins that are signed
by a publisher that is not on the trusted publishers list are disabled, but users are prompted to
enable or disable the add-ins. This setting can be configured in the OCT and with the Group Policy
Object Editor. You must configure this setting on a per-application basis.

Setting name: Application add-ins warnings options
Default configuration: Enable all installed application add-ins (application default)
Description: When you set this setting to Require that application extensions are signed by
trusted publisher, add-ins that are signed by a publisher that is on the trusted publishers list
will run without notification. Unsigned add-ins and add-ins that are signed by a publisher that is
not on the trusted publishers list are disabled, but users are prompted to enable or disable the
add-ins. This setting can be configured only in the OCT. You must configure this setting on a
per-application basis.

219
You can find the Require that application add-ins are signed by trusted publisher setting at
the following locations on the Modify user settings page of the OCT:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Publisher 2007/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
You can find the Require that application add-ins are signed by trusted publisher setting at
the following locations in the User Configuration/Administrative Templates node of the Group
Policy Object Editor:
User Configuration/Administrative Templates/Microsoft Office Access 2007/Application
Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust
Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
You can find the Application add-ins warnings options settings on the Office security settings
page of the OCT, under Default security settings.

Settings for disabling notifications for unsigned add-ins


You can disable notifications for unsigned add-ins by configuring the Disable trust bar
notifications for unsigned application add-ins setting, which exists in the OCT and the Group
Policy Object Editor, or by configuring the Application add-ins warnings options setting, which
exists only in the OCT. Neither of these settings is global; both settings must be configured on a
per-application basis for the following applications:
Office Access 2007
Office Excel 2007
Office PowerPoint 2007
Office Publisher 2007
Office Visio 2007
Office Word 2007
The settings are described in the following table.

Setting name: Disable trust bar notification for unsigned application add-ins
Default configuration: Disabled
Description: This setting must be used in conjunction with the Require that application add-ins
are signed by trusted publisher setting. When you enable the Disable trust bar notification for
unsigned application add-ins setting, signed add-ins that are not trusted are disabled, but users
are prompted to enable or disable the add-ins. Unsigned add-ins are also disabled, but users are
not notified and they are not prompted to enable or disable the unsigned add-ins. This setting can
be configured in the OCT and in the Group Policy Object Editor. You must configure this setting on
a per-application basis.

Setting name: Application add-ins warnings options
Default configuration: Enable all installed application add-ins (application default)
Description: When you set this setting to Require that extensions are signed, and silently disable
unsigned extensions, signed add-ins that are not trusted are disabled, but users are prompted to
enable or disable the add-ins. Unsigned add-ins are also disabled, but users are not notified and
they are not prompted to enable or disable the unsigned add-ins. This setting can be configured
only in the OCT. You must configure this setting on a per-application basis.

You can find the Disable trust bar notification for unsigned application add-ins setting at the
following locations on the Modify user settings page of the OCT:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Publisher 2007/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
You can find the Disable trust bar notification for unsigned application add-ins setting at the
following locations in the User Configuration/Administrative Templates node of the Group Policy
Object Editor:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Publisher 2007/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
You can find the Application add-ins warnings options settings on the Office security settings
page of the OCT, under Default security settings.

VBA macro settings


Macro security settings enable you to change the way macros behave and the way users are
notified about macros. There are four main types of security settings for macros:
• Settings for changing the default behavior of macros.
• Settings for changing VBA.
• Settings for changing macro behavior in applications that are started programmatically
through Automation.
• Settings for preventing virus-scanning programs from scanning encrypted macros.

Settings for changing the default behavior of macros


You can change the default behavior of macros by configuring the VBA macro warning settings
setting in Group Policy, or the VBA macro warnings options setting in the OCT. These settings
must be configured on a per-application basis, and can be configured only for the following
applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007

Note:
You can also change the default macro security settings for Office Outlook 2007. See the
Office Outlook 2007 security documentation for more information.
The VBA macro warning settings and VBA macro warnings options settings modify a registry
entry named VBAWarnings. Each application evaluates this registry entry to determine how to run
macros. There are four possible values for the VBAWarnings registry entry. The values are
described in the following table.

VBAWarnings value: 1
Description: Untrusted and trusted macros are allowed to run without notification.

VBAWarnings value: 2
Description: All untrusted macros are disabled, but users are notified about untrusted macros and
can enable or disable untrusted macros. Trusted macros are allowed to run without notification.
This is the default setting.

VBAWarnings value: 3
Description: Unsigned macros are disabled without notification. Users are notified about signed
macros and can enable or disable signed macros. Trusted macros are allowed to run without
notification.

VBAWarnings value: 4
Description: Untrusted macros are disabled and users are not notified that untrusted macros are
disabled. In addition, users cannot use the Message Bar or any other dialog to enable untrusted
macros. Trusted macros are allowed to run without notification.

When you configure the VBA macro warnings options setting in the OCT, the VBAWarnings
registry entry is written to:
HKEY_CURRENT_USER/Software/Microsoft/Office/12.0/program name/Security
Where program name can be any of the following:
Access
Excel
PowerPoint
Publisher
Visio
Word

When you configure the VBA macro warning settings setting through Group Policy, the
VBAWarnings registry entry is written to:
HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/12.0/program name/Security
Where program name can be any of the following:
Access
Excel
PowerPoint
Publisher
Visio
Word
The following table shows how the OCT, Group Policy, and Trust Center settings correspond to
the values of the VBAWarnings registry entry.

Registry values: VBAWarnings=1
VBA macro warning settings (Group Policy): Enabled; No security checks for macros (not
recommended, code in all documents can run)
VBA macro warnings options (OCT): No security checks for VBA macros (not recommended, code in all
documents can run)
Macro settings (Trust Center): Enable all macros (not recommended; potentially dangerous code can
run)

Registry values: VBAWarnings=2
VBA macro warning settings (Group Policy): Enabled; Trust Bar warning for all macros
VBA macro warnings options (OCT): Disable all VBA macros with notification (application default)
Macro settings (Trust Center): Disable all macros with notification

Registry values: VBAWarnings=3
VBA macro warning settings (Group Policy): Enabled; Trust Bar warning for digitally signed macros
only (unsigned macros will be disabled)
VBA macro warnings options (OCT): Disable Trust Bar warning for unsigned VBA macros (unsigned code
will be disabled)
Macro settings (Trust Center): Disable all macros except digitally signed macros

Registry values: VBAWarnings=4
VBA macro warning settings (Group Policy): Enabled; No warnings for all macros, but disable all
macros
VBA macro warnings options (OCT): Disable all VBA macros without notification
Macro settings (Trust Center): Disable all macros without notification

You can find the VBA macro warnings options setting on the Office security settings page of the
OCT, under Default security settings.

You can find the VBA macro warning settings setting at the following locations in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Publisher 2007/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
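The PowerShell script below is an added example, not part of the Office Resource Kit or the OCT, that reads the DisableAllActiveX, UFIControls and per-application VBAWarnings entries from both the Group Policy and the OCT registry locations named in this chapter and reports the effective Trust Center setting for the current user. It assumes that a value under the Policies key takes precedence over the same value under the OCT key, uses the registry paths exactly as given here, and treats a missing VBAWarnings entry as the documented default value 2.

```powershell
# Added example: audit effective ActiveX and VBA macro settings for the current user.
# Assumption (not stated in this chapter): a value under the Policies (Group Policy)
# key wins over the same value under the OCT / user key when both are present.

$PolicyCommon      = 'HKCU:\Software\Policies\Microsoft\Office\Common\Security'
$UserCommonActiveX = 'HKCU:\Software\Microsoft\Office\Common\Security'       # DisableAllActiveX (OCT)
$UserCommonUFI     = 'HKCU:\Software\Microsoft\Office\12.0\Common\Security'  # UFIControls (OCT)

# UFIControls value -> Trust Center wording and Safe mode checkbox state (mapping table above).
$UfiMeaning = @{
    1 = @{ TrustCenter = 'Enable all controls without restriction and without prompting'; SafeMode = $false; NotRecommended = $true  }
    2 = @{ TrustCenter = 'Enable all controls without restriction and without prompting'; SafeMode = $true;  NotRecommended = $true  }
    3 = @{ TrustCenter = 'Prompt before enabling UFI controls with additional restrictions and SFI controls with minimal restrictions'; SafeMode = $false; NotRecommended = $false }
    4 = @{ TrustCenter = 'Prompt before enabling UFI controls with additional restrictions and SFI controls with minimal restrictions'; SafeMode = $true;  NotRecommended = $false }
    5 = @{ TrustCenter = 'Prompt before enabling all controls with minimal restrictions'; SafeMode = $false; NotRecommended = $false }
    6 = @{ TrustCenter = 'Prompt before enabling all controls with minimal restrictions'; SafeMode = $true;  NotRecommended = $false }
}

# VBAWarnings value -> Trust Center wording (macro mapping table above).
$VbaMeaning = @{
    1 = 'Enable all macros (not recommended; potentially dangerous code can run)'
    2 = 'Disable all macros with notification (application default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

# Read a DWORD value; returns $null when the key or the value does not exist.
function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Policy key first, then the OCT / user key; records which one supplied the value.
function Resolve-Setting {
    param([string]$Name, [string]$PolicyPath, [string]$UserPath)
    $v = Get-RegistryDword -Path $PolicyPath -Name $Name
    if ($null -ne $v) { return [pscustomobject]@{ Value = $v; Source = 'Group Policy' } }
    $v = Get-RegistryDword -Path $UserPath -Name $Name
    if ($null -ne $v) { return [pscustomobject]@{ Value = $v; Source = 'OCT / user' } }
    return [pscustomobject]@{ Value = $null; Source = 'not configured' }
}

function Get-OfficeActiveContentAudit {
    # ---- ActiveX: DisableAllActiveX=1 disables everything regardless of UFIControls ----
    $disableAll = Resolve-Setting -Name 'DisableAllActiveX' -PolicyPath $PolicyCommon -UserPath $UserCommonActiveX
    $ufi        = Resolve-Setting -Name 'UFIControls'       -PolicyPath $PolicyCommon -UserPath $UserCommonUFI

    if ($disableAll.Value -eq 1) {
        $text = "Disable all controls without notification (DisableAllActiveX=1, $($disableAll.Source))"
        $flag = $false
    } elseif ($null -ne $ufi.Value -and $UfiMeaning.ContainsKey($ufi.Value)) {
        $m    = $UfiMeaning[$ufi.Value]
        $safe = if ($m.SafeMode) { 'selected' } else { 'not selected' }
        $text = "$($m.TrustCenter); Safe mode $safe (UFIControls=$($ufi.Value), $($ufi.Source))"
        $flag = $m.NotRecommended
    } else {
        # <do not configure>: the chapter says this behaves like Prompt user to use persisted data.
        $text = 'Not configured: behaves like Prompt user to use persisted data'
        $flag = $false
    }
    [pscustomobject]@{ Area = 'ActiveX'; Application = '(all)'; Effective = $text; NotRecommended = $flag }
    # Reminder from the chapter: files opened from a trusted location initialize all active
    # content even when DisableAllActiveX=1, so review trusted locations alongside this output.

    # ---- VBA macros: VBAWarnings is stored per application under 12.0\<program name>\Security ----
    foreach ($app in 'Access', 'Excel', 'PowerPoint', 'Publisher', 'Visio', 'Word') {
        $s = Resolve-Setting -Name 'VBAWarnings' `
            -PolicyPath "HKCU:\Software\Policies\Microsoft\Office\12.0\$app\Security" `
            -UserPath   "HKCU:\Software\Microsoft\Office\12.0\$app\Security"
        $value = if ($null -eq $s.Value) { 2 } else { $s.Value }   # 2 is the documented default
        $desc  = if ($VbaMeaning.ContainsKey($value)) { $VbaMeaning[$value] } else { "Unknown value $value" }
        [pscustomobject]@{
            Area           = 'VBA macros'
            Application    = $app
            Effective      = "$desc (VBAWarnings=$value, $($s.Source))"
            NotRecommended = ($value -eq 1)
        }
    }
}

Get-OfficeActiveContentAudit | Format-Table -AutoSize -Wrap
```

Run it in the user's own session (the entries live under HKEY_CURRENT_USER); rows with NotRecommended set to True correspond to the configurations the Trust Center itself labels "not recommended".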

Settings for changing VBA


VBA security settings enable you to change the way that VBA behaves. There are three main
types of VBA security settings:
• Settings for trusting programmatic access to VBA projects.
• Settings for disabling VBA.
• Settings for configuring VBA in Office Visio 2007.

Settings for trusting programmatic access to VBA projects


There is one setting that enables you to control access to VBA projects. This setting can be
configured only on a per-application basis for the following applications:
Office Excel 2007
Office PowerPoint 2007
Office Word 2007
The setting is described in the following table.

Setting name: Trust access to Visual Basic project
Default configuration: Automation clients do not have programmatic access to VBA projects.
Description: When you enable this setting, Automation clients have programmatic access to VBA
projects and can use the VBA object model. When you disable this setting, Automation clients do
not have programmatic access to VBA projects. This setting can be configured in the OCT and in the
Group Policy Object Editor.

You can find the Trust access to Visual Basic project setting at the following locations on the
Modify user settings page of the OCT:

Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
You can find the Trust access to Visual Basic project setting at the following locations in the
User Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center

Settings for disabling VBA


There is one setting that enables you to disable VBA. This setting can be configured only on a
global basis and applies to the following applications:
Office Excel 2007
Office Outlook 2007
Office PowerPoint 2007
Office Publisher 2007
Microsoft Office SharePoint Designer 2007
Office Word 2007
The setting is described in the following table.

Setting name: Disable VBA for Office applications
Default configuration: VBA is enabled if it is installed.
Description: When you enable this setting, VBA will not function and users will not be able to run
macros and other programmatic content. This setting can be configured in the OCT and in the Group
Policy Object Editor.

You can find the Disable VBA for Office applications setting at the following location on the
Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find the Disable VBA for Office applications setting at the following location in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings

Settings for configuring VBA in Office Visio 2007


There are three settings that enable you to change the way VBA behaves in Office Visio 2007.
These settings are described in the following table.

Setting name: Enable Microsoft Visual Basic for Applications
Default configuration: VBA is enabled.
Description: Enabling this setting allows VBA to run. Disabling this setting prevents VBA from running, which can prevent some drawing types from having full functionality in Office Visio 2007.

Setting name: Load Microsoft Visual Basic for Applications projects from text
Default configuration: VBA projects are not loaded from text.
Description: Enabling this setting allows Office Visio 2007 to compile VBA projects when you open a file. This enables you to use VBA projects that are saved in earlier Visio file formats. The compiled VBA projects are not saved. Disabling this setting prevents VBA projects from being loaded from text.

Setting name: Enable Microsoft Visual Basic for Applications project creation
Default configuration: Users are allowed to create VBA projects.
Description: Enabling this setting allows users to create VBA projects. Disabling this setting prevents users from creating VBA projects in files that do not already have a VBA project.

You can find these settings at the following location on the Modify user settings page of the OCT:
Microsoft Office Visio 2007/Tools|Options/Security/Macro Security
You can find these settings at the following location in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office Visio 2007/Tools|Options/Security/Macro Security

Settings for changing macro behavior in applications that are started programmatically through Automation

There are two types of Automation security settings: global settings and application-specific
settings.

Global Automation security settings
You can change the way macros run in applications that are started programmatically through
Automation by configuring the Automation security setting. This setting is global in scope and
applies to the following applications:
Office Excel 2007
Office PowerPoint 2007
Office Word 2007
This setting has three possible configuration states. Each configuration state is described in the
following table. Note that the default state, Macros enabled, lets any document opened through Automation run its macros silently, regardless of the Trust Center settings of the application that opened it.

Configuration state: Enabled, Disable macros by default
Description: Macros are disabled in the 2007 Office system applications that start programmatically through Automation. Users are not notified that macros are disabled and users are not prompted to enable macros.

Configuration state: Enabled, Macros enabled (default)
Description: Macros are enabled and run without notification.

Configuration state: Enabled, Use application macro security level
Description: Macros run according to the security settings of the application that is started programmatically through Automation.

You can find this setting at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find this setting at the following location in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings
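The two settings above (Trust access to Visual Basic project, and the global Automation security setting) are what a document-triage or conversion script runs into in practice. The following PowerShell script is an added example, not code from the Office Resource Kit: it opens a suspect workbook through Automation with macros force-disabled for that instance, then reads the VBA project only if the trust setting allows it. It assumes Office Excel 2007 is installed, that PowerShell 2.0 or later is available, and that the quarantine path is a placeholder. The registry value name AccessVBOM is the value behind "Trust access to Visual Basic project" in the Office policy template; it is not named in this book.

```powershell
# Added example (not part of the Office Resource Kit): triage a suspect workbook through
# Automation with macros forced off, and read its VBA project only when
# "Trust access to Visual Basic project" is enabled.
# Assumptions: Excel 2007 installed; PowerShell 2.0+; the path below is a placeholder;
# AccessVBOM is the registry value behind the trust setting (from the policy template).

# MsoAutomationSecurity values from the Office object model
$msoAutomationSecurityLow          = 1   # macros run without notification (process default)
$msoAutomationSecurityByUI         = 2   # follow the application's macro security setting
$msoAutomationSecurityForceDisable = 3   # macros never run in documents this instance opens

function Get-TrustAccessToVbaProject {
    param([string]$Application = 'Excel')
    # A value under Policies (set by Group Policy) takes precedence over the user's own setting.
    $hives = 'HKCU:\Software\Policies\Microsoft\Office\12.0',
             'HKCU:\Software\Microsoft\Office\12.0'
    foreach ($hive in $hives) {
        $key  = "$hive\$Application\Security"
        $item = Get-ItemProperty -Path $key -Name AccessVBOM -ErrorAction SilentlyContinue
        if ($item -ne $null) { return ($item.AccessVBOM -eq 1) }
    }
    return $false   # default: Automation clients have no access to VBA projects
}

function Invoke-WorkbookTriage {
    param([Parameter(Mandatory=$true)][string]$Path)

    $excel = New-Object -ComObject Excel.Application
    try {
        $excel.Visible       = $false
        $excel.DisplayAlerts = $false
        # Must be set before Open(): it overrides the Trust Center macro setting for every
        # document this Automation instance opens.
        $excel.AutomationSecurity = $msoAutomationSecurityForceDisable

        # Open(Filename, UpdateLinks, ReadOnly): no link refresh, read-only.
        $workbook = $excel.Workbooks.Open($Path, 0, $true)
        try {
            $modules = @()
            $note    = ''
            if ($workbook.HasVBProject) {
                if (Get-TrustAccessToVbaProject -Application 'Excel') {
                    # Reachable only when the trust setting is enabled; otherwise VBProject
                    # throws "Programmatic access to Visual Basic Project is not trusted".
                    foreach ($component in $workbook.VBProject.VBComponents) {
                        $modules += ('{0} ({1} lines)' -f $component.Name,
                                                          $component.CodeModule.CountOfLines)
                    }
                } else {
                    $note = 'VBA present but not readable: Trust access to Visual Basic project is disabled'
                }
            }
            New-Object PSObject -Property @{
                Path          = $Path
                HasVbaProject = [bool]$workbook.HasVBProject
                Modules       = $modules
                Note          = $note
            }
        } finally {
            $workbook.Close($false)   # never save: the file is evidence
        }
    } finally {
        $excel.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
    }
}

Invoke-WorkbookTriage -Path 'C:\Quarantine\suspect.xlsm' | Format-List
```

Two points the script makes concrete: AutomationSecurity is per Automation instance and is set before the first Open call, so a conversion or triage tool should always force it rather than rely on the global policy; and AccessVBOM should be enabled only on the analysis host where this kind of tool runs, never as a fleet-wide default.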

Application-specific Automation security settings
You can change the way macros run in Office Publisher 2007 when Office Publisher 2007 is
started programmatically through Automation. To do this, you use the Publisher automation
security level setting. This setting can be configured only through Group Policy and has three
possible configuration states. Each configuration state is described in the following table. The default, Low, is the weakest of the three.

Configuration state: Enabled, Low (enabled)
Description: Macros are enabled and run without notification in instances of Office Publisher 2007 that are started programmatically through Automation. This is the default configuration state.

Configuration state: Enabled, By UI (prompted)
Description: Users are prompted whether to enable or disable macros in instances of Office Publisher 2007 that are started programmatically through Automation.

Configuration state: Enabled, High (disabled)
Description: Macros are disabled in instances of Office Publisher 2007 that are started programmatically through Automation. Users are not notified that macros are disabled and users are not prompted to enable macros.

You can find the Publisher automation security level setting at the following location in the
User Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office Publisher 2007/Security

Settings for preventing virus-scanning programs from scanning encrypted macros
The three settings for preventing virus-scanning programs from scanning encrypted macros are
described in the following table.

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks
Default configuration: Encrypted macros are scanned by your virus-scanning program when you open an encrypted workbook that contains macros.
Description: Encrypted macros are not scanned by your virus-scanning program when you enable this setting, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office Excel 2007.

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations
Default configuration: Encrypted macros are scanned by your virus-scanning program when you open an encrypted presentation that contains macros.
Description: Encrypted macros are not scanned by your virus-scanning program when you enable this setting, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office PowerPoint 2007.

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents
Default configuration: Encrypted macros are scanned by your virus-scanning program when you open an encrypted document that contains macros.
Description: Encrypted macros are not scanned by your virus-scanning program when you enable this setting, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office Word 2007.

Because an encrypted macro is only decrypted after the user supplies the password, enabling any of these settings means the virus scanner never sees the macro code before Office decides whether to run it. Leave them disabled unless scanning demonstrably breaks a workflow.

You can find these settings at the following locations on the Modify user settings page of the OCT:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center

Document protection settings


Document protection settings enable you to change the way files and text are encrypted with the
password protection feature. There are two types of document protection settings: global settings,
which apply to Office Excel 2007, Office PowerPoint 2007, and Office Word 2007; and
application-specific settings, which apply only to Microsoft Office OneNote 2007.

Global document protection settings


The two global document protection settings are described in the following table.

Setting name: Encryption type for password protected Office Open XML files
Default configuration: On Microsoft Windows XP operating systems, the default is Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype), AES-128, 128-bit. On Windows Vista operating systems, the default is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit.
Description: Enables you to specify the encryption type for Office Open XML Formats files that are encrypted.

Setting name: Encryption type for password protected Office 97-2003 files
Default configuration: Office 97/2000 Compatible encryption method, which is a proprietary encryption method.
Description: Enables you to specify the encryption type for Office 97-2003 format files that are encrypted.

You can find these settings at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings

Application-specific document protection settings


By default, Office OneNote 2007 uses a Triple Data Encryption Standard (3DES) algorithm with a
192-bit key length (168 bits of effective key material, because 3DES keys include parity bits). You cannot change the cryptographic algorithm or the key length that Office
OneNote 2007 uses to encrypt notes. The four application-specific encryption settings for Office
OneNote 2007 are described in the following table.

Setting name: Disallows add-ons access to password protected sections
Default configuration: Add-ins can access sections of text that have been unlocked by a user.
Description: Enabling this setting prevents add-ins from accessing sections of text that have been unlocked by a user.

Setting name: Disable password protected sections
Default configuration: Encrypted sections of text are not disabled (that is, users can use the password protection feature to lock and unlock sections of text and change password settings).
Description: When you enable this setting, users cannot encrypt new and existing sections of text, disable encryption on an encrypted section of text, or change the password that is used to encrypt a section of text. When this setting is enabled, users can still enter a password to access sections of text that are encrypted.

Setting name: Lock password protected sections as soon as I navigate away from them
Default configuration: Encrypted sections of text remain unlocked for a period of time after a user navigates away from the unlocked text.
Description: Enabling this setting ensures that encrypted sections of text become locked as soon as a user navigates away from the text.

Setting name: Lock password protected sections after user hasn't worked on them for a time
Default configuration: Encrypted sections of text remain unlocked for 10 minutes after a user navigates away from the unlocked text or a user stops editing the unlocked text.
Description: You can change the number of minutes that unlocked sections remain unlocked by enabling this setting and choosing a new time in Time interval (minutes) to lock password protected sections. If you do not want unlocked sections of text to automatically lock after a user unlocks them, you can disable this setting or you can enable this setting and clear the Check to lock sections checkbox. In either case, be sure that you do not enable the Lock password protected sections as soon as I navigate away from them setting. Doing so causes unlocked sections to lock as soon as a user navigates away from the sections, regardless of how you have configured the Lock password protected sections after user hasn't worked on them for a time setting.

You can find these settings at the following locations on the Modify user settings page of the OCT:
Microsoft Office OneNote 2007/Tools|Options/Password
You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office OneNote 2007/Tools|Options/Password

External content settings


External content settings enable you to change the way hyperlink warnings appear and to change
the behavior of linked images in Office PowerPoint 2007.

Hyperlink warnings settings


You can disable hyperlink warnings by using the setting that is described in the following table.

Setting name: Disable hyperlink warnings
Default configuration: By default, users are notified about unsafe hyperlinks. In addition, unsafe hyperlinks are disabled until they are enabled by a user.
Description: Enabling this setting suppresses hyperlink warnings for hyperlinks that use unsafe protocols, such as msn, nntp, mms, outlook, and stssync, and for hyperlinks from a remote file to the local computer.

This setting applies only to the following applications:


Office Access 2007
Office Excel 2007
Office InfoPath 2007
Office OneNote 2007
Office Outlook 2007
Microsoft Office Project 2007
Office PowerPoint 2007
Office Publisher 2007
Office Visio 2007
Office Word 2007
You can find this setting at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find this setting at the following location in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings

Linked images settings
You can enable the automatic downloading of images in Office PowerPoint 2007 by using the
setting that is described in the following table.

Setting name: Unblock automatic download of linked images
Default configuration: By default, images that are saved on an external computer do not display in slides.
Description: Enabling this setting allows linked images on external Web sites to download and appear in slides. Note that each such download is an outbound request to the linking site, which reveals to that site when the presentation is opened and from which address.

You can find this setting at the following location on the Modify user settings page of the OCT:
Microsoft Office PowerPoint 2007/PowerPoint Options/Security
You can find this setting at the following location in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office PowerPoint 2007/PowerPoint Options/Security

Internet Explorer feature control settings


Internet Explorer feature control settings enable you to mitigate threats that can occur when an
application programmatically uses Internet Explorer functionality. You can configure 15 feature
control settings in the 2007 Office system, which together restrict a wide range of
Internet Explorer functionality. The settings are described in the following table.

Feature control setting: Add-on Management
Description: Prevents add-ons disabled by the user or Group Policy from running or installing.

Feature control setting: Bind to object
Description: Performs additional safety checks when ActiveX controls are initialized. Specifically, prevents the control from being created if the kill bit is set in the registry. Also checks the security settings for the zone of the URL in which the control is instantiated to determine whether the control can be safely initialized.

Feature control setting: Block pop-ups
Description: Enables Internet Explorer's default pop-up blocker.

Feature control setting: Consistent Mime Handling
Description: Checks the file extension, the Content Type and Content Disposition in the HTTP header, and the file signature bits when a file is downloaded. Files with inconsistent information may be renamed to a safer file extension. Files that remain mismatched may be blocked from running on the user's system.

Feature control setting: Disable user name and password
Description: Invalidates URL syntax that may include a username and password, such as http://username:password@server/.

Feature control setting: Information Bar
Description: Shows the default Internet Explorer Information Bar when file download or code installation is restricted.

Feature control setting: Local Machine Zone Lockdown Security
Description: Applies Local Machine Zone settings to all local content.

Feature control setting: Mime Sniffing Safety Feature
Description: Checks the signature bits of downloaded files to determine the file's type and render the type properly.

Feature control setting: Navigate URL
Description: Blocks navigation to any page with a badly formed URL.

Feature control setting: Object Caching Protection
Description: Blocks access to objects instantiated and cached from a different security context than the current page.

Feature control setting: Protection from Zone Elevation
Description: Prevents navigation to a page in the Trusted Sites or My Computer zone if the current page is not already in that zone.

Feature control setting: Restrict ActiveX Install
Description: Allows applications to opt in to blocking new ActiveX controls and prevents installation of updates for ActiveX controls that are not already installed.

Feature control setting: Restrict File Download
Description: Prevents file downloads that are not initiated by the user.

Feature control setting: Saved from URL
Description: Evaluates the saved from URL information for files on a Universal Naming Convention (UNC) share. This feature increases security on UNC paths, but at a performance cost.

Feature control setting: Scripted Window Security Restrictions
Description: Forces pop-up windows to remain in the viewable desktop area, display a status bar, and not draw their borders outside the viewable area of the screen. Ensures that browser windows cannot overlay important information in their parent windows, or in system dialogs.

By default, Microsoft Office Groove 2007 (Groove.exe), Office Outlook 2007 (Outlook.exe), and
Microsoft Office SharePoint Designer 2007 (Spdesign.exe) are opted in to all 15 feature control
settings. Office InfoPath 2007 (Infopath.exe) and three of its components (Document Information Panel, Workflow
forms, and third-party hosting) are also opted in to all 15 feature control settings.
Internet Explorer feature control settings for all applications except Office InfoPath 2007 can be
found at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system (machine)/Security Settings/IE Settings
Internet Explorer feature control settings for all applications except Office InfoPath 2007 can be
found at the following location in the Group Policy Object Editor:
Computer Configuration/Administrative Templates/Microsoft Office 2007 system
(machine)/Security Settings/IE Settings
Office InfoPath 2007 is a special case and cannot be configured by using the standard Internet
Explorer feature control settings. Instead, you use the Windows Internet Explorer Feature
Control Opt-In setting to configure Internet Explorer feature control settings for Office InfoPath
2007. This setting can be configured as follows:
None. Opts out Infopath.exe and its associated components (Document Information Panel,
Workflow forms, and third-party hosting) from all 15 Internet Explorer feature control settings.
Infopath.exe, Document Information Panel, and Workflow forms. Opts-in everything except
the third-party hosting component to all 15 Internet Explorer feature control settings.
Infopath.exe, Document Information Panel, Workflow forms, and third-party hosting. This
is the default setting. Infopath.exe and all three associated components are opted in to all 15
Internet Explorer feature control settings.
You can find the Windows Internet Explorer Feature Control Opt-In setting at the following
location on the Modify user settings page of the OCT:
Microsoft Office InfoPath 2007 (machine)/Security

You can find the Windows Internet Explorer Feature Control Opt-In setting at the following
location in the Group Policy Object Editor:
Computer Configuration/Administrative Templates/Microsoft Office InfoPath 2007
(machine)/Security
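Opt-in state is recorded per process name under the Internet Explorer FeatureControl registry keys, so it can be audited without opening any Office application. The following PowerShell script is an added example, not code from the Office Resource Kit: it reports, for each of the 15 feature controls, whether the four processes this section names as opted in by default actually are. It assumes PowerShell 3.0 or later and a 32-bit Office on 64-bit Windows (hence the Wow6432Node path). The FEATURE_* key names are the ones Internet Explorer documents; the pairing of those names with the 15 setting names in the table above is my mapping, not the book's.

```powershell
# Added example (not part of the Office Resource Kit): audit Internet Explorer feature
# control opt-in for the Office processes that should be opted in by default.
# Assumptions: PowerShell 3.0+; FEATURE_* names and their pairing with the 15 settings
# are from Internet Explorer documentation and my own mapping, not this book.
$featureControls = [ordered]@{
    'Add-on Management'                     = 'FEATURE_ADDON_MANAGEMENT'
    'Bind to object'                        = 'FEATURE_SAFE_BINDTOOBJECT'
    'Block pop-ups'                         = 'FEATURE_WEBOC_POPUPMANAGEMENT'
    'Consistent Mime Handling'              = 'FEATURE_MIME_HANDLING'
    'Disable user name and password'        = 'FEATURE_HTTP_USERNAME_PASSWORD_DISABLE'
    'Information Bar'                       = 'FEATURE_SECURITYBAND'
    'Local Machine Zone Lockdown Security'  = 'FEATURE_LOCALMACHINE_LOCKDOWN'
    'Mime Sniffing Safety Feature'          = 'FEATURE_MIME_SNIFFING'
    'Navigate URL'                          = 'FEATURE_VALIDATE_NAVIGATE_URL'
    'Object Caching Protection'             = 'FEATURE_OBJECT_CACHING'
    'Protection from Zone Elevation'        = 'FEATURE_ZONE_ELEVATION'
    'Restrict ActiveX Install'              = 'FEATURE_RESTRICT_ACTIVEXINSTALL'
    'Restrict File Download'                = 'FEATURE_RESTRICT_FILEDOWNLOAD'
    'Saved from URL'                        = 'FEATURE_UNC_SAVEDFILECHECK'
    'Scripted Window Security Restrictions' = 'FEATURE_WINDOW_RESTRICTIONS'
}

# Processes the book says are opted in to all 15 controls by default.
$processes = 'groove.exe', 'outlook.exe', 'spdesign.exe', 'infopath.exe'

# A 32-bit Office process on 64-bit Windows reads the Wow6432Node view; check both.
$roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl'

function Get-OfficeFeatureControlOptIn {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $view = if ($root -like '*Wow6432Node*') { '32-bit view' } else { 'native view' }
        foreach ($entry in $featureControls.GetEnumerator()) {
            $key   = Join-Path $root $entry.Value
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            foreach ($proc in $processes) {
                # Opt-in is a DWORD value named after the executable, set to 1.
                $value = if ($props -ne $null) { $props.$proc } else { $null }
                [pscustomobject]@{
                    View    = $view
                    Process = $proc
                    Setting = $entry.Key
                    Feature = $entry.Value
                    OptedIn = ($value -eq 1)
                }
            }
        }
    }
}

# Anything listed here is a gap against the documented default for these four processes.
Get-OfficeFeatureControlOptIn |
    Where-Object { -not $_.OptedIn } |
    Format-Table View, Process, Setting, Feature -AutoSize
```

Run it on a reference build first: a missing FeatureControl key is reported as not opted in, so a clean reference run tells you whether the absence is expected on that Windows version before you treat it as a finding elsewhere.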

Privacy options
Privacy options help you protect personal and private information. You can configure four main
categories of privacy options in the 2007 Office system. The options can be configured in the
OCT and through Group Policy. The four categories of privacy options are discussed below.

Document Inspector options


There is one Document Inspector option, which is described in the following table.

Option name: Document Inspector
Default configuration: All Inspector modules are enabled.
Description: You can disable the Inspector modules that are used by Document Inspector by enabling this option and adding the CLSID for an Inspector to the list of disabled Inspector modules.

You can find the CLSID for an Inspector module by looking at the registry entries that are listed
under the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Excel\Document Inspectors
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\PowerPoint\Document Inspectors
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\12.0\Word\Document Inspectors

Note:
You cannot disable the Inspector module for Comments, Revisions, Versions, and
Annotations, or the Inspector module for Document Properties and Personal Information.
That is, there is no CLSID for these Inspector modules.
You can find the Document Inspector option at the following location on the Modify user settings
page of the OCT:
Microsoft Office 2007 system (machine)/Miscellaneous
You can find the Document Inspector option at the following location in the Group Policy Object
Editor:
Computer Configuration/Administrative Templates/Microsoft Office 2007 system
(machine)/Miscellaneous
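Collecting those CLSIDs by hand from three registry keys is error-prone, and the policy silently ignores a mistyped GUID. The following PowerShell script is an added example, not code from the Office Resource Kit: it enumerates the three Document Inspectors keys named above (and their Wow6432Node counterparts for a 32-bit Office on 64-bit Windows) and lists each module with every GUID-shaped value found under it. It assumes PowerShell 3.0 or later; the book does not say which value name holds the CLSID, so the script does not depend on one.

```powershell
# Added example (not part of the Office Resource Kit): list registered Document Inspector
# modules and their CLSIDs so they can be pasted into the "Document Inspector" policy.
# Assumptions: PowerShell 3.0+; the value name holding the CLSID is not stated in the
# book, so every GUID-shaped value under a module's subkey is reported.
$guidPattern = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'

$hives = 'HKLM:\SOFTWARE\Microsoft\Office\12.0',
         'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\12.0'   # 32-bit Office on x64

function Get-DocumentInspectorModule {
    foreach ($hive in $hives) {
        foreach ($app in 'Excel', 'PowerPoint', 'Word') {
            $key = "$hive\$app\Document Inspectors"
            if (-not (Test-Path $key)) { continue }
            foreach ($module in Get-ChildItem -Path $key) {
                $props  = Get-ItemProperty -Path $module.PSPath
                $clsids = @(
                    foreach ($p in $props.PSObject.Properties) {
                        # Skip the PS* provider metadata; keep values that look like a GUID.
                        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $guidPattern) {
                            "$($p.Value)"
                        }
                    }
                )
                [pscustomobject]@{
                    Application = $app
                    Module      = $module.PSChildName
                    Clsid       = if ($clsids.Count -gt 0) { $clsids -join ';' }
                                  else { '(no CLSID: built-in module, cannot be disabled by policy)' }
                }
            }
        }
    }
}

# Modules with a CLSID are the only ones the policy can disable; the built-in
# Comments/Revisions and Document Properties inspectors show up without one.
Get-DocumentInspectorModule | Sort-Object Application, Module | Format-Table -AutoSize
```

The security-relevant use is the reverse of disabling: confirm on a reference machine that no third-party inspector module has been registered that you did not deploy, since an inspector runs with the user's rights every time Document Inspector is invoked.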

Metadata protection options
Metadata protection options are described in the following table.

Option name: Protect document metadata for rights managed Office Open XML files
Default configuration: Metadata is not protected in rights-managed Office Open XML Formats files.
Description: Enabling this option encrypts metadata, such as author name, hyperlink references, and number of words, in Office Open XML Formats files that are restricted using IRM. With the default, those fields remain readable without an IRM license.

Option name: Protect document metadata for password protected files
Default configuration: Metadata is protected in encrypted Office Open XML Formats files.
Description: Disabling this option prevents metadata, such as author name, hyperlink references, and number of words, from being encrypted in Office Open XML Formats files that are encrypted.

You can find these options at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find these options at the following location in the Group Policy Object Editor:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings

Office privacy options
Office privacy options are described in the following table.

Option name: Enable Customer Experience Improvement Program
Default configuration: This option is not enabled (that is, users are not enrolled in the Customer Experience Improvement Program).
Description: Enabling this option opts users in to the Customer Experience Improvement Program (CEIP), which can reveal the IP address of a user's computer to Microsoft.

Option name: Automatically receive small updates to improve reliability
Default configuration: This option is not enabled (that is, users do not automatically receive small updates to improve reliability).
Description: Enabling this option allows a small file to be downloaded that enables Microsoft to provide users with help if they experience an abnormal number of program errors. Enabling this option can also reveal the IP address of a user's computer to Microsoft.

Option name: Online content options
Default configuration: Searches Microsoft Office Online for Help content when a computer is connected to the Internet.
Description: Enabling this option and choosing the Never show online content or entry points setting prevents the Help system from accessing Office Online. It also prevents the Help system from displaying links to content that is on Office Online and prevents the Help system from downloading updated Help content. Enabling this option and choosing the Search only offline content whenever available setting forces the Help system to search only offline Help files, even when a computer is connected to the Internet. Enabling this option and choosing the Search online content whenever available setting enables the Help system to search Office Online for updated Help when a computer is connected to the Internet. This is the default setting.
Note: This option is disabled by default in the French, German, and Italian versions of the 2007 Office system.

You can find these options at the following locations on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Privacy/Trust Center
Microsoft Office 2007 system/Tools|Options|General|Services Options/Online Content

You can also find these options at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Privacy/Trust Center
Microsoft Office 2007 system/Tools|Options|General|Services Options/Online Content

Application-specific privacy options


Application-specific privacy options are described in the following table.

Option name: Make hidden markup visible
Default state: Hidden markup is not visible.
Description: Enabling this option displays all tracked changes before users open or save documents. Can be configured only for Office PowerPoint 2007 and Office Word 2007.

Option name: Warn before printing, saving, or sending a file that contains tracked changes or comments
Default state: No warning is displayed when a user prints or saves a file that contains tracked changes or comments.
Description: Enabling this option warns about tracked changes (revisions) and comments before users print, send, or save a document. Can be configured only for Office Word 2007.

Option name: Store random number to improve merge accuracy
Default state: A random number is not stored to improve merge accuracy.
Description: Enabling this option improves the accuracy of merging tracked changes by multiple authors. Can be configured only for Office Word 2007.

You can find these options at the following locations on the Modify user settings page of the OCT:
Microsoft Office PowerPoint 2007/PowerPoint Options/Security
Microsoft Office Word 2007/Word Options/Security
You can find these options at the following locations in User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office PowerPoint 2007/PowerPoint Options/Security
Microsoft Office Word 2007/Word Options/Security

Block file format settings
Block file format settings enable you to prevent users from opening or saving various file types
and file formats. There are two types of block file format settings: block open settings and block
save settings. You can configure block file format settings in the OCT and through Group Policy;
however, you can configure only a single block open setting in the OCT and the majority of the
settings can be configured only through Group Policy. In addition, you can configure block file
format settings only for the following applications: Office Excel 2007, Office PowerPoint 2007, and
Office Word 2007.
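Because most block settings can be configured only through Group Policy, in practice they end up as DWORD values under the per-user Policies registry key, which is also where an audit has to look. The following PowerShell script is an added example, not code from the Office Resource Kit: it reads and sets those values for Excel, PowerPoint and Word. It assumes PowerShell 3.0 or later, and that the value names (BinaryFiles, OpenXmlFiles, and so on) and the key paths are as given in the Office 2007 file-block knowledge base articles; neither the names nor the paths appear in this book, and the version-threshold setting is deliberately left out because it takes a version number rather than a 1.

```powershell
# Added example (not part of the Office Resource Kit): audit and set block open/save
# settings through the per-user Group Policy registry keys.
# Assumptions: PowerShell 3.0+; key paths and value names are taken from the Office 2007
# file-block knowledge base articles, not from this book. Run in the user's context.
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\12.0'

# Value names each application recognizes under FileOpenBlock and FileSaveBlock.
$knownFormats = @{
    Excel      = 'OpenXmlFiles', 'Binary12Files', 'BinaryFiles', 'HtmlandXmlssFiles',
                 'XmlFiles', 'DifandSylkFiles', 'TextFiles', 'XllFiles'
    PowerPoint = 'OpenXmlFiles', 'BinaryFiles', 'HtmlFiles', 'Outlines', 'Converters'
    Word       = 'OpenXmlFiles', 'BinaryFiles', 'HtmlFiles', 'XmlFiles', 'RtfFiles',
                 'Converters', 'TextFiles', 'InternalFiles'
}

function Get-OfficeFileBlock {
    foreach ($app in ($knownFormats.Keys | Sort-Object)) {
        foreach ($mode in 'FileOpenBlock', 'FileSaveBlock') {
            $key   = "$policyRoot\$app\Security\$mode"
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            foreach ($format in $knownFormats[$app]) {
                [pscustomobject]@{
                    Application = $app
                    Mode        = $mode
                    Format      = $format
                    Blocked     = ($props -ne $null -and $props.$format -eq 1)
                }
            }
        }
    }
}

function Set-OfficeFileBlock {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Excel','PowerPoint','Word')][string]$Application,
        [Parameter(Mandatory=$true)][ValidateSet('FileOpenBlock','FileSaveBlock')][string]$Mode,
        [Parameter(Mandatory=$true)][string[]]$Format,
        [switch]$Unblock
    )
    $key = "$policyRoot\$Application\Security\$Mode"
    foreach ($f in $Format) {
        if ($knownFormats[$Application] -notcontains $f) {
            throw "Unknown format '$f' for $Application"
        }
        $action = if ($Unblock) { 'remove block' } else { 'block (set to 1)' }
        if ($PSCmdlet.ShouldProcess("$key\$f", $action)) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            if ($Unblock) {
                Remove-ItemProperty -Path $key -Name $f -ErrorAction SilentlyContinue
            } else {
                New-ItemProperty -Path $key -Name $f -PropertyType DWord -Value 1 -Force | Out-Null
            }
        }
    }
}

# Typical hardening where legacy formats are no longer needed: block the old binary
# formats and external converters in Word. -WhatIf previews the registry writes.
Set-OfficeFileBlock -Application Word -Mode FileOpenBlock -Format BinaryFiles, Converters -WhatIf

# Current state, blocked formats only.
Get-OfficeFileBlock | Where-Object { $_.Blocked } | Format-Table -AutoSize
```

Test the result as the user, not as an administrator: the block keys are per user, so an audit run under a different account reports that account's policy, not the one the user actually gets.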
The following table provides a description of each block open setting for Office Excel 2007.

Setting name: Block opening of pre-release versions of the file formats new to Excel 2007
Description: Enabling this setting prevents the opening of pre-release (beta) versions of Office Open XML Formats files, such as .xlsb, .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can configure this setting in the OCT and through Group Policy.

Setting name: Block opening of Open XML file types
Description: Enabling this setting prevents the opening of Office Open XML Formats files, such as .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can configure this setting only through Group Policy.

Setting name: Block opening of Binary 12 file types
Description: Enabling this setting prevents the opening of Office 2007 binary format files, such as .xlsb files. You can configure this setting only through Group Policy.

Setting name: Block opening of Binary file types
Description: Enabling this setting prevents the opening of binary format files, such as .xls, .xla, .xlt, .xlm, .xlw, and .xlb files. You can configure this setting only through Group Policy.

Setting name: Block opening of HTML and XMLSS file types
Description: Enabling this setting prevents the opening of HTML and XML file types, such as .mht, .mhtml, .htm, .html, .xml, and .xmlss files. You can configure this setting only through Group Policy.

Setting name: Block opening of XML file types
Description: Enabling this setting prevents the opening of XML file types, such as .xml files. You can configure this setting only through Group Policy.

Setting name: Block opening of DIF and SYLK file types
Description: Enabling this setting prevents the opening of DIF and SYLK file types, such as .dif and .slk files. You can configure this setting only through Group Policy.

Setting name: Block opening of Text file types
Description: Enabling this setting prevents the opening of text file types, such as .txt, .csv, and .prn files. You can configure this setting only through Group Policy.

Setting name: Block opening of XLL file types
Description: Enabling this setting prevents the opening of XLL file types, such as .xll files. You can configure this setting only through Group Policy.

The following table provides a description of each block open setting for Office PowerPoint 2007.

Setting name: Block opening of pre-release versions of the file formats new to PowerPoint 2007
Description: Enabling this setting prevents the opening of pre-release (beta) versions of Office Open XML Formats files, such as .pptx, .pptm, .potx, .potm, .ppsx, and .ppsm files. You can configure this setting in the OCT and through Group Policy.

Setting name: Block opening of Open XML file types
Description: Enabling this setting prevents the opening of Office Open XML Formats files, such as .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, and .xml files. You can configure this setting only through Group Policy.

Setting name: Block opening of Binary file types
Description: Enabling this setting prevents the opening of Office binary file types, such as .ppt, .pot, .pps, and .ppa files. You can configure this setting only through Group Policy.

Setting name: Block opening of HTML file types
Description: Enabling this setting prevents the opening of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.

Setting name: Block opening of Outlines
Description: Enabling this setting prevents the opening of files as outlines, such as .rtf, .txt, .doc, .wpd, .docx, .docm, and .wps files. You can configure this setting only through Group Policy.

Setting name: Block opening of Converters
Description: Enabling this setting prevents the opening of files that have a format that is previous to the PowerPoint 97 format, such as .ppt, .pot, .pps, and .ppa files. You can configure this setting only through Group Policy.

The following table provides a description of each block open setting for Office Word 2007.

Setting name: Block opening of pre-release versions of the file formats new to Word 2007
Description: Enabling this setting prevents the opening of pre-release (beta) versions of Office Open XML Formats files, such as .docx, .docm, .dotx, and .dotm files. You can configure this setting in the OCT and through Group Policy.

Setting name: Block opening of Open XML file types
Description: Enabling this setting prevents the opening of Office Open XML Formats files, such as .docx, .dotx, .docm, .dotm, and .xml files. You can configure this setting only through Group Policy.

Setting name: Block opening of Binary file types
Description: Enabling this setting prevents the opening of Office binary file types, such as .doc and .dot files. You can configure this setting only through Group Policy.

Setting name: Block opening of HTML file types
Description: Enabling this setting prevents the opening of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.

Setting name: Block opening of Word 2003 XML file types
Description: Enabling this setting prevents the opening of Office 2003 XML file types, such as .xml files. You can configure this setting only through Group Policy.

Setting name: Block opening of RTF file types
Description: Enabling this setting prevents the opening of RTF file types, such as .rtf files. You can configure this setting only through Group Policy.

Setting name: Block open Converters
Description: Enabling this setting prevents the opening of files through external converters, such as those for WordPerfect, that are installed with the 2007 Office system. You can configure this setting only through Group Policy.

Setting name: Block opening of Text file types
Description: Enabling this setting prevents the opening of TXT file types, such as .txt files. You can configure this setting only through Group Policy.

Setting name: Block opening of Internal file types
Description: Enabling this setting prevents the opening of pre-release binary format files. You can configure this setting only through Group Policy.

Setting name: Block opening of files before version
Description: Enabling this setting lets you prevent file formats that are older than a specific Office release from opening. You can configure this setting only through Group Policy.

The following table provides a description of each block save setting for Office Excel 2007.

Setting name
    Description

Block saving of Open XML file types
    Enabling this setting prevents the saving of Office Open XML Formats files, such as .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can configure this setting only through Group Policy.

Block saving of Binary 12 file types
    Enabling this setting prevents the saving of Office 2007 binary file types, such as .xlsb files. You can configure this setting only through Group Policy.

Block saving of Binary file types
    Enabling this setting prevents the saving of Office binary file types, such as .xls, .xla, .xlt, .xlm, .xlw, and .xlb files. You can configure this setting only through Group Policy.

Block saving of HTML and XMLSS file types
    Enabling this setting prevents the saving of HTML and XML file types, such as .mht, .mhtml, .htm, .html, .xml, and .xmlss files. You can configure this setting only through Group Policy.

Block saving of XML file types
    Enabling this setting prevents the saving of XML file types, such as .xml files. You can configure this setting only through Group Policy.

Block saving of DIF and SYLK file types
    Enabling this setting prevents the saving of DIF and SYLK file types, such as .dif and .slk files. You can configure this setting only through Group Policy.

Block saving of Text file types
    Enabling this setting prevents the saving of text file types, such as .txt, .csv, and .prn files. You can configure this setting only through Group Policy.

The following table provides a description of each block save setting for Office PowerPoint 2007.

Setting name
    Description

Block saving of Open XML file types
    Enabling this setting prevents the saving of Office Open XML Formats files, such as .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, and .xml files. You can configure this setting only through Group Policy.

Block saving of Binary file types
    Enabling this setting prevents the saving of Office binary file types, such as .ppt, .pot, .pps, and .ppa files. You can configure this setting only through Group Policy.

Block saving of HTML file types
    Enabling this setting prevents the saving of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.

Block saving of outlines
    Enabling this setting prevents the saving of files as outlines, such as .rtf, .txt, .doc, .wpd, .docx, .docm, and .wps files. You can configure this setting only through Group Policy.

Block saving of GraphicFilters
    Enabling this setting prevents the saving of graphic file types, such as .jpg, .png, .tif, .bmp, .wmf, and .emf files. You can configure this setting only through Group Policy.

The following table provides a description of each block save setting for Office Word 2007.

Setting name
    Description

Block saving of Open XML file types
    Enabling this setting prevents the saving of Office Open XML Formats files, such as .docx, .dotx, .docm, .dotm, and .xml files. You can configure this setting only through Group Policy.

Block saving of Binary file types
    Enabling this setting prevents the saving of Office binary file types, such as .doc and .dot files. You can configure this setting only through Group Policy.

Block saving of HTML file types
    Enabling this setting prevents the saving of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.

Block saving of Word 2003 XML file types
    Enabling this setting prevents the saving of Office 2003 XML format files, such as .xml files. You can configure this setting only through Group Policy.

Block saving of RTF file types
    Enabling this setting prevents the saving of RTF file formats, such as .rtf files. You can configure this setting only through Group Policy.

Block saving of converters
    Enabling this setting prevents the saving of files through converters, such as the WordPerfect converter that is included in the 2007 Office system. You can configure this setting only through Group Policy.

Block saving of Text file types
    Enabling this setting prevents the saving of TXT file types, such as .txt files. You can configure this setting only through Group Policy.

By default, users cannot open files that were saved in a format older than the Word 6.0 format. Files that were saved by using a beta version of Word 6.0 are considered older than the Word 6.0 format and cannot be opened by default.
You can find these settings at the following locations on the Modify user settings page of the OCT:
Microsoft Office Excel 2007/Block file formats
Microsoft Office PowerPoint 2007/Block file formats
Microsoft Office Word 2007/Block file formats
You can find these settings at the following locations in the User Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office Excel 2007/Block file formats
Microsoft Office PowerPoint 2007/Block file formats
Microsoft Office Word 2007/Block file formats

See Also
Evaluate default security settings and privacy options for the 2007 Office system

Attachment file types restricted by Outlook 2007
Microsoft Office Outlook 2007 restricts access to some attachments in items (such as e-mail messages or appointments). Files with specific file types are categorized as Level 1 (the user cannot view the file) or Level 2 (the user can open the file only after saving it to disk).

Note:
This topic is for Outlook administrators. To learn more about why some Outlook
attachments are blocked, see Blocked attachments: The Outlook feature you love to
hate (http://go.microsoft.com/fwlink/?LinkId=81268). Or learn how to share files with
restricted file types by reading Blocked attachments in Outlook
(http://go.microsoft.com/fwlink/?LinkId=81269).
By default, Outlook classifies a number of file type extensions as Level 1 and blocks files with
those extensions from being received by users. As an administrator, you can use Group Policy to
manage how a file type is categorized for e-mail attachment blocking. For example, you can
change a file type categorization from Level 1 to Level 2 or create a list of Level 2 file types.

Note:
There are no Level 2 file types by default.
You can find links to more information about customizing attachment settings in Outlook in the
See Also section, which is visible when you are connected to the Internet.
The following table lists Level 1 file types that are blocked under a default installation of Outlook.

File type   File description
.ade        Access Project Extension (Microsoft)
.adp        Access Project (Microsoft)
.app        Executable Application
.asp        Active Server Page
.bas        BASIC Source Code
.bat        Batch Processing
.cer        Internet Security Certificate File
.chm        Compiled HTML Help
.cmd        DOS CP/M Command File, Command File for Windows NT
.com        Command
.cpl        Windows Control Panel Extension (Microsoft)
.crt        Certificate File
.csh        csh Script
.der        DER Encoded X509 Certificate File
.exe        Executable File
.fxp        FoxPro Compiled Source (Microsoft)
.hlp        Windows Help File
.hta        Hypertext Application
.inf        Information or Setup File
.ins        IIS Internet Communications Settings (Microsoft)
.isp        IIS Internet Service Provider Settings (Microsoft)
.its        Internet Document Set, International Translation
.js         JavaScript Source Code
.jse        JScript Encoded Script File
.ksh        UNIX Shell Script
.lnk        Windows Shortcut File
.mad        Access Module Shortcut (Microsoft)
.maf        Access (Microsoft)
.mag        Access Diagram Shortcut (Microsoft)
.mam        Access Macro Shortcut (Microsoft)
.maq        Access Query Shortcut (Microsoft)
.mar        Access Report Shortcut (Microsoft)
.mas        Access Stored Procedures (Microsoft)
.mat        Access Table Shortcut (Microsoft)
.mau        Media Attachment Unit
.mav        Access View Shortcut (Microsoft)
.maw        Access Data Access Page (Microsoft)
.mda        Access Add-in (Microsoft), MDA Access 2 Workgroup (Microsoft)
.mdb        Access Application (Microsoft), MDB Access Database (Microsoft)
.mde        Access MDE Database File (Microsoft)
.mdt        Access Add-in Data (Microsoft)
.mdw        Access Workgroup Information (Microsoft)
.mdz        Access Wizard Template (Microsoft)
.msc        Microsoft Management Console Snap-in Control File (Microsoft)
.msh        Windows PowerShell
.msh1       Windows PowerShell
.msh2       Windows PowerShell
.mshxml     Windows PowerShell
.msh1xml    Windows PowerShell
.msh2xml    Windows PowerShell
.msi        Windows Installer File (Microsoft)
.msp        Windows Installer Patch
.mst        Windows SDK Setup Transform Script
.ops        Office Profile Settings File
.pcd        Visual Test (Microsoft)
.pif        Windows Program Information File (Microsoft)
.plg        Developer Studio Build Log
.prf        Outlook Profile file
.prg        Program File
.ps1        Windows PowerShell
.ps1xml     Windows PowerShell
.ps2        Windows PowerShell
.ps2xml     Windows PowerShell
.psc1       Windows PowerShell
.psc2       Windows PowerShell
.pst        MS Exchange Address Book File, Outlook Personal Folder File (Microsoft)
.reg        Registration Information/Key for W95/98, Registry Data File
.scf        Windows Explorer Command
.scr        Windows Screen Saver
.sct        Windows Script Component, Foxpro Screen (Microsoft)
.shb        Windows Shortcut into a Document
.shs        Shell Scrap Object File
.tmp        Temporary File/Folder
.url        Internet Location
.vb         VBScript File or Any VisualBasic Source
.vbe        VBScript Encoded Script File
.vbs        VBScript Script File, Visual Basic for Applications Script
.vsmacros   Visual Studio .NET Binary-based Macro Project (Microsoft)
.vsw        Visio Workspace File (Microsoft)
.ws         Windows Script File
.wsc        Windows Script Component
.wsf        Windows Script File
.wsh        Windows Script Host Settings File
.xnk        Exchange Public Folder Shortcut
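To see how the default Level 1 list above combines with the Group Policy overrides this topic describes, here is an added example (not code from the Office Resource Kit or from Outlook itself) that classifies attachment names by their final extension. It assumes the overrides arrive as semicolon-separated extension lists, the form the Level1Remove, Level1Add, and Level2Add policy values take; the sample file names and override values are constructed for the demonstration.

```python
"""Classify attachment names into Outlook 2007 Level 1 / Level 2 / unrestricted,
combining the default Level 1 list from this topic with administrator overrides.
Added example, not Office Resource Kit or Outlook code. The three override
strings stand in for the Level1Remove, Level1Add and Level2Add policy values,
assumed here to be plain semicolon-separated extension lists."""
from pathlib import PureWindowsPath

# Default Level 1 extensions, exactly as tabulated in this topic.
DEFAULT_LEVEL1 = frozenset("""
.ade .adp .app .asp .bas .bat .cer .chm .cmd .com .cpl .crt .csh .der .exe .fxp
.hlp .hta .inf .ins .isp .its .js .jse .ksh .lnk .mad .maf .mag .mam .maq .mar
.mas .mat .mau .mav .maw .mda .mdb .mde .mdt .mdw .mdz .msc .msh .msh1 .msh2
.mshxml .msh1xml .msh2xml .msi .msp .mst .ops .pcd .pif .plg .prf .prg .ps1
.ps1xml .ps2 .ps2xml .psc1 .psc2 .pst .reg .scf .scr .sct .shb .shs .tmp .url
.vb .vbe .vbs .vsmacros .vsw .ws .wsc .wsf .wsh .xnk
""".split())

def extension_of(filename: str) -> str:
    """Final extension, lower-cased, as Windows sees the name: trailing dots and
    spaces are dropped, and only the last suffix of 'invoice.pdf.exe' counts."""
    name = PureWindowsPath(filename).name.rstrip(" .")
    base, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot and base else ""

def parse_policy_list(value: str) -> set:
    """'exe; PDF ;.xyz' -> {'.exe', '.pdf', '.xyz'} (policy lists omit the dot)."""
    return {"." + item.strip().lstrip(".").lower() for item in value.split(";") if item.strip()}

def effective_levels(level1_remove="", level1_add="", level2_add=""):
    """Apply overrides: Level1Remove demotes a default type to Level 2 (the
    Level 1 to Level 2 change this topic describes), Level1Add promotes a type,
    Level2Add lists extra Level 2 types. Level 1 wins when a type is in both."""
    removed, added, extra2 = map(parse_policy_list, (level1_remove, level1_add, level2_add))
    level1 = (DEFAULT_LEVEL1 - removed) | added
    return level1, (removed | extra2) - level1

def classify(filename: str, levels) -> str:
    """'Level 1' = cannot be viewed, 'Level 2' = must be saved to disk first."""
    level1, level2 = levels
    ext = extension_of(filename)
    if ext in level1:
        return "Level 1"
    return "Level 2" if ext in level2 else "Unrestricted"

if __name__ == "__main__":
    # Constructed sample policy: .exe demoted to Level 2, .pdf added as Level 2.
    levels = effective_levels(level1_remove="exe", level2_add="pdf")
    for name in ["report.pdf", "Setup.EXE", "invoice.pdf.exe ", "notes.txt", "run.PS1"]:
        print(f"{name!r:20} {classify(name, levels)}")
```

The classification is case-insensitive and looks only at the last extension, so a name such as invoice.pdf.exe is judged by .exe, which is why the extension check rather than the display name is what matters when reviewing attachment policy.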

See Also
Customize attachment settings in Outlook 2007
