Microsoft Beefs Up Office Security

Microsoft offers a tool to automate security settings in Office to protect against malicious files.


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

Posted November 13, 2007

Andy Patrizio

With Office becoming an ever-increasing target for malware writers, Microsoft is offering a tool and guidance to help improve the security of Office 2007 and 2003.

The Office 2007 Security Guide will be posted on Microsoft's TechEd site on Tuesday and formally introduced at the Microsoft TechEd conference this week in Barcelona, Spain. The guide will offer detailed documentation for securing Office 2007 applications to protect against specially written document files with malicious code hidden within them.

Such security has become a necessity as Office becomes a more frequent target of attacks. As Microsoft has hardened its operating system, the bad guys have gone for the low-hanging fruit and started looking in the application layer. Distribution of Word, Excel and PowerPoint files with hidden code to exploit vulnerabilities have been on the increase in recent months.

"It's kind of a unique approach in that [security] has been the purview of the operating system," Joshua Edwards, technical product manager for Office, told InternetNews.com. "But given the trend we've seen over the past few years moving from the OS level to the app layer, this was part of the design approach we've taken with Office 2007."

Microsoft will also introduce the Group Policy Object Accelerator, a free tool that helps administrators set and change the security policies in Office across a network through Active Directory.

Microsoft has offered some measure of security in previous versions of its productivity suite, but Office 2007 is considerably more intricate and fine grained in its security. It has twice as many group policy and directory controls as Office 2003 and a total of 5,731 registry and policy setting, according to Edwards.

"Going through all those would be a painstaking process, so we've identified the 300 controls most related to security," he said. "Everyone has a level of security and information privacy that they feel is appropriate. In the past, we've provided a baseline of security recommendations and guidance. But for the first time, we have built policy controls into the product itself."

The tool and guide allow for locking down the application by not allowing it to save to certain locations, make Web transactions or run macros except from trusted sources.

This article was first published on InternetNews.com. To read the full article, click here.

Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.