Microsoft Corporation
Published: December 2008
Author: Office IT and Servers User Assistance (o12ITdx@microsoft.com)
Abstract
This book provides prescriptive information for planning and deploying security and privacy
settings for the 2007 Microsoft Office system. This includes evaluating threats to laptops and
desktops that are running the 2007 Office release, evaluating default security and privacy
settings, and planning and configuring security settings to mitigate threats. It also includes
information for planning, configuring, and deploying cryptography and virus prevention scenarios
in Microsoft Office Outlook 2007. The audience for this book includes IT generalists, security
specialists, IT operations, help desk, and deployment staff, network architects and planners, IT
messaging administrators, and consultants.
The content in this book is a copy of selected content in the 2007 Office Resource Kit technical
library (http://go.microsoft.com/fwlink/?LinkID=84741&clcid=0x409) as of the publication date
above. For the most current content, see the technical library on the Web.
The information contained in this document represents the current view of Microsoft Corporation
on the issues discussed as of the date of publication. Because Microsoft must respond to
changing market conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the
date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into a
retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, email address, logo, person, place
or event is intended or should be inferred.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Access, Active Directory, Excel, Groove, InfoPath, Internet Explorer, OneNote, Outlook,
PowerPoint, SharePoint, SQL Server, Visio, Windows, Windows Server, and Windows Vista are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or
other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Security for the 2007 Office System
  Abstract
Contents
Choose a deployment tool for security settings and privacy options in the 2007 Office system
  Office Customization Tool
    Requirements and limitations
    Common scenarios
  Group Policy Administrative Templates
    Requirements and limitations
    Common scenarios
  Choosing a tool
Evaluate security and privacy threats for the 2007 Office system
  Overview of security threats
  Code and application threats
  Document threats
  External threats
  Internet Explorer threats
  Privacy threats
  Security vulnerabilities
Evaluate default security settings and privacy options for the 2007 Office system
  Evaluate default security settings for code and application threats
    Default settings for ActiveX controls
    Default settings for add-ins
    Default settings for trusted locations
    Default settings for trusted publishers
    Default settings for macros
  Evaluate default security settings for document threats
  Evaluate default security settings for external threats
  Evaluate default security settings for Internet Explorer threats
  Evaluate default privacy options
  Evaluate default security settings for security vulnerabilities
Plan trusted locations and trusted publishers settings for the 2007 Office system
  Plan for trusted locations
    Disabling trusted locations
    Implementing trusted locations
  Plan for trusted publishers
Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
  Plan security settings for ActiveX controls
    Disable ActiveX controls in all documents
    Allow all ActiveX controls to initialize and run without notification
    Modify the way ActiveX controls are initialized based on SFI and UFI parameters
  Plan security settings for add-ins
    Disable add-ins on a per-application basis
    Require that add-ins are signed by a trusted publisher
    Disable notifications for unsigned add-ins
  Plan security settings for macros
    Change the default security settings for macros
    Control the way VBA behaves
    Change the way macros behave in applications that are started programmatically through Automation
    Prevent encrypted macros from being scanned for viruses
Plan external content settings in the 2007 Office system
  Suppress hyperlink warnings
  Allow linked images to download automatically in Office PowerPoint 2007
Plan Internet Explorer feature control settings in the 2007 Office system
  Identify applications that host Internet Explorer
  Determine which Internet Explorer feature control settings to implement
  Identify conflicts with previous versions of Office
    Provide a certificate in a digitally signed e-mail message
    Obtain a certificate from a directory service
  Importing digital IDs
  Renewing keys and certificates
Configure trusted locations and trusted publishers settings in the 2007 Office system
  Before you begin
  Configure trusted locations by using the OCT
    Disable trusted locations by using the OCT
    Specify trusted locations by using the OCT
    Restrict trusted locations by using the OCT
    Delete all trusted locations created by using the OCT
  Configure trusted locations by using Group Policy
    Disable trusted locations by using Group Policy
    Specify trusted locations by using Group Policy
    Restrict trusted locations by using Group Policy
  Configure trusted publishers settings by using the OCT
Configure security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
  Before you begin
  Configure settings for ActiveX controls
    Disable ActiveX controls
    Change the way ActiveX controls are initialized
  Configure settings for add-ins
    Disable add-ins
    Require that add-ins are signed by a trusted publisher
    Disable notifications for unsigned add-ins
  Configure settings for macros
    Configure default security settings for macros
    Disable VBA
    Provide Automation clients programmatic access to VBA projects
    Configure Automation security for macros
    Prevent encrypted macros from being scanned for viruses
Configure Internet Explorer feature control settings in the 2007 Office system
  Before you begin
  Configure Internet Explorer feature control settings by using the OCT
  Configure Internet Explorer feature control settings by using Group Policy
  Add or remove Level 1 file types
  Add or remove Level 2 file types
  Additional attachment security settings
  Privacy options
    Document Inspector options
    Metadata protection options
    Office privacy options
    Application-specific privacy options
  Block file format settings
I. Planning for Security
Secure by default
One of the primary principles of the 2007 Office system security model remains unchanged from
previous Microsoft Office releases: keep the system and the data secure by default. This principle
encompasses the fact that some features, although useful, have an inherently high probability of
attack (for example, macros). In many cases, these features have been configured so that
protection is paramount and functionality is secondary.
For example, documents and e-mail messages often contain links to images that are stored on a
remote computer. This makes it easy to update images and it makes documents and e-mail
messages smaller, putting less demand on disk space and network bandwidth. But spammers
and malicious attackers can use linked images to confirm that e-mail addresses are valid or to
obtain a computer’s IP address. To deal with this, linked images are blocked by default in the
2007 Office system, but users can still open e-mail messages and documents containing linked
images, giving users full access to the text. Thus, both protection and productivity are maximized.
users to make a security decision before working on the document. Instead, macro notifications
are contained in a notification bar that appears at the top of the document. Users can click the
notification bar to read the notification and enable macros. In addition, the notification now
provides information about what the risk is, why the risk is a threat to security, and what users can
do to mitigate the threat.
What's new and what's changed
Using the four principles described earlier, a new security model was developed for the 2007
Office system. The new security model includes new features, new settings, and new
functionality. In addition, the new security model can affect the way users respond to risk in their
individual work environments, and change the way administrators mitigate and manage security
threats throughout an organization. The primary changes in the new security model include:
• The user interface: These changes help users better view and configure security settings, and respond to security warnings and notifications.
• Administrative settings and features: These changes help IT professionals design and implement secure desktop configurations that better mitigate security threats.
• Default functionality: These changes help boost user productivity while helping to protect corporate resources and mitigate security threats.
Trust Center
The Trust Center is a central console that enables users to view and configure security settings
and privacy options. The following figure illustrates the Trust Center.
Document protection controls
Although the Trust Center contains most application-specific security and privacy settings, some
document-specific security settings have been intentionally left out of the Trust Center: most
notably, document protection settings that enable users to encrypt a document. Because
document protection settings tend to be used when a user saves or sends a document, the
settings are located with other document preparation settings. Users can access the document
preparation settings by clicking the Microsoft Office Button, and then clicking Prepare.
Message Bar
The Message Bar is a new user interface feature that provides users with notifications and
warnings when they open a document that contains potentially harmful content. The following
figure shows the Message Bar.
Note:
In Office Outlook 2007 and Office Publisher 2007, security alerts appear in dialog boxes,
not in the Message Bar.
The Message Bar informs users that some functionality in a document is blocked. In some ways,
the Message Bar replaces the warnings that appeared whenever a user opened an untrusted
document that contained macros. In the past, the warnings prevented users from accessing the
document until they responded to the warnings and either enabled or disabled the macros. With
the Message Bar, on the other hand, the document opens and users can work in the document
without responding to the Message Bar prompt. Untrusted ActiveX controls, macros, and other
potentially harmful content are disabled until users click the Message Bar and respond to a
notification or warning. The following figure shows the warning that users receive when they click
the Message Bar.
New and enhanced settings and features
The 2007 Office system contains new and enhanced settings and features, including:
• A new group of settings known as Trusted Locations settings.
• A new group of settings known as block file format settings.
• Changes in the way ActiveX controls, add-ins, and macros are managed.
The following sections describe the new and enhanced settings and features.
Add-in settings
The 2007 Office system does not have a Trust all installed add-ins and templates setting.
Instead, several new settings exist for controlling the behavior of add-ins, including:
• Disable all application add-ins: Prevents all add-ins from running. Users are not notified that the add-ins are disabled.
• Require that application add-ins are signed by a trusted publisher: Checks for a digital signature on the file that contains the add-in. If the publisher has not been trusted, the program does not load the add-in, and the Message Bar displays a notification that the add-in has been disabled.
• Disable Message Bar Notification for unsigned application add-ins: Only relevant if you are requiring that add-ins have a digital signature. In some situations, the file that contains the add-in might be unsigned. In these cases, add-ins signed by a trusted publisher are enabled, but unsigned add-ins are disabled without providing users with any notification.
Macros
Several new settings exist for controlling the behavior of macros. The settings enable you to
control macros in the following ways:
• Disable Visual Basic for Applications: Disables Visual Basic for Applications for all Office applications.
• Configure macro warning settings: Specifies the conditions under which users are notified about macros. The following four options are available:
    • Always provide notification about macros.
    • Always provide notification for digitally signed macros only.
    • Do not provide notification and disable all macros.
    • Do not perform any security checks and allow all macros to run.
• Force encrypted macros to be scanned in Microsoft Office Open XML Formats documents: Specifies that macro security checks are performed in encrypted files that use the new Office Open XML Formats. This setting cannot be configured in the graphical user interface; you can configure it only by using Administrative Templates (.adm files) or by using the OCT. In addition, this setting is enabled by default: that is, encrypted macros in Office Open XML Formats documents are scanned by default.
The following table summarizes how various combinations of security settings in Microsoft Office 2003 compare to the new security settings in the 2007 Office system.
Office 2003 setting | 2007 Office system setting
Very High (Enabled); Trust all installed add-ins and templates (Enabled) | No warnings for all macros but disable all macros (Enabled)
Very High (Enabled); Trust all installed add-ins and templates (Disabled) | No warnings for all macros but disable all macros (Enabled); Disable all add-ins (Enabled)
Document Inspector
Document Inspector is a new privacy tool that can help users remove personal information and
hidden information from a document. Document Inspector is available by default in Office Excel
2007, Office PowerPoint 2007, and Office Word 2007, although each program uses a different set
of Inspector modules to remove different types of content. For example, Office Excel 2007 has an
Inspector module that enables users to remove hidden worksheets. Conversely, Office Word
2007 does not have that Inspector module because it is not relevant to Office Word 2007
documents.
Users can specify the type of content they want to remove from files, including:
• Comments, revision marks from tracked changes, versions, and ink annotations.
• Document properties and personal information (metadata).
• Headers, footers, and watermarks.
• Hidden text.
• Hidden rows, columns, and worksheets.
• Invisible content.
• Off-slide content.
• Presentation notes.
• Document server properties.
• Custom XML data.
You can enable and disable Inspector modules, but there are no administrative settings that
enable you to manage the way each Inspector module behaves. However, you can
programmatically create custom Inspector modules.
Note:
Documents in trusted locations have all external content enabled.
• If an ActiveX control is contained in a document that does not contain a VBA project, and
the ActiveX control is marked as Unsafe for Initialization (UFI), users are notified in the
Message Bar that an ActiveX control has been disabled. If a user clicks the Message Bar, a
dialog box appears asking whether the user wants to enable the ActiveX control. If the user
enables the ActiveX control, all ActiveX controls (those marked SFI and UFI) are loaded with
minimal restrictions.
• If an ActiveX control is contained in a document that also contains a VBA project, a
notification appears in the Message Bar informing users that an ActiveX control has been
disabled. If a user clicks the Message Bar, a dialog box appears asking whether the user
wants to enable the ActiveX control. If the user enables the ActiveX control, all ActiveX
controls (those marked SFI and UFI) are loaded with minimal restrictions.
Note:
If an ActiveX control is contained in a document that is saved in a trusted location, the
ActiveX control is enabled by default and users are not prompted to enable the ActiveX
control.
Macros that are not trusted are not allowed to run until a user clicks the Message Bar and
chooses to enable the macro. In the past, unsigned macros were disabled and users did not have
an option to enable them. This behavior is different in the 2007 Office system. Users are now
notified when a document contains an unsigned macro, and they can enable the macro if they
want to.
See Also
Overview of security planning for the 2007 Office system
Planning for security and protection in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179213.aspx)
Security and protection in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179127.aspx)
Overview of security planning for the 2007 Office system
The 2007 Microsoft Office system has many new security settings that can help you mitigate
threats to your organization's business resources and processes. In addition, the 2007 Office
system has many new privacy options that help you mitigate threats to users' private and
personal information. Determining which new settings and options are appropriate for your
organization can be a complex task involving numerous critical planning decisions. To help you
minimize the time spent planning settings and options, use the four-step security planning
process described in this article. This systematic decision-making approach is designed to help
you choose settings and options that maximize protection and productivity in your organization.
The security planning process is shown in the following figure.
• Plan document protection settings in the 2007 Office system
• Plan Internet Explorer feature control settings in the 2007 Office system
• Plan privacy options in the 2007 Office system
• Plan block file format settings in the 2007 Office system
See Also
Overview of security in the 2007 Office system
Planning for security and protection in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179213.aspx)
Choose a deployment tool for security settings and privacy options in the 2007 Office system
To create an effective security plan for the 2007 Microsoft Office system, you must first identify
the tools you are going to use to configure, deploy, and manage security settings in your
organization. In some cases, a single tool is adequate for configuring, deploying, and managing
settings. In other cases, you might need to use a combination of tools — one tool for configuring
and deploying an initial configuration, and one tool for managing settings on an ongoing basis.
Choosing the right tool is a critical step in the security planning process because it helps ensure
that the security settings you planned for are actually deployed and enforced throughout your
organization. It also helps ensure that you can modify security settings after the initial rollout,
enabling you to respond to sudden security threats.
Although you can use a wide range of tools and techniques to deploy and manage desktop
applications in enterprise environments, we recommend that you use only the Office
Customization Tool (OCT) and the 2007 Office system Group Policy Administrative Templates
(.adm files) to configure, deploy, and manage security settings in the 2007 Office system. Each
tool has different requirements and limitations, and provides different features and functionality.
Choosing the correct tool requires careful evaluation of your organization's existing deployment
and management infrastructure, your organization's security architecture, and your organization's
security needs. To determine which tool is appropriate for your organization, use the best
practices and recommendations that are provided in the following sections to evaluate each tool.
To use a configuration file to update or maintain existing installations, you perform the following
tasks:
1. Use the OCT graphical user interface to configure application settings in an existing or
new .msp file.
2. Save the new application settings in the .msp file.
3. Run Windows Installer on your client computer, using command-line parameters to
specify the .msp file that you want Windows Installer to use.
For more information about using the OCT, see Office Customization Tool in the 2007 Office
system (http://technet.microsoft.com/en-us/library/cc179097.aspx) and Customize the 2007 Office
system (http://technet.microsoft.com/en-us/library/cc179132.aspx).
Common scenarios
You can use the OCT and the Setup program to configure, deploy, and manage security settings
in many IT environments. The following sections describe scenarios in which the OCT and the
Setup program are particularly useful.
Unmanaged environments
The OCT is commonly used by organizations that do not centrally manage their desktop
applications or do not remotely manage their desktop environments. In these cases, you can use
the OCT and the Setup program to configure, deploy, and manage security settings without using
a remote administration tool such as Microsoft Systems Management Server 2003, or a policy-
based tool, such as Group Policy.
For computer policy settings:
• HKEY_LOCAL_MACHINE\Software\Policies (the preferred location)
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
For user policy settings:
• HKEY_CURRENT_USER\Software\Policies (the preferred location)
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
For more information about Administrative Templates, and Group Policy and OCT, see
Administrative Templates extension (http://technet.microsoft.com/en-us/library/cc759295.aspx),
and Office Customization Tool and Group Policy in Group Policy Overview
(http://technet.microsoft.com/en-us/library/cc179176.aspx). For more information about using
Administrative Templates to configure, deploy, and manage security settings, see Enforce settings
by using Group Policy in the 2007 Office system.
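An added audit script (not from the Resource Kit) that ties the policy registry roots listed above to the four macro warning options described under Macros: it parses a `reg export` of the policy hive and reports which macro warning level each Office 2007 application is enforced to, flagging the option that performs no security checks. It assumes the per-application Security key under Software\Policies\Microsoft\Office\12.0, the VBAWarnings value name and its number-to-option mapping, none of which the page itself gives.

```python
"""Audit an exported Office 2007 policy hive for enforced macro warning levels.

Assumptions (not stated on the page): the Administrative Templates write
<root>\Microsoft\Office\12.0\<App>\Security\VBAWarnings as a DWORD, with the
number-to-option mapping in VBA_WARNINGS below.
"""
import re
from typing import Dict, Optional, Tuple

# The four "Configure macro warning settings" options (names from the page;
# the value numbers are assumed).
VBA_WARNINGS = {
    2: "Always provide notification about macros",
    3: "Always provide notification for digitally signed macros only",
    4: "Do not provide notification and disable all macros",
    1: "Do not perform any security checks and allow all macros to run",
}
ALLOW_ALL = 1  # the one option that disables macro security checks entirely

# Per-application Security key under either preferred policy root.
_SECURITY_KEY = re.compile(
    r"^(?P<hive>HKEY_(?:CURRENT_USER|LOCAL_MACHINE))\\Software\\Policies"
    r"\\Microsoft\\Office\\12\.0\\(?P<app>\w+)\\Security$",
    re.IGNORECASE,
)
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, int]]:
    """Parse 'reg export' text into {key_path: {value_name: dword}}.

    Only DWORD values are kept; that is all the macro settings use.
    """
    keys: Dict[str, Dict[str, int]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m["name"]] = int(m["hex"], 16)
    return keys


def macro_policy_report(text: str) -> Dict[str, Tuple[str, int, str, bool]]:
    """Return {"<hive>/<app>": (hive, value, option text, is_weak)} for each
    application whose macro warning level is enforced by policy."""
    report: Dict[str, Tuple[str, int, str, bool]] = {}
    for key_path, values in parse_reg_export(text).items():
        m = _SECURITY_KEY.match(key_path)
        if not m or "VBAWarnings" not in values:
            continue  # not an Office 12.0 Security key, or level not enforced
        value = values["VBAWarnings"]
        option = VBA_WARNINGS.get(value, "unrecognized VBAWarnings value")
        hive = m["hive"].upper()
        report[f"{hive}/{m['app']}"] = (hive, value, option, value == ALLOW_ALL)
    return report


def load_reg_export(path: str) -> str:
    """Read a file written by 'reg export' (UTF-16 with a byte-order mark)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


# Constructed sample export (not taken from a real machine): Word limited to
# signed macros, Excel allowed to run everything, PowerPoint set to notify,
# plus one key that is not a Security key and must be ignored.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security]
"VBAWarnings"=dword:00000003

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common]
"SomethingElse"=dword:00000001
"""

if __name__ == "__main__":
    for name, (hive, value, option, weak) in sorted(macro_policy_report(SAMPLE_EXPORT).items()):
        flag = "  <-- allows all macros; review this policy" if weak else ""
        print(f"{name}: VBAWarnings={value} ({option}){flag}")
```

On a live machine, export the hive with `reg export HKCU\Software\Policies\Microsoft\Office\12.0 office12.reg` and pass the file through load_reg_export before calling macro_policy_report.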
Common scenarios
Group Policy can be used to configure, deploy, and manage security settings in many IT
environments. The following sections describe scenarios in which Administrative Templates are
particularly useful.
Managed environments
Administrative Templates are useful in organizations that use Group Policy to manage their
desktop environments. This is true whether you have deployed Active Directory and you manage
your desktop environment with domain-based Group Policy, or you do not have Active Directory
installed but you manage your desktop environment with local Group Policy.
Locked-down environments
Administrative Templates are useful in locked-down environments in which users have little
control over their desktop configuration. In this scenario, all security settings are deployed and
managed through Group Policy. Any security settings that are configured during initial setup are
overridden by the Group Policy settings.
Choosing a tool
The following table compares the features and capabilities of the two recommended tools that
you can use to configure security settings in the 2007 Office system. Use the information in the
table to evaluate each tool and determine which tool is most appropriate for your organization.
Features and capabilities                              Administrative Templates   OCT + Setup
Can be used to configure block file format settings.   Yes (all settings)         Yes (however, only one setting)
See Also
Overview of security planning for the 2007 Office system
Overview of security in the 2007 Office system
Evaluate security and privacy threats for the
2007 Office system
In this article:
• Overview of security threats
• Code and application threats
• Document threats
• External threats
• Internet Explorer threats
• Privacy threats
• Security vulnerabilities
A secure desktop configuration is an important part of any organization's defense-in-depth
strategy. But before you can plan for a secure desktop configuration that includes the 2007
Microsoft Office system, you need to understand which security threats are relevant to the 2007
Office system, and then identify which of those security threats pose a risk to your organization's
business assets or business processes. You also need to identify which privacy threats pose a
risk to users' personal and private information.
Overview of security threats
The security model for the 2007 Office system helps you mitigate six types of security threats.
Each of these security threats includes several threat agents and can be exploited by a broad
range of security attacks. The following figure shows security threats and examples of the most
common threat agents.
Most organizations face some potential risk from each of the six security threats. However, not
every organization faces the same threat agents and not every organization faces the same
security attacks or exploits. As a first step in planning a secure desktop configuration that includes
the 2007 Office system, use the guidance provided in the following sections to determine:
• Which of the six security threats are relevant.
• Which threat agents pose a potential risk.
• How attackers might exploit these threat agents.
Your organization should have several documents that can help you identify threats in your
organization, including threat models, security plans, and operations plans. In addition to the
documents that you rely on, be sure to consider the following as you evaluate security threats:
• Network security architecture (for example, perimeter network design, extranet design,
firewall design, and proxy server design).
• Physical security policies (for example, building access restrictions, document retention
policies, and laptop security policies).
• Privacy policies (for example, definitions of personal and private information).
• Authentication and authorization infrastructure (for example, how are customers,
vendors, or partners granted access to your network).
• Readiness plan for dealing with sudden security threats.
• Personal-use policies for e-mail and Internet access.
In addition, be sure to update your organization's existing threat model or security plan if you
identify new threats or new threat agents.
Document threats
Document threats occur when unauthorized users attempt to gain access to your organization's
documents or the information that is contained in your organization's documents. When
unauthorized attackers or intruders gain access to a document, the results can include the loss
of:
• Confidentiality (document data is no longer proprietary).
• Integrity (document data is altered or corrupted).
• Content (document data is missing).
Most organizations face document threats, although many organizations choose not to mitigate
document threats because the threat is perceived to be minimal or the administrative cost for
mitigating the threat is perceived to be high. Nevertheless, document threats pose a risk to your
organization when any of the following is true:
• Your organization's network security architecture cannot keep intruders or attackers from
gaining access to your internal network, which increases the risk that intruders or attackers
might gain access to your organization's documents.
• Your organization allows users to send, receive, or share proprietary documents over the
Internet, including financial data, project plans, presentations, or drawings.
• Your organization allows users to connect laptop computers to public networks, which
increases the risk that unidentifiable attackers might gain access to the documents that are
saved on users' laptop computers.
• Your organization allows users to take documents that contain proprietary information out
of the office.
• You believe there is a chance that unauthorized attackers or intruders can gain access to
documents containing proprietary information.
If document threats pose a risk to your organization, see Evaluate default security settings and
privacy options for the 2007 Office system to determine whether you need to change the
default security settings for mitigating document threats.
External threats
External threats include any threat agent that links a document to another document, a database,
or a Web site across an intranet or a public network, such as the Internet. External threats are
exploited through the following threat agents:
• Hyperlinks Attackers typically exploit this threat agent by creating hyperlinks to
untrusted documents or Web sites that contain malicious code or content.
• Data connections Attackers typically exploit this threat agent by creating a data
connection to a data source or database, and then using that data connection to maliciously
manipulate or extract data.
• Web beacons Attackers typically exploit this threat agent by embedding an invisible link
to a remote image in an e-mail message. When a user opens the e-mail message, the link
activates and downloads the remote image. In doing so, user information can be sent to the
remote computer, such as the user's e-mail address and the IP address of the user's
computer.
• Packager objects Attackers can exploit this threat agent by having an embedded
object execute malicious code.
External threats pose a risk if your organization:
• Provides users with unrestricted access to public networks, such as the Internet.
• Allows users to receive e-mail messages containing embedded images and HTML.
• Allows users to use data connections in spreadsheets or other documents.
If external threats pose a risk to your organization, see Evaluate default security settings and
privacy options for the 2007 Office system to determine whether you need to change the
default security settings for mitigating external threats.
Privacy threats
Privacy threats include any threat agent that discloses or reveals personal or private information
without the user's consent or knowledge. Privacy threats can be exploited through several threat
agents, but the most common threat agent is hidden document data, called metadata. Metadata
enables users to record or track document properties, such as author name, organization name,
document editing time, or document version number. Metadata can be removed from a
document, but when it is not, anyone opening the document has access to the metadata.
Privacy threats can also be exploited when a document contains supplemental content that is
considered confidential or proprietary, such as comments, revisions, annotations, custom XML
data, hidden text, watermarks, and header and footer information. Unless this content is removed
from a document, anyone who has access to the document also has access to the supplemental
content.
In addition to privacy threats, there are instances in which private information can be disclosed or
revealed by enabling or using various application features or functionality. Although these
features and functionality are not considered threat agents, they can reveal or disclose personal
or private information that your organization deems confidential or proprietary.
For more information about privacy, see the "Privacy Statement for the 2007 Microsoft Office
System," which you can access from the Trust Center by clicking Privacy Options, and then
clicking Read our privacy statement.
Most organizations face privacy threats or want to actively manage the disclosure of private or
personal information. See Evaluate default security settings and privacy options for the 2007
Office system to determine whether you need to change the default privacy options or whether
you need to change the default security settings for mitigating privacy threats.
Security vulnerabilities
A security vulnerability is a special type of security threat that is addressed by a software update,
such as a Microsoft security bulletin or a service pack. Security vulnerabilities can include a wide
range of threat agents, such as:
• Remote code execution
• Elevation of privilege
• Information disclosure
Malicious programmers and malicious users can exploit security vulnerabilities through various
security attacks. Until a security bulletin or a service pack is released to respond to the security
vulnerability, the vulnerability can pose a potential threat to your organization. If security
vulnerabilities pose a potential threat to your organization, see “Evaluate default security
settings for security vulnerabilities” in Evaluate default security settings and privacy
options for the 2007 Office system to determine whether you need to change the default
security settings for security vulnerabilities.
See Also
Overview of security in the 2007 Office system
Overview of security planning for the 2007 Office system
B. Planning 2007 Office System Security
Settings
Evaluate default security settings and
privacy options for the 2007 Office system
The default security and privacy settings in the 2007 Office system can help you to mitigate six
main types of security and privacy threats. Some default security settings and privacy options
might not be sufficient to mitigate the threats in your organization, and other default settings and
options might provide more stringent mitigation than your organization requires. In either case,
you might have to modify the default settings and options to suit your organization's security
needs and requirements.
To determine whether you need to modify any default settings or options, do the following:
• Use your threat evaluation to identify the threats that you need to mitigate in your
organization. If you have not already evaluated threats in your organization, see Evaluate
security and privacy threats for the 2007 Office system.
• Use the guidance provided in this article to evaluate the default settings and options for
each threat that is relevant to your organization, and determine whether the default settings
and options are adequate for your organization.
If the default settings and options for a given threat are not adequate for your organization, you
can then move to the last step of the security planning process, in which you plan security
settings and privacy options.
Default settings for ActiveX controls
The default settings for ActiveX controls can cause ActiveX controls to behave in four different
ways based on the characteristics of the ActiveX control itself and the characteristics of the
document that contains the ActiveX control.
• If a kill bit is set in the registry for an ActiveX control, the control is not loaded and cannot
be loaded in any circumstances. A kill bit is a feature that prevents controls that have a known
exploit from being loaded.
• If an ActiveX control is contained in a document that does not contain a VBA project, and
the ActiveX control is marked as Safe for Initialization (SFI), the ActiveX control is loaded in
safe mode with minimal restrictions (that is, with persisted values). The Message Bar does
not appear, and users do not get any notifications about the presence of ActiveX controls in
their documents. All ActiveX controls in the document must be marked as SFI to not generate
a notification.
• If an ActiveX control is contained in a document that does not contain a VBA project, and
the document contains ActiveX controls that are Unsafe for Initialization (UFI), users are
notified in the Message Bar that ActiveX controls have been disabled. If a user clicks the
Message Bar, a dialog box appears asking whether the user wants to enable the ActiveX
controls. If the user enables the ActiveX controls, all ActiveX controls (those marked SFI and
UFI) are loaded with minimal restrictions (that is, with persisted values).
• If an ActiveX control is contained in a document that also contains a VBA project, a
notification appears in the Message Bar informing users that ActiveX controls have been
disabled. If a user clicks the Message Bar, a dialog box appears asking whether the user
wants to enable ActiveX controls. If the user enables ActiveX controls, all ActiveX controls
(those marked SFI and UFI) are loaded with minimal restrictions (that is, with persisted
values).
If the default settings for ActiveX controls are suitable for your organization, you do not need to
plan security settings for ActiveX controls. On the other hand, you must plan security settings for
ActiveX controls if you want to do any of the following:
• Disable ActiveX controls.
• Allow all ActiveX controls to run without notifying users.
• Modify the way ActiveX controls are initialized based on SFI, UFI, and safe mode
parameters.
To learn more about ActiveX control security settings, and plan security settings for ActiveX
controls, see Plan security settings for ActiveX controls, add-ins, and macros in the 2007
Office System.
Default settings for add-ins
By default, any add-in that is installed and registered is allowed to run without user intervention or
warning. Installed and registered add-ins can include:
• Component Object Model (COM) add-ins.
• Smart tags.
• Automation add-ins.
• RealTimeData (RTD) servers.
• Application add-ins (for example, .wll, .xll, and .xlam files).
• XML expansion packs.
• XML style sheets.
This default behavior is equivalent to selecting the Trust all installed add-ins and templates
setting, which exists in earlier versions of the Microsoft Office system.
If the default settings for add-ins are suitable for your organization, you do not need to plan
security settings for add-ins. On the other hand, you must plan security settings for add-ins if you
want to do any of the following:
• Disable add-ins on a per-application basis.
• Require that add-ins are signed by a trusted publisher.
• Disable notifications for unsigned add-ins.
To learn more about add-in security settings and plan security settings for add-ins, see Plan
security settings for ActiveX controls, add-ins, and macros in the 2007 Office System.
Note:
You can configure trusted locations for only Microsoft Office Access 2007, Microsoft
Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and
Microsoft Office Word 2007.
The following list describes the default settings for trusted locations:
• Trusted locations are enabled.
• Users cannot designate network shares as trusted locations. However, users can change
this setting.
• Users can add folders to the Trusted Locations list.
• You can have a mix of user-defined and policy-defined trusted locations.
In addition, several folders are designated as trusted locations. The default folders for each
application are listed in the following tables. (Office Visio 2007 does not have any trusted
locations, by default.)
The following table lists the default trusted locations for Office Access 2007.
The following table lists the default trusted locations for Office Excel 2007.
The following table lists the default trusted locations for Office PowerPoint 2007.
The following table lists the default trusted locations for Office Word 2007.
If the default settings for trusted locations are suitable for your organization, you do not need to
plan security settings for trusted locations. However, you must plan security settings for trusted
locations if you want to do any of the following:
• Turn off trusted locations.
• Add folders to the Trusted Locations list on users' computers.
• Clear the Trusted Locations list on users' computers.
• Allow users to designate trusted locations on network shares.
• Prevent users from designating trusted locations on network shares.
• Prevent users from specifying trusted locations and manage trusted locations only
through Group Policy.
• Modify any of the default trusted locations.
To learn more about trusted location settings and plan security settings for trusted locations, see
Plan trusted locations and trusted publishers settings for the 2007 Office system.
Default settings for trusted publishers
Like previous Office releases, the 2007 Office system enables you to create a list of trusted
publishers. A publisher is any developer, software company, or organization that has created and
distributed an ActiveX control, add-in, or macro. A trusted publisher is any reputable publisher that
has been added to the Trusted Publishers list. By default, there are no publishers on the Trusted
Publishers list. However, there are several default settings that affect the way ActiveX controls
and macros behave when they are signed by a trusted publisher.
By default, ActiveX controls and macros that are signed by a publisher that is on the Trusted
Publishers list are enabled and will run without any warning if the following conditions are true:
• The ActiveX control or macro is signed with a digital signature.
• The digital signature is valid.
• This digital signature is current (not expired).
• The certificate associated with the digital signature was issued by a reputable certification
authority (CA).
If you do not intend to specify any trusted publishers or use the trusted publishers functionality,
you do not need to plan trusted publishers settings. However, you need to plan trusted publishers
settings if you want to add publishers to the list of trusted publishers. You also need to plan
trusted publishers settings if you require that all add-ins be signed by a trusted publisher. This is
because the 2007 Office system contains several add-ins that will not run unless you add the
appropriate Microsoft certificates to the trusted publishers list. To learn more about trusted
publishers settings and plan trusted publishers settings, see Plan trusted locations and trusted
publishers settings for the 2007 Office system.
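The four conditions above, checked for a set of add-in files, as an added example that is not part of the Office Resource Kit. It assumes the files passed in are the add-ins you want to audit; Get-AuthenticodeSignature and the Cert: drive are standard Windows PowerShell features, and a Status of Valid means the signature verifies and the certificate chains to a trusted CA.

```powershell
# Added example, not Microsoft's own code: report whether each file satisfies the
# trusted-publisher conditions (signed, signature valid, certificate current, CA
# trusted) and whether the signer is already on the current user's Trusted
# Publishers list.
function Test-TrustedPublisherSignature {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    # Thumbprints of every certificate already in the Trusted Publishers store
    $trusted = Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher |
        ForEach-Object { $_.Thumbprint }
    $now = Get-Date

    foreach ($file in $Path) {
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate
        $subject = $null
        if ($cert) { $subject = $cert.Subject }

        [pscustomobject]@{
            File             = $file
            # Condition 1: the file carries a digital signature at all
            Signed           = ($cert -ne $null)
            # Conditions 2 and 4: the signature verifies and the chain ends at a trusted CA
            Valid            = ($sig.Status -eq 'Valid')
            # Condition 3: the certificate is current (not expired, not yet-to-start)
            Current          = ($cert -ne $null -and $cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            # Already on the Trusted Publishers list?
            TrustedPublisher = ($cert -ne $null -and $trusted -contains $cert.Thumbprint)
            Subject          = $subject
            Status           = $sig.Status
        }
    }
}

# Usage (the folder is a placeholder; point it at the add-in files you want to audit):
# Get-ChildItem 'C:\Path\To\AddIns\*.dll' |
#     Select-Object -ExpandProperty FullName |
#     Test-TrustedPublisherSignature | Format-Table -AutoSize
```

A file that is Signed, Valid and Current but not TrustedPublisher is one whose signer still has to be added to the list before the add-in runs without a prompt.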
If the default settings for macros are suitable for your organization, you do not need to plan
security settings for macros. However, you must plan security settings for macros if you want to
do any of the following:
• Make VBA unavailable.
• Make macros unavailable.
• Allow programmatic access to the VBA project.
• Modify the way users are notified about macros.
• Prevent encrypted macros from being scanned for viruses in Office Open XML Formats
files. By default, encrypted macros are scanned in Office Open XML Formats files.
• Change the way macros run when an application is started by Automation.
To learn more about macro security settings and plan security settings for macros, see Plan
security settings for ActiveX controls, add-ins, and macros in the 2007 Office System.
Note:
Information Rights Management (IRM) can also be used to help mitigate document
threats.
By default, Office Excel 2007, Office PowerPoint 2007, and Office Word 2007 use the following
settings when a user encrypts a document:
• For documents that are saved in the Office Open XML Formats, the cryptographic service
provider (CSP) is:
• Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype) on the
Microsoft Windows XP Professional operating system.
• Microsoft Enhanced RSA and AES Cryptographic Provider on the Windows Vista
operating system.
In both cases, the cryptographic algorithm is AES-128, and the cryptographic key length is
128-bit.
• For documents that are saved in the Office 97-2003 format, the Office 97/2000–
compatible encryption method is used, which is a proprietary encryption method.
Additionally, Office OneNote 2007 uses the following default encryption settings:
• Notes are encrypted by using a Triple Data Encryption Standard (DES) algorithm with a
192-bit key length. You cannot change the cryptographic algorithm or the key length that
Office OneNote 2007 uses to encrypt notes.
• Encrypted text that is idle for 10 minutes automatically locks and cannot be viewed until a
user enters a password and unlocks the text. Text is considered to be idle if a user does not
navigate to the text or edit the text.
• Add-ins are allowed to access sections of text that have been unlocked by a user.
• Users can create new encrypted sections of text, and they can encrypt existing sections
of text.
If the default encryption settings are suitable for your organization, you do not need to plan
security settings for document threats. However, you must plan security settings for document
threats if you want to do any of the following:
• Change the default CSP, cryptographic algorithm, or key length that is used by Office
Excel 2007, Office PowerPoint 2007, and Office Word 2007.
• Change the way Office OneNote 2007 behaves when sections of text are encrypted.
To learn more about document threat settings and plan security settings for document threats,
see Plan document protection settings in the 2007 Office system.
Note:
Links to external content are unblocked (that is, enabled) in documents that are stored in
trusted locations. Therefore, you need to evaluate the default settings for trusted
locations to determine whether the settings are adequate for protecting external threats.
See Default settings for trusted locations earlier in this article.
If the default external threat settings are suitable for your organization, you do not need to plan
security settings for external threats. However, you must plan security settings for external threats
if you want to do any of the following:
• Disable hyperlink warnings.
• Allow images to be downloaded automatically in Office PowerPoint 2007.
To learn more about external threat settings and plan security settings for external threats, see
Plan external content settings in the 2007 Office system.
Evaluate default privacy options
The 2007 Office system contains several settings that can help you mitigate privacy threats and
control the disclosure of private and personal information. The default settings are as follows:
• Document Inspector is enabled. Document Inspector is a new tool that helps users
mitigate privacy threats by removing metadata, revisions, comments, custom XML tags, and
other potentially private and personal content from a document. Document Inspector is
extensible and can be programmatically modified to suit the privacy needs of your
organization.
• Metadata is protected in an encrypted document. When a user encrypts a document
with the password protection feature, the metadata in the document is encrypted. This setting
applies only to Office Open XML Formats files.
• Metadata is not protected in a rights-managed document. When a user applies
restricted permissions to a document by using Information Rights Management (IRM), the
permissions do not apply to the metadata and the metadata is not encrypted. This setting
applies only to Office Open XML Formats files.
• The option to participate in the Customer Experience Improvement Program is not
selected. The Customer Experience Improvement Program allows Microsoft to automatically
and anonymously collect information from a user's computer, including the error messages
that are generated by the software, the kind of equipment that is installed in the computer,
whether the computer is having any difficulty running Microsoft software, and whether the
hardware and software responds well and performs rapidly.
• The option to download a file periodically that helps determine system problems is
not selected. This setting allows computers to receive updates that can help improve
application reliability by detecting when a computer becomes unstable or crashes and by
automatically running the Microsoft Office Diagnostics tool to help diagnose and repair the
problem. This setting also allows Microsoft to ask users to send error reports for certain types
of error messages that might appear.
• The online content options setting is selected. This setting allows the Help system to
automatically search Microsoft Office Online when users access online Help. It also allows
users to see links to content that is on the Web and it allows the downloading of updated
content. Note: This setting is not selected by default in the French, German, and Italian
versions of the 2007 Office system.
If the default privacy options are suitable for your organization, you do not need to plan privacy
options. However, you must plan privacy options if you want to do any of the following:
• Make unavailable any Inspector modules that are used by Document Inspector.
• Protect metadata in documents that are rights-managed.
• Enforce participation in the Customer Experience Improvement Program.
• Enforce the periodic downloading of updates that improve reliability.
• Configure privacy options for Office PowerPoint 2007 or Office Word 2007.
• Prevent users from searching Microsoft Office Online and receiving Help updates when
they access the online Help.
• Suppress the Privacy Options dialog box that appears the first time users run an
application in the 2007 Office system.
• Suppress the first-run Sign up for Microsoft Update dialog box that appears the first
time users start an application in the 2007 Office system.
To learn more about privacy options and plan privacy options, see Plan privacy options in the
2007 Office system.
See Also
Overview of security in the 2007 Office system
Overview of security planning for the 2007 Office system
Plan trusted locations and trusted publishers
settings for the 2007 Office system
In this article:
• Plan for trusted locations
• Plan for trusted publishers
The trusted locations feature of the 2007 Microsoft Office system enables you to designate
folders on the hard disks of users' computers or on a network share as trusted file sources. When
a folder is designated as a trusted file source, any file that is saved in the folder is assumed to be
a trusted file. When a trusted file is opened, all content in the file is enabled and active, and users
are not notified about any potential risks that might be contained in the file, such as unsigned
macros, ActiveX controls, or links to content on the Internet.
In addition to trusted locations, you can use the Trusted Publishers list to designate content
publishers that you trust. A publisher is any developer, software company, or organization that has
created and distributed an ActiveX control, add-in, or macro. A trusted publisher is any publisher
that has been added to the Trusted Publishers list. When a file is opened, and the file contains
content that is created by a trusted publisher, all of the content is enabled and active and users
are not notified about any potential risks that might be contained in the file.
To plan for trusted locations and trusted publishers, use the best practices and recommended
guidelines in the following sections.
Disabling trusted locations
To disable trusted locations, configure the trusted locations settings as recommended in the
following table.
Setting name: Disable all trusted locations
Recommended configuration: Select this option: Disabled
Description: By default, trusted locations are enabled. Selecting this option disables all trusted
locations, including trusted locations that were:
• Created by default during setup.
• Created by users through the graphical user interface.
• Deployed through Group Policy.
Enabling this option prevents users from configuring trusted locations settings in the Trust
Center. This is not a global setting; you must select this option on a per-application basis for
Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007,
Microsoft Office Visio 2007, and Microsoft Office Word 2007.
In addition, you must use the guidelines in the following sections if you want to:
• Use environment variables to specify trusted locations.
• Specify Web folders (that is, http:// paths) as trusted locations.
Important:
You cannot use environment variables when you specify trusted locations by using Group
Policy. You can use environment variables to specify trusted locations only by using the
Office Customization Tool (OCT).
To use environment variables to specify trusted locations, do the following:
1. Use the Registry Editor to locate the trusted location that is represented by an
environment variable.
Trusted locations that are configured by using the OCT are stored in the following location:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\application_name\Security\Trusted Locations
where application_name can be Access, Excel, PowerPoint, Visio, or Word.
Trusted locations are stored in registry entries named Path, and they are stored as String
Value (REG_SZ) value types. Be sure to locate each Path entry that uses environment
variables to specify a trusted location.
2. Change the Path value type.
Applications in the 2007 Office system cannot recognize environment variables that are
stored as String Value (REG_SZ) value types. For applications to recognize environment
variables, you must change the value type of the Path entry so it is an Expandable String
Value (REG_EXPAND_SZ) value type. To do this, perform the following steps:
Note:
Incorrectly editing the registry might severely damage your system. Before making
changes to the registry, you should back up any valued data on the computer.
a. Write down or copy the value of the Path entry. This should be a relative path that
contains one or more environment variables.
b. Delete the Path entry.
c. Create a new Path entry of type Expandable String Value (REG_EXPAND_SZ).
d. Modify the new Path entry so that it has the same value that you wrote down or
copied in the first step.
Be sure to make this change for each Path entry that uses environment variables to specify a
trusted location.
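The steps above as a script, added here as an example and not part of the Office Resource Kit. It assumes the registry location given in the text (HKCU: as the PowerShell drive) and that each OCT-created trusted location is its own subkey holding a Path value; the application names are the five listed in the text.

```powershell
# Added example, not Microsoft's own code: recreate every trusted-location Path
# entry that embeds an environment variable as REG_EXPAND_SZ (steps a-d above).
# Run with -WhatIf first to preview; back up the keys before applying, as the
# Note in the text advises.
$apps = 'Access', 'Excel', 'PowerPoint', 'Visio', 'Word'

function Convert-TrustedLocationPath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Applications = $apps)

    foreach ($app in $Applications) {
        $base = "HKCU:\Software\Microsoft\Office\12.0\$app\Security\Trusted Locations"
        if (-not (Test-Path -Path $base)) { continue }   # no OCT-created locations for this app

        # Assumption: one subkey per trusted location, each with a Path value
        foreach ($key in Get-ChildItem -Path $base) {
            # Read the raw value without expanding %VAR% references
            $path = $key.GetValue('Path', $null, 'DoNotExpandEnvironmentNames')
            if ($path -eq $null) { continue }

            # Only entries that contain environment variables need the new value type
            if ($path -notmatch '%[^%]+%') { continue }
            if ($key.GetValueKind('Path') -eq [Microsoft.Win32.RegistryValueKind]::ExpandString) {
                continue   # already REG_EXPAND_SZ
            }

            $regPath = $key.PSPath
            if ($PSCmdlet.ShouldProcess("$regPath\Path", "Recreate as REG_EXPAND_SZ, value '$path'")) {
                # Steps a-d: keep the value, delete the REG_SZ entry, recreate it as REG_EXPAND_SZ
                Remove-ItemProperty -Path $regPath -Name 'Path'
                New-ItemProperty -Path $regPath -Name 'Path' -Value $path `
                    -PropertyType ExpandString | Out-Null
                [pscustomobject]@{ Application = $app; Key = $key.PSChildName; Path = $path }
            }
        }
    }
}

# Preview, then apply:
# Convert-TrustedLocationPath -WhatIf
# Convert-TrustedLocationPath
```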
Note:
Sites that are created with Windows SharePoint Services 3.0 and Microsoft Office
SharePoint Server 2007 can be designated as trusted locations.
need to modify files; and grant more restrictive permissions to those users who need only to
read files.
Setting name: Allow mix of policy and user locations
Recommended configuration: Select this option: Disabled
Description: By default, a computer can have a combination of user-created, OCT-created, and
Group Policy-created trusted locations. Selecting this option disables all trusted locations that
are not created by Group Policy and prevents users from creating new trusted locations through
the graphical user interface in the Trust Center. This is a global setting that applies to all
applications for which you configure trusted locations.
Setting name: Allow Trusted Locations not on the computer
Recommended configuration: Select this option: Disabled
Description: By default, trusted locations that are network shares are disabled, but users can
still select the Allow Trusted Locations on my network check box in the Trust Center graphical
user interface. Selecting this option disables trusted locations that are network shares and
prevents users from selecting the Allow Trusted Locations on my network check box in the Trust
Center graphical user interface. If you specify Disabled, and a user attempts to designate a
network share as a trusted location, a warning informs the user that the current security settings
do not allow the creation of trusted locations with remote paths or network paths. If an
administrator designates a network share as a trusted location through Group Policy or by using
the OCT, and this setting is Disabled, the trusted location is disabled and will not be recognized
by an application. This is not a global setting; you must configure this setting on a
per-application basis for Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office
Visio 2007, and Office Word 2007.
48
Note:
You can also use the Remove all trusted locations written by the OCT during
installation setting to delete all trusted locations that have been created by configuring
the OCT. For more information about this setting, see Security policies and settings in
the 2007 Office system.
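The following Windows PowerShell script is an added example, not part of the Resource Kit content. It applies the two recommended settings above through their policy registry values and then lists the trusted locations that those settings silently disable: every location that Group Policy did not create, and every location whose path is a UNC path or a mapped network drive. The registry value names are assumptions that this page does not state: Allow User Locations under HKCU:\Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations for the global setting, and AllowNetworkLocations under HKCU:\Software\Policies\Microsoft\Office\12.0\<Application>\Security\Trusted Locations for the per-application setting. Treating a mapped drive as a remote path is also an assumption.

```powershell
# Added example, not from the Office Resource Kit. Registry value names and the
# mapped-drive rule are assumptions, not taken from this page.

$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\12.0'
$UserRoot   = 'HKCU:\Software\Microsoft\Office\12.0'
$TrustedLocationApps = @('Access', 'Excel', 'PowerPoint', 'Visio', 'Word')

function Set-TrustedLocationPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Applications = $TrustedLocationApps)

    # Allow mix of policy and user locations = Disabled (global setting)
    $common = Join-Path $PolicyRoot 'Common\Security\Trusted Locations'
    if ($PSCmdlet.ShouldProcess($common, "Set 'Allow User Locations' = 0")) {
        New-Item -Path $common -Force | Out-Null
        New-ItemProperty -Path $common -Name 'Allow User Locations' -Value 0 `
            -PropertyType DWord -Force | Out-Null
    }
    # Allow Trusted Locations not on the computer = Disabled (per application)
    foreach ($app in $Applications) {
        $key = Join-Path $PolicyRoot "$app\Security\Trusted Locations"
        if ($PSCmdlet.ShouldProcess($key, 'Set AllowNetworkLocations = 0')) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'AllowNetworkLocations' -Value 0 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Test-RemotePath {
    param([string]$Path)
    if ($Path -like '\\*') { return $true }                  # UNC path
    if ($Path -match '^([A-Za-z]):') {                        # drive letter: mapped share?
        $drive = New-Object System.IO.DriveInfo($matches[1])
        return ($drive.DriveType -eq [System.IO.DriveType]::Network)
    }
    return $false
}

function Get-SilentlyDisabledTrustedLocations {
    # Lists locations that will stop being trusted once both settings are Disabled,
    # so they can be recreated through Group Policy or on local storage before deployment.
    param([string[]]$Applications = $TrustedLocationApps)
    $sources = @{ 'User or OCT' = $UserRoot; 'Group Policy' = $PolicyRoot }
    foreach ($source in $sources.Keys) {
        foreach ($app in $Applications) {
            $root = Join-Path $sources[$source] "$app\Security\Trusted Locations"
            if (-not (Test-Path $root)) { continue }
            foreach ($key in Get-ChildItem -Path $root) {
                $path = [string]$key.GetValue('Path')
                if (-not $path) { continue }
                $path = [Environment]::ExpandEnvironmentVariables($path)
                $reasons = @()
                if ($source -eq 'User or OCT') {
                    $reasons += 'not created by Group Policy (Allow mix disabled)'
                }
                if (Test-RemotePath $path) {
                    $reasons += 'remote or network path (network locations disabled)'
                }
                if ($reasons.Count -eq 0) { continue }
                New-Object PSObject -Property @{
                    Application = $app; Source = $source; Path = $path
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SilentlyDisabledTrustedLocations | Format-Table Application, Source, Path, Reason -AutoSize
Set-TrustedLocationPolicy -WhatIf
```

Run the report before the policy change: an OCT-created location that a line-of-business solution depends on disappears without any message to the user once Allow mix of policy and user locations is Disabled, so it must be recreated as a Group Policy location first.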
Alternately, you can use this procedure to determine which certificates you need and then create
them from within Microsoft Office Word 2007.
Note:
SmartTags will be enabled again after you close and then restart Word.
b. On the Security Warning bar, click Options.
4. On the Security Alerts – Multiple Issues window, install each certificate to the
Trusted Publishers list by performing the following steps for each add-in that shows a
valid digital signature:
Note:
If you did not disable SmartTags in the previous step, you will see a different
window from which you will not be able to install certificates.
a. Click Show Signature Details.
b. In the Digital Signature Details window, click View Certificate.
c. In the Certificate window, click Install Certificate.
d. In the Certificate Import Wizard, click Next, click Place all certificates in the
following store, click Browse, click Trusted Publishers, click OK, click Next, and
then click Finish.
5. Prepare the certificate files for distribution:
a. In the Trusted Publishers box (click the Microsoft Office Button, click Word
Options, click Trust Center, click Trust Center Settings, and then click Trusted
Publishers), view the certificates that you installed.
b. For each certificate, double-click the certificate and then perform the following
steps:
a. In the Certificate window, on the Details tab, click Copy to File.
b. In the Certificate Export Wizard, click Next, and then click Next again to accept
the default file format, enter a file name, select a location to store the file, and then
click Finish.
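The following Windows PowerShell script is an added example, not part of the Resource Kit content. It does what steps 4 and 5 above do through the graphical user interface: it exports every certificate in the current user's Trusted Publishers store (the store the Trust Center lists) to a DER-encoded .cer file for distribution, and imports a folder of such files on a target computer. It uses the .NET X509Store class rather than a PowerShell certificate cmdlet so that it runs on the Windows XP and Windows Vista releases that the 2007 Office system targets. The file naming scheme and the idea of pinning an approved thumbprint list are this example's own choices, not something the page prescribes.

```powershell
# Added example, not from the Office Resource Kit. Export and import of Trusted
# Publishers certificates for the current user. The approved-thumbprint check is
# this example's addition.

$storeName = 'TrustedPublisher'

function Export-TrustedPublishers {
    # Equivalent of Copy to File with the wizard's default (DER encoded binary X.509).
    param([Parameter(Mandatory = $true)][string]$OutputFolder)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        if (-not (Test-Path $OutputFolder)) { New-Item -ItemType Directory -Path $OutputFolder | Out-Null }
        foreach ($cert in $store.Certificates) {
            $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            $file  = Join-Path $OutputFolder ("{0}.cer" -f $cert.Thumbprint)
            [System.IO.File]::WriteAllBytes($file, $bytes)
            New-Object PSObject -Property @{
                Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
                NotAfter = $cert.NotAfter; File = $file
            }
        }
    } finally { $store.Close() }
}

function Import-TrustedPublishers {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$InputFolder,
        # Thumbprints you approved when you reviewed the certificates in step 4.
        # Anything else in the folder is refused, so a stray .cer cannot become a
        # trusted publisher just by being copied into the distribution share.
        [string[]]$ApprovedThumbprints
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'CurrentUser')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        foreach ($file in Get-ChildItem -Path $InputFolder -Filter *.cer) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
            if ($ApprovedThumbprints -and ($ApprovedThumbprints -notcontains $cert.Thumbprint)) {
                Write-Warning "Skipping $($file.Name): thumbprint $($cert.Thumbprint) is not approved"
                continue
            }
            if ($cert.NotAfter -lt (Get-Date)) {
                Write-Warning "$($file.Name): certificate expired on $($cert.NotAfter)"
            }
            if ($PSCmdlet.ShouldProcess($cert.Subject, "Add to CurrentUser\$storeName")) {
                $store.Add($cert)   # adding a certificate that is already present is a no-op
            }
        }
    } finally { $store.Close() }
}

# On the reference computer, after step 4:
$exported = Export-TrustedPublishers -OutputFolder 'C:\Deploy\TrustedPublishers'
$exported | Format-Table Subject, Thumbprint, NotAfter -AutoSize
# On a target computer, with the approved thumbprints recorded in your planning documents:
Import-TrustedPublishers -InputFolder 'C:\Deploy\TrustedPublishers' `
    -ApprovedThumbprints ($exported | ForEach-Object { $_.Thumbprint }) -WhatIf
```

The import writes to the current user's store, which is what the Certificate Import Wizard does in step 4d; to trust a publisher for every user on a computer, use the Trusted Publishers certificate store under Public Key Policies in Group Policy instead of running the import per user.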
See Also
Evaluate default security settings and privacy options for the 2007 Office system
Configure trusted locations and trusted publishers settings in the 2007 Office system
Plan security settings for ActiveX controls,
add-ins, and macros in the 2007 Office
system
The 2007 Microsoft Office system contains several settings that enable you to change the
behavior of ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros. To plan for
ActiveX controls, add-ins, and macros, use the best practices and recommended guidelines in the
following sections:
• Plan security settings for ActiveX controls
• Plan security settings for add-ins
• Plan security settings for macros
To disable ActiveX controls, configure any one of the settings as recommended in the following
table.
Setting name: Unsafe ActiveX initialization
Recommended configuration: Select this configuration: Do not prompt and disable all controls
Description: By default, the Unsafe ActiveX initialization setting is Prompt user to use
persisted data. When you select Do not prompt and disable all controls, all ActiveX controls
are disabled and are not initialized when a user opens a file containing ActiveX controls. In
addition, users are not notified that ActiveX controls are disabled. This setting exists only in
the OCT. This setting applies only to applications in the 2007 Office system. This setting
does not disable ActiveX controls in files that are opened by earlier versions of Office.
Note:
ActiveX controls cannot be disabled in files that are saved in trusted locations. When a
file is opened from a trusted location, all active content in the file is initialized and allowed
to run without notification even if you disable ActiveX controls.
If you disable ActiveX controls, be sure that you:
• Notify users that ActiveX controls are disabled and that no notifications will appear when
they open files that contain disabled ActiveX controls.
• Test the effect that disabling ActiveX controls might have on your organization. Because
many Office solutions are built with ActiveX controls, disabling ActiveX controls can cause
unexpected behavior and prevent applications from working properly.
• Record the settings in your security planning documents and in your security operations
documents.
Important:
We do not recommend that you allow ActiveX controls to initialize and run without
warning in a production environment. Allowing ActiveX controls to initialize and run
without warning can substantially increase your risk of attack and potentially weaken your
organization's security.
To allow ActiveX controls to initialize and run without notification, configure any one of the settings
as recommended in the following table.
Setting name: Unsafe ActiveX initialization
Recommended configuration: Select this configuration: Do not prompt
Description: By default, the Unsafe ActiveX initialization setting is Prompt user to use
persisted data. When you select Do not prompt, all ActiveX controls are enabled and are
initialized with minimal restrictions (that is, persisted values) when a user opens a file
containing ActiveX controls. Also, users are not notified that ActiveX controls are enabled,
and ActiveX controls that are SFI are not enabled in safe mode. This setting exists only in
the OCT. This setting applies to the 2007 Office system and earlier versions of Office.

Setting name: ActiveX Control Initialization
Recommended configuration: Select this configuration: 2
Description: By default, this setting has a value of 6. When you change this to 2, SFI and
UFI controls are initialized with minimal restrictions (that is, with persisted values). If
persisted values are not available, the controls are initialized with default values by using
the InitNew method. SFI controls are initialized in safe mode, and users are not notified that
ActiveX controls are enabled. This setting can be configured only with the 2007 Office
system Administrative Templates (.adm files). This setting applies to the 2007 Office system
and earlier versions of Office.
For a list of all configurations, see the 2007 Microsoft Office Security Guide (Threats and
Countermeasures: Security Settings in the 2007 Office System) (http://go.microsoft.com/?
linkId=7711534).
If you allow all ActiveX controls to initialize and run without notification, be sure that you:
• Notify users that ActiveX controls are enabled and that no notifications will appear when
they open files that contain ActiveX controls.
• Record the settings in your security planning documents and in your security operations
documents.
Modify the way ActiveX controls are initialized based on SFI and
UFI parameters
The 2007 Office system provides several settings that enable you to control the way ActiveX
controls are initialized based on SFI, UFI, and safe-mode parameters. SFI, UFI, and safe mode
are parameters that developers can configure when they create ActiveX controls. ActiveX controls
that are marked SFI use safe data sources to initialize. A safe data source is one that is trusted,
known, and does not cause a security breach. Controls that are not marked SFI are considered to
be UFI.
Safe mode is another security mechanism that developers can use to help ensure the safety of
ActiveX controls. When a developer creates an ActiveX control that implements safe mode, the
control can be initialized in two ways: in safe mode and in unsafe mode. When an ActiveX control
is initialized in safe mode, certain restrictions that limit functionality are imposed on the control.
Conversely, when an ActiveX control is initialized in unsafe mode, there are no restrictions on its
functionality. For example, an ActiveX control that reads and writes files might only be allowed to
read files if it is initialized in safe mode, and it might be able to read and write files when it is
initialized in unsafe mode. Only ActiveX controls that are SFI can be initialized in safe mode.
ActiveX controls that are UFI are always initialized in unsafe mode.
By default, ActiveX controls are initialized as follows in the 2007 Office system:
• If a file contains a VBA project, users are prompted to enable or disable the ActiveX
controls that are in the file. If users choose to enable the ActiveX controls, all SFI and UFI
controls are initialized with minimal restrictions (that is, with persistent values). If persistent
values are not available, the controls are initialized with default values by using the InitNew
method. SFI controls are initialized in safe mode.
• If the file does not contain a VBA project, and the file contains only SFI controls, the SFI
controls are initialized with minimal restrictions (that is, with persistent values). If persistent
values are not available, the controls are initialized with default values by using the InitNew
method. SFI controls are initialized in safe mode.
• If the file does not contain a VBA project, and the file contains both SFI and UFI controls,
users are prompted to enable or disable the ActiveX controls that are in the file. If users
choose to enable the ActiveX controls, SFI controls are initialized with minimal restrictions
(that is, with persistent values), and UFI controls are initialized with default values by using
the InitNew method. SFI controls are initialized in safe mode.
If this default behavior is not adequate for your organization but you do not want to disable
ActiveX controls, you can strengthen the way ActiveX controls are initialized by forcing UFI
controls to be initialized with default values instead of minimal restrictions when a file contains a
VBA project. To do this, configure either of the following settings as recommended in the following
table.
Setting name: Unsafe ActiveX initialization
Recommended configuration: Select this configuration: Prompt user to use control defaults
Initialization behavior when a VBA project is present: Prompts users to enable or disable
controls. If a user enables controls, SFI controls are initialized with minimal restrictions
(that is, with persisted values), and UFI controls are initialized with default values by using
the InitNew method. SFI controls are initialized in safe mode. This setting exists only in the
OCT. This setting applies to the 2007 Office system and earlier versions of Office.
Initialization behavior when no VBA project is present: If the file contains only SFI
controls, SFI controls are initialized with minimal restrictions (that is, with persisted
values). If persisted values are not available, SFI controls are initialized with default values
by using the InitNew method. SFI controls are initialized in safe mode. Users are not
prompted to enable controls. If the file contains UFI controls, users are prompted to enable
or disable controls. If a user enables controls, SFI controls are initialized with minimal
restrictions and UFI controls are initialized with default values by using the InitNew
method. SFI controls are initialized in safe mode.

Setting name: ActiveX Control Initialization
Recommended configuration: Select this configuration: 4
Initialization behavior when a VBA project is present: Same as the behavior for the Unsafe
ActiveX initialization setting.
Initialization behavior when no VBA project is present: Same as the behavior for the
Unsafe ActiveX initialization setting.
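The following Windows PowerShell script is an added example, not part of the Resource Kit content. It supports the "test the effect" step above: before you change how ActiveX controls are initialized, it inventories Office Open XML files, reports whether each contains a VBA project and which ActiveX controls, classifies every control as SFI or UFI, and states which of the three default cases listed above applies to the file. The following details are assumptions that this page does not state: ActiveX parts carry the content type application/vnd.ms-office.activeX+xml and a classid attribute in the namespace http://schemas.microsoft.com/office/2006/activeX; the VBA project part carries the content type application/vnd.ms-office.vbaProject; and a control is treated as SFI when its CLSID registers the "safe for initializing" component category {7DD95802-9882-11CF-9FA9-00AA006C42C4}. A control that declares safety only through IObjectSafety at run time is not visible to this registry check and is reported as UFI, so the report errs toward prompting. System.IO.Packaging requires the .NET Framework 3.0 (WindowsBase).

```powershell
# Added example, not from the Office Resource Kit. Content types, namespace and
# category GUID are assumptions; see the lead-in.

Add-Type -AssemblyName WindowsBase

$SafeForInitializingCategory = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'
$ActiveXNamespace = 'http://schemas.microsoft.com/office/2006/activeX'

function Test-ControlSafeForInitializing {
    param([Parameter(Mandatory = $true)][string]$ClassId)
    $category = "Registry::HKEY_CLASSES_ROOT\CLSID\$ClassId\Implemented Categories\$SafeForInitializingCategory"
    return (Test-Path -LiteralPath $category)
}

function Get-OfficeActiveContent {
    param([Parameter(Mandatory = $true)][string]$Path)
    $package = [System.IO.Packaging.Package]::Open($Path,
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
    $hasVba = $false
    $controls = @()
    try {
        foreach ($part in $package.GetParts()) {
            switch ($part.ContentType) {
                'application/vnd.ms-office.vbaProject' { $hasVba = $true }
                'application/vnd.ms-office.activeX+xml' {
                    $stream = $part.GetStream()
                    try {
                        $xml = New-Object System.Xml.XmlDocument
                        $xml.Load($stream)
                        $classId = $xml.DocumentElement.GetAttribute('classid', $ActiveXNamespace)
                    } finally { $stream.Close() }
                    $sfi = $false
                    if ($classId) { $sfi = Test-ControlSafeForInitializing -ClassId $classId }
                    $controls += New-Object PSObject -Property @{
                        Part = $part.Uri.ToString(); ClassId = $classId; Sfi = $sfi }
                }
            }
        }
    } finally { $package.Close() }

    $ufiCount = @($controls | Where-Object { -not $_.Sfi }).Count
    # The three default cases described above, in the same order.
    if ($controls.Count -eq 0) {
        $behaviour = 'No ActiveX controls'
    }
    elseif ($hasVba) {
        $behaviour = 'VBA project: user prompted; if enabled, SFI and UFI use persisted values, SFI in safe mode'
    }
    elseif ($ufiCount -eq 0) {
        $behaviour = 'SFI only, no VBA: initialized silently with persisted values, in safe mode'
    }
    else {
        $behaviour = 'UFI present, no VBA: user prompted; if enabled, UFI controls get InitNew defaults'
    }
    New-Object PSObject -Property @{
        File = $Path; HasVbaProject = $hasVba; Controls = $controls.Count
        UfiControls = $ufiCount; DefaultBehaviour = $behaviour; Details = $controls
    }
}

function Get-OfficeActiveContentReport {
    # Walks a folder; files that are not Open XML packages (for example .doc) are skipped.
    param([Parameter(Mandatory = $true)][string]$Folder)
    Get-ChildItem -Path $Folder -Recurse -Include *.docx, *.docm, *.dotm, *.xlsx, *.xlsm, *.pptx, *.pptm |
        ForEach-Object {
            $file = $_.FullName
            try { Get-OfficeActiveContent -Path $file }
            catch { Write-Warning "$file : $($_.Exception.Message)" }
        }
}

Get-OfficeActiveContentReport -Folder '\\fileserver\departments' |
    Where-Object { $_.Controls -gt 0 } |
    Format-Table File, HasVbaProject, Controls, UfiControls, DefaultBehaviour -AutoSize
```

Files in the "UFI present, no VBA" and "VBA project" rows are the ones whose users see a prompt today and that stop working silently under Do not prompt and disable all controls; those are the solutions to test first.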
You can configure ActiveX control settings to accommodate many more security scenarios. For
more information about ActiveX control settings in the 2007 Office system, including descriptions
of all settings and a comparison of OCT, Group Policy, and Trust Center settings, see Security
policies and settings in the 2007 Office system. For more information about configuring
ActiveX control settings, see Configure security settings for ActiveX controls, add-ins, and
macros in the 2007 Office system.
Plan security settings for add-ins
The 2007 Office system provides several settings that enable you to change the way add-ins
behave. Add-ins, also known as application extensions, are supplemental programs or
components that extend the functionality of applications. Add-ins must be installed and registered,
and can include:
• Component Object Model (COM) add-ins.
• Smart tags.
• Automation add-ins.
• RealTimeData (RTD) servers.
• Application add-ins (for example, .wll, .xll, and .xlam files).
• XML expansion packs.
• XML style sheets.
By default, installed and registered add-ins are allowed to run without notification. However, you
can use the security settings for add-ins to change this behavior. Specifically, you can:
• Disable add-ins on a per-application basis.
• Require that add-ins are signed by a trusted publisher.
• Disable notifications for unsigned add-ins.
To disable add-ins, configure either of the settings as recommended in the following table.
Setting name: Disable all application add-ins
Recommended configuration: Not configured
Description: By default, add-ins are enabled. When you enable this setting, add-ins are
disabled and users are not notified that add-ins are disabled. This setting can be
configured in the OCT and with the 2007 Office system Administrative Templates (.adm
files). You must configure this setting on a per-application basis.
Require that add-ins are signed by a trusted publisher
If you do not want to disable add-ins, but you still want to increase the security of add-ins, you
can require that add-ins are signed by a trusted publisher. When you do this, the following
behavior occurs:
• Trusted add-ins run without notification. A trusted add-in is an add-in that is saved in a
trusted location or an add-in that is signed by a publisher that is on the Trusted Publishers list.
• Unsigned add-ins are disabled, but users are prompted to enable or disable the add-ins.
• Add-ins that are signed by a publisher that is not on the Trusted Publishers list are
disabled, but users are prompted to enable or disable the add-ins.
You cannot globally configure a setting that requires add-ins to be signed by a trusted publisher.
You must configure this setting on a per-application basis, and you can configure it for only the
following applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007
To require that add-ins are signed by a trusted publisher, configure either of the settings as
recommended in the following table.
Setting name: Require that application add-ins are signed by trusted publisher
Recommended configuration: Not configured
Description: By default, add-ins are enabled. When you enable this setting, add-ins that
are signed by a publisher that is on the Trusted Publishers list will run without
notification. Unsigned add-ins, and add-ins that are signed by a publisher that is not on
the Trusted Publishers list, will be disabled, but users will be prompted to enable or
disable the add-ins. This setting can be configured in the OCT and with the 2007 Office
system Administrative Templates (.adm files). You must configure this setting on a
per-application basis.
Be sure to record these settings in your security planning documents and in your security
operations documents.
Disable notifications for unsigned add-ins
Even if you require that add-ins be signed by a trusted publisher, users can still enable unsigned
add-ins through the Message Bar. If you do not want users to enable unsigned add-ins, you can
disable notifications for unsigned add-ins. You can do this only on a per-application basis, and
you can configure it for only the following applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007
To do this, configure either of the settings as recommended in the following table.
Setting name: Disable trust bar notification for unsigned application add-ins
Recommended configuration: Not configured
Description: By default, add-ins are enabled. When you enable this setting, signed add-ins
that are not trusted are disabled, but users are prompted to enable or disable the add-ins.
Unsigned add-ins are also disabled, but users are not notified and they are not prompted to
enable or disable the unsigned add-ins. This setting must be used in conjunction with the
Require that application add-ins are signed by trusted publisher setting. This setting can
be configured in the OCT and with the 2007 Office system Administrative Templates (.adm
files). You must configure this setting on a per-application basis.

Setting name: Application add-ins warnings options
Recommended configuration: Require that extensions are signed, and silently disable
unsigned extensions
Description: By default, the Application add-ins warnings options setting is Enable all
installed application add-ins. When you select Require that extensions are signed, and
silently disable unsigned extensions, signed add-ins that are not trusted are disabled, but
users are prompted to enable or disable the add-ins. Unsigned add-ins are also disabled,
but users are not notified and they are not prompted to enable or disable the unsigned
add-ins. This setting exists only in the OCT. You must configure this setting on a
per-application basis.
If you disable notifications for unsigned add-ins, be sure that you:
• Notify users that unsigned add-ins are silently disabled.
• Record the settings in your security planning documents and in your security operations
documents.
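The following Windows PowerShell script is an added example, not part of the Resource Kit content. It applies the three add-in settings discussed in this section per application through their policy registry values, enforces the dependency the table states (the notification setting has no effect unless signing is required), and reads the values back as the behavior the tables describe. The value names are assumptions this page does not state: RequireAddinSig, NoTBPromptUnsignedAddin and DisableAllAddins, all DWORD values under HKCU:\Software\Policies\Microsoft\Office\12.0\<Application>\Security.

```powershell
# Added example, not from the Office Resource Kit. Registry value names are assumptions.

$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\12.0'
$AddinApplications = @('Access', 'Excel', 'PowerPoint', 'Publisher', 'Visio', 'Word')

function Set-OfficeAddinPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$RequireSignedByTrustedPublisher,   # Require that application add-ins are signed by trusted publisher
        [switch]$SilentlyDisableUnsigned,           # Disable trust bar notification for unsigned application add-ins
        [switch]$DisableAllAddins,                  # Disable all application add-ins
        [string[]]$Applications = $AddinApplications
    )
    # The notification setting only takes effect together with the signing requirement.
    if ($SilentlyDisableUnsigned -and -not $RequireSignedByTrustedPublisher) {
        throw 'SilentlyDisableUnsigned requires RequireSignedByTrustedPublisher; on its own it changes nothing.'
    }
    $values = @{
        RequireAddinSig         = [int][bool]$RequireSignedByTrustedPublisher
        NoTBPromptUnsignedAddin = [int][bool]$SilentlyDisableUnsigned
        DisableAllAddins        = [int][bool]$DisableAllAddins
    }
    foreach ($app in $Applications) {
        $key = Join-Path $PolicyRoot "$app\Security"
        $summary = ($values.Keys | ForEach-Object { "$_=$($values[$_])" }) -join ', '
        if (-not $PSCmdlet.ShouldProcess($key, $summary)) { continue }
        New-Item -Path $key -Force | Out-Null
        foreach ($name in $values.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-OfficeAddinPolicy {
    # Reads the policy values back and states the behavior the tables above describe.
    param([string[]]$Applications = $AddinApplications)
    foreach ($app in $Applications) {
        $p = Get-ItemProperty -Path (Join-Path $PolicyRoot "$app\Security") -ErrorAction SilentlyContinue
        $require = [bool]$p.RequireAddinSig
        $silent  = [bool]$p.NoTBPromptUnsignedAddin
        $off     = [bool]$p.DisableAllAddins
        if ($off) {
            $behaviour = 'All add-ins disabled without notification'
        }
        elseif ($require -and $silent) {
            $behaviour = 'Trusted: run. Signed but untrusted: disabled, user prompted. Unsigned: silently disabled'
        }
        elseif ($require) {
            $behaviour = 'Trusted: run. Unsigned or untrusted: disabled, user prompted'
        }
        elseif ($silent) {
            $behaviour = 'No effect: notification suppression set without the signing requirement'
        }
        else {
            $behaviour = 'Default: all installed add-ins run without notification'
        }
        New-Object PSObject -Property @{
            Application = $app; RequireAddinSig = $require
            NoTBPromptUnsignedAddin = $silent; DisableAllAddins = $off; Behaviour = $behaviour
        }
    }
}

Set-OfficeAddinPolicy -RequireSignedByTrustedPublisher -SilentlyDisableUnsigned -WhatIf
Get-OfficeAddinPolicy | Format-Table Application, Behaviour -AutoSize
```

The "No effect" row in the report is the misconfiguration to look for after a partial rollout: the notification setting applied to an application that never received the signing requirement.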
For more information about add-in settings in the 2007 Office system, including descriptions of
settings and a comparison of OCT, Group Policy, and Trust Center settings, see Security
policies and settings in the 2007 Office system. For more information about configuring add-in
settings, see Configure security settings for ActiveX controls, add-ins, and macros in the
2007 Office system.
• Change the way that macros behave in applications that are started programmatically
through Automation.
• Prevent encrypted macros from being scanned for viruses.
To plan security settings for macros, use the best practices and recommended guidelines in the
following sections.
Note:
The default security setting for macros is different in Microsoft Office Outlook 2007. For
more information, see the Office Outlook 2007 security documentation.
If the default security settings for macros do not meet the needs of your organization, you can do
either of the following:
• Disable untrusted macros without notification.
• Disable notifications for unsigned macros, but allow notifications for signed macros.
Disable untrusted macros without notification
When you disable untrusted macros without notification, untrusted macros are not loaded and
users are not notified that untrusted macros are disabled. Trusted macros are allowed to run
without notification. This setting is useful if your organization has a restricted security model and
you do not want users to run untrusted macros.
To disable untrusted macros without notification, configure either of the settings that are
described in the following table. These settings must be configured on a per-application basis,
and can be configured for only the following applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007
Setting name: VBA macro warning settings
Recommended configuration: Select this option: Enabled. Select this configuration: No
warnings for all macros but disable all macros
Description: By default, users are notified about the presence of untrusted macros in a
file, and users can enable or disable the untrusted macros. When you select Disable all VBA
macros and No warnings for all macros but disable all macros, untrusted macros are
disabled, users are not notified that untrusted macros are disabled, and users cannot enable
untrusted macros. Trusted macros are allowed to run without notification. This setting can
be configured only with the 2007 Office system Administrative Templates (.adm files).
Disable notifications for unsigned macros
When you disable notifications for unsigned macros, unsigned macros are silently disabled, but
users are notified about signed macros and they can enable or disable signed macros. Trusted
macros are allowed to run without notification. This setting is useful if your environment requires
protection from unsigned macros.
To disable notifications for unsigned macros, configure either of the settings that are described in
the following table. These settings must be configured on a per-application basis, and can be
configured for only the following applications:
• Office Access 2007
• Office Excel 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Office Visio 2007
• Office Word 2007
Setting name: VBA macro warning settings
Recommended configuration: Select this option: Enabled. Select this configuration: Trust
Bar warning for digitally signed macros only (unsigned macros will be disabled)
Description: By default, users are notified about untrusted macros in a file and users can
enable or disable the untrusted macros. When you select Trust Bar warning for digitally
signed macros only (unsigned macros will be disabled), the following occurs:
• Unsigned macros are silently disabled.
• Users are notified about the presence of signed macros.
• Users can enable or disable signed macros.
• Trusted macros are allowed to run without notification.
This setting can be configured only with the 2007 Office system Administrative Templates
(.adm files).

Setting name: VBA macro warning settings (OCT)
Recommended configuration: Select this configuration: Disable Trust Bar warning for
unsigned VBA macros (unsigned code will be disabled)
Description: When you select Disable Trust Bar warning for unsigned VBA macros (unsigned
code will be disabled), the following occurs:
• Unsigned macros are silently disabled.
• Users are notified about the presence of signed macros.
• Users can enable or disable signed macros.
• Trusted macros are allowed to run without notification.
This setting can be configured only in the OCT.
Control the way VBA behaves
The 2007 Office system provides two settings that enable you to control the way VBA behaves.
By default, VBA is enabled, if it is installed, and Automation clients do not have programmatic
access to VBA projects. You can change this behavior in the following ways:
• You can provide Automation clients programmatic access to VBA projects.
• You can disable VBA.
In addition to these security settings in the 2007 Office system, Office Visio 2007 provides several
settings that enable you to control the way VBA behaves in Office Visio 2007. For more
information, see Security policies and settings in the 2007 Office system.
Setting name: Trust access to Visual Basic project
Recommended configuration: Select this option: Disabled
Description: By default, Automation clients do not have programmatic access to VBA
projects. When you enable this setting, Automation clients can programmatically access the
VBA object model. This setting can be configured in the OCT and with the 2007 Office
system Administrative Templates (.adm files).
Important:
If you provide Automation clients programmatic access to VBA projects, you can increase
your risk of attack from unauthorized programs that build self-replicating code.
Disable VBA
When you disable VBA, macros and other programmatic content will not run. This is useful if you
have a restricted security model and you do not want users to run macros, or if your organization
is under a security attack and you want to temporarily prevent macros from running.
To disable VBA, configure the setting that is described in the following table. This is a global
setting that applies to the following applications:
• Office Excel 2007
• Office Outlook 2007
• Office PowerPoint 2007
• Office Publisher 2007
• Microsoft Office SharePoint Designer 2007
• Office Word 2007
Disabling VBA prevents macros and other content from running. For more information about the
consequences of disabling VBA, see the following article in the Microsoft Knowledge Base:
Considerations for disabling VBA in Office (http://go.microsoft.com/fwlink/?
LinkId=85867&clcid=0x409).
If you disable VBA, be sure that you:
• Notify users that VBA is disabled.
• Record the settings in your security planning documents and in your security operations
documents.
In addition to these security settings in the 2007 Office system, Office Visio 2007 provides several
settings that enable you to change the way VBA behaves in Office Visio 2007. For more information,
see Security policies and settings in the 2007 Office system.
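The following Windows PowerShell script is an added example, not part of the Resource Kit content. It serves the three preceding subsections together: it sets the VBA macro warning level per application to either of the two options discussed above, sets Trust access to Visual Basic project to Disabled, optionally disables VBA, and reads the effective values back with the precedence Office applies (a Group Policy value overrides a user or OCT value). The registry details are assumptions this page does not state: the DWORD values VBAWarnings (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification) and AccessVBOM under <root>\<Application>\Security, and VBAOff under <root>\Common, where <root> is HKCU:\Software\Policies\Microsoft\Office\12.0 for policy values and HKCU:\Software\Microsoft\Office\12.0 for user and OCT values.

```powershell
# Added example, not from the Office Resource Kit. Value names, numeric levels and
# the policy-over-user precedence are assumptions; see the lead-in.

$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\12.0'
$UserRoot   = 'HKCU:\Software\Microsoft\Office\12.0'
$MacroApplications = @('Access', 'Excel', 'PowerPoint', 'Publisher', 'Visio', 'Word')

$VbaWarningMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (default)'
    3 = 'Trust Bar warning for digitally signed macros only (unsigned macros will be disabled)'
    4 = 'No warnings for all macros but disable all macros'
}

function Get-EffectiveOfficeValue {
    # Group Policy wins over the user/OCT value, so the policy hive is consulted first.
    param([string]$SubKey, [string]$Name, $Default)
    foreach ($root in @($PolicyRoot, $UserRoot)) {
        $item = Get-ItemProperty -Path (Join-Path $root $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.$Name -ne $null) { return [int]$item.$Name }
    }
    return $Default
}

function Set-OfficeMacroPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet(3, 4)][int]$VbaWarnings = 3,   # 3 = signed only, 4 = disable all without notification
        [switch]$DisableVba,                        # Disable VBA for Office applications
        [string[]]$Applications = $MacroApplications
    )
    foreach ($app in $Applications) {
        $key = Join-Path $PolicyRoot "$app\Security"
        if ($PSCmdlet.ShouldProcess($key, "VBAWarnings=$VbaWarnings, AccessVBOM=0")) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings `
                -PropertyType DWord -Force | Out-Null
            # Trust access to Visual Basic project = Disabled
            New-ItemProperty -Path $key -Name 'AccessVBOM' -Value 0 `
                -PropertyType DWord -Force | Out-Null
        }
    }
    if ($DisableVba) {
        $common = Join-Path $PolicyRoot 'Common'
        if ($PSCmdlet.ShouldProcess($common, 'VBAOff=1')) {
            New-Item -Path $common -Force | Out-Null
            New-ItemProperty -Path $common -Name 'VBAOff' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-OfficeMacroPosture {
    param([string[]]$Applications = $MacroApplications)
    $vbaOff = Get-EffectiveOfficeValue 'Common' 'VBAOff' 0
    foreach ($app in $Applications) {
        $warn = Get-EffectiveOfficeValue "$app\Security" 'VBAWarnings' 2
        $vbom = Get-EffectiveOfficeValue "$app\Security" 'AccessVBOM' 0
        if ($vbaOff -eq 1) { $meaning = 'VBA disabled: macros and other programmatic content do not run' }
        else { $meaning = $VbaWarningMeaning[$warn] }
        New-Object PSObject -Property @{
            Application = $app; VBAWarnings = $warn; Behaviour = $meaning
            TrustVbaProjectAccess = ($vbom -eq 1); VbaDisabled = ($vbaOff -eq 1)
        }
    }
}

Set-OfficeMacroPolicy -VbaWarnings 3 -WhatIf
Get-OfficeMacroPosture | Format-Table Application, VBAWarnings, TrustVbaProjectAccess, Behaviour -AutoSize
```

TrustVbaProjectAccess reported as True for any application is the condition the Important note above warns about, and it is worth checking even where the policy is set, because the report shows the effective value rather than only what policy wrote.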
2007. By default, when an application uses Automation to start an application in the 2007 Office
system, macros are enabled and allowed to run without any security checks. You can change this
behavior in two ways:
• You can disable macros in the application that is started programmatically. When you do
this, users are not notified that macros are disabled and users are not prompted to enable or
disable macros. This setting is useful if your organization has a restricted security model and
you do not allow users to run macros.
• You can run macros according to the security settings that are configured in the
application that is started programmatically. When you do this, macro behavior is dictated by
the security settings that are configured in the application that is started programmatically. For
example, if you require that all macros be digitally signed in Office Excel 2007, and an
application uses Automation to start Office Excel 2007, macros will not run unless they are
digitally signed. This setting is useful if you want your organization's security settings for
macros to extend to applications that are started through Automation.
To change the default behavior of macros in applications that are started programmatically
through Automation, use either of the settings that are recommended in the following table. You
can configure these settings in the OCT and with the 2007 Office system Administrative
Templates (.adm files). These settings are global and apply to the following applications:
• Office Excel 2007
• Office PowerPoint 2007
• Office Word 2007
Setting name: Determine whether to force encrypted macros to be scanned in Microsoft
Excel Open XML workbooks
Recommended configuration: Select this option: Disabled
Description: By default, encrypted macros are scanned by your virus-scanning program when
you open an encrypted workbook that contains macros. When you select this option,
encrypted macros are not scanned by your virus-scanning program, which means that
encrypted macros will run according to the macro security settings that you have
configured. This setting applies only to Office Excel 2007. You can configure this setting in
the OCT and with the 2007 Office system Administrative Templates (.adm files).

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft
PowerPoint Open XML presentations
Recommended configuration: Select this option: Enabled
Description: By default, encrypted macros are scanned by your virus-scanning program when
you open an encrypted presentation that contains macros. When you select this option,
encrypted macros are not scanned by your virus-scanning program, which means that
encrypted macros will run according to the macro security settings that you have
configured. This setting applies only to Office PowerPoint 2007. You can configure this
setting in the OCT and with the 2007 Office system Administrative Templates (.adm files).

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft
Word Open XML documents
Recommended configuration: Select this option: Enabled
Description: By default, encrypted macros are scanned by your virus-scanning program when
you open an encrypted document that contains macros. When you select this option,
encrypted macros are not scanned by your virus-scanning program, which means that
encrypted macros will run according to the macro security settings that you have
configured. This setting applies only to Office Word 2007. You can configure this setting in
the OCT and with the 2007 Office system Administrative Templates (.adm files).
If you change the default settings for scanning encrypted macros, be sure that you:
• Record the settings in your security planning documents.
• Record the settings in your security operations documents.
Note that the recommended configuration listed above is Disabled for the Excel setting but
Enabled for the PowerPoint and Word settings, although the three settings are described as
behaving identically. Confirm the value you intend against the setting's Explain text in the
Administrative Templates before you deploy it, and configure the three applications
consistently unless you have a documented reason not to.
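The following Windows PowerShell script is an added example, not part of the Resource Kit content. It covers the two settings discussed above: the behavior of macros in applications started through Automation, and whether encrypted macros in Open XML files are scanned. It refuses the value that enables all macros in automated instances, and it checks whether any scanner that supports the Office Antivirus API is registered before a value that depends on one is written. The registry details are assumptions this page does not state: AutomationSecurity (DWORD; 1 = enable all macros, 2 = use the macro settings of the started application, 3 = disable all macros) under HKCU:\Software\Policies\Microsoft\Office\12.0\Common\Security; ExcelBypassEncryptedMacroScan, PowerPointBypassEncryptedMacroScan and WordBypassEncryptedMacroScan (DWORD; 0 = scan, 1 = scan if a scanner is available, 2 = load without scanning) under the corresponding <Application>\Security policy keys; and the component category {56FFCC30-D398-11d0-B2AE-00A0C908FA49} that Office Antivirus API scanners register.

```powershell
# Added example, not from the Office Resource Kit. Value names, numeric levels and
# the antivirus category GUID are assumptions; see the lead-in.

$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\12.0'
$OfficeAntiVirusCategory = '{56FFCC30-D398-11d0-B2AE-00A0C908FA49}'

function Get-OfficeAntiVirusScanners {
    # Walks every CLSID (slow, but complete) and returns the scanners Office can hand
    # encrypted macros to. An empty result means "scan if available" scans nothing.
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -LiteralPath "$($_.PSPath)\Implemented Categories\$OfficeAntiVirusCategory" } |
        ForEach-Object { New-Object PSObject -Property @{ ClassId = $_.PSChildName; Name = $_.GetValue('') } }
}

function Set-OfficeAutomationMacroPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 2 = apply the started application's macro settings, 3 = disable all macros in
        # automated instances. 1 (enable all, the product default described above) is
        # deliberately not accepted.
        [ValidateSet(2, 3)][int]$AutomationSecurity = 2,
        # 0 = scan encrypted macros (default), 1 = scan only if a scanner is registered,
        # 2 = load encrypted macros without scanning
        [ValidateSet(0, 1, 2)][int]$EncryptedMacroScan = 0,
        [string[]]$Applications = @('Excel', 'PowerPoint', 'Word')
    )
    if ($EncryptedMacroScan -eq 2) {
        Write-Warning 'Encrypted macros will run subject only to the VBA macro warning settings; no virus scan.'
    }
    elseif (-not (Get-OfficeAntiVirusScanners)) {
        Write-Warning 'No scanner registered for the Office Antivirus API: encrypted macros cannot be scanned here.'
    }
    $common = Join-Path $PolicyRoot 'Common\Security'
    if ($PSCmdlet.ShouldProcess($common, "AutomationSecurity=$AutomationSecurity")) {
        New-Item -Path $common -Force | Out-Null
        New-ItemProperty -Path $common -Name 'AutomationSecurity' -Value $AutomationSecurity `
            -PropertyType DWord -Force | Out-Null
    }
    foreach ($app in $Applications) {
        $key  = Join-Path $PolicyRoot "$app\Security"
        $name = "${app}BypassEncryptedMacroScan"
        if ($PSCmdlet.ShouldProcess($key, "$name=$EncryptedMacroScan")) {
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name $name -Value $EncryptedMacroScan `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-OfficeAntiVirusScanners | Format-Table ClassId, Name -AutoSize
Set-OfficeAutomationMacroPolicy -AutomationSecurity 2 -EncryptedMacroScan 0 -WhatIf
```

Keeping AutomationSecurity at 2 is what makes the Excel example above hold: a signing requirement configured in Office Excel 2007 is applied to an instance that another program starts, instead of the default in which macros run with no security checks at all.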
See Also
Evaluate default security settings and privacy options for the 2007 Office system
Configure security settings for ActiveX controls, add-ins, and macros in the 2007 Office
system
GPOAccelerator (http://go.microsoft.com/fwlink/?LinkId=103576)
Plan document protection settings in the
2007 Office system
The 2007 Microsoft Office system contains several settings that enable you to control the way
documents are encrypted. By using these settings, you can:
• Specify the cryptographic service provider (CSP), cryptographic algorithm, and key length
that are used to encrypt documents in Microsoft Office Excel 2007, Microsoft Office
PowerPoint 2007, and Microsoft Office Word 2007.
• Change the way sections of text are encrypted with the password protection feature in
Microsoft Office OneNote 2007.
For detailed explanations of each encryption setting, see "Document protection settings" in
Security policies and settings in the 2007 Office system.
As you plan your encryption settings, keep the following guidelines in mind:
• There is no administrative setting that enables you to force users to encrypt documents.
• There are separate encryption settings for files that are saved in the Office 97-2003
format and in the new Office Open XML Formats.
• Disabling notifications in the Message Bar has no effect on encryption settings.
• We recommend that you do not change the default CSP, cryptographic algorithm, or key
length unless you are an expert in cryptography and encryption and your organization's
security model requires encryption settings that are different from the default settings.
• You can encrypt documents in only the following applications: Office Excel 2007, Office
OneNote 2007, Office PowerPoint 2007, and Office Word 2007.
• Saving documents in trusted locations has no effect on encryption settings. If a document
is encrypted, and it is saved in a trusted location, a user must provide a password to open the
document.
Although you can configure encryption settings to address a wide variety of scenarios, these
settings are most commonly used to:
• Change encryption settings for Office Excel 2007, Office PowerPoint 2007, and Office
Word 2007.
• Change the encryption settings for Office OneNote 2007.
Change encryption settings for Excel 2007,
PowerPoint 2007, and Word 2007
To change the CSP, cryptographic algorithm, and key length that are used to encrypt documents
in Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, configure the settings that
are listed in the following table.
Setting name: Encryption type for password-protected Office Open XML files
Description: Specify a CSP, cryptographic algorithm, and key length for encrypted files that
are saved in Office Open XML Formats.

Setting name: Encryption type for password-protected Office 97-2003 files
Description: Specify a CSP, cryptographic algorithm, and key length for encrypted files that
are saved in the Office 97-2003 format.
If you change the default settings for the CSP, cryptographic algorithm, and key length, be sure
that:
• Users have the proper support for the settings that you specify installed on their
computers.
• You record the settings in your security planning documents and in your security
operations documents.
In addition, if your organization uses the Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint File Formats to encrypt Office Open XML Formats files, you should review the
following:
• By default the Compatibility Pack uses the following settings to encrypt Office Open XML
Formats files:
• Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128
(on the Microsoft Windows XP Professional operating system).
• Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128 (on
Microsoft Windows Server 2003 and Windows Vista operating systems).
• Users are not notified that the Compatibility Pack uses these encryption settings.
• The graphical user interface on earlier versions of the Office system might show incorrect
encryption settings for Office Open XML Formats files if the Compatibility Pack is installed.
• Users cannot use the graphical user interface in earlier versions of the Office system to
change the encryption settings for Office Open XML Formats files.
• If you use the Encryption type for password-protected Office Open XML files policy
setting to change encryption settings, and the policy setting is applied to a computer on which
the Compatibility Pack is installed, the Compatibility Pack will encrypt Office Open XML
Formats files with the encryption settings that you specified in the Encryption type for
password-protected Office Open XML files policy setting.
Strengthen password protection feature settings
To strengthen the password protection feature settings for Office OneNote 2007, use the settings
that are listed in the following table.
Setting name: Disallows add-ons access to password protected section
Configuration: Select this option: Enabled
Description: By default, add-ins can access encrypted sections of text that are unlocked. Selecting this option prevents add-ins from accessing encrypted sections of text even when the text is unlocked by a user.

Setting name: Lock password protected sections as soon as I navigate away from them
Configuration: Select this option: Enabled
Description: By default, encrypted sections of text remain unlocked for a period of time after a user enters a password to unlock the text. Selecting this option ensures that encrypted sections of text become locked as soon as a user navigates away from the text.
If you change these settings from their default state, be sure that you:
• Notify users about the more restrictive settings.
• Record the settings in your security planning documents and in your security operations
documents.
See Also
Evaluate default security settings and privacy options for the 2007 Office system
Configure document protection settings in the 2007 Office system
Plan external content settings in the 2007
Office system
The 2007 Microsoft Office system contains several settings that enable you to control the way
external threats are mitigated. By default, links to external content are disabled. This includes
links to data sources, hyperlinks to Web sites and documents, and links to images and media.
When a user opens a document that contains links to external content, the Message Bar notifies
the user that the links are disabled. Users can enable the links by clicking the Message Bar. You
can modify this default behavior by configuring security settings for external content. These
settings enable you to:
• Suppress hyperlink warnings.
• Allow the automatic downloading of linked images in Microsoft Office PowerPoint 2007.
For detailed explanations of each external content setting, see "External content settings" in
Security policies and settings in the 2007 Office system.
To plan security settings for external content, use the best practices and recommended guidelines
in the following sections.
Note:
Links to images on internal Web sites are not blocked. An internal Web site is any Web
site that is behind your perimeter firewall.
You can change this default behavior so that linked images download automatically. When you do
this, users are not warned or notified about the potentially harmful nature of the external image. In
addition, users could be exposed to malicious image content and Web beacons. Web beacons
are a special type of threat agent that can enable malicious users to identify personal and private
information, such as a computer's IP address.
To allow linked images to download automatically in Office PowerPoint 2007, configure the setting
that is described in the following table.
See Also
Configure external content settings in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system
Security policies and settings in the 2007 Office system
Plan Internet Explorer feature control
settings in the 2007 Office system
Internet Explorer feature control settings enable you to mitigate threats that can occur when an
application programmatically uses Internet Explorer functionality. It is important to mitigate
Internet Explorer threats because any threats that exist for Internet Explorer also exist for any
application that is hosting Internet Explorer.
You can configure 15 Internet Explorer feature control settings in the 2007 Office system. For
more information about the Internet Explorer feature control settings, see Security policies and
settings in the Office 2007 system. Each setting restricts a specific type of Internet Explorer
behavior or functionality. To enable the restrictive behavior or functionality for a particular setting,
you opt in applications. When an application is opted in to a particular Internet Explorer feature
control setting, the more restrictive behaviors specified by the setting are enforced whenever the
application hosts Internet Explorer. Conversely, when an application is opted out of a particular
setting, the more restrictive behaviors specified by the setting are not enforced whenever the
application hosts Internet Explorer.
To design Internet Explorer feature control settings, you must:
• Identify applications that host Internet Explorer.
• Determine which Internet Explorer feature control settings to implement.
• Identify potential conflicts with previous versions of the Office system.
Use the following guidelines to help identify other applications that host Internet Explorer or could
potentially host Internet Explorer.
• Applications that enable users to run untrusted ActiveX controls, add-ins, or macros can
potentially host Internet Explorer.
• Applications that enable users to run ActiveX controls, add-ins, or macros that render
HTML or provide browser functionality typically host Internet Explorer.
• Applications that you have configured to render HTML or provide browser functionality
typically host Internet Explorer.
• Applications that provide users access to VBA projects or allow users to create VBA
macros can potentially host Internet Explorer.
• Applications that allow users to access external documents and data can potentially host
Internet Explorer.
We recommend that you opt in any applications that host Internet Explorer or any applications
that can potentially host Internet Explorer. Be sure to record the application name and the
corresponding executable file name in your security planning documents. You will need to know
the executable file name to configure Internet Explorer feature control settings by using the Office
Customization Tool (OCT) or Group Policy.
The following table lists the executable file names for the applications that you can opt in to the
Internet Explorer feature control settings for the 2007 Office system.
Although we recommend that you opt in applications to all 15 Internet Explorer feature control
settings, there are cases where you might need to opt out of specific settings. You might have to
opt out of a setting if:
• The restrictions of a particular setting prevent an application from behaving as expected.
For example, if you know that an application uses Internet Explorer to download files without
user intervention, you might have to opt out of the Restrict File Download setting.
• The restrictions of a particular setting are not necessary because the specific threat that
the setting mitigates poses little or no risk in your organization. For example, if users cannot
access public networks such as the Internet, you might not need to opt in to the Block pop-
ups setting.
• The restrictions of a particular setting cause a decrease in performance. For example, the
Saved from URL setting can cause a decrease in performance. If the loss in performance is
great, you might have to opt out of that setting.
Be sure to record in your security planning documents the applications that you want to opt in to
all 15 Internet Explorer feature control settings. Also be sure to record any Internet Explorer
feature control settings that you need to opt out of.
Note:
Office InfoPath 2007 is a special case and cannot be opted in to or opted out of individual
Internet Explorer feature control settings. You can only configure which Office InfoPath
2007 components are opted in to or opted out of the entire group of Internet Explorer
feature control settings. Be sure to record in your security planning documents any Office
InfoPath 2007 components that you want to opt out. We recommend that you leave the
default settings as they are and opt in all Office InfoPath 2007 components. For more
information about the Office InfoPath 2007 settings, see Security policies and settings
in the 2007 Office system.
To identify potential problems with side-by-side installations, we recommend that you test each
Internet Explorer feature control setting with the earlier versions of applications that appear in the
preceding table. The Internet Explorer feature control settings are supported only on the 2007
Office system. The Internet Explorer feature control settings are not supported in earlier Office
releases and might cause applications in earlier Office releases to behave unpredictably.
See Also
Configure Internet Explorer feature control settings in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office System
Evaluate security and privacy threats for the 2007 Office system
Plan privacy options in the 2007 Office
system
The 2007 Microsoft Office system contains settings and options that can help you mitigate privacy
threats and control the disclosure of private and personal information. These settings and options
can be categorized into four main groups as shown in the following table.
Document Inspector settings: Disable the Inspector modules that are included with the new Document Inspector tool.
For detailed explanations, see "Privacy options" in Security policies and settings in the 2007
Office system. As you plan your privacy options, keep the following guidelines in mind:
• We recommend that you do not disable the default Inspector modules for Document
Inspector unless you are replacing an Inspector module with a custom Inspector module. For
a description of each Inspector module, see Remove hidden data and personal information
from Office documents (http://go.microsoft.com/fwlink/?LinkID=78523).
• You cannot disable the Inspector module for Comments, Revisions, Versions, and
Annotations or the Inspector module for Document Properties and Personal Information.
• We recommend that you enable all three of the Office privacy options. By selecting these
options, you enable users to access the most current Help topics, increase the reliability and
stability of your Office installations, and help Microsoft create better applications.
• Be sure to inform users about any changes you make to the application-specific privacy
options for Office PowerPoint 2007 and Office Word 2007. Changing the default settings for
these privacy options can disable functionality that users might expect.
Although you can configure these settings and options for a wide variety of privacy scenarios,
these settings and options are most commonly used to:
• Maximize the protection of private and personal information that is contained in
documents.
• Suppress the first-run Privacy Options dialog box that appears the first time users start
an application in the 2007 Office system.
• Suppress the first-run Sign up for Microsoft Update dialog box that appears the first
time users start an application in the 2007 Office system.
For more information about how to configure privacy options and settings, see Configure
privacy options in the 2007 Office system.
• Create custom Inspector modules that address your organization's specific privacy
concerns. Document Inspector is extensible and can be programmatically modified to suit
the privacy needs of your organization. For more information, see Customizing the 2007
Office System Document Inspector (http://go.microsoft.com/fwlink/?
LinkId=78577&clcid=0x409).
• Enable the metadata protection settings that are listed in the following table.
• Configure the Office privacy options as recommended in the following table.
Privacy option name: Online content options
Recommended configuration: Select this option: Enabled. Select this configuration: Search online content whenever available
Description: By default, the Help system automatically searches Microsoft Office Online for Help content when a computer is connected to the Internet. Selecting this option and selecting Never show online content or entry points prevents the Help system from accessing Office Online. It also prevents the Help system from displaying links to content that is on Office Online and it prevents the Help system from downloading updated Help content.
Note:
By default, in the French, German, and Italian versions of the 2007 Office system, the Help system does not access Office online and it does not display links to content that is on Office online.
• Configure the application-specific privacy options as recommended in the following
table.
Privacy option name: Warn before printing, saving, or sending a file that contains tracked changes or comments
Recommended configuration: Select this option: Enabled
Description: By default, users are not warned before printing, saving, or sending a file that contains tracked changes or comments. Selecting this option warns about tracked changes (revisions) and comments before users print, send, or save a document. This setting can be configured only for Office Word 2007.

Privacy option name: Make hidden markup visible
Recommended configuration: Select this option: Enabled
Description: By default, hidden markup is invisible. Selecting this option displays all tracked changes before users open or save documents. This setting can be configured only for Office PowerPoint 2007 and Office Word 2007.

Privacy option name: Store random number to improve merge accuracy
Recommended configuration: Select this option: Enabled
Description: By default, a random number is not stored to improve merge accuracy. Selecting this option improves the accuracy of merging tracked changes by multiple authors. This setting can be configured only for Office Word 2007.
Suppress the first-run Privacy Options dialog box
The Privacy Options dialog box appears the first time users start an application in the 2007
Office system. Users can select the following three privacy options in the Privacy Options dialog
box:
• Get online Help This corresponds to the Online content options privacy option, which
enables you to control how a computer searches Help content on the Microsoft Office Online
Web site and choose whether updated Help content is downloaded to users' computers.
• Keep your system running This corresponds to the Automatically receive small
updates to improve reliability privacy option, which enables you to control whether a
computer automatically receives updates that help track and solve crashes, hangs, and
system failures.
• Make Office better This corresponds to the Enable Customer Experience
Improvement Program (CEIP) privacy option, which controls whether users participate in
the CEIP program.
You can prevent the first-run Privacy Options dialog box from appearing by configuring Office
Customization Tool (OCT) settings or Group Policy settings. You can also prevent the first-run
Privacy Options dialog box from appearing by configuring the ShowOptIn registry entry. To
learn more about using the ShowOptIn registry entry, see the following article in the Microsoft
Knowledge Base: How to prevent the "Welcome to the 2007 Microsoft Office system" dialog box
from opening when a 2007 Office suite is started for the first time (http://go.microsoft.com/fwlink/?
LinkId=85502&clcid=0x409).
To use only the OCT to suppress the first-run Privacy Options dialog box, configure the options
that are recommended in the following table.
Privacy option name: Automatically receive small updates to improve reliability
Recommended configuration: Not configured
Description: Selecting this option allows the downloading of a small file that enables Microsoft to provide users with help if they are experiencing an abnormal number of program errors. Selecting this option also allows the IP address of a user's computer to be revealed to Microsoft.

Privacy option name: Enable Customer Experience Improvement Program
Recommended configuration: Select this option: Enabled
Description: Selecting this option allows participation in the Customer Experience Improvement Program, which can reveal the IP address of a user's computer to Microsoft.
To use only Group Policy to suppress the first-run Privacy Options dialog box, configure the
settings that are recommended in the following table.
Note:
By default, in the French, German, and Italian versions of the 2007 Office system, the Help system does not access Office online and it does not display links to content that is on Office online.
Note:
You can also suppress the first-run Privacy Options dialog box by using a combination
of OCT and Group Policy settings. However, the combination of settings must follow the
recommendations described in the previous tables.
To prevent the Sign up for Microsoft Update dialog box from appearing, you must enable one of
the following Group Policy settings:
• Computer Configuration/Administrative Templates/System/Internet Communication
Management/Internet Communication settings/Turn off access to all Windows update
features
• User Configuration/Administrative Templates/Windows Components/Windows
Update/Remove access to use all Windows Update features
• User Configuration/Administrative Templates/Start Menu and Taskbar/Remove links and
access to Windows Update
Note:
You can suppress the first-run Sign up for Microsoft Update dialog box only by
configuring Group Policy settings. There are no settings in the OCT that enable you to
suppress the first-run Sign up for Microsoft Update dialog box.
See Also
Evaluate default security and privacy settings for the 2007 Office System
Configure privacy options in the 2007 Office system
GPOAccelerator (http://go.microsoft.com/fwlink/?LinkId=103576)
Plan block file format settings in the 2007
Office system
Block file format settings prevent users from opening or saving specific file types and file formats
in Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, and Microsoft Office Word
2007. The only block file format setting that is configured by default is the Block opening of files
before version setting. This setting prevents users from opening Office Word 2007 files that have
been saved in a format that is earlier than the Word 6.0 format. Files that have been saved using
a beta version of Word 6.0 are considered to be earlier than the Word 6.0 format and cannot be
opened by default. You can use block file format settings to help:
• Enforce file type and file format requirements in your organization.
• Manage file usage during and after a migration.
• Mitigate security threats that target specific file types and formats.
There are two types of block file format settings: block open settings and block save settings.
Block open settings prevent users from opening various file types and formats; block save
settings prevent users from saving files in various file types and formats.
The following table lists file types and file formats that are blocked by each block open setting.
The file name extensions that are listed are not a complete list of the file types and formats that
are blocked by a specific setting. The table lists file name extensions for the most common
examples of the file types and formats that are blocked.
Setting name File types blocked in File types blocked in File types blocked in
Office Excel 2007 Office PowerPoint 2007 Office Word 2007
For a detailed description of each block open setting, see "Block file format settings" in Security
policies and settings in the Office 2007 system.
The following table lists the file types and file formats that are blocked for each block save setting.
The file name extensions listed are not a complete list of the file types and formats that are
blocked by a specific setting. The table lists file name extensions for the most common examples
of the file types and formats that are blocked.
Setting name File types blocked in File types blocked in File types blocked in
Office Excel 2007 Office PowerPoint 2007 Office Word 2007
For a detailed description of each block save setting, see Security policies and settings in the
Office 2007 system.
When a user attempts to open a file type or file format that is blocked, the block file format
mechanism evaluates the file at the parser level (when the file is loading), which provides a more
thorough determination of file type and format than simple file-name extension checking. Because
of this, changing the file name extension on a file will not affect the blocking mechanism. For
example, if a file is saved in the Word 2003 binary format with a .doc extension, and you rename
the file so that the extension is .rtf, any setting that blocks the opening of Word 2003 binary files
will prevent users from opening the file even though it has an .rtf extension.
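The point of the preceding paragraph is that a block decision tied to the file name extension is trivial to sidestep by renaming, whereas a decision tied to the parsed content is not. The following Python example is added here to illustrate that principle; it is not Office's own block-file-format code. It classifies a file by its leading bytes using the publicly documented container signatures (OLE compound file for the 97-2003 binary formats, ZIP for Office Open XML, "{\rtf" for RTF) and reports when the extension disagrees with the content. A real parser goes much further than a magic-number check (a password-encrypted Open XML file, for instance, is itself stored inside an OLE container), but the sniffing step alone is enough to show why a renamed .doc is still caught. The sample inputs are constructed inline for the example.

```python
"""Content-based (not extension-based) classification of Office files.

Added example, not part of the original document or of Office itself.
The magic numbers are the real, documented container signatures; the
sample files below are constructed for this example.
"""
import os

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file (Word/Excel/PowerPoint 97-2003)
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header (Office Open XML)
RTF_MAGIC = b"{\\rtf"                             # RTF header group

# What an extension *claims* the container is (used only to flag mismatches).
EXT_TO_CONTAINER = {
    ".doc": "ole", ".dot": "ole", ".xls": "ole", ".ppt": "ole",
    ".docx": "zip", ".docm": "zip", ".xlsx": "zip", ".pptx": "zip",
    ".rtf": "rtf",
}


def sniff_container(data: bytes) -> str:
    """Return 'ole', 'zip', 'rtf' or 'unknown' based on the leading bytes only."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def block_decision(filename: str, data: bytes, blocked_containers: set) -> dict:
    """Decide the way a content-based block rule does.

    The verdict depends only on the sniffed container; the extension is
    consulted solely to report a mismatch (a renamed file), never to decide.
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_container(data)
    claimed = EXT_TO_CONTAINER.get(ext, "unknown")
    return {
        "file": filename,
        "container": actual,
        "extension_mismatch": claimed != actual,
        "blocked": actual in blocked_containers,
    }


# Constructed samples (not real documents): a binary-format header renamed
# to .rtf, a minimal ZIP header for an Open XML file, and a tiny RTF file.
SAMPLE_BINARY_RENAMED = ("report.rtf", OLE_MAGIC + b"\x00" * 504)
SAMPLE_OOXML = ("report.docx", ZIP_MAGIC + b"\x14\x00\x00\x00" + b"\x00" * 20)
SAMPLE_RTF = ("notes.rtf", b"{\\rtf1\\ansi Hello}")


def demo():
    """Apply a policy equivalent to 'block opening of binary file types'."""
    policy = {"ole"}
    samples = (SAMPLE_BINARY_RENAMED, SAMPLE_OOXML, SAMPLE_RTF)
    return [block_decision(name, data, policy) for name, data in samples]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Running the block shows the renamed binary file blocked with `extension_mismatch` set, while the genuine Open XML and RTF files pass; that is the behaviour the paragraph describes for the Word 2003 binary file renamed to .rtf.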
When a user attempts to save a file by using a file type or file format that is blocked, an error
message appears. The error message explains that you are attempting to save a file that has
been blocked by a system administrator. The error message also provides a link to the following
Microsoft Knowledge Base article: You receive an error message when you try to open or save a
file in one of the 2007 Office programs or in one of the Office 2003 programs
(http://go.microsoft.com/fwlink/?LinkId=79656&clcid=0x409).
Keep the following overall considerations in mind as you plan your block file format settings.
These considerations apply any time you use block file format settings.
• You can configure block file format settings only for Office Excel 2007, Office PowerPoint
2007, and Office Word 2007 files.
• Block save settings can be configured only through Group Policy. You cannot use the
Office Customization Tool (OCT) to configure block save settings.
• Most block open settings can be configured only through Group Policy. There is one
block open setting that can be configured by using the OCT.
• Block open settings do not apply to files that are opened from trusted locations.
• Block file format settings are application-specific. You cannot prevent users from
using other applications to open or save file types or formats that are blocked. For
example, you can enable block file format settings that prevent users from opening .dot
files in Office Word 2007, but users will still be able to open .dot files with Microsoft Office
Publisher 2007, which uses a converter to read the .dot file.
• Disabling notifications in the Message Bar has no effect on block file format settings. The
block file format warning dialog box appears before any notification appears in the Message
Bar.
Although you can use block file format settings to manage file usage in many scenarios, these
settings are most commonly used to:
• Force an organization to use the new file formats that are included in the 2007 Office
system.
• Mitigate zero-day security attacks by temporarily preventing users from opening specific
types of files.
• Prevent an organization from opening files that have been saved in earlier Office Word
formats.
• Prevent an organization from using pre-release (that is, beta) file formats.
Setting name: Block saving of Binary file types
Recommended configuration: Select this option: Enabled
Description: By default, this setting is disabled and does not prevent users from saving binary format files. Selecting this option prevents users from saving files in the binary formats that are used by earlier versions of the Office system. This setting must be configured for Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, unless you do not want to enforce the new file format across all applications.

Setting name: Block saving of Open XML file types
Recommended configuration: Select this option: Disabled
Description: By default, users are allowed to save Office Open XML Formats files and you do not need to select this option to enforce the use of the new file format. However, selecting this option is a recommended best practice if you want to help ensure that users save files in the new file formats. This option must be selected for Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, unless you do not want to enforce the new file format across all applications.

Setting name: Block opening of Open XML file types
Recommended configuration: Select this option: Disabled
Description: By default, users are allowed to open Office Open XML Formats files and you do not need to select this option to enforce the use of the new file types. However, selecting this option is a recommended best practice if you want to help ensure that users open files that are saved in the new file types. This option must be selected for Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, unless you do not want to enforce the new file format across all applications.
The settings listed in the previous table do not restrict users from saving or opening files in text
formats, such as .txt, .rtf, .csv, or .xml. To prevent users from opening or saving files in these
formats, configure the block open and block save settings that are listed in the following table.
Block opening of XLL file type | Enabled | Office Excel 2007 and Office Word 2007
Block saving of Text file types | Enabled | Office Excel 2007 and Office Word 2007
Be sure to record each of your settings in your security planning documents. You will need to
know the name of the setting and the configuration state to configure block file format settings
with the OCT or with Group Policy.
For more information about Office Open XML Formats, see FAQ: File format
(http://technet.microsoft.com/en-us/library/cc179106.aspx).
The following table lists the 24 versions of Word that you can specify by using the Block opening
of files before version setting.
Setting (as it appears in the graphical user interface): Description
Word 1.x for Windows: Prevents the opening of all Word formats that are earlier than the specified version.
Word 4.x for Macintosh: Prevents the opening of all Word formats that are earlier than the specified version.
Word 1.2 for Windows Japan: Prevents the opening of all Word formats that are earlier than the specified version.
Word 1.2 for Windows Korea: Prevents the opening of all Word formats that are earlier than the specified version.
Word 5.x for Macintosh: Prevents the opening of all Word formats that are earlier than the specified version.
Word 1.2 for Windows Taiwan: Prevents the opening of all Word formats that are earlier than the specified version.
Word 2.x for Windows: Prevents the opening of all Word formats that are earlier than the specified version.
Word 2.x for Windows BiDi: Prevents the opening of all Word formats that are earlier than the specified version.
Word 2.x for Windows Japan: Prevents the opening of all Word formats that are earlier than the specified version.
Word 2.x for Windows Korea: Prevents the opening of all Word formats that are earlier than the specified version.
Word 2.x for Windows Taiwan: Prevents the opening of all Word formats that are earlier than the specified version.
Word 6.0 for Windows: Prevents the opening of all Word formats that are earlier than the Word 6.0 format. This is the default setting.
Word 6.0 for Macintosh: Prevents the opening of all Word formats that are earlier than the specified version.
Word 97 for Windows: Prevents the opening of all Word formats that are earlier than the specified version.
Word 98 for Macintosh: Prevents the opening of all Word formats that are earlier than the specified version.
Word 2001 for Macintosh: Prevents the opening of all Word formats that are earlier than the specified version.
Word X for Macintosh: Prevents the opening of all Word formats that are earlier than the specified version.
Word 9 for Windows: Prevents the opening of all Word formats that are earlier than the specified version.
Word 10 for Windows: Prevents the opening of all Word formats that are earlier than the Word XP format.
Word 11 for Windows: Prevents the opening of all Word formats that are earlier than the Word 2003 format.
Word 2004 for Macintosh: Prevents the opening of all Word formats that are earlier than the specified version.
Word 11 saved by Word 12: Prevents the opening of all Word formats that are earlier than the Word 2003 format saved by Office Word 2007.
Be sure to record your settings in your security planning documents. You will need to know the
setting name, configuration state, and the version of Word as it appears in the graphical user
interface to configure block file format settings with the OCT or with Group Policy.
Preventing an organization from using pre-release
(beta) file formats
To prevent an organization from using pre-release (beta) file formats, use the settings that are
listed in the following table.
Setting name: Block opening of pre-release versions of the file formats that are new to Office 2007
Recommended configuration: Select this option: Enabled
Description: By default, users are allowed to open pre-release (beta) versions of Office Open XML Formats files. Selecting this option prevents users from opening Office Open XML Formats files if the files have been saved by using a pre-release (beta) version of the 2007 Office system. This setting must be configured for Office Excel 2007, Office PowerPoint 2007, and Office Word 2007.

Setting name: Block opening of Internal file types
Recommended configuration: Select this option: Enabled
Description: By default, users are allowed to open pre-release (beta) Word binary file types. Selecting this option prevents users from opening Word files if the files have been saved in pre-release (beta) binary formats. This includes all pre-release binary formats of Word 2003 and all earlier Word versions. You can configure this setting only for Office Word 2007.
You cannot prevent users from opening binary format files if the files have been saved by using
pre-release versions of Office Excel 2007 and Office PowerPoint 2007. However, you can use the
Block opening of Binary file types setting to prevent users from opening all files that have been
saved in a binary format.
Be sure to record all of your settings in your security planning documents. You will need to know
the setting name and configuration state to configure block file format settings with the Office
Customization Tool (OCT) or with Group Policy.
See Also
Configure block file format settings in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office System
Evaluate security and privacy threats for the 2007 Office system
C. Planning Outlook 2007 Security
Use Outlook 2007 to help protect messages
You have two main options for helping to protect messages in Microsoft Office Outlook 2007 from
unauthorized use, tampering, or change: 1) cryptographic messaging using the S/MIME standard,
and 2) Information Rights Management (IRM). While both of these options can help protect
messages your users send and receive, they work differently and are each best suited for
different scenarios.
S/MIME is a standard for sending digitally signed and encrypted e-mail messages. Using S/MIME
in Outlook is the preferred way to:
• Sign a message to prove the identity of the sender. S/MIME is the only option the 2007
Microsoft Office system supports for digital signatures. It is not possible to tamper with an
IRM message, and in this way it is similar to a signed message. But IRM protection is more
limited because there are no authorities that attest to the identities of the senders, and the
Outlook user interface does not show information about the identity of the sender.
• Help ensure that Internet e-mail messages are not vulnerable to attackers that use
software to monitor and intercept e-mail traffic over the Internet. The focus is on the Internet,
as that is where point-to-point encryption is most valuable and where interoperability
standards are most important.
The biggest value in using S/MIME is when users send and receive e-mail messages outside
corporate boundaries, where they are not protected by the corporate firewall.
Another feature that can help to protect messages in Outlook is IRM. IRM gives organizations
and information workers greater control over sensitive information. IRM is the preferred way to
help to:
• Protect e-mail conversations containing sensitive information by restricting the ability to
forward or copy the messages in an e-mail thread. The reasons to use IRM have little to do
with whether an unauthorized person outside the organization—for example, a hacker on the
Internet—will intercept the communication. Instead, IRM is used most efficiently when the
sender is concerned that the intended recipient will share the information inappropriately.
• Prevent people from using out-of-date information by enforcing message expiration. With
IRM, expiration dates on messages are enforced, unlike expiration dates set on messages
without IRM.
The biggest value for IRM is within the corporation, where employees need to share information
while maintaining some control over who has access to it. IRM is especially helpful in ensuring
that this information does not leak outside the corporate firewall.
See Also
Plan for e-mail messaging cryptography
Plan for limiting junk e-mail in Outlook 2007
Microsoft Office Outlook 2007 includes features that can help users avoid receiving and reading
junk e-mail messages, including the Junk E-mail Filter and disabling automatic content download
from external servers.
Note:
This topic is for Outlook administrators. To configure Outlook junk e-mail options on your
computer, see Junk E-mail Filter options (http://go.microsoft.com/fwlink/?LinkId=81371).
The Junk E-mail Filter helps users avoid reading junk e-mail messages. The filter is on by default
and the protection level is set to Low, which is designed to catch only the most obvious junk e-mail
messages. The filter replaces the rules for processing junk e-mail messages in versions of Outlook
prior to Microsoft Outlook 2003. The filter combines technology built into the software that
evaluates whether a message is likely to be junk e-mail with filtering lists that automatically block
or accept messages to or from specific senders.
Automatic picture download settings help reduce the risk of Web beacons activating in e-mail
messages by automatically blocking the download of pictures, sounds, and other content from
external servers in e-mail messages. Automatic content download is disabled by default.
Configure junk e-mail settings in Outlook 2007 contains more information about configuring
how external content is downloaded.
This topic discusses how the Outlook Junk E-mail Filter works, and how you can configure the
Junk E-mail Filter to meet the needs of your organization. For example, you can configure the
filter to be more aggressive, though this might also cause it to filter more legitimate messages.
Rules that are not part of junk e-mail management are not affected.
When Outlook users are upgraded to Office Outlook 2007, existing Junk E-mail Filter lists are
maintained, unless you deploy new lists to users.
Senders list, mail moves to the Junk E-mail folder on the server and is not evaluated by
Office Outlook 2007.
Providing default Junk E-mail Filter lists
You can deploy default Junk E-mail Filter lists to your users. The Junk E-mail Filter uses these
lists as follows:
• Safe Senders list
E-mail messages received from the e-mail addresses in the list or from any e-mail address
that includes a domain name in the list are never treated as junk e-mail.
• Safe Recipients list
E-mail messages sent to the e-mail addresses in the list or to any e-mail address that
includes a domain name in the list are never treated as junk e-mail.
• Blocked Senders list
E-mail messages received from the e-mail addresses in the list or from any e-mail address
that includes a domain name in the list are always treated as junk e-mail.
If a domain name or e-mail address is on both the Blocked Senders list and the Safe Senders list,
the Safe Senders list takes precedence over the Blocked Senders list. This reduces the risk that
mail that users want might be treated as junk e-mail by mistake. The lists are stored on the server
and are available if users roam.
To deploy the Junk E-mail Filter lists, you create the lists on a test computer and distribute the
lists to your users. The lists you provide are default lists; they cannot be locked down by policy.
For more information about deploying default lists, see Create and deploy Junk E-mail Filter lists
in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179056.aspx).
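The following PowerShell is an added example, not code from the Office Resource Kit or from Outlook itself. It models how the three lists described above are consulted for one message and shows the precedence rule (Safe Senders over Blocked Senders) and a matching caveat: a domain entry must be compared against the whole domain part of the address, not as a substring, or a sender at contoso.com.junk.example would inherit contoso.com's safe status. Assumptions stated here: a list entry is either a full address or a bare domain (with or without a leading @); Safe Recipients is treated as taking precedence over Blocked Senders in the same way as Safe Senders; all lists and addresses are constructed for the example. Outlook's exact matching rules are not stated on this page, so treat the verdicts as the rules' consequences, not as Outlook's output.

```powershell
# Added example; not code from the Office Resource Kit. Models the Junk E-mail Filter
# list precedence described in the text with constructed sample lists.
$SafeSenders    = @('alice@partner.example', 'contoso.com')
$SafeRecipients = @('announce@lists.example')
$BlockedSenders = @('spammer@junk.example', 'contoso.com')   # deliberately overlaps with Safe Senders

function Test-ListMatch {
    # Assumption: an entry is a full address (user@domain) or a bare domain (domain or @domain).
    param([Parameter(Mandatory)][string]$Address, [string[]]$List)
    $addr = $Address.Trim().ToLowerInvariant()
    if ($addr -match '^[^@\s]+@([^@\s]+)$') { $domain = $Matches[1] } else { return $false }
    foreach ($entry in @($List | Where-Object { $_ })) {
        $e = $entry.Trim().ToLowerInvariant()
        if ($e -eq $addr) { return $true }                          # exact address entry
        if ($e.StartsWith('@')) { $e = $e.Substring(1) }
        if ($e -notmatch '@' -and $domain -eq $e) { return $true }  # whole-domain entry, never a substring
    }
    return $false
}

function Get-JunkVerdict {
    param([Parameter(Mandatory)][string]$From, [Parameter(Mandatory)][string]$To)
    # Safe lists are consulted first, so a sender on both lists is never treated as junk.
    if (Test-ListMatch -Address $From -List $SafeSenders)    { return 'NotJunk (Safe Senders)' }
    if (Test-ListMatch -Address $To   -List $SafeRecipients) { return 'NotJunk (Safe Recipients)' }
    if (Test-ListMatch -Address $From -List $BlockedSenders) { return 'Junk (Blocked Senders)' }
    return 'Undecided (left to the filter heuristics)'
}

Get-JunkVerdict -From 'bob@contoso.com'              -To 'me@fabrikam.example'    # NotJunk: Safe Senders wins over Blocked Senders
Get-JunkVerdict -From 'bob@contoso.com.junk.example' -To 'me@fabrikam.example'    # Undecided: domain compared whole, not as a substring
Get-JunkVerdict -From 'spammer@junk.example'         -To 'announce@lists.example' # NotJunk: recipient is on Safe Recipients
Get-JunkVerdict -From 'spammer@junk.example'         -To 'me@fabrikam.example'    # Junk
```

The second call is the one to keep in mind when you build default lists: a domain entry is a broad allow rule, and because Safe Senders overrides Blocked Senders, every domain you put on the Safe Senders list is a domain whose mail the filter will never block.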
See Also
Configure junk e-mail settings in Outlook 2007
Create and deploy Junk E-mail Filter lists in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179056.aspx)
Plan for e-mail messaging cryptography
Microsoft Office Outlook 2007 supports security-related features to help users send and receive
cryptographic e-mail messages. These features include cryptographic e-mail messaging, security
labels, and signed receipts.
Note:
To obtain full security functionality in Outlook, you must install Outlook with local
administrative rights.
In Outlook, users are required to have a security profile to use cryptographic features. A security
profile is a group of settings that describes the certificates and algorithms used when a user
sends messages that use cryptographic features. Security profiles are configured automatically if
the profile is not already present when:
• The user has certificates for cryptography on his or her computer.
• The user begins to use a cryptographic feature.
You can customize these security settings for users in advance. You can use registry settings or
Group Policy settings to customize Outlook to meet your organization's cryptographic policies and
to configure (and enforce, with Group Policy) the settings you want in the security profiles. These
settings are described in the table in Set consistent Outlook 2007 cryptography options for
an organization.
if it is not yet read) and the signature is verified, a receipt implying that the message was read is
returned to the user's Inbox. If the user's signature is not verified, no receipt is sent. When the
receipt is returned, because the receipt is also signed, you have verification that the user received
and verified the message.
Additional resources
The Outlook Security Labels application programming interface (API) creates security label policy
modules that define the sensitivity of message content in your organization. For a detailed
description of creating policy modules and code samples, see the MSDN article Creating
Security Label Policy Modules.
Public key cryptography can help you maintain security-enhanced e-mail systems. For more
information about the use of public key cryptography in Outlook, search for the Outlook 98
Security whitepaper in the Knowledge Base search page of the Microsoft Product Support
Services Web site.
Microsoft Exchange Key Management Server version 5.5 issues keys for Microsoft Exchange
Server security only. Microsoft Exchange Key Management Server 5.5 Service Pack 1 supports
both Exchange security and S/MIME security. For more information, see the Microsoft Exchange
Server version 5.5 Resource Guide in the Microsoft BackOffice Resource Kit, Second Edition.
How users manage cryptographic digital IDs
in Outlook 2007
Microsoft Office Outlook 2007 provides ways for users to manage their digital IDs—the
combination of a user's certificate and public and private encryption key set. Digital IDs help to
keep users' e-mail messages secure by letting them exchange cryptographic messages.
Managing digital IDs includes:
• Obtaining a digital ID. For more information about how users can acquire a digital ID, see
the Outlook Help topic Get a Digital ID.
• Storing a digital ID, so you can move the ID to another computer or make it available to
others.
• Providing a digital ID to others.
• Exporting a digital ID to a file. This is useful when the user is creating a backup or moving
to a new computer.
• Importing a digital ID from a file into Outlook. A digital ID file might be a user's backup
copy or might contain a digital ID from another user.
• Renewing a digital ID that has expired.
A user who performs cryptographic messaging at more than one computer must copy his or her
digital ID to each computer.
Internet directory service (LDAP)
External directory services, certificate authorities, or other certificate providers can publish their
users' certificates through an LDAP directory service. Outlook allows access to these certificates
through LDAP directories.
Windows file
Digital IDs can be stored on users' computers. Users export their digital ID to a file by using the
Import/Export option in the Trust Center under the Tools menu option. They can encrypt the file
when they create it by providing a password.
Renewing keys and certificates
A time limit is associated with each certificate and private key. When the keys provided by the
Microsoft Exchange Key Management Server approach the end of the designated time period,
Outlook displays a warning message and offers to renew the keys. Outlook prompts the user,
offering to send the renewal message to the server on each user's behalf.
If a user does not renew a certificate before it expires, or if the certificate was issued by a
certificate authority other than KMS, the user must contact that certificate authority to renew the
certificate.
Plan for configuring security settings in
Outlook 2007
You can customize many of the security-related features in Microsoft Office Outlook 2007,
including limiting automated access to address books and managing users' access to
attachments.
Caution:
Outlook is configured with high security-related settings by default. High security levels
can result in limitations to Outlook functionality, such as restrictions on e-mail message
attachment file types. Be aware that lowering any default security settings might increase
the risk of virus execution or propagation. Use caution and read the documentation
before you modify these settings.
Scenarios for using Group Policy security settings
• A Microsoft Exchange 2007 environment without public folders. All client computers use
Outlook.
• An Exchange 2007 environment without public folders. Client computers with Office
Outlook 2007 use Group Policy security settings, and client computers with other versions of
Outlook depend on default security or the security form.
• An environment without Exchange Server. All client computers use Outlook.
You can also customize how Outlook runs ActiveX controls in one-off forms. For more information
about customizing how ActiveX controls behave in one-off forms, see Customize ActiveX and
custom forms security settings in Outlook 2007.
How administrator and user security settings
interact in Outlook 2007
Security settings defined by the user through the Microsoft Office Outlook 2007 user interface
work as if they are included in the Group Policy settings you define as the administrator. When
there is a conflict between the two, settings with a higher security level override settings with a
lower security level.
The following list describes specific interactions between Group Policy security settings and
security settings that a user defines in Outlook.
• Display Level 1 attachments. When this Group Policy is set, all file types that were set
to Level 1 security are set to Level 2 security. If a user wants to block a file type, the user can
customize the list in Outlook to block access to specific types of attachments.
• Add file extensions to block as Level 1. If you use this Group Policy setting to create a
list of Level 1 file types, the list overrides the default list provided with Outlook and overrides
the user's settings for Level 1 file types. Even if you allow users to remove file types from the
default Level 1 group of excluded file types, users cannot remove file types that were added to
the list through Group Policy.
For example, if the user wants to remove the file types EXE, REG, and COM from the Level 1
group, but you use the Add file extensions to block as Level 1 Group Policy setting to add EXE
as a Level 1 file type, the user can only remove REG and COM files from the Level 1 group in
Outlook.
• Remove file extensions blocked as Level 1. The user's list is combined with the list
you set in Group Policy to determine which Level 1 items are set to Level 2.
• Add file extensions to block as Level 2. If a user changes Level 1 files to Level 2 files,
and those file types are listed in Group Policy as Level 2 extensions, the files are treated as
Level 2 attachments.
• Remove file extensions blocked as Level 2. There is no interaction with this setting.
• Allow users to demote attachments to Level 2. This setting allows a user to change a
Level 1 attachment to Level 2. If you do not configure this Group Policy setting, the default
behavior in Outlook is to ignore the user's list.
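The following PowerShell is an added example, not code from the Office Resource Kit, that turns the interaction rules listed above into a function you can run against a proposed Group Policy configuration and a user's own list to see which level an extension ends up at. Assumptions stated here: the default Level 1 list is represented by a small constructed subset (EXE, REG and COM are named on this page; the rest are illustrative); Display Level 1 attachments is modelled as demoting every Level 1 type; a type placed on the policy Add file extensions to block as Level 1 list is locked against the user's own removals; a type in neither level is reported as level 0 (not restricted). The names Level1Add, Level1Remove, Level2Add, DisplayLevel1 and AllowDemote are keys of the example's own hashtables, not registry value names.

```powershell
# Added example; not code from the Office Resource Kit. Computes the effective attachment
# level for one extension from the Group Policy / user-setting interaction rules in the text.
$DefaultLevel1 = @('exe', 'com', 'reg', 'bat', 'vbs')   # constructed subset of Outlook's default Level 1 list

function ConvertTo-ExtensionList {
    # Normalises $null, a single string or an array into lower-case extensions without the dot.
    param([object[]]$Items)
    @($Items | Where-Object { $_ } | ForEach-Object { "$_".TrimStart('.').ToLowerInvariant() })
}

function Get-EffectiveAttachmentLevel {
    param(
        [Parameter(Mandatory)][string]$Extension,
        [hashtable]$Policy = @{},   # example keys: DisplayLevel1, AllowDemote, Level1Add, Level1Remove, Level2Add
        [hashtable]$User   = @{}    # example key:  Level1Remove (the list the user builds in the Outlook UI)
    )
    $ext   = $Extension.TrimStart('.').ToLowerInvariant()
    $pAdd1 = ConvertTo-ExtensionList $Policy.Level1Add
    $pRem1 = ConvertTo-ExtensionList $Policy.Level1Remove
    $pAdd2 = ConvertTo-ExtensionList $Policy.Level2Add
    $uRem1 = ConvertTo-ExtensionList $User.Level1Remove

    $level1 = @($DefaultLevel1) + $pAdd1             # policy additions extend the default list
    if ($ext -notin $level1) {
        if ($ext -in $pAdd2) { return 2 }            # "Add file extensions to block as Level 2"
        return 0                                     # not restricted by either level
    }

    # Decide which Level 1 types are demoted to Level 2.
    $demoted = @()
    if ($Policy.DisplayLevel1) { $demoted += $level1 }           # "Display Level 1 attachments" (assumption: demotes all)
    $demoted += $pRem1                                           # "Remove file extensions blocked as Level 1"
    if ($Policy.AllowDemote) {                                   # user's list counts only when demotion is allowed...
        $demoted += @($uRem1 | Where-Object { $_ -notin $pAdd1 })  # ...and never for policy-added types
    }
    if ($ext -in $demoted) { return 2 }
    return 1
}

# The scenario from the text: the user wants EXE, REG and COM demoted, but policy adds EXE.
$gpo  = @{ Level1Add = @('exe'); AllowDemote = $true }
$user = @{ Level1Remove = @('exe', 'reg', 'com') }
foreach ($x in 'exe', 'reg', 'com') {
    '{0}: Level {1}' -f $x, (Get-EffectiveAttachmentLevel -Extension $x -Policy $gpo -User $user)
}
# exe: Level 1 (locked by policy); reg: Level 2; com: Level 2
Get-EffectiveAttachmentLevel -Extension 'reg' -Policy @{ Level1Add = @('exe') } -User $user   # 1: demotion not allowed, user list ignored
```

The last call is the check worth repeating before you ship a policy: without Allow users to demote attachments to Level 2, nothing the user puts on their own list has any effect, so a user-reported "Outlook still blocks REG" after such a change is the policy working as designed, not a defect.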
See Also
Attachment file types restricted by Outlook 2007
Plan for Outlook 2007 security in special
environments
When you use Group Policy to configure security settings for Microsoft Office Outlook 2007, there
are issues to consider when your environment includes one or more of the following:
• Users who access their mailboxes by using a hosted Exchange Server.
• Users with administrative rights on their computers.
• Users who access Exchange mailboxes by using Outlook Web Access.
Users with an Outlook Web Access environment
Outlook and Outlook Web Access (OWA) do not use the same security model. OWA has separate
security settings stored on the OWA server.
II. Deploying security settings
• Configure local Group Policy settings with the Group Policy Object Editor: you must be a
member of the Administrators group on the local computer.
• Configure domain-based Group Policy settings with the Group Policy Object Editor: you must
be a member of Domain Admins, Enterprise Admins, or Group Policy Creator Owners.
Specify trusted locations by using the OCT
You can specify trusted locations only on a per-application basis by using the OCT. There is no
single OCT setting that enables you to specify a global trusted location that applies to all
applications. To specify a global trusted location that applies to all applications, you must specify
the trusted location separately for each application or use Group Policy settings.
If you specify a network share as a trusted location, you must enable the Allow Trusted
Locations not on the computer setting. In addition, you can use environment variables to
represent trusted locations; however, you must modify the registry so that the environment
variables are recognized. Also, you can specify Web folders (that is, http:// paths) as trusted
locations, but not all Web folders are recognized as trusted locations. For more information about
using environment variables to specify trusted locations and specifying Web folders as trusted
locations, see Plan trusted locations and trusted publishers settings for the 2007 Office
system.
locations options for the application you want to configure.
3. In the Specify Security Settings dialog box, click Allow Trusted Locations on the
user's machine only (application default) and click OK.
You can deploy trusted locations by using the Setup program or by using the Windows Installer
program. For more information, see Run Setup for the 2007 Office system on users' computers
(http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users' configurations after
installing the 2007 Office system (http://technet.microsoft.com/en-us/library/cc179141.aspx).
2007/PowerPoint Options/Security/Trust Center/Trusted Locations
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center/Trusted Locations
2. In the details pane, double-click Disable all trusted locations, click Enabled and
click OK.
If you specify a network share as a trusted location, you must enable the Allow Trusted
Locations not on the computer setting. In addition, you cannot use environment variables to
represent trusted locations in Group Policy. You can specify Web folders (that is, http:// paths) as
trusted locations, but not all Web folders are recognized as trusted locations. For more
information about using environment variables to specify trusted locations and specifying Web
folders as trusted locations, see Plan trusted locations and trusted publishers settings for
the 2007 Office system.
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center/Trusted Locations
2. In the details pane, double-click Allow Trusted Locations not on the computer,
click Disabled and click OK.
Add digital certificates to the trusted publishers list by using the OCT
1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Add the following digital certificates to the Trusted
Publishers list, click Add.
3. In the Add Digital Certificates dialog box, click the digital certificate that you want to
add and click Add.
See Also
Plan trusted locations and trusted publishers settings for the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system
Configure security settings for ActiveX
controls, add-ins, and macros in the 2007
Office system
You can configure settings for ActiveX controls, add-ins, and Visual Basic for Applications (VBA)
macros by using the Office Customization Tool (OCT) and the Group Policy Object Editor.
• Configure local Group Policy settings with the Group Policy Object Editor: you must be a
member of the Administrators group on the local computer.
• Configure domain-based Group Policy settings with the Group Policy Object Editor: you must
be a member of Domain Admins, Enterprise Admins, or Group Policy Creator Owners.
Use the following sections to determine how to configure settings for:
ActiveX controls
Add-ins
Macros
Note:
You can also disable ActiveX controls by setting the Unsafe ActiveX initialization setting
in the OCT to Do not prompt and disable all controls.
Change the way ActiveX controls are initialized
The following procedures show how to use the OCT and the Group Policy Object Editor to
change the way ActiveX controls are initialized. ActiveX control initialization depends on several
factors, including whether there is a VBA project present in a document and whether a control is
marked safe for initialization (SFI) or unsafe for initialization (UFI).
Change the way ActiveX controls are initialized by using the OCT
1. In the left pane of the OCT, click Office security settings.
2. In the details pane, in Unsafe ActiveX initialization, click one of the following:
Prompt user to use control defaults. This setting initializes ActiveX controls with default
values and might require user input before ActiveX controls are initialized.
Prompt user to use persisted data. This setting initializes ActiveX controls with
persisted values and might require user input before ActiveX controls are initialized.
Do not prompt. This setting initializes all controls and does not require user input.
Change the way ActiveX controls are initialized by using the Group Policy Object Editor
1. In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click ActiveX Control Initialization and click Enabled. In
ActiveX Control Initialization, click the initialization setting that you want.
There are six possible initialization settings for ActiveX controls. Some settings might
require user input before ActiveX controls are initialized.
3. Click OK.
Disable add-ins
You can use the following procedures to disable add-ins. When you disable add-ins, users are not
notified that add-ins are disabled. Also, add-ins can be disabled only on a per-application basis.
There is no global setting that disables add-ins.
Note:
You can also disable add-ins by setting the Disable all application add-ins setting to
Enabled in the OCT.
Use the OCT to require add-ins to be signed by a trusted publisher
1. In the left pane of the OCT, click Office security settings.
2. In the details pane, under Default security settings, double-click Application add-ins
warnings options for the application you want to configure.
3. In the Specify Security Settings dialog box, click Require that application
extensions are signed by trusted publisher and click OK.
Use the Group Policy Object Editor to require add-ins to be signed by a trusted
publisher
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher
2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click Require that application add-ins are signed by
trusted publisher, click Enabled and click OK.
Disable notifications for unsigned add-ins by using the Group Policy Object Editor
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher
2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click Disable trust bar notifications for unsigned
application add-ins, click Enabled and click OK.
Note:
You must use the Disable trust bar notifications for unsigned application add-ins
setting in conjunction with the Require that application add-ins are signed by trusted
publisher setting.
Configure default security settings for macros
You can use the following procedures to configure default security settings for macros. You can
configure this setting only on a per-application basis.
Configure default security settings for macros by using the Group Policy Object Editor
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access
2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher
2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click VBA macro warning settings, click Enabled, and
choose the default security setting that you want.
3. Click OK.
Note:
You can also change the default security setting for macros in Microsoft Office Outlook
2007. For more information, see the security documentation for Office Outlook 2007.
Disable VBA
You can use the following procedures to disable VBA. You can configure this setting only on a
global basis.
Provide Automation clients programmatic access to VBA projects by using the OCT
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, navigate to one of the following locations:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
3. In the details pane, double-click Trust access to Visual Basic project.
4. Click Enabled and click OK.
Provide Automation clients programmatic access to VBA projects by using the Group
Policy Object Editor
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click Trust access to Visual Basic project.
3. Click Enabled and click OK.
Configure Automation security for macros by using the Group Policy Object Editor
1. In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Security Settings
2. In the details pane, double-click Automation security and click Enabled.
3. In Set the Automation security level, click the setting that you want and click OK.
Prevent encrypted macros from being scanned for viruses by using the OCT
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, navigate to one of the following locations:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
3. In the details pane, double-click one of the following based on the application that
you are configuring:
Determine whether to force encrypted macros to be scanned in Microsoft Excel
Open XML workbooks
Determine whether to force encrypted macros to be scanned in Microsoft
PowerPoint Open XML presentations
Determine whether to force encrypted macros to be scanned in Microsoft Word
Open XML documents
4. Click Enabled and click OK.
Prevent encrypted macros from being scanned for viruses by using the Group Policy
Object Editor
1. Depending on which application you want to configure, navigate to one of the
following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
2. In the details pane, double-click one of the following based on the application that
you are configuring:
Determine whether to force encrypted macros to be scanned in Microsoft Excel
Open XML workbooks
Determine whether to force encrypted macros to be scanned in Microsoft
PowerPoint Open XML presentations
Determine whether to force encrypted macros to be scanned in Microsoft Word
Open XML documents
3. Click Enabled and click OK.
See Also
Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system
Configure document protection settings in
the 2007 Office system
You can configure document protection settings by using the Office Customization Tool (OCT) or
by using the Group Policy Object Editor.
• Configure local Group Policy settings with the Group Policy Object Editor: you must be a
member of the Administrators group on the local computer.
• Configure domain-based Group Policy settings with the Group Policy Object Editor: you must
be a member of Domain Admins, Enterprise Admins, or Group Policy Creator Owners.
Configure document protection settings by using
the OCT
Use the following procedure to configure encryption settings for Office Open XML Formats files.
Before you perform this procedure, you must know the cryptographic service provider (CSP), the
cryptographic algorithm, and the key length that you want to use for encryption settings. The
following registry key contains a list of the CSPs that are installed on a computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
Use the following procedure to configure encryption settings for Office 97-2003 format files.
Before you perform this procedure, you must know the CSP, the cryptographic algorithm, and the
key length that you want to use for encryption settings. The following registry key contains a list of
the CSPs that are installed on a computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
Cryptographic algorithm
Key length
5. Verify that your entry looks like the following example (no spaces are allowed on
either side of the commas):
Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128
6. Click OK to save your settings.
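The following PowerShell is an added example, not code from the Office Resource Kit. It reads the CSP names from the registry key named above and checks a candidate "CSP,algorithm,key length" entry against that list and the no-spaces rule before you type it into the OCT or Group Policy. The provider subkey names are the exact strings the setting expects; on Windows XP, for instance, the AES-capable provider is registered with "(Prototype)" at the end of its name, which is why reading the key beats copying the name from a document. The function names are the example's own; the registry path and the sample entry are the ones on this page.

```powershell
# Added example; not code from the Office Resource Kit. Enumerates installed CSPs and
# validates an OCT / Group Policy encryption entry of the form "CSP,algorithm,key length".
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'

function Get-InstalledCsp {
    # Each subkey name under the Provider key is one installed CSP, spelled as the setting expects it.
    Get-ChildItem -Path $ProviderKey | Select-Object -ExpandProperty PSChildName
}

function Test-OfficeEncryptionSetting {
    param(
        [Parameter(Mandatory)][string]$Setting,
        [string[]]$InstalledCsp = (Get-InstalledCsp)   # pass a list explicitly to check an entry for another machine
    )
    $parts = $Setting -split ','
    if ($parts.Count -ne 3) { return "Expected exactly 3 comma-separated fields, got $($parts.Count)" }
    if ($parts | Where-Object { $_ -ne $_.Trim() }) { return 'Spaces are not allowed on either side of the commas' }
    $csp, $alg, $len = $parts
    if ($InstalledCsp -notcontains $csp) { return "CSP '$csp' is not installed; see $ProviderKey" }
    if ($len -notmatch '^\d+$') { return "Key length '$len' is not a number" }
    return "OK: $csp / $alg / $len-bit"
}

Get-InstalledCsp                                                                                  # lists the names to choose from
Test-OfficeEncryptionSetting 'Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128'  # OK on a computer that has this CSP
Test-OfficeEncryptionSetting 'Microsoft Enhanced RSA and AES Cryptographic Provider, AES 128, 128' # rejected: spaces after the commas
```

Run it on a representative client, not only on the administrator's workstation: the entry is only valid where the named CSP is installed, and a deployed setting naming a provider the client lacks is exactly the kind of silent misconfiguration this check is meant to catch before rollout.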
Use the following procedure to configure Microsoft Office OneNote 2007 encryption settings.
You can deploy document protection settings by using the Setup program or by using the
Windows Installer program. For more information, see Run Setup for the 2007 Office system on
users' computers (http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users'
configurations after installing the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179141.aspx).
Cryptographic algorithm
Key length
4. Verify that your entry looks like the following example (no spaces are allowed on
either side of the commas):
Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128
5. Click OK to save your settings.
Use the following procedure to configure encryption settings for Office 97-2003 format files.
Before you perform this procedure, you must know the CSP, the cryptographic algorithm, and the
key length that you want to use for encryption settings. The following registry key contains a list of
the CSPs that are installed on a computer:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider
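The following PowerShell script is an added example; it is not part of the Office Resource Kit content above. It shows the two pieces of work the Office Open XML and Office 97-2003 encryption procedures rely on: reading the installed CSP names from the registry key named above, and building the "CSP,algorithm,key length" string with no spaces on either side of the commas. The policy key path HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security and the value names OpenXMLEncryption (Office Open XML Formats files) and DefaultEncryption12 (Office 97-2003 format files) are assumptions taken from the Office 2007 Administrative Templates, not from this page; check them against the ADM file you deploy.

```powershell
# Added example: not part of the Office Resource Kit. Requires Windows PowerShell 3.0 or later.
# The policy key path and the value names OpenXMLEncryption / DefaultEncryption12 are
# assumptions based on the Office 2007 Administrative Templates; verify against your ADM file.
$ProviderKey = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'        # named on the page
$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Common\Security'   # assumption

function Get-InstalledCsp {
    # One subkey per installed CSP; the subkey name is the provider name Office expects.
    (Get-ChildItem -Path $ProviderKey).PSChildName
}

function New-OfficeEncryptionSetting {
    param(
        [Parameter(Mandatory)] [string] $Csp,
        [Parameter(Mandatory)] [string] $Algorithm,
        [Parameter(Mandatory)] [int]    $KeyLength
    )
    $cspName = $Csp.Trim()
    $algName = $Algorithm.Trim()
    if ($cspName -notin (Get-InstalledCsp)) {
        throw "CSP '$cspName' is not installed on this computer; the name must match a subkey of $ProviderKey exactly."
    }
    if ($KeyLength -le 0) { throw 'Key length must be a positive number of bits.' }
    # Trimming each field is the only whitespace handling allowed: the provider name itself
    # contains spaces, but nothing may sit on either side of the commas.
    return "$cspName,$algName,$KeyLength"
}

function Set-OfficeEncryptionSetting {
    param(
        # OpenXMLEncryption = Office Open XML Formats files; DefaultEncryption12 = Office 97-2003 files (assumed names)
        [Parameter(Mandatory)] [ValidateSet('OpenXMLEncryption', 'DefaultEncryption12')] [string] $ValueName,
        [Parameter(Mandatory)] [string] $Setting
    )
    # Same check the OCT and Group Policy UI apply: three fields, no spaces around the commas.
    if (($Setting -split ',').Count -ne 3 -or $Setting -match '\s,|,\s') {
        throw "Malformed setting '$Setting'; expected '<CSP>,<algorithm>,<key length>' with no spaces around the commas."
    }
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Setting -Type String
}

$setting = New-OfficeEncryptionSetting -Csp 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
                                       -Algorithm 'AES 128' -KeyLength 128
# $setting is now "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128", the page's example.
Set-OfficeEncryptionSetting -ValueName 'OpenXMLEncryption'   -Setting $setting
Set-OfficeEncryptionSetting -ValueName 'DefaultEncryption12' -Setting $setting
```

The installed-CSP check is there because the provider name must match the registry subkey name exactly; on Windows XP, for example, the AES provider is registered as "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)", so a string copied from a Windows Vista computer will not match on an XP client. Writing under the Policies hive mirrors what a Group Policy setting does and cannot be changed by the user; the OCT writes a user-changeable default instead, which is assumed to live under HKCU\Software\Microsoft\Office\12.0\Common\Security.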
Use the following procedure to configure Office OneNote 2007 encryption settings.
See Also
Plan document protection settings in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office System
Configure external content settings in the 2007 Office system
You can configure external content settings by using the Office Customization Tool (OCT) or by
using the Group Policy Object Editor.
Task: Configure local Group Policy settings with the Group Policy Object Editor
Required permissions: Administrators group on the local computer
Task: Configure domain-based Group Policy settings with the Group Policy Object Editor
Required permissions: Domain Admins, Enterprise Admins, or Group Policy Creator Owners
Configure linked images settings by using the Group Policy Object Editor
1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security
2. In the details pane, double-click Unblock automatic download of linked images.
3. Click Enabled and click OK to save your settings.
See Also
Plan external content settings in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system
Configure Internet Explorer feature control settings in the 2007 Office system
You can configure Internet Explorer feature control settings by using the Office Customization
Tool (OCT) or by using the Group Policy Object Editor.
Task: Configure local Group Policy settings with the Group Policy Object Editor
Required permissions: Administrators group on the local computer
Task: Configure domain-based Group Policy settings with the Group Policy Object Editor
Required permissions: Domain Admins, Enterprise Admins, or Group Policy Creator Owners
Important:
Internet Explorer feature control settings are supported only on the 2007 Office system. If
you have a side-by-side installation of the 2007 Office system and an earlier version of
the Office release (such as Office 2003), the Internet Explorer feature control settings
might cause unexpected behavior in applications that are not part of the 2007 Office
system.
Configure Internet Explorer feature control settings for all applications except Office
InfoPath 2007
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system (machine), open
Security Settings, and click IE Security.
3. In the details pane, double-click the Internet Explorer feature control setting that you
want to configure.
4. To opt in or opt out of specific applications, click Enabled, and do the following:
Select the check boxes next to the applications that you want to opt in.
Clear the check boxes next to the applications that you want to opt out of.
5. To opt out of all applications, click Disabled.
6. Click OK to save your settings.
Use the following procedure to configure Internet Explorer feature control settings for Office
InfoPath 2007.
Configure Internet Explorer feature control settings for Office InfoPath 2007
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office InfoPath 2007 (machine), and
click Security.
3. In the details pane, double-click Windows Internet Explorer Feature Control Opt-
In.
4. Click Enabled, and choose a setting from the drop-down combo box.
5. Click OK to save your settings.
You can use the Setup program or the Windows Installer program to deploy Internet Explorer
feature control settings. For more information, see Run Setup for the 2007 Office system on
users' computers (http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users'
configurations after installing the 2007 Office system (http://technet.microsoft.com/en-
us/library/cc179141.aspx).
Configure Internet Explorer feature control settings for all applications except Office
InfoPath 2007
1. In the Group Policy Object Editor tree, navigate to the following:
Computer Configuration/Administrative Templates/Microsoft Office 2007 system
(machine)/Security Settings/IE Security
2. In the details pane, double-click the Internet Explorer feature control setting that you
want to configure.
3. To opt in or opt out of specific applications, click Enabled, and do the following:
Select the check boxes next to the applications that you want to opt in.
Clear the check boxes next to the applications that you want to opt out of.
4. To opt out of all applications, click Disabled.
5. Click OK to save your settings.
Use the following procedure to configure Internet Explorer feature control settings for Office
InfoPath 2007.
Configure Internet Explorer feature control settings for Office InfoPath 2007
1. In the Group Policy Object Editor tree, navigate to the following:
Computer Configuration/Administrative Templates/Microsoft Office InfoPath 2007
(machine)/Security
2. In the details pane, double-click Windows Internet Explorer Feature Control Opt-
In.
3. Click Enabled, and choose a setting from the drop-down combo box.
4. Click OK to save your settings.
See Also
Plan Internet Explorer feature control settings in the 2007 Office system
Evaluate default security and privacy settings for the 2007 Office System
Configure privacy options in the 2007 Office system
You can configure privacy options by using the Office Customization Tool (OCT) and the Group
Policy Object Editor.
The recommended guidelines in the following sections are based on the Enterprise Client (EC)
environment rather than the Specialized Security Limited Functionality (SSLF) environment. The
EC environment represents an organization that has typical security needs. It is suitable for
midsize and large organizations that seek to balance security and functionality. The SSLF
environment represents a less typical organization, one in which security is paramount. It is
suitable only for midsize and large organizations that have stringent security standards, for which
security is more important than application functionality.
For a list of all configurations, see the 2007 Microsoft Office Security Guide (Threats and
Countermeasures: Security Settings in the 2007 Office System)
(http://go.microsoft.com/?linkId=7711534).
Task: Configure local Group Policy settings with the Group Policy Object Editor
Required permissions: Administrators group on the local computer
Task: Configure domain-based Group Policy settings with the Group Policy Object Editor
Required permissions: Domain Admins, Enterprise Admins, or Group Policy Creator Owners
Tool requirements: It is assumed that you:
• Understand how to use the OCT to customize the 2007 Microsoft Office system. For
more information about the OCT, see Office Customization Tool in the 2007 Office system
(http://technet.microsoft.com/en-us/library/cc179097.aspx).
• Have created a network installation point from which you can run the OCT.
• Understand what Administrative Templates (that is, .adm files) are.
• Have loaded the Office 2007 Administrative Templates into the Group Policy Object
Editor.
Maximize the protection of private and personal information in the Office 2007 release
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office 2007 system, open Privacy, and
click Trust Center.
3. In the details pane, double-click Enable Customer Experience Improvement
Program, click Disabled, and click OK.
4. In the details pane, double-click Automatically receive small updates to improve
reliability, click Disabled, and click OK.
5. In the tree view of the OCT, open Microsoft Office 2007 system, open Tools|
Options|General|Services Options, and click Online Content.
6. In the details pane, double-click Online content options, click Enabled, and in
Online content options, click Never show online content or entry points.
7. Click OK.
Maximize the protection of private and personal information in Office Word 2007
documents
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office Word 2007, open Word Options,
and click Security.
3. In the details pane, double-click Warn before printing, saving, or sending a file
that contains tracked changes or comments, click Enabled, and click OK.
4. In the details pane, double-click Make hidden markup visible, click Enabled, and
click OK.
5. In the details pane, double-click Store random number to improve merge
accuracy, click Enabled, and click OK.
Maximize the protection of private and personal information in Office PowerPoint 2007
documents
1. In the left pane of the OCT, under Features, click Modify user settings.
2. In the tree view of the OCT, open Microsoft Office PowerPoint 2007, open
PowerPoint Options, and click Security.
3. In the details pane, double-click Make hidden markup visible, click Enabled, and
click OK.
The following procedure shows how to use the OCT to suppress the first-run Privacy Options
dialog box.
You can deploy privacy options by using the Setup program or by using the Windows Installer
program. For more information, see Run Setup for the 2007 Office system on users' computers
(http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users' configurations after
installing the 2007 Office system (http://technet.microsoft.com/en-us/library/cc179141.aspx).
Configure privacy options by using Group Policy
The following procedures show how to use the Group Policy Object Editor to maximize the
protection of private and personal information.
Maximize the protection of private and personal information in the Office 2007 release
1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007
system/Privacy/Trust Center
2. In the details pane, double-click Enable Customer Experience Improvement
Program, click Disabled, and click OK.
3. In the details pane, double-click Automatically receive small updates to improve
reliability, click Disabled, and click OK.
4. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Tools|
Options|General|Services Options/Online Content
5. In the details pane, double-click Online content options, click Enabled, and in
Online content options, click Never show online content or entry points.
6. Click OK.
Maximize the protection of private and personal information in Office Word 2007
documents
1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security
2. In the details pane, double-click Warn before printing, saving, or sending a file
that contains tracked changes or comments, click Enabled, and click OK.
3. In the details pane, double-click Make hidden markup visible, click Enabled, and
click OK.
4. In the details pane, double-click Store random number to improve merge
accuracy, click Enabled, and click OK.
Maximize the protection of private and personal information in Office PowerPoint 2007
documents
1. In the Group Policy Object Editor tree, navigate to the following:
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/PowerPoint Options/Security
2. In the details pane, double-click Make hidden markup visible, click Enabled, and
click OK.
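The following PowerShell script is an added example, not part of the Office Resource Kit content above. After the Group Policy procedures above have been applied to a test client (and gpupdate has run), it reads back the per-user policy values the three Office-wide settings write and reports whether each one landed, so a privacy baseline can be verified rather than assumed. The registry value names QMEnable, UpdateReliabilityData and UseOnlineContent, their paths under HKCU\Software\Policies\Microsoft\Office\12.0\Common, and the expected data are assumptions drawn from the Office 2007 Administrative Templates (office12.adm), not from this page; confirm them against the ADM file you loaded. The Word and PowerPoint settings from the procedures above can be added to the same table once their value names have been looked up in the ADM file.

```powershell
# Added example: not part of the Office Resource Kit. Requires Windows PowerShell 3.0 or later.
# Value names, paths and expected data are assumptions drawn from the Office 2007 Administrative
# Templates (office12.adm); confirm them against the ADM file you loaded before relying on this.
$Expected = @(
    # Enable Customer Experience Improvement Program: Disabled
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Common';          Name = 'QMEnable';              Value = 0 }
    # Automatically receive small updates to improve reliability: Disabled
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Common';          Name = 'UpdateReliabilityData'; Value = 0 }
    # Online content options: Enabled, "Never show online content or entry points"
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Common\Internet'; Name = 'UseOnlineContent';      Value = 0 }
)

function Test-OfficePrivacyPolicy {
    param([hashtable[]] $Checks = $Expected)
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path -Path $c.Path) {
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        # Missing means no policy applies, so Office falls back to whatever the user (or an OCT default) chose.
        $status = 'Mismatch'
        if ($null -eq $actual) { $status = 'Missing' }
        elseif ($actual -eq $c.Value) { $status = 'OK' }
        [pscustomobject]@{ Setting = $c.Name; Path = $c.Path; Expected = $c.Value; Actual = $actual; Status = $status }
    }
}

$results = @(Test-OfficePrivacyPolicy)
$results | Format-Table -AutoSize
# A non-zero exit code lets a logon script or deployment pipeline flag clients where the GPO did not land.
if ($results.Status -ne 'OK') { exit 1 }
```

The script checks the Policies hive deliberately: that is where Group Policy writes, and values there cannot be changed from the Trust Center. Settings pushed with the OCT are user-changeable defaults and live under a different, non-policy key, so an OCT deployment would show as Missing here even when the user's current choice matches.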
The following procedures show how to use the Group Policy Object Editor to suppress the first-
run Privacy Options dialog box and the first-run Sign up for Microsoft Update dialog box.
Suppress the first-run Sign up for Microsoft Update dialog box
1. In the Group Policy Object Editor tree, navigate to any of the following settings:
Computer Configuration/Administrative Templates/System/Internet Communication
Management/Internet Communication settings/Turn off access to all Windows
update features
User Configuration/Administrative Templates/Windows Components/Windows
Update/Remove access to use all Windows Update features
User Configuration/Administrative Templates/Start Menu and Taskbar/Remove
links and access to Windows Update
2. In the details pane, double-click the setting to which you navigated.
3. Click Enabled, and then click OK.
See Also
Plan privacy options in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system
Security policies and settings in the 2007 Office system
GPOAccelerator (http://go.microsoft.com/fwlink/?LinkId=103576)
Configure block file format settings in the 2007 Office system
You can configure block file format settings by using the Office Customization Tool (OCT) or the
Group Policy Object Editor.
Task: Configure local Group Policy settings with the Group Policy Object Editor
Required permissions: Administrators group on the local computer
Task: Configure domain-based Group Policy settings with the Group Policy Object Editor
Required permissions: Domain Admins, Enterprise Admins, or Group Policy Creator Owners
Configure block file format settings by using the OCT
Use the following procedure to configure block file format settings by using the OCT.
You can deploy block file format settings by using the Setup program or by using the Windows
Installer program. For more information, see Run Setup for the 2007 Office system on users'
computers (http://technet.microsoft.com/en-us/library/cc179093.aspx) and Change users'
configurations after installing the 2007 Office system (http://technet.microsoft.com/en-
us/library/cc179141.aspx).
Configure block file format settings by using Group Policy
Use the following procedures to configure block file format settings by using Group Policy.
Configure block file format settings by using the Group Policy Object Editor
1. In the Group Policy Object Editor tree, navigate to one of the following:
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Block file
formats
User Configuration/Administrative Templates/Microsoft Office PowerPoint
2007/Block file formats
User Configuration/Administrative Templates/Microsoft Office Word 2007/Block file
formats
2. In the details pane, double-click Open to configure block open settings, or double-
click Save to configure block save settings.
3. In the details pane, double-click the setting that you want to configure.
4. To enforce the block file format setting, click Enabled.
5. To disable the block file format setting, click Disabled.
6. Click OK to save your settings.
See Also
Evaluate default security and privacy settings for the 2007 Office System
Plan block file format settings in the 2007 Office system
B. Configuring Outlook 2007 Security Settings
Set consistent Outlook 2007 cryptography options for an organization
You can control many aspects of Microsoft Office Outlook 2007 cryptography features to help
configure more secure messaging and message encryption for your organization. For example,
you can configure a Group Policy setting that requires a security label on all outgoing mail or a
setting that disables publishing to the Global Address List.
You can lock down the settings to customize cryptography by using the Outlook Group Policy
template (Outlk12.adm). Or you can configure default settings by using the Office Customization
Tool (OCT), in which case users can change the settings. The OCT settings are in corresponding
locations on the Modify user settings page of the OCT.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To customize cryptographic options by using Group Policy
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm).
2. To customize cryptographic settings, under User Configuration\Administrative
Templates\Microsoft Office Outlook 2007\Security\Cryptography, double-click the policy
setting you want to set. For example, double-click Do not display 'Publish to GAL' button.
(Some options are included in the Signature Status dialog box folder.)
3. Click Enabled. When appropriate, choose an option that displays on the Setting tab.
4. Click OK.
The settings you can configure for cryptography are shown below (each cryptography option is
followed by its description).
Minimum encryption settings
    Set to the minimum key length for an encrypted e-mail message.
S/MIME interoperability with external clients
    Specify the behavior for handling S/MIME messages.
Always use Rich Text formatting in S/MIME messages
    Always use Rich Text for S/MIME messages instead of the format specified by the user.
Message when Outlook cannot find the digital ID to decode a message
    Enter a message to display to users.
Do not provide Continue option on Encryption warning dialog boxes
    Disable the Continue button on encryption settings warning dialog boxes.
Run in FIPS compliant mode
    Put Outlook into FIPS 140-1 mode.
Do not check e-mail address against address of certificates being using (sic)
    Do not verify the user's e-mail address against the address in the certificates used for
    encryption or signing.
Send all signed messages as clear signed messages
    Use Clear Signed for signed outgoing e-mail messages.
Request an S/MIME receipt for all S/MIME signed messages
    Request a security-enhanced receipt for outgoing e-mail messages.
URL for S/MIME certificates
    Provide a URL at which users can obtain an S/MIME receipt. The URL can contain three
    variables (%1, %2, and %3) that will be replaced by the user's name, e-mail address, and
    language, respectively.
Ensure all S/MIME signed messages have a label
    Require all S/MIME-signed messages to have a security label.
Do not display 'Publish to GAL' button
    Disable the 'Publish to GAL' button on the E-mail Security page of the Trust Center.
Require SUITEB algorithms for S/MIME operations
    Use only Suite-B algorithms for S/MIME operations.
Retrieving CRLs (Certificate Revocation Lists)
    Specify how Outlook behaves when CRLs are retrieved.
Promote Level 2 errors as errors, not warnings
    Specify the Outlook response for Level 2 errors: display an error, or a warning (default).
Attachment Secure Temporary Folder
    Specify a folder path for the Secure Temporary Files Folder. This overrides the default path
    and is not recommended.
Value name: EnrollPageURL
Value data (data type): String
Description: URL for the default certificate authority (internal or external) from which you
wish your users to obtain new digital IDs. Note: Set in the
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security subkey if you do not have
administrator rights on the user's computer.
Corresponding UI option: Get Digital ID button (E-mail Security page).
When you specify a value for PromoteErrorsAsWarnings, potential Error Level 2 conditions
include the following:
• Unknown Signature Algorithm
• No Signing Certification Found
• Bad Attribute Sets
• No Issuer Certificate Found
• No CRL Found
• Out of Date CRL
• Root Trust Problem
• Out of Date CTL
When you specify a value for EnrollPageURL, use the following parameters to send information
about the user to the enrollment Web page.
For example, to send user information to the Microsoft enrollment Web page, set the
EnrollPageURL entry to the following value, including the parameters:
www.microsoft.com/ie/certpage.htm?name=%1&email=%2&helplcid=%3
For example, if the user's name is Jeff Smith, e-mail address is someone@example.com, and
user interface language ID is 1033, the placeholders are resolved as follows:
www.microsoft.com/ie/certpage.htm?name=Jeff%20Smith&email=someone@example.com&helplcid=1033
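The following PowerShell script is an added example, not part of the Office Resource Kit content above. It resolves the %1, %2 and %3 placeholders of an EnrollPageURL template for a given user, so an administrator can preview exactly where users will be sent before deploying the value, and then writes the template (placeholders intact) to the per-user key named above. The certificate authority URL and the user values in the usage lines are constructed for illustration; the %1/%2/%3 semantics and the registry location come from the page.

```powershell
# Added example: not part of the Office Resource Kit. Requires Windows PowerShell 3.0 or later.
# The CA URL and the user values in the usage lines are constructed for illustration.
$OutlookSecurityKey = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'   # named on the page

function Expand-EnrollPageUrl {
    # Preview what a user will be sent to: resolve %1, %2 and %3 as the page describes.
    param(
        [Parameter(Mandatory)] [string] $Template,
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $Email,
        [Parameter(Mandatory)] [int]    $Lcid
    )
    # Percent-encode each value so a display name containing '&', '#' or '=' cannot add or
    # override query parameters. This also encodes '@' as %40; the page's example leaves '@'
    # bare, and a web server decodes both forms to the same address.
    $map = @{
        '%1' = [uri]::EscapeDataString($UserName)
        '%2' = [uri]::EscapeDataString($Email)
        '%3' = $Lcid.ToString()
    }
    # All three placeholders are substituted in one pass. Chained String.Replace calls would
    # be wrong: once %1 has become "Jeff%20Smith", the "%2" inside "%20" would be replaced
    # by the e-mail address.
    $evaluator = { param($m) $map[$m.Value] }.GetNewClosure()
    return [regex]::Replace($Template, '%[123]', [System.Text.RegularExpressions.MatchEvaluator]$evaluator)
}

function Set-EnrollPageUrl {
    # Store the template itself (placeholders intact); Outlook fills them in for the user.
    param([Parameter(Mandatory)] [string] $Template)
    if ($Template -notmatch '^https://') {
        Write-Warning 'Enrollment page is not HTTPS: an on-path attacker could send users to a rogue CA.'
    }
    if (-not (Test-Path -Path $OutlookSecurityKey)) { New-Item -Path $OutlookSecurityKey -Force | Out-Null }
    Set-ItemProperty -Path $OutlookSecurityKey -Name 'EnrollPageURL' -Value $Template -Type String
}

$template = 'https://ca.example.com/enroll.htm?name=%1&email=%2&helplcid=%3'   # constructed example
Expand-EnrollPageUrl -Template $template -UserName 'Jeff Smith' -Email 'someone@example.com' -Lcid 1033
# https://ca.example.com/enroll.htm?name=Jeff%20Smith&email=someone%40example.com&helplcid=1033
Set-EnrollPageUrl -Template $template
```

The HTTPS warning is the practitioner's caveat here: the enrollment page is where users obtain the digital ID that later signs and encrypts their mail, so its URL deserves the same transport protection as the CA itself. The page's own example uses a bare microsoft.com address without a scheme; an internal CA URL should be written out in full with https.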
Security policy settings for KMS-issued certificates
The values in the following table only apply to certificates issued by Microsoft Exchange Key
Management Service (KMS). The table shows additional Windows registry settings that you can
use for your custom configuration. These settings are contained in the following subkey:
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Defaults\Provider
Specify the method Outlook uses to manage virus prevention features
With Microsoft Office Outlook 2007, you can use new Group Policy settings to configure security
options that help prevent viruses. With previous versions of Outlook, you modified security
settings by using the Outlook security template and publishing the settings to a form in a top-level
folder in Exchange Server public folders. Users who needed these settings required the
HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key
to be set on their computers for the settings to apply.
The CheckAdminSettings registry key is no longer used to determine users' security settings.
Instead, you configure a new Group Policy setting: Outlook Security Mode. The option you
choose in this setting determines which security settings are enforced in Outlook:
• Default security settings in the product
• Security settings in the Exchange Server security form
• Group Policy security settings
To configure the method that Outlook uses for security settings
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm) and go to User
Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security Form
settings\Microsoft Office Outlook 12.0 Security.
2. Double-click Outlook Security Mode, and click Enabled.
3. In the Outlook Security Policy drop-down list, select the method that you want Outlook
to use for enforcing security settings.
4. Click OK.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To continue using the Exchange Server security form for Outlook security settings, you must
configure the new Group Policy setting. If you do not configure, or do not enable, the Outlook
Security Mode setting, the default security settings in the product are enforced.
Migrating to Group Policy settings
If you previously used the Exchange Server security form to manage security settings and now
choose to use Group Policy with Outlook, you must manually migrate the settings that you
configured earlier to the corresponding Group Policy settings for Outlook.
Customize attachment settings in Outlook 2007
In Microsoft Office Outlook 2007, you can specify that attachments to Outlook items (such as e-
mail messages or appointments) are restricted based on the file type of the attachment. A file type
can have either a Level 1 or Level 2 restriction. You can also configure what users can do with
attachment restrictions. For example, you might allow users to change the restrictions for a group
of attachment file types from Level 1 (user cannot view the file) to Level 2 (user can open the file
after saving it to disk).
Note:
This topic is for Outlook administrators. To learn more about why some Outlook
attachments are blocked, see Blocked attachments: The Outlook feature you love to
hate (http://go.microsoft.com/fwlink/?LinkId=81268). Or learn how to share files with
restricted file types by reading Blocked attachments in Outlook
(http://go.microsoft.com/fwlink/?LinkId=81269).
You can configure attachment settings by using Group Policy. In Group Policy, load the Outlook
template (Outlk12.adm) and go to User Configuration\Administrative Templates\Microsoft Office
Outlook 2007\Security\Security Form Settings\Attachment Security. These settings cannot be
configured by using the Office Customization Tool.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
Note:
To use Group Policy to configure these attachment settings, you must first configure the
method that Outlook uses for security settings correctly. For more information about
setting the Outlook security settings method, see Plan for configuring security settings
in Outlook 2007.
The following table describes the Group Policy options for attachments (each item is followed by
its description).
Display Level 1 attachments
    Enables users to access all attachments with Level 1 file types by first saving the
    attachments to disk, and then opening them (as with Level 2 attachments).
Allow users to demote attachments to Level 2
    Enables users to create a list of attachment file types to demote from Level 1 to Level 2.
    The registry value in which users create the list of file types to demote is
    HKCU\Software\Microsoft\Office\12.0\Outlook\Security\Level1Remove. In this value, users
    specify the file types (usually three letters) to remove from the Level 1 file list,
    separated with semicolons.
Disable the prompt about Level 1 attachments when sending an item
    Prevents users from receiving a warning when they send an item containing a Level 1
    attachment. This option affects only the warning. Once the item is sent, the user cannot
    view or gain access to the attachment. If you want users to be able to post items to a
    public folder without receiving this prompt, you must select both this check box and the
    Do not prompt about Level 1 attachments when closing an item check box.
Disable the prompt about Level 1 attachments when closing an item
    Prevents users from receiving a warning when they close an e-mail message, appointment, or
    other item containing a Level 1 attachment. This option affects only the warning. Once the
    item is closed, the user cannot view or gain access to the attachment. If you want users to
    be able to post items to a public folder without receiving this prompt, you must select
    both this check box and the Do not prompt about Level 1 attachments when sending an
    item check box.
Allow in-place activation of embedded OLE objects
    Allows users to double-click an embedded object, such as a Microsoft Excel spreadsheet,
    and open it in the Outlook editor.
Display OLE package objects
    Displays OLE objects that have been packaged. A package is an icon that represents an
    embedded or linked OLE object. When you double-click the package, the program used to
    create the object either plays the object (for example, if the object is a sound file) or
    opens and displays the object. Allowing Outlook to display OLE package objects can be
    problematic, because the icon can be easily changed and used to disguise malicious files.
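The following PowerShell script is an added example, not part of the Office Resource Kit content above. It maintains the per-user Level1Remove value that the table describes (file types without a leading period, separated by semicolons) so that the list stays well-formed, and it makes re-blocking a type as simple as demoting one. The registry location and the list format come from the page; the extension names in the usage lines are constructed for illustration, and the value has an effect only when the "Allow users to demote attachments to Level 2" policy is enabled.

```powershell
# Added example: not part of the Office Resource Kit. Requires Windows PowerShell 3.0 or later.
# Level1Remove only takes effect when "Allow users to demote attachments to Level 2" is enabled.
$OutlookSecurityKey = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Security'   # named on the page

function ConvertTo-Level1List {
    # Normalize to the format Outlook expects: no leading period, no spaces, semicolon-separated.
    param([string[]] $Extensions)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $clean = @(foreach ($e in $Extensions) {
        $x = "$e".Trim().TrimStart('.').ToLowerInvariant()
        # Reject anything that would corrupt the semicolon-separated list or smuggle a path.
        if ($x -and $x -notmatch '[;\s\\/.]' -and $seen.Add($x)) { $x }
    })
    return ($clean -join ';')
}

function Get-Level1Remove {
    $raw = (Get-ItemProperty -Path $OutlookSecurityKey -Name 'Level1Remove' -ErrorAction SilentlyContinue).Level1Remove
    if ([string]::IsNullOrEmpty($raw)) { return @() }
    return $raw.Split(';', [StringSplitOptions]::RemoveEmptyEntries)
}

function Set-Level1Remove {
    param([string[]] $Extensions)
    $value = ConvertTo-Level1List -Extensions $Extensions
    if (-not (Test-Path -Path $OutlookSecurityKey)) { New-Item -Path $OutlookSecurityKey -Force | Out-Null }
    if ($value) {
        Set-ItemProperty -Path $OutlookSecurityKey -Name 'Level1Remove' -Value $value -Type String
    } else {
        # An empty list means nothing is demoted; remove the value rather than leave an empty string.
        Remove-ItemProperty -Path $OutlookSecurityKey -Name 'Level1Remove' -ErrorAction SilentlyContinue
    }
    Write-Verbose "Level1Remove is now '$value'" -Verbose
}

function Add-Level1Remove {
    # Demote: the listed types become Level 2 (the user can save to disk, then open).
    param([Parameter(Mandatory)] [string[]] $Extension)
    Set-Level1Remove -Extensions (@(Get-Level1Remove) + $Extension)
}

function Remove-Level1Remove {
    # Re-block: take the types out of the demotion list so Level 1 applies to them again.
    param([Parameter(Mandatory)] [string[]] $Extension)
    $drop = $Extension | ForEach-Object { "$_".Trim().TrimStart('.').ToLowerInvariant() }
    Set-Level1Remove -Extensions (@(Get-Level1Remove) | Where-Object { $_.ToLowerInvariant() -notin $drop })
}

Add-Level1Remove    -Extension '.url', 'reg'    # demote two types; stored as "url;reg"
Remove-Level1Remove -Extension 'reg'            # re-block .reg; stored as "url"
```

Every demotion widens what a user can run from a mail attachment, which is why the write path logs the resulting list and why a removal function is provided alongside the addition: when an exception for one file type is no longer needed, it should be taken back rather than left in place.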
Add or remove Level 1 file types
Level 1 files are hidden from the user. The user cannot open, save, or print a Level 1 attachment.
(If you specify that users can demote a Level 1 attachment to a Level 2 attachment, Level 2
restrictions apply to the file.) The InfoBar at the top of the item displays a list of the blocked files.
(The InfoBar does not appear on a custom form.) The default list of Level 1 file types is provided
in Attachment file types that are restricted by Outlook in the See Also section, which is visible
when you are connected to the Internet.
When you remove a file type from the Level 1 list, attachments with that file type are no longer
blocked.
The following table describes how to add or remove Level 1 file types from the default list. You
can use Group Policy to configure these settings. In Group Policy, load the Outlook template
(Outlk12.adm) and go to User Configuration\Administrative Templates\Microsoft Office Outlook
2007\Security\Security Form Settings\Attachment Security. These settings cannot be configured
by using the Office Customization Tool.
Note:
To use Group Policy to configure these attachment settings, you must first configure the
method that Outlook uses for security settings correctly. For more information about
setting the Outlook security settings method, see Plan for configuring security settings
in Outlook 2007.
Add file types to block as Level 1
    Specifies the file types (usually three letters) you want to add to the Level 1 file list.
    Do not enter a period before each file type. If you enter multiple file types, separate
    them with semicolons.
Remove file types blocked as Level 1
    Specifies the file types (usually three letters) you want to remove from the Level 1 file
    list. Do not enter a period before each file type. If you enter multiple file types,
    separate them with semicolons.
Note:
To use Group Policy to configure these attachment settings, you must first configure the
method that Outlook uses for security settings correctly. For more information about
setting the Outlook security settings method, see Plan for configuring security settings
in Outlook 2007.
Add file types to block as Level 2
    Specifies the file types (usually three letters) you want to add to the Level 2 file list.
    Do not enter a period before each file type. If you enter multiple file types, separate
    them with semicolons.
Remove file types blocked as Level 2
    Specifies the file types (usually three letters) you want to remove from the Level 2 file
    list. Do not enter a period before each file type. If you enter multiple file types,
    separate them with semicolons.
Note:
If you are using only Group Policy to manage Outlook security, these options are
configured by using new Group Policy settings (described earlier in this topic). If you are
using the Exchange Server security form, you might still want to configure these legacy
settings.
If you are using the Exchange Server security form to manage Outlook security, you can
configure these legacy settings in combination with settings on the security form.
The following table describes the way legacy Group Policy settings for attachment security
interact. To configure these settings, load the Outlook template (Outlk12.adm) in Group Policy. Go
to User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security. These
settings cannot be configured by using the Office Customization Tool.
Prevent users from customizing attachment security settings
    When enabled, users cannot customize the list of file types that are allowed as
    attachments in Outlook, regardless of how you have configured other Outlook security
    settings.
Allow access to e-mail attachments
    Specifies the file types (usually three letters) you want to remove from the Level 1 file
    list. Do not enter a period before each file type. If you enter multiple file types,
    separate them with semicolons.
If you configure the Allow access to e-mail attachments Group Policy setting, the final list of
restricted file types is based on other attachment security settings:
• If you use the Exchange Server security form to configure security settings, file types on
the Level 1 list created by using the Exchange Server security form are still restricted.
• If you use Group Policy to configure security settings, the list of Level 1 file types you
have specified by using the Group Policy setting Add file extensions to block as Level 1 are
still restricted.
• If you use default security settings, all file types listed in this Group Policy setting are no
longer restricted.
Customize programmatic settings in Outlook 2007
As an administrator of Microsoft Office Outlook 2007, you can configure programmatic security
settings to manage restrictions for the following technologies: the Outlook object model,
Collaboration Data Object (CDO), and Simple MAPI. These technologies are defined as follows:
• Outlook object model—The Outlook object model allows you to programmatically
manipulate data stored in Outlook folders.
• CDO—Collaboration Data Object (CDO) libraries are used to implement messaging and
collaboration functionality in a custom application. CDO is a COM wrapper of the MAPI library
and can be called from any development language that supports Automation. CDO
implements most but not all MAPI functionality, but more than Simple MAPI.
• Simple MAPI—Simple MAPI enables developers to add basic messaging functionality,
such as sending and receiving messages, to their Microsoft Windows-based applications. It is
a subset of MAPI, which provides complete access to messaging and information exchange
systems.
You can use Group Policy to configure programmatic security settings. In Group Policy, load the
Outlook template (Outlk12.adm). The attachment options settings are located under User
Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security
Form Settings\Programmatic Security. These settings cannot be configured by using the Office
Customization Tool.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
Note:
To use Group Policy to configure programmatic security settings, you must first configure
the method that Outlook uses for security settings correctly. For more information about
setting the Outlook security settings method, see Plan for configuring security settings
in Outlook 2007.
The following table describes the Group Policy options for programmatic settings. You can
choose one of the following settings for each item:
• Prompt user—Users receive a message allowing them to choose whether to allow or
deny the operation. For some prompts, users can choose to allow or deny the operation
without prompts for up to 10 minutes.
• Automatically approve—The operation is allowed and the user does not receive a
prompt.
• Automatically deny—The operation is not allowed and the user does not receive a
prompt.
• Configure Outlook object model prompt when sending mail
  Description: Specifies what happens when a program attempts to send mail programmatically by using the Outlook object model.
• Configure Simple MAPI sending prompt
  Description: Specifies what happens when a program attempts to send mail programmatically by using Simple MAPI.
• Configure Outlook object model prompt when accessing an address book
  Description: Specifies what happens when a program attempts to gain access to an address book by using the Outlook object model.
• Configure Simple MAPI name resolution prompt
  Description: Specifies what happens when a program attempts to gain access to an address book by using Simple MAPI.
• Configure Outlook object model prompt when reading address information
  Description: Specifies what happens when a program attempts to gain access to a recipient field, such as To, by using the Outlook object model.
• Configure Simple MAPI message opening prompt
  Description: Specifies what happens when a program attempts to gain access to a recipient field, such as To, by using Simple MAPI.
• Configure Outlook object model prompt when responding to meeting and task requests
  Description: Specifies what happens when a program attempts to send mail programmatically by using the Respond method on task requests and meeting requests. This method is similar to the Send method on mail messages.
• Configure Outlook object model prompt when executing Save As
  Description: Specifies what happens when a program attempts to programmatically use the Save As command on the File menu to save an item. Once an item has been saved, a malicious program could search the file for e-mail addresses.
• Configure Outlook object model prompt when accessing the Formula property of a UserProperty object
  Description: Specifies what happens when a user adds a Combination or Formula custom field to a custom form and binds it to an Address Information field. By doing this, code can be used to indirectly retrieve the value of the Address Information field by getting the Value property of the field.
• Configure Outlook object model prompt when accessing address information via UserProperties.Find
  Description: Specifies what happens when a program attempts to search mail folders for address information by using the Outlook object model.
Customize ActiveX and custom forms security settings in Outlook 2007
You can specify ActiveX and custom forms security settings for Microsoft Office Outlook 2007
users. Custom forms security settings include options for changing how Office Outlook 2007
restricts scripts, custom controls, and custom actions.
• Allows all ActiveX Controls
  Description: Allows all ActiveX controls to run without restrictions.
• Allows only Safe Controls
  Description: Allows only safe ActiveX controls to run. An ActiveX control is safe if it is signed with Authenticode and the signer is listed in the Trusted Publishers List.
• Load only Outlook Controls
  Description: Outlook loads only the following controls. These are the only controls that can be used in one-off forms.
  • Controls from fm20.dll
  • Microsoft Office Outlook Rich Format Control
  • Microsoft Office Outlook Recipient Control
  • Microsoft Office Outlook View Control
If you do not configure any of these options, the default is to load only Outlook controls.
Note:
To use Group Policy to configure Custom Form Security, you must first configure the
method that Outlook uses for security settings correctly. See the following topic for more
information about setting this option: Specify the method Outlook uses to manage
virus prevention features.
The settings you can configure for scripts, custom controls, and custom actions are shown below:
• Allow scripts in one-off Outlook forms
  Description: Run scripts in forms where the script and the layout are contained in the message. If users receive a one-off form that contains script, users are prompted to ask if they want to run the script.
Manage trusted add-ins for Outlook 2007
If you use default Microsoft Office Outlook 2007 security settings, all Component Object Model
(COM) add-ins installed in Office Outlook 2007 are trusted by default. If you customize security
settings by using Group Policy, you can specify COM add-ins that are trusted and that can run
without encountering the Outlook object model blocks.
To trust a COM add-in, you include the file name for the add-in in a Group Policy setting with a
calculated hash value for the file. Before you can specify an add-in as trusted by Outlook, you
must install a program to calculate the hash value.
To compute the hash value for a trusted add-in
1. Download the hash calculation program - the Outlook 2007 Security Hash Generator Tool
- from the Microsoft Office Download Center (http://go.microsoft.com/fwlink/?LinkId=75742).
2. Extract the contents to a local folder (such as C:\hashtool).
3. Run the command prompt for your computer: Click Start, All Programs, Accessories,
Command Prompt.
Note:
Windows Vista requires an additional step. Right-click Command Prompt, then
select Run as administrator.
4. Change directories to the folder where you extracted the hash tool files.
5. Type: createhash.bat /register and press Enter. (This step needs to be
completed only once.)
6. Type: createhash.bat filename where filename is the full path and file name of the
add-in file you are creating the hash number for.
7. Press Enter.
8. Copy and save the value that is displayed on the screen to the clipboard. This is the
value that you will add to the Group Policy setting (see the following procedure).
Specify the add-in as trusted by entering in Group Policy the value generated by the program,
paired with the add-in file name.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To specify the trusted add-in in Group Policy
1. In Group Policy, load the Office Outlook 2007 template (Outlk12.adm) and go to User
Configuration\Administrative Templates\Microsoft Office Outlook
2007\Security\Security Form Settings\Programmatic Security\Trusted Add-ins.
2. Double-click Configure trusted add-ins, and click Enabled.
3. Click Show.
4. In the Show contents dialog box, click Add.
5. In the Add item dialog box, in the Enter the name of the item to be added field, type
the file name of the COM add-in.
6. In the Enter the value to be added field, paste the hash value of the COM add-in that
you saved when you ran the hash value calculation program.
7. Click OK three times.
The COM add-in can now run without prompts for Office Outlook 2007 users who use this
security setting.
To remove a file from the list of trusted add-ins, update the Group Policy setting by deleting the
entry for the add-in.
Note:
To use Group Policy instead of the Exchange security form to configure trusted add-ins,
you must first configure the method that Outlook uses for security settings correctly. For
more information about setting the Outlook security settings method, see Specify the
method Outlook uses to manage virus prevention features.
Configure security for Outlook 2007 folder home pages
In Microsoft Office Outlook 2007, you can view Web pages without leaving Outlook. You do this
by assigning a Web page as a home page for a folder. You can associate a Web page with any
personal or public folder. When you click the folder, Outlook displays the folder home page
assigned to it. Although this feature provides the opportunity to create powerful public folder
applications, scripts can be included on the Web page that access the Outlook object model. This
exposes users to security risks.
You can improve security by using Group Policy to disable folder home pages for all of your
users.
You can lock down this setting (recommended) by using the Outlook Group Policy template
(Outlk12.adm). Or you can configure a default setting by using the Office Customization Tool
(OCT), in which case users can change the setting. The OCT settings are in corresponding
locations on the Modify user settings page of the OCT.
The Outlook template and other ADM files can be downloaded from 2007 Office System
Administrative Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft
Download Center.
To disable folder home pages by using Group Policy
1. In Group Policy, load the Microsoft Office Outlook 2007 template (Outlk12.adm).
2. Under User Configuration\Administrative Templates\Microsoft Office Outlook
2007\Folder Home Pages for Outlook Special Folders\Settings for Disable Folder Home
Pages, double-click Do not allow Home Page URL to be set in folder Properties.
3. Click Enabled.
4. Click OK.
Configure junk e-mail settings in Outlook 2007
Microsoft Office Outlook 2007 provides features that can help users avoid receiving and reading
junk e-mail messages, including the Junk E-mail Filter and the disabling of automatic content
download from external servers.
You can configure settings to deploy these features to meet the needs of your organization. For
example, you can configure the Junk E-mail Filter to be more aggressive, though in that case it
might catch more legitimate messages as well. Rules that are not part of the junk e-mail
management built into the software are not affected.
Note:
This topic is for Outlook administrators. To learn more about configuring junk e-mail
settings in Outlook on your desktop, see Change the level of protection in the Junk E-Mail
Filter (http://go.microsoft.com/fwlink/?LinkId=81273).
Note:
If you decide to configure Junk E-mail Filter settings in the OCT, see the procedure To
ensure default Junk E-mail settings are applied using the OCT later in this topic for an
additional setting that must be configured.
Use the following procedure to configure Junk E-mail Filter options in Outlook. The Outlook
template and other ADM files can be downloaded from 2007 Office System Administrative
Templates (ADM) (http://go.microsoft.com/fwlink/?LinkId=78161) on the Microsoft Download
Center.
option from a drop-down list.
5. Click OK.
You can configure the following settings for the Outlook Junk E-mail filter.
• Hide Junk Mail UI
  Description: Disable junk e-mail filtering and hide related settings in Outlook.
• Junk E-mail protection level
  Description: Select the level of junk e-mail protection for users: No Protection, Low, High, Trusted Lists Only.
• Add e-mail recipients to users' Safe Senders Lists
  Description: Automatically add all e-mail recipients to users' Safe Senders Lists.
• Overwrite or Append Junk Mail Import List
  Description: Change default from overwrite Junk Mail Import list to append to the list.
• Specify path to Safe Senders list
  Description: Specify a text file containing a list of e-mail addresses to append to or overwrite the Safe Senders list.
• Specify path to Safe Recipients list
  Description: Specify a text file containing a list of e-mail addresses to append to or overwrite the Safe Recipients list.
• Specify path to Blocked Senders list
  Description: Specify a text file containing a list of e-mail addresses to append to or overwrite the Blocked Senders list.
If you configure default values by using the OCT (rather than using Group Policy to lock down
settings), a specific Junk E-mail setting must be configured so the new defaults can be applied.
To ensure default Junk E-mail settings are applied using the OCT
1. In the OCT, on the Modify user settings page, under Microsoft Office Outlook
2007\Tools | Options\Preferences\Junk E-mail, double-click Junk Mail Import list.
2. Click Enabled.
3. Click OK.
Configuring automatic picture download
To help protect users' privacy and to combat Web beacons—functionality embedded within items
to detect when recipients have viewed an item—Office Outlook 2007 is configured by default to
not automatically download pictures or other content from external servers on the Internet.
You can lock down the settings to customize automatic picture download by using the Outlook
Group Policy template (Outlk12.adm). Or you can configure default settings by using the OCT, in
which case users can change the settings. The OCT settings are in corresponding locations on
the Modify user settings page of the OCT.
You can configure the following settings for automatic picture download.
• Display pictures and external content in HTML e-mail
  Description: Enable this option to automatically display external content in HTML mail.
• Automatically download content for e-mail from people in Safe Senders and Safe Recipients lists
  Description: Enable this option to automatically download content when an e-mail message is from someone in the user's Safe Senders list or to someone in the user's Safe Recipients list.
• Do not permit download of content from safe zones
  Description: Disable this option to automatically download content for sites in Safe Zones (as defined by Trusted Zones, Internet, and Intranet settings).
• Block Trusted Zones
  Description: Disable this option to include Trusted Zones in the Safe Zones for Automatic Picture Download.
• Include Internet in Safe Zones for Automatic Picture Download
  Description: Automatically download pictures for all Internet e-mail.
• Include Intranet in Safe Zones for Automatic Picture Download
  Description: Automatically download pictures for all Intranet e-mail.
More about automatic picture download
Messages in HTML format often include pictures or sounds. Sometimes these pictures or sounds
are not included in the message, but are instead downloaded from a Web server when the e-mail
message is opened or previewed. This is typically done by legitimate senders to avoid sending
extra-large messages.
However, junk e-mail senders can use a link to content on external servers to include a Web
beacon in e-mail messages, which notifies the Web server when users read or preview the
message. The Web beacon notification validates the user's e-mail address to the junk e-mail
sender, which can result in more junk e-mail being sent to the user.
This feature to not automatically download pictures or other content can also help users to avoid
viewing potentially offensive material (for external content linked to the message) and, if they are
on a low bandwidth connection, to decide whether an image warrants the time and bandwidth to
download it. Users can view the blocked pictures or content in a message by clicking the InfoBar
under the message header or by right-clicking the blocked image.
By default, Outlook does not download pictures or other content automatically, except when the
external content comes from a Web site in the Trusted Sites zone or from an address or domain
specified in the Safe Senders List. You can change this behavior so that content from any of the
zones (Trusted Sites, Local Intranet, and Internet) will be downloaded automatically or blocked
automatically.
See Also
Plan for limiting junk e-mail in Outlook 2007
Create and deploy Junk E-mail Filter lists in Outlook 2007 (http://technet.microsoft.com/en-us/library/cc179056.aspx)
III. Security Technical Reference
Note:
To use Group Policy to manage the 2007 Office system, you must load the Office
2007 Administrative Templates (that is, .adm files) into the Group Policy Object
Editor.
The following security settings and privacy options are discussed in this section:
Trusted locations and trusted publishers settings
ActiveX control settings
Add-in settings
Visual Basic for Applications (VBA) macro settings
Document protection settings
External content settings
Internet Explorer feature control settings
Privacy options
Block file format settings
Trusted locations settings
You can configure trusted locations settings for the following applications: Microsoft Office Access
2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007,
and Microsoft Office Word 2007. There are two types of trusted locations settings: global settings,
which apply to all applications; and application-specific settings, which can be configured
separately for each application.
• Allow mix of policy and user locations
  Default configuration: A mix of policy and user locations is allowed.
  Description: By default, a computer can have trusted locations that are created by users through the graphical user interface and trusted locations that are created by administrators through Group Policy or the OCT. Disabling this setting prevents users from creating trusted locations through the graphical user interface and disables all trusted locations that are created by users through the graphical user interface and all trusted locations that are created by administrators through the OCT.
• Trusted Location #1, Trusted Location #2, … Trusted Location #n
  Default configuration: Trusted locations are not specified (see note).
  Description: This setting enables you to specify trusted locations globally for Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. You can configure this setting only through Group Policy; you cannot configure global trusted locations through the OCT.
• Remove all trusted locations written by the OCT during installation
  Default configuration: This setting is not selected.
  Description: If you select this setting, all trusted locations that are specified by the OCT are deleted. This setting can be configured only on the Office security settings page of the OCT. You cannot configure this setting through Group Policy.
Note:
Several trusted locations are specified by default during installation. These default trusted
locations do not appear in the OCT or in the Group Policy Object Editor. For more
information about default trusted locations, see "Default trusted location settings" in
Evaluate default security settings and privacy options for the 2007 Office system.
You can find the Allow mix of policy and user locations setting at the following location on the
Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings/Trust Center
You can find the Trusted Location #1…#n settings and the Allow mix of policy and user
locations setting at the following location in the User Configuration/Administrative Templates
node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings/Trust Center
Application-specific trusted locations settings
Application-specific trusted locations settings must be configured separately for Office Access
2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. The
settings are described in the following table.
• Allow Trusted Locations not on the computer
  Default configuration: Trusted locations that are not on the computer are not allowed.
  Description: By default, trusted locations that are network shares are disabled, but users can still select the Allow Trusted Locations on my network check box in the Trust Center graphical user interface. If this setting is set to Disabled and a user attempts to designate a network share as a trusted location, a warning informs the user that the current security settings do not allow the creation of trusted locations with remote paths or network paths. If an administrator designates a network share as a trusted location through Group Policy or by using the OCT and this setting is Disabled, the trusted location is disabled and is not recognized by an application.
• Disable all trusted locations
  Default configuration: Trusted locations are enabled.
  Description: Enabling this setting disables all trusted locations, including trusted locations that are:
  • Created by default during setup.
  • Created by users through the graphical user interface.
  • Deployed through Group Policy.
  Enabling this setting also prevents users from configuring trusted locations settings in the Trust Center.
• Trusted Location #1, Trusted Location #2, … Trusted Location #n
  Default configuration: Trusted locations are not specified (see Note).
  Description: This setting allows you to specify trusted locations separately for Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. You can configure this setting through the OCT and through Group Policy.
Note:
Several trusted locations are specified by default during installation. These default trusted
locations do not appear in the OCT or in the Group Policy Object Editor. For more
information about default trusted locations, see "Default trusted location settings" in
Evaluate default security settings and privacy options for the 2007 Office system.
You can find these settings at the following locations on the Modify user settings page of the OCT:
Microsoft Office Access 2007/Application Settings/Security/Trust Center/Trusted Locations
Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations
Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office Access 2007/Security/Trust Center/Trusted Locations
Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations
Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
Note:
ActiveX controls cannot be disabled in files that are saved in trusted locations. When a
file is opened from a trusted location, all active content in the file is initialized and allowed
to run without notification, even if DisableAllActiveX is set to 1.
When you use the OCT to disable ActiveX controls, the DisableAllActiveX registry entry is written
to:
HKEY_CURRENT_USER/Software/Microsoft/Office/Common/Security
When you use the Group Policy Object Editor to disable ActiveX controls, the DisableAllActiveX
registry entry is written to:
HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/Common/Security
There is one setting for disabling ActiveX controls. This setting is described in the following table.
You can find the Disable All ActiveX setting at the following location on the Modify user settings
page of the OCT:
Microsoft Office 2007 system/Security Settings
You can also find the DisableAllActiveX setting at the following location in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings
Note:
You can also disable ActiveX controls by configuring ActiveX control initialization settings.
These settings are discussed in the following section.
Settings for changing the way ActiveX controls are initialized
You can change the way ActiveX controls are initialized by configuring the Unsafe ActiveX
initialization setting in the OCT or by configuring the ActiveX Control Initialization setting in
Group Policy. Both settings modify a registry entry named UFIControls. The 2007 Office system
and earlier versions of Office evaluate this registry entry to determine how to initialize ActiveX
controls.
There are six possible values for the UFIControls registry entry. The values are described in the
following table.
UFIControls value / Loads SFI controls in safe mode? / Initialization behavior when a VBA project is present / Initialization behavior when no VBA project is present
When you configure the Unsafe ActiveX initialization setting in the OCT, the UFIControls
registry entry is written to:
HKEY_CURRENT_USER/Software/Microsoft/Office/12.0/Common/Security
When you configure the ActiveX Control Initialization setting through Group Policy, the
UFIControls registry entry is written to:
HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/Common/Security
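As an added example (not from the Resource Kit), the following PowerShell function reads the DisableAllActiveX and UFIControls entries from both the OCT (user preference) and Group Policy locations quoted above and reports which value applies and whether the user can change it. The function names and output fields are my own; only the registry paths and values come from the text.

```powershell
# Added example, not from the 2007 Office Resource Kit: audit how ActiveX
# security is configured for the current user by reading the two registry
# entries described in the text. Group Policy writes under ...\Policies\...,
# which locks the setting; the OCT writes to the non-policy key, which is a
# default the user can change. Office enforces the policy value when both exist.

function Read-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns the value as an integer, or $null when the key or value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-OfficeActiveXConfig {
    # Locations quoted in the text, written with the HKCU: drive and backslashes.
    $entries = @(
        @{
            Name       = 'DisableAllActiveX'
            Policy     = 'HKCU:\Software\Policies\Microsoft\Office\Common\Security'
            Preference = 'HKCU:\Software\Microsoft\Office\Common\Security'
        },
        @{
            Name       = 'UFIControls'
            Policy     = 'HKCU:\Software\Policies\Microsoft\Office\Common\Security'
            Preference = 'HKCU:\Software\Microsoft\Office\12.0\Common\Security'
        }
    )

    foreach ($e in $entries) {
        $policyValue = Read-RegistryDword -Path $e.Policy     -Name $e.Name
        $prefValue   = Read-RegistryDword -Path $e.Preference -Name $e.Name

        # The policy location takes precedence; the preference is only a default.
        if ($null -ne $policyValue) {
            $value  = $policyValue
            $source = 'Group Policy (locked; user cannot change)'
        } elseif ($null -ne $prefValue) {
            $value  = $prefValue
            $source = 'OCT/user preference (user can change)'
        } else {
            $value  = $null
            $source = 'Not configured'
        }

        # Interpret the value using only what the text states about each entry.
        $note = switch ($e.Name) {
            'DisableAllActiveX' {
                if ($value -eq 1) {
                    'All ActiveX controls disabled, except in files opened from trusted locations'
                } else {
                    'ActiveX controls not disabled; initialization is governed by UFIControls'
                }
            }
            'UFIControls' {
                if ($null -eq $value) {
                    'Default behavior (same as "Prompt user to use persisted data")'
                } elseif ($value -ge 1 -and $value -le 6) {
                    "Initialization mode $value (see the UFIControls value table)"
                } else {
                    "Unexpected value $value; valid values are 1 to 6"
                }
            }
        }

        [PSCustomObject]@{
            Entry  = $e.Name
            Value  = $value
            Source = $source
            Note   = $note
        }
    }
}

# Run the audit and show one row per registry entry.
Get-OfficeActiveXConfig | Format-Table -AutoSize
```

Run it in the context of the user being audited, since both locations are under HKEY_CURRENT_USER.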
The following table describes the Unsafe ActiveX initialization settings that are in the OCT. You
can find the Unsafe ActiveX initialization setting on the Office security settings page of the OCT.
• <do not configure>
  Initialization behavior when a VBA project is present: This is the default setting. Initialization behavior is the same as Prompt user to use persisted data.
  Initialization behavior when no VBA project is present: This is the default setting. Initialization behavior is the same as Prompt user to use persisted data.
• Prompt user to use control defaults
  Initialization behavior when a VBA project is present: Prompts users to enable or disable controls. If the user enables controls, SFI controls are initialized with minimal restrictions (that is, with persisted values) and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.
  Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode. Users are not prompted to enable SFI controls. If the file contains UFI controls, users are prompted to enable or disable controls. If the user enables controls, SFI controls are initialized with minimal restrictions and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.
• Prompt user to use persisted data
  Initialization behavior when a VBA project is present: Prompts users to enable or disable controls. If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.
  Initialization behavior when no VBA project is present: If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode. Users are not prompted to enable SFI controls. If the file contains UFI controls, users are prompted to enable or disable controls. If the user enables controls, SFI and UFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, controls are initialized with default values by using the InitNew method.
• Do not prompt
  Initialization behavior when a VBA project is present: Initializes SFI and UFI controls with minimal restrictions (that is, persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. Users are not notified that ActiveX controls are enabled. SFI controls are not loaded in safe mode.
  Initialization behavior when no VBA project is present: SFI and UFI controls are initialized with minimal restrictions (that is, persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. Users are not notified that ActiveX controls are enabled. SFI controls are not loaded in safe mode.
• Do not prompt and disable all controls
  Initialization behavior when a VBA project is present: All ActiveX controls are disabled and will not initialize when a user opens a file that contains ActiveX controls. Users are not notified that ActiveX controls are disabled. This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.
  Initialization behavior when no VBA project is present: All ActiveX controls are disabled and will not initialize when a user opens a file that contains ActiveX controls. Users are not notified that ActiveX controls are disabled. This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.
You can find the ActiveX Control Initialization setting at the following location in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings
You can configure the ActiveX Control Initialization setting with a value from 1 to 6. These
values correspond to the values of the UFIControls registry entry that are described in a previous
table.
The following table shows how the OCT, Group Policy, and Trust Center settings correspond to
the values of the UFIControls and DisableAllActiveX registry entries.
Registry values / Group Policy settings / OCT settings / Trust Center settings
Add-in settings
There are three main types of security settings for add-ins:
• Settings for disabling add-ins.
• Settings for requiring that add-ins are signed by a trusted publisher.
• Settings for disabling notifications for unsigned add-ins.
The settings are described in the following table.
• Disable all application add-ins
  Default configuration: Disabled
  Description: When you enable this setting, all add-ins are disabled and users are not notified that add-ins are disabled. This setting can be configured in the OCT and in the Group Policy Object Editor. You must configure this setting on a per-application basis. This setting does not exist for Office Publisher 2007. To disable add-ins in Office Publisher 2007, you must use the Application add-ins warnings options setting.
• Application add-ins warnings options
  Default configuration: Enable all installed application add-ins (application default)
  Description: When you set this setting to Disable all application extensions, all add-ins are disabled and users are not notified that add-ins are disabled. This setting can be configured only in the OCT. You must configure this setting on a per-application basis.
You can find the Disable all application add-ins setting at the following locations on the Modify
user settings page of the OCT:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
You can find the Disable all application add-ins setting at the following locations in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
User Configuration/Administrative Templates/Microsoft Office Access 2007/Application
Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust
Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
You can find the Application add-ins warnings options settings on the Office security settings
page of the OCT, under Default security settings.
The settings are described in the following table.
Setting name: Require that application add-ins are signed by trusted publisher
Default configuration: Disabled
Description: When you enable this setting, add-ins that are signed by a publisher that is on the
trusted publishers list will run without notification. Unsigned add-ins and add-ins that are signed
by a publisher that is not on the trusted publishers list are disabled, but users are prompted to
enable or disable the add-ins. This setting can be configured in the OCT and with the Group
Policy Object Editor. You must configure this setting on a per-application basis.

Setting name: Application add-ins warnings options
Default configuration: Enable all installed application add-ins (application default)
Description: When you set this setting to Require that application extensions are signed by
trusted publisher, add-ins that are signed by a publisher that is on the trusted publishers list will
run without notification. Unsigned add-ins and add-ins that are signed by a publisher that is not
on the trusted publishers list are disabled, but users are prompted to enable or disable the
add-ins. This setting can be configured only in the OCT. You must configure this setting on a
per-application basis.
You can find the Require that application add-ins are signed by trusted publisher setting at
the following locations on the Modify user settings page of the OCT:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Publisher 2007/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
You can find the Require that application add-ins are signed by trusted publisher setting at
the following locations in the User Configuration/Administrative Templates node of the Group
Policy Object Editor:
User Configuration/Administrative Templates/Microsoft Office Access 2007/Application
Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust
Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|
Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word
Options/Security/Trust Center
You can find the Application add-ins warnings options settings on the Office security settings
page of the OCT, under Default security settings.
Setting name: Application add-ins warnings options
Default configuration: Enable all installed application add-ins (application default)
Description: When you set this setting to Require that extensions are signed, and silently
disable unsigned extensions, signed add-ins that are not trusted are disabled, but users are
prompted to enable or disable the add-ins. Unsigned add-ins are also disabled, but users are not
notified and they are not prompted to enable or disable the unsigned add-ins. This setting can be
configured only in the OCT. You must configure this setting on a per-application basis.
You can find the Disable trust bar notification for unsigned application add-ins setting at the
following locations on the Modify user settings page of the OCT:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Publisher 2007/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
You can find the Disable trust bar notification for unsigned application add-ins setting at the
following locations in the User Configuration/Administrative Templates node of the Group Policy
Object Editor:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Publisher 2007/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
You can find the Application add-ins warnings options settings on the Office security settings
page of the OCT, under Default security settings.
Note:
You can also change the default macro security settings for Office Outlook 2007. See the
Office Outlook 2007 security documentation for more information.
The VBA macro warning settings and VBA macro warnings options settings modify a registry
entry named VBAWarnings. Each application reads this registry entry to determine how to run
macros. There are four possible values for the VBAWarnings registry entry. The values are
described in the following table.
When you configure the VBA macro warnings options setting in the OCT, the VBAWarnings
registry entry is written to:
HKEY_CURRENT_USER/Software/Microsoft/Office/12.0/program name/Security
Where program name can be any of the following:
Access
Excel
PowerPoint
Publisher
Visio
Word
When you configure the VBA macro warning settings setting through Group Policy, the
VBAWarnings registry entry is written to:
HKEY_CURRENT_USER/Software/Policies/Microsoft/Office/12.0/program name/Security
Where program name can be any of the following:
Access
Excel
PowerPoint
Publisher
Visio
Word
The following table shows how the OCT, Group Policy, and Trust Center settings correspond to
the values of the VBAWarnings registry entry.
Registry values | VBA macro warning settings (Group Policy) | VBA macro warnings options (OCT) | Macro settings (Trust Center)
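As an added example (not from the Office Resource Kit), the following PowerShell script reports, for each of the six applications, whether VBAWarnings is set under the Group Policy key, under the OCT key, or not at all. It assumes the two registry paths above with backslash separators, and that Office honors the value under the Policies key over the non-Policies value when both are present.

```powershell
# Added example: audit where VBAWarnings is configured for each 2007 Office
# application on the local machine. Not part of the Office Resource Kit.
# Assumption: the Policies key (written by Group Policy) takes precedence over
# the non-Policies key (written by the OCT or the Trust Center UI).
$apps = 'Access', 'Excel', 'PowerPoint', 'Publisher', 'Visio', 'Word'

function Get-VbaWarningsSource {
    param([Parameter(Mandatory = $true)][string]$App)

    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\12.0\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\12.0\$App\Security"

    # Get-ItemProperty returns $null (no error) when the key or value is absent.
    $policy = Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue
    $user   = Get-ItemProperty -Path $userKey   -Name VBAWarnings -ErrorAction SilentlyContinue

    if ($policy) {
        $source = 'Group Policy'
        $value  = $policy.VBAWarnings
    } elseif ($user) {
        $source = 'OCT / user setting'
        $value  = $user.VBAWarnings
    } else {
        $source = 'not set (application default applies)'
        $value  = $null
    }

    [pscustomobject]@{
        Application = $App
        VBAWarnings = $value
        Source      = $source
        # Only a Group Policy value is enforced; an OCT value can be changed by
        # the user in the Trust Center, so flag it as unmanaged.
        Managed     = ($source -eq 'Group Policy')
    }
}

$apps | ForEach-Object { Get-VbaWarningsSource -App $_ } | Format-Table -AutoSize
```

Run it in the context of the user being audited, because both keys live under HKEY_CURRENT_USER.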
You can find the VBA macro warnings options setting on the Office security settings page of the
OCT, under Default security settings.
You can find the VBA macro warning settings setting at the following locations in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office Access 2007/Application Settings/Security/Trust Center
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Publisher 2007/Security/Trust Center
Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Setting name: Trust access to Visual Basic project
Default configuration: Automation clients do not have programmatic access to VBA projects.
Description: When you enable this setting, Automation clients have programmatic access to VBA
projects and can use the VBA object model. When you disable this setting, Automation clients do
not have programmatic access to VBA projects. This setting can be configured in the OCT and in
the Group Policy Object Editor.
You can find the Trust access to Visual Basic project setting at the following locations on the
Modify user settings page of the OCT:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
You can find the Trust access to Visual Basic project setting at the following locations in the
User Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Setting name: Disable VBA for Office applications
Default configuration: VBA is enabled if it is installed.
Description: When you enable this setting, VBA will not function and users will not be able to run
macros and other programmatic content. This setting can be configured in the OCT and in the
Group Policy Object Editor.
You can find the Disable VBA for Office applications setting at the following location on the
Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find the Disable VBA for Office applications setting at the following location in the User
Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings
Setting name: Enable Microsoft Visual Basic for Applications
Default configuration: VBA is enabled.
Description: Enabling this setting allows VBA to run. Disabling this setting prevents VBA from
running, which can prevent some drawing types from having full functionality in Office Visio 2007.

Setting name: Load Microsoft Visual Basic for Applications projects from text
Default configuration: VBA projects are not loaded from text.
Description: Enabling this setting allows Office Visio 2007 to compile VBA projects when you
open a file. This enables you to use VBA projects that are saved in earlier Office Visio 2007 file
formats. The compiled VBA projects are not saved. Disabling this setting prevents VBA projects
from being loaded from text.

Setting name: Enable Microsoft Visual Basic for Applications project creation
Default configuration: Users are allowed to create VBA projects.
Description: Enabling this setting allows users to create VBA projects. Disabling this setting
prevents users from creating VBA projects in files that do not already have a VBA project.
You can find these settings at the following location on the Modify user settings page of the OCT:
Microsoft Office Visio 2007/Tools|Options/Security/Macro Security
You can find these settings at the following location in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office Visio 2007/Tools|Options/Security/Macro Security
Global Automation security settings
You can change the way macros run in applications that are started programmatically through
Automation by configuring the Automation security setting. This setting is global in scope and
applies to the following applications:
Office Excel 2007
Office PowerPoint 2007
Office Word 2007
This setting has three possible configuration states. Each configuration state is described in the
following table.
You can find this setting at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find this setting at the following location in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings
Application-specific Automation security settings
You can change the way macros run in Office Publisher 2007 when Office Publisher 2007 is
started programmatically through Automation. To do this, you use the Publisher automation
security level setting. This setting can be configured only through Group Policy and has three
possible configuration states. Each configuration state is described in the following table.
You can find the Publisher automation security level setting at the following location in the
User Configuration/Administrative Templates node of the Group Policy Object Editor:
Microsoft Office Publisher 2007/Security
Settings for preventing virus-scanning programs from scanning
encrypted macros
The three settings for preventing virus-scanning programs from scanning encrypted macros are
described in the following table.
Setting name: Determine whether to force encrypted macros to be scanned in Microsoft Excel
Open XML workbooks
Default configuration: Encrypted macros are scanned by your virus-scanning program when you
open an encrypted workbook that contains macros.
Description: Encrypted macros are not scanned by your virus-scanning program when you
enable this setting, which means that encrypted macros will run according to the macro security
settings that you have configured. This setting applies only to Office Excel 2007.

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft
PowerPoint Open XML presentations
Default configuration: Encrypted macros are scanned by your virus-scanning program when you
open an encrypted presentation that contains macros.
Description: Encrypted macros are not scanned by your virus-scanning program when you
enable this setting, which means that encrypted macros will run according to the macro security
settings that you have configured. This setting applies only to Office PowerPoint 2007.

Setting name: Determine whether to force encrypted macros to be scanned in Microsoft Word
Open XML documents
Default configuration: Encrypted macros are scanned by your virus-scanning program when you
open an encrypted document that contains macros.
Description: Encrypted macros are not scanned by your virus-scanning program when you
enable this setting, which means that encrypted macros will run according to the macro security
settings that you have configured. This setting applies only to Office Word 2007.
You can find these settings at the following locations on the Modify user settings page of the OCT:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
Setting name: Encryption type for password protected Office open XML files
Default configuration: On Microsoft Windows XP operating systems, the default is Microsoft
Enhanced RSA and AES Cryptographic Provider (Prototype), AES-128, 128-bit. On Windows
Vista operating systems, the default is Microsoft Enhanced RSA and AES Cryptographic
Provider, AES-128, 128-bit.
Description: Enables you to specify the encryption type for Office Open XML Formats files that
are encrypted.

Setting name: Encryption type for password protected Office 97-2003 files
Default configuration: Office 97/2000 Compatible encryption method, which is a proprietary
encryption method.
Description: Enables you to specify the encryption type for Office 97-2003 format files that are
encrypted.
You can find these settings at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Security Settings
Setting name: Disallows add-ons access to password protected sections
Default configuration: Add-ins can access sections of text that have been unlocked by a user.
Description: Enabling this setting prevents add-ins from accessing sections of text that have
been unlocked by a user.

Setting name: Disable password protected sections
Default configuration: Encrypted sections of text are not disabled (that is, users can use the
password protection feature to lock and unlock sections of text and change password settings).
Description: When you enable this setting, users cannot:
• Encrypt new and existing sections of text.
• Disable encryption on an encrypted section of text.
• Change the password that is used to encrypt a section of text.
When this setting is enabled, users can still enter a password to access sections of text that are
encrypted.

Setting name: Lock password protected sections as soon as I navigate away from them
Default configuration: Encrypted sections of text remain unlocked for a period of time after a
user navigates away from the unlocked text.
Description: Enabling this setting ensures that encrypted sections of text become locked as soon
as a user navigates away from the text.

Setting name: Lock password protected sections after user hasn't worked on them for a time
Default configuration: Encrypted sections of text remain unlocked for 10 minutes after a user
navigates away from the unlocked text or a user stops editing the unlocked text.
Description: You can change the number of minutes that unlocked sections remain unlocked by
enabling this setting and choosing a new time in Time interval (minutes) to lock password
protected sections. If you do not want unlocked sections of text to automatically lock after a user
unlocks them, you can disable this setting or you can enable this setting and clear the Check to
lock sections checkbox. In either case, be sure that you do not enable the Lock password
protected sections as soon as I navigate away from them setting. Doing so causes unlocked
sections to lock as soon as a user navigates away from the sections, regardless of how you have
configured the Lock password protected sections after user hasn't worked on them for a
time setting.
You can find these settings at the following locations on the Modify user settings page of the OCT:
Microsoft Office OneNote 2007/Tools|Options/Password
You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office OneNote 2007/Tools|Options/Password
Setting name: Disable hyperlink warnings
Default configuration: By default, users are notified about unsafe hyperlinks. In addition, unsafe
hyperlinks are disabled until they are enabled by a user.
Description: Enabling this setting suppresses hyperlink warnings for the following:
• Hyperlinks that use unsafe protocols, such as msn, nntp, mms, outlook, and stssync.
• Hyperlinks from a remote file to the local computer.
Linked images settings
You can enable the automatic downloading of images in Office PowerPoint 2007 by using the
setting that is described in the following table.
Setting name: Unblock automatic download of linked images
Default configuration: By default, images that are saved on an external computer do not display
in slides.
Description: Enabling this setting allows linked images on external Web sites to download and
appear in slides.
You can find this setting at the following location on the Modify user settings page of the OCT:
Microsoft Office PowerPoint 2007/PowerPoint Options/Security
You can find this setting at the following location in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office PowerPoint 2007/PowerPoint Options/Security
Internet Explorer feature control setting: Disable user name and password
Description: Invalidates URL syntax that may include a username and password, such as
http://username:password@server/.

Internet Explorer feature control setting: Local Machine Zone Lockdown Security
Description: Applies Local Machine Zone settings to all local content.

Internet Explorer feature control setting: Mime Sniffing Safety Feature
Description: Checks the signature bits of downloaded files to determine the file's type and render
the type properly.

Internet Explorer feature control setting: Restrict File Download
Description: Prevents file downloads that are not initiated by the user.

Internet Explorer feature control setting: Saved from URL
Description: Evaluates the saved from URL information for files on a Universal Naming
Convention (UNC) share. This feature increases security on UNC paths, but at a performance
cost.
By default, Microsoft Office Groove 2007 (Groove.exe), Office Outlook 2007 (Outlook.exe), and
Microsoft Office SharePoint Designer 2007 (Spdesign.exe) are opted in to all 15 feature control
settings. Office InfoPath 2007 (Infopath.exe) is also opted in to all 15 feature control settings and
the following three Office InfoPath 2007 components: Document Information Panel, Workflow
forms, and third-party hosting.
Internet Explorer feature control settings for all applications except Office InfoPath 2007 can be
found at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system (machine)/Security Settings/IE Settings
Internet Explorer feature control settings for all applications except Office InfoPath 2007 can be
found at the following location in the Group Policy Object Editor:
Computer Configuration/Administrative Templates/Microsoft Office 2007 system
(machine)/Security Settings/IE Settings
Office InfoPath 2007 is a special case and cannot be configured by using the standard Internet
Explorer feature control settings. Instead, you use the Windows Internet Explorer Feature
Control Opt-In setting to configure Internet Explorer feature control settings for Office InfoPath
2007. This setting can be configured as follows:
• None. Opts out Infopath.exe and its associated components (Document Information Panel,
Workflow forms, and third-party hosting) from all 15 Internet Explorer feature control settings.
• Infopath.exe, Document Information Panel, and Workflow forms. Opts in everything except
the third-party hosting component to all 15 Internet Explorer feature control settings.
• Infopath.exe, Document Information Panel, Workflow forms, and third-party hosting. This
is the default setting. Infopath.exe and all three associated components are opted in to all 15
Internet Explorer feature control settings.
You can find the Windows Internet Explorer Feature Control Opt-In setting at the following
location on the Modify user settings page of the OCT:
Microsoft Office InfoPath 2007 (machine)/Security
You can find the Windows Internet Explorer Feature Control Opt-In setting at the following
location in the Group Policy Object Editor:
Computer Configuration/Administrative Templates/Microsoft Office InfoPath 2007
(machine)/Security
Privacy options
Privacy options help you protect personal and private information. You can configure four main
categories of privacy options in the 2007 Office system. The options can be configured in the
OCT and through Group Policy. The four categories of privacy options are discussed below.
Option name: Document Inspector
Default configuration: All Inspector modules are enabled.
Description: You can disable the Inspector modules that are used by Document Inspector by
enabling this option and adding the CLSID for an Inspector to the list of disabled Inspector
modules.
You can find the CLSID for an Inspector module by looking at the registry entries that are listed
under the following registry keys:
HKEY_LOCAL_MACHINE/Software/Microsoft/Office/12.0/Excel/Document Inspectors
HKEY_LOCAL_MACHINE/Software/Microsoft/Office/12.0/PowerPoint/Document Inspectors
HKEY_LOCAL_MACHINE/Software/Microsoft/Office/12.0/Word/Document Inspectors
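As an added example (not from the Office Resource Kit), the following PowerShell function walks the three registry keys above and lists every registry value whose data is a CLSID, so an administrator can collect the identifiers to put on the disabled-modules list. It assumes each Inspector module is a subkey under Document Inspectors, and also checks the Wow6432Node path, which is where a 32-bit Office installation's keys are redirected on 64-bit Windows.

```powershell
# Added example: enumerate Document Inspector module CLSIDs for Excel,
# PowerPoint and Word. Not part of the Office Resource Kit.
# Assumption: each module is a subkey of "Document Inspectors" and stores its
# CLSID as a value; the value name is not assumed, so every value is examined.
function Get-DocumentInspectorClsid {
    param([string[]]$Application = @('Excel', 'PowerPoint', 'Word'))

    # Native path first, then the WOW64 redirect used by 32-bit Office on x64.
    $roots = @(
        'HKLM:\Software\Microsoft\Office\12.0',
        'HKLM:\Software\Wow6432Node\Microsoft\Office\12.0'
    )
    $guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    foreach ($root in $roots) {
        foreach ($app in $Application) {
            $key = Join-Path $root "$app\Document Inspectors"
            if (-not (Test-Path $key)) { continue }   # application or hive absent

            foreach ($module in Get-ChildItem -Path $key) {
                $props = Get-ItemProperty -Path $module.PSPath
                # Skip the PS* metadata properties PowerShell adds to the object.
                $props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $guidPattern } |
                    ForEach-Object {
                        [pscustomobject]@{
                            Application = $app
                            Module      = $module.PSChildName
                            ValueName   = $_.Name
                            CLSID       = $_.Value
                            RegistryKey = $module.PSPath -replace '^.*::', ''
                        }
                    }
            }
        }
    }
}

Get-DocumentInspectorClsid | Sort-Object Application, Module | Format-Table -AutoSize
```

Modules that the Note below says cannot be disabled will simply not appear, since they have no CLSID value.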
Note:
You cannot disable the Inspector module for Comments, Revisions, Versions, and
Annotations, or the Inspector module for Document Properties and Personal Information.
That is, there is no CLSID for these Inspector modules.
You can find the Document Inspector option at the following location on the Modify user settings
page of the OCT:
Microsoft Office 2007 system (machine)/Miscellaneous
You can find the Document Inspector option at the following location in the Group Policy Object
Editor:
Computer Configuration/Administrative Templates/Microsoft Office 2007 system
(machine)/Miscellaneous
Metadata protection options
Metadata protection options are described in the following table.
Option name: Protect document metadata for rights managed Office Open XML files
Default configuration: Metadata is not protected in rights-managed Office Open XML Formats
files.
Description: Enabling this option encrypts metadata, such as author name, hyperlink references,
and number of words, in Office Open XML Formats files that are restricted using IRM.
You can find these options at the following location on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Security Settings
You can find these options at the following location in the Group Policy Object Editor:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings
Office privacy options
Office privacy options are described in the following table.
Option name: Enable Customer Experience Improvement Program
Default configuration: This option is not enabled (that is, users are not enrolled in the Customer
Experience Improvement Program).
Description: Enabling this option opts users in to the Customer Experience Improvement
Program (CEIP), which can reveal the IP address of a user's computer to Microsoft.

Option name: Automatically receive small updates to improve reliability
Default configuration: This option is not enabled (that is, users do not automatically receive
small updates to improve reliability).
Description: Enabling this option allows a small file to be downloaded that enables Microsoft to
provide users with help if they experience an abnormal number of program errors. Enabling this
option can also reveal the IP address of a user's computer to Microsoft.

Option name: Online content options
Default configuration: Searches Microsoft Office Online for Help content when a computer is
connected to the Internet.
Description: Enabling this option and choosing the Never show online content or entry points
setting prevents the Help system from accessing Office Online. It also prevents the Help system
from displaying links to content that is on Office Online and prevents the Help system from
downloading updated Help content.
Enabling this option and choosing the Search only offline content whenever available setting
forces the Help system to search only offline Help files, even when a computer is connected to
the Internet.
Enabling this option and choosing the Search online content whenever available setting
enables the Help system to search Office Online for updated Help when a computer is connected
to the Internet. This is the default setting.
Note: This option is disabled by default in the French, German, and Italian versions of the 2007
Office system.
You can find these options at the following locations on the Modify user settings page of the OCT:
Microsoft Office 2007 system/Privacy/Trust Center
Microsoft Office 2007 system/Tools|Options|General|Services Options/Online Content
You can also find these options at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office 2007 system/Privacy/Trust Center
Microsoft Office 2007 system/Tools|Options|General|Services Options/Online Content
Option name: Make hidden markup visible
Default configuration: Hidden markup is not visible.
Description: Enabling this option displays all tracked changes before users open or save
documents. Can be configured only for Office PowerPoint 2007 and Office Word 2007.

Option name: Warn before printing, saving, or sending a file that contains tracked changes or
comments
Default configuration: No warning is displayed when a user prints or saves a file that contains
tracked changes or comments.
Description: Enabling this option warns about tracked changes (revisions) and comments before
users print, send, or save a document. Can be configured only for Office Word 2007.

Option name: Store random number to improve merge accuracy
Default configuration: A random number is not stored to improve merge accuracy.
Description: Enabling this option improves the accuracy of merging tracked changes by multiple
authors. Can be configured only for Office Word 2007.
You can find these options at the following locations on the Modify user settings page of the OCT:
Microsoft Office PowerPoint 2007/PowerPoint Options/Security
Microsoft Office Word 2007/Word Options/Security
You can find these options at the following locations in User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office PowerPoint 2007/PowerPoint Options/Security
Microsoft Office Word 2007/Word Options/Security
Block file format settings
Block file format settings enable you to prevent users from opening or saving various file types
and file formats. There are two types of block file format settings: block open settings and block
save settings. You can configure block file format settings in the OCT and through Group Policy;
however, you can configure only a single block open setting in the OCT and the majority of the
settings can be configured only through Group Policy. In addition, you can configure block file
format settings only for the following applications: Office Excel 2007, Office PowerPoint 2007, and
Office Word 2007.
The following table provides a description of each block open setting for Office Excel 2007.
Setting name: Block opening of pre-release versions of the file formats new to Excel 2007
Description: Enabling this setting prevents the opening of pre-release (beta) versions of Office
Open XML Formats files, such as .xlsb, .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can
configure this setting in the OCT and through Group Policy.

Setting name: Block opening of Open XML file types
Description: Enabling this setting prevents the opening of Office Open XML Formats files, such
as .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can configure this setting only through Group
Policy.

Setting name: Block opening of Binary 12 file types
Description: Enabling this setting prevents the opening of Office 2007 binary format files, such
as .xlsb files. You can configure this setting only through Group Policy.

Setting name: Block opening of Binary file types
Description: Enabling this setting prevents the opening of binary format files, such as .xls, .xla,
.xlt, .xlm, .xlw, and .xlb files. You can configure this setting only through Group Policy.

Setting name: Block opening of HTML and XMLSS file types
Description: Enabling this setting prevents the opening of HTML and XML file types, such as
.mht, .mhtml, .htm, .html, .xml, and .xmlss files. You can configure this setting only through
Group Policy.

Setting name: Block opening of XML file types
Description: Enabling this setting prevents the opening of XML file types, such as .xml files. You
can configure this setting only through Group Policy.

Setting name: Block opening of DIF and SYLK file types
Description: Enabling this setting prevents the opening of DIF and SYLK file types, such as .dif
and .slk files. You can configure this setting only through Group Policy.

Setting name: Block opening of Text file types
Description: Enabling this setting prevents the opening of text file types, such as .txt, .csv, and
.prn files. You can configure this setting only through Group Policy.

Setting name: Block opening of XLL file types
Description: Enabling this setting prevents the opening of XLL file types, such as .xll files. You
can configure this setting only through Group Policy.
The following table provides a description of each block open setting for Office PowerPoint 2007.
Setting name: Block opening of pre-release versions of the file formats new to PowerPoint 2007
Description: Enabling this setting prevents the opening of pre-release (beta) versions of Office
Open XML Formats files, such as .pptx, .pptm, .potx, .potm, .ppsx, and .ppsm files. You can
configure this setting in the OCT and through Group Policy.

Setting name: Block opening of Open XML file types
Description: Enabling this setting prevents the opening of Office Open XML Formats files, such
as .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, and .xml files. You can configure this
setting only through Group Policy.

Setting name: Block opening of Binary file types
Description: Enabling this setting prevents the opening of Office binary file types, such as .ppt,
.pot, .pps, and .ppa files. You can configure this setting only through Group Policy.

Setting name: Block opening of HTML file types
Description: Enabling this setting prevents the opening of HTML file types, such as .htm, .html,
.mht, and .mhtml files. You can configure this setting only through Group Policy.
The following table provides a description of each block open setting for Office Word 2007.
Block opening of pre-release versions of the file formats new to Word 2007
    Enabling this setting prevents the opening of pre-release (beta) versions of Office Open XML Formats files, such as .docx, .docm, .dotx, and .dotm files. You can configure this setting in the OCT and through Group Policy.
Block opening of Open XML file types
    Enabling this setting prevents the opening of Office Open XML Formats files, such as .docx, .dotx, .docm, .dotm, and .xml files. You can configure this setting only through Group Policy.
Block opening of Binary file types
    Enabling this setting prevents the opening of Office binary file types, such as .doc and .dot files. You can configure this setting only through Group Policy.
Block opening of HTML file types
    Enabling this setting prevents the opening of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.
Block opening of Word 2003 XML file types
    Enabling this setting prevents the opening of Office 2003 XML file types, such as .xml files. You can configure this setting only through Group Policy.
Block opening of RTF file types
    Enabling this setting prevents the opening of RTF file types, such as .rtf files. You can configure this setting only through Group Policy.
Block opening of Text file types
    Enabling this setting prevents the opening of TXT file types, such as .txt files. You can configure this setting only through Group Policy.
Block opening of Internal file types
    Enabling this setting prevents the opening of pre-release binary format files. You can configure this setting only through Group Policy.
Block opening of files before version
    Enabling this setting enables you to prevent file formats that are older than a specific Office release from opening. You can configure this setting only through Group Policy.
The following table provides a description of each block save setting for Office Excel 2007.
Block saving of Open XML file types
    Enabling this setting prevents the saving of Office Open XML Formats files, such as .xlsx, .xlsm, .xltx, .xltm, and .xlam files. You can configure this setting only through Group Policy.
Block saving of Binary 12 file types
    Enabling this setting prevents the saving of Office 2007 binary file types, such as .xlsb files. You can configure this setting only through Group Policy.
Block saving of Binary file types
    Enabling this setting prevents the saving of Office binary file types, such as .xls, .xla, .xlt, .xlm, .xlw, and .xlb files. You can configure this setting only through Group Policy.
Block saving of HTML and XMLSS file types
    Enabling this setting prevents the saving of HTML and XML file types, such as .mht, .mhtml, .htm, .html, .xml, and .xmlss files. You can configure this setting only through Group Policy.
Block saving of XML file types
    Enabling this setting prevents the saving of XML file types, such as .xml files. You can configure this setting only through Group Policy.
Block saving of DIF and SYLK file types
    Enabling this setting prevents the saving of DIF and SYLK file types, such as .dif and .slk files. You can configure this setting only through Group Policy.
Block saving of Text file types
    Enabling this setting prevents the saving of text file types, such as .txt, .csv, and .prn files. You can configure this setting only through Group Policy.
The following table provides a description of each block save setting for Office PowerPoint 2007.
Block saving of Open XML file types
    Enabling this setting prevents the saving of Office Open XML Formats files, such as .pptx, .pptm, .potx, .potm, .ppsx, .ppsm, .ppam, .thmx, and .xml files. You can configure this setting only through Group Policy.
Block saving of Binary file types
    Enabling this setting prevents the saving of Office binary file types, such as .ppt, .pot, .pps, and .ppa files. You can configure this setting only through Group Policy.
Block saving of HTML file types
    Enabling this setting prevents the saving of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.
Block saving of outlines
    Enabling this setting prevents the saving of files as outlines, such as .rtf, .txt, .doc, .wpd, .docx, .docm, and .wps files. You can configure this setting only through Group Policy.
The following table provides a description of each block save setting for Office Word 2007.
Block saving of Open XML file types
    Enabling this setting prevents the saving of Office Open XML Formats files, such as .docx, .dotx, .docm, .dotm, and .xml files. You can configure this setting only through Group Policy.
Block saving of Binary file types
    Enabling this setting prevents the saving of Office binary file types, such as .doc and .dot files. You can configure this setting only through Group Policy.
Block saving of HTML file types
    Enabling this setting prevents the saving of HTML file types, such as .htm, .html, .mht, and .mhtml files. You can configure this setting only through Group Policy.
Block saving of Word 2003 XML file types
    Enabling this setting prevents the saving of Office 2003 XML format files, such as .xml files. You can configure this setting only through Group Policy.
Block saving of RTF file types
    Enabling this setting prevents the saving of RTF file formats, such as .rtf files. You can configure this setting only through Group Policy.
Block saving of converters
    Enabling this setting prevents the saving of files through converters, such as the WordPerfect converter that is included in the 2007 Office system. You can configure this setting only through Group Policy.
Block saving of Text file types
    Enabling this setting prevents the saving of TXT file types, such as .txt files. You can configure this setting only through Group Policy.
By default, users cannot open files that were saved in a format earlier than the Word 6.0
format. Files that were saved with a beta version of Word 6.0 are treated as earlier than the
Word 6.0 format and cannot be opened by default.
You can find these settings at the following locations on the Modify user settings page of the OCT:
Microsoft Office Excel 2007/Block file formats
Microsoft Office PowerPoint 2007/Block file formats
Microsoft Office Word 2007/Block file formats
You can find these settings at the following locations in the User Configuration/Administrative
Templates node of the Group Policy Object Editor:
Microsoft Office Word 2007/Block file formats
Microsoft Office PowerPoint 2007/Block file formats
Microsoft Office Word 2007/Block file formats
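The tables above describe each block setting by the file extensions it covers. The following Python script is an added example, not code from the 2007 Office Resource Kit or from Microsoft: it transcribes the Word 2007 and PowerPoint 2007 block-open tables and estimates, from a file inventory, which files a candidate set of enabled settings would keep users from opening, so the impact of a policy can be gauged before it is deployed. It assumes extension-based matching as a planning approximation (the application decides by examining the file itself), so an extension listed under more than one setting, such as .xml, is reported as content dependent unless every setting that lists it is enabled. The inventory and setting selection in the demo are constructed values.

```python
"""Planning model for the 2007 Office system "Block file formats" settings.

Added example, not Office Resource Kit code. The extension lists are
transcribed from the Word 2007 and PowerPoint 2007 block-open tables
above. Matching on extension is a planning assumption: the application
decides by examining the file, so this model only estimates impact.
"""
import os
from collections import defaultdict

# Extension lists per application and "block open" setting, from the tables.
BLOCK_OPEN = {
    "Word": {
        "Block opening of pre-release versions of the file formats new to Word 2007":
            {".docx", ".docm", ".dotx", ".dotm"},
        "Block opening of Open XML file types":
            {".docx", ".dotx", ".docm", ".dotm", ".xml"},
        "Block opening of Binary file types": {".doc", ".dot"},
        "Block opening of HTML file types": {".htm", ".html", ".mht", ".mhtml"},
        "Block opening of Word 2003 XML file types": {".xml"},
        "Block opening of RTF file types": {".rtf"},
        "Block opening of Text file types": {".txt"},
    },
    "PowerPoint": {
        "Block opening of pre-release versions of the file formats new to PowerPoint 2007":
            {".pptx", ".pptm", ".potx", ".potm", ".ppsx", ".ppsm"},
        "Block opening of Open XML file types":
            {".pptx", ".pptm", ".potx", ".potm", ".ppsx", ".ppsm", ".ppam", ".thmx", ".xml"},
        "Block opening of Binary file types": {".ppt", ".pot", ".pps", ".ppa"},
        "Block opening of HTML file types": {".htm", ".html", ".mht", ".mhtml"},
    },
}

BLOCKED = "blocked"
ALLOWED = "allowed"
CONTENT_DEPENDENT = "depends on file content"
NOT_COVERED = "not covered by any block setting"


def extension_of(filename):
    """Lower-cased final extension (with dot) of a name or path, "" if none."""
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower()


def covering_settings(app, filename):
    """Every block-open setting of `app` whose extension list names the file."""
    ext = extension_of(filename)
    return {name for name, exts in BLOCK_OPEN[app].items() if ext in exts}


def evaluate_open(app, filename, enabled):
    """Estimate whether `filename` can be opened with the `enabled` settings on.

    The file is reported blocked only when every setting that lists its
    extension is enabled. If some are enabled and some are not, the outcome
    depends on which format the file really is, which this model cannot see.
    """
    covering = covering_settings(app, filename)
    if not covering:
        return NOT_COVERED
    hits = covering & set(enabled)
    if not hits:
        return ALLOWED
    if hits == covering:
        return BLOCKED
    return CONTENT_DEPENDENT


def impact_report(app, filenames, enabled):
    """Group file names by the outcome evaluate_open predicts for each."""
    report = defaultdict(list)
    for name in filenames:
        report[evaluate_open(app, name, enabled)].append(name)
    return dict(report)


if __name__ == "__main__":
    # Constructed sample inventory, as a planner might collect from a file share.
    inventory = ["budget.DOC", "memo.docx", "notes.xml", "old.rtf", "scan.pdf"]
    candidate_policy = {
        "Block opening of Binary file types",
        "Block opening of Open XML file types",
    }
    for outcome, names in impact_report("Word", inventory, candidate_policy).items():
        print(f"{outcome}: {', '.join(names)}")
```

Run it against a real inventory of the extensions found on user shares before enabling a block setting; the content-dependent bucket is the one to inspect by hand, because Word 2003 XML and Open XML files share the .xml extension and only the application can tell them apart.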
See Also
Evaluate default security settings and privacy options for the 2007 Office system
Attachment file types restricted by Outlook 2007
There is restricted access to some attachments in items (such as e-mail messages or
appointments) in Microsoft Office Outlook 2007. Files with specific file types can be categorized
as Level 1 (the user cannot view the file) or Level 2 (the user can open the file after saving it to
disk).
Note:
This topic is for Outlook administrators. To learn more about why some Outlook
attachments are blocked, see Blocked attachments: The Outlook feature you love to
hate (http://go.microsoft.com/fwlink/?LinkId=81268). Or learn how to share files with
restricted file types by reading Blocked attachments in Outlook
(http://go.microsoft.com/fwlink/?LinkId=81269).
By default, Outlook classifies a number of file type extensions as Level 1 and blocks files with
those extensions from being received by users. As an administrator, you can use Group Policy to
manage how a file type is categorized for e-mail attachment blocking. For example, you can
change a file type categorization from Level 1 to Level 2 or create a list of Level 2 file types.
Note:
There are no Level 2 file types by default.
You can find links to more information about customizing attachment settings in Outlook in the
See Also section, which is visible when you are connected to the Internet.
The following table lists Level 1 file types that are blocked under a default installation of Outlook.
File type File description
.com Command
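The Level 1 and Level 2 classification described above, with the administrator overrides the text mentions (moving a file type from Level 1 to Level 2, and defining a Level 2 list, which is empty by default), as an added Python example that is not Outlook code. Only .com survives from the Level 1 table on this page, so the other default Level 1 entries in the script are constructed sample values for the demo, not a reproduction of Outlook's built-in list. The model classifies by the attachment's last extension, case-insensitively, so a name such as invoice.pdf.com is treated as a .com file.

```python
"""Model of Outlook 2007 attachment levels for planning a Group Policy change.

Added example, not Outlook code. Level 1 attachments cannot be viewed by
the user; Level 2 attachments can be opened only after being saved to
disk; everything else is unrestricted.
"""
from dataclasses import dataclass

# .com is the Level 1 entry shown on this page; .exe and .bat are constructed
# sample entries for the demo, not a reproduction of the product's list.
DEFAULT_LEVEL1 = frozenset({".com", ".exe", ".bat"})

LEVEL1 = "Level 1"
LEVEL2 = "Level 2"
UNRESTRICTED = "unrestricted"


@dataclass(frozen=True)
class AttachmentPolicy:
    """Administrator overrides applied on top of the default Level 1 list.

    level1_to_level2: extensions the administrator moves from Level 1 to Level 2.
    level2: the administrator's own Level 2 list (empty by default, as the text notes).
    Extensions are stored lower-case with their leading dot.
    """
    level1_to_level2: frozenset = frozenset()
    level2: frozenset = frozenset()


def extension_of(filename):
    """Lower-cased final extension including the dot, or "" when there is none.

    Only the last extension counts, so 'invoice.pdf.com' is a .com file, and
    a bare name such as 'README' or a dot-file such as '.profile' has none.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or not ext:
        return ""
    return "." + ext.lower()


def classify(filename, policy=AttachmentPolicy()):
    """Return the level applied to one attachment name under `policy`."""
    ext = extension_of(filename)
    if not ext:
        return UNRESTRICTED
    if ext in policy.level1_to_level2:
        return LEVEL2          # demoted by the administrator: save to disk, then open
    if ext in DEFAULT_LEVEL1:
        return LEVEL1          # blocked from the user entirely
    if ext in policy.level2:
        return LEVEL2
    return UNRESTRICTED


def triage(attachments, policy=AttachmentPolicy()):
    """Group a message's attachment names by the level applied to each."""
    result = {LEVEL1: [], LEVEL2: [], UNRESTRICTED: []}
    for name in attachments:
        result[classify(name, policy)].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample attachments from a single message.
    names = ["Setup.COM", "invoice.pdf.com", "notes.txt", "README"]
    print("default policy:", triage(names))
    relaxed = AttachmentPolicy(level1_to_level2=frozenset({".com"}),
                               level2=frozenset({".txt"}))
    print("with overrides:", triage(names, relaxed))
```

The override check runs before the default Level 1 lookup so that a file type the administrator has moved to Level 2 is never reported as Level 1; when testing a planned policy, feed the script the attachment names from a sample of real messages and confirm that nothing expected to be blocked lands in the unrestricted bucket.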
See Also
Customize attachment settings in Outlook 2007