With Office becoming an ever-increasing target for malware writers, Microsoft is offering a tool and guidance to help improve the security of Office 2007 and 2003.
The Office 2007 Security Guide will be posted on Microsoft’s TechEd site on Tuesday and formally introduced at the Microsoft TechEd conference this week in Barcelona, Spain. The guide will offer detailed documentation for securing Office 2007 applications to protect against specially written document files with malicious code hidden within them.
Such security has become a necessity as Office becomes a more frequent target of attacks. As Microsoft has hardened its operating system, the bad guys have gone for the low-hanging fruit and started looking in the application layer. Distribution of Word, Excel and PowerPoint files with hidden code to exploit vulnerabilities have been on the increase in recent months.
“It’s kind of a unique approach in that [security] has been the purview of the operating system,” Joshua Edwards, technical product manager for Office, told InternetNews.com. “But given the trend we’ve seen over the past few years moving from the OS level to the app layer, this was part of the design approach we’ve taken with Office 2007.”
Microsoft will also introduce the Group Policy Object Accelerator, a free tool that helps administrators set and change the security policies in Office across a network through Active Directory.
Microsoft has offered some measure of security in previous versions of its productivity suite, but Office 2007 is considerably more intricate and fine grained in its security. It has twice as many group policy and directory controls as Office 2003 and a total of 5,731 registry and policy setting, according to Edwards.
“Going through all those would be a painstaking process, so we’ve identified the 300 controls most related to security,” he said. “Everyone has a level of security and information privacy that they feel is appropriate. In the past, we’ve provided a baseline of security recommendations and guidance. But for the first time, we have built policy controls into the product itself.”
The tool and guide allow for locking down the application by not allowing it to save to certain locations, make Web transactions or run macros except from trusted sources.