Security in Microsoft Office 2003 Editions

 

Don Kiely
Information Insights

June 2004

Applies to:
     Microsoft Office 2003 Editions

Summary: Discover how to approach secure computing with the Microsoft Office 2003 Editions. The security features in Office 2003 Editions protect against four major categories of threats: data, intellectual property, privacy, and application threats. Learn how to manage security in your implementation. (19 printed pages)

Contents

Introduction
Identifying Security Threats
Protecting Data in Documents
Protecting Privacy
Using the Remove Hidden Data Tool
Applying Code-Based Protections
Providing Programmatic Access to Security
Conclusion

Introduction

As the most used business productivity suite, the Microsoft Office System has been the object of many malicious attacks over the last few years. Microsoft responded by making each of the last several versions of the Microsoft Office System and its applications increasingly secure, leading to the most secure version yet—Microsoft Office 2003 Editions.

Security is a complex, ever-changing subject; Microsoft provides the tools that you need to enjoy more secure computing. You need to do your part and learn how to use those tools.

This article applies to user documents and to the solutions that you build using the Microsoft Office System as a foundation. As a user, it is essential that you understand the security features built into Office 2003 Editions to take full advantage of them and, more importantly, avoid accidentally circumventing them. If you are a developer building applications for Office 2003 Editions, you need to know how to hook into the security features for Office 2003 Editions in order to take advantage of them, and again, avoid accidentally circumventing them.

Identifying Security Threats

As with the security features of any product—software, buildings, anything—you have to understand the threats to security in order to use security tools effectively. So the first thing to do is inventory the threats that are specific to your users in their environment, in this case, when they use Office 2003 Editions applications and solutions that were built using Office applications. Figure 1 lists the threats that are typically faced by Office users and the features designed to counter them.

X Indicates applicability. ? Indicates potential applicability

Figure 1. Threats to Office 2003 Editions documents and users and the features designed to counter them

The security features of Office 2003 Editions protect against four major categories of threats: data, intellectual property, privacy, and application threats. While not formally defined, these categories map to real-world environments and provide a useful framework for understanding threats and protections.

Use Figure 1 as a tool to protect against the threats most important to you so that you do not waste time on features that do not provide any benefit for your users and environment. For example, signing a document with a digital signature does nothing to keep the document private, while document encryption does little to protect the integrity of data in a document. Choose the right security feature for the right threat.

This article does not examine every threat and security feature listed in Figure 1; many merit a separate article. This article provides an overall framework for the security features in Office 2003 Editions to help you to understand how to use them to protect against the threats that are most important to you.

Protecting Data in Documents

Documents contain a large amount of data, ranging from results of local races to information forming the basis of billion dollar decisions by major corporations and governments. Data integrity is critical to anyone who compiles, records, or uses the data.

The last several versions of Office provide data protection features, placing the ability to control data protection firmly with the user. In most Office applications on the Tools menu, select Options, and use the Security tab to set protection features (see Figures 2, 3, and 4). Each Office product offers similar security options, making it easy for a user to decide how to protect their documents and data.

Figure 2. Microsoft Office Word 2003 Security properties sheet

The user can use an appropriate level of protection for each document depending on how users use the document and its contents. By setting a password, Office encrypts the document, rendering it unreadable by anyone without the password. The Advanced button on the Security properties sheet provides control over the encryption algorithm that is used, as shown in the following figure. The user can select any compatible algorithm installed on their computer.

Figure 3. Encryption Type dialog box

The user can also use a modification password to control whether other users can make changes to the document. This option alone does not encrypt the document, but you can use it together with a password. In this case, any users with the password can read the document but must have the modification password to make changes. When opening the document, the user is prompted for both passwords. If the user does not provide a modification password, the document is opened as read-only.

Note   The Password to Open feature uses advanced encryption. Encryption is a standard method of securing the content of a file. Several encryption methods are available for use with Word files, Excel files, or PowerPoint presentations. Microsoft Office Outlook 2003 also allows for encryption, but implements it by using different methods. For more information about encryption, see Encryption in the Important Aspects of Password and Encryption Protection section of the Office 2003 Editions Resource Kit.

When you are using the Password to Modify feature, a malicious user may still be able to gain access to your password. For example, if you save a Word (.doc) file that has the Password to Modify feature enabled in Rich Text Format (.rtf), a malicious user may be able to gain access to your password.

The new Protect Document task pane in the Microsoft Office System guides the user to set protection for the document. The options that the user sets in the task pane limit the formatting options for other users and restrict whether they can edit, track changes, comment, complete forms, or make any changes. The tracked changes option, one of the options in the Editing restrictions list, is particularly useful when multiple users have the opportunity to edit a document and you want to make sure that changes are highlighted.

Figure 4. The Protect Document task pane

Note   The Protect Document button on the Word 2003 Security properties sheet (Figure 2) only opens the Protect Document task pane. If you do not click the Yes, Start Enforcing Protection button on the pane, no protections are enforced.

In Microsoft Office Outlook 2003, on the Options menu, when you click Security, you have different options available to you than what is available in the other Office applications, as shown in Figure 5. The differences reflect that while Outlook manages documents at some level, it is operating in a different environment and uses standards and protocols that introduce unique threats to Outlook.

Figure 5. Outlook Security tab

Protecting data in documents with passwords helps limit who can make changes to documents and to some extent what they can do in the document. But what if you must be confident that a document has not changed in any way? Or, if there are changes, you need to know who made them. This is an important part of data integrity if users are to rely on the data in documents. This is the purpose of signing documents with digital certificates.

A digital signature is encrypted information that uses public and private key cryptography. Unlike the shared secret of file open and modification passwords—which require that all legitimate users have the shared secret, the password—digital signatures use public and private key pairs and provide the strongest protection available. They do not actually prevent tampering with a document, but digital signatures provide reasonable assurance concerning the identity of the originator of the document and produce a warning if the contents are tampered with. A digital signature does not guarantee that the signer does not have malicious intent, but a digital signature does provide reasonable assurance about who they are.

Signing a document means that you attach a digital certificate to it. When you sign a document, the Office application creates a hash of the document, encrypts the hash, and includes it with the digital certificate as part of the document. The combination of digital certificate and hash creates the digital signature. If another person changes the document, the signature is no longer valid because its new hash no longer matches the hash in the signature. Users from that moment on are alerted that the document was altered.

There are several ways that this kind of signature validation failure can occur. Try this experiment:

  1. Sign a document, and close it.
  2. Reopen the document then change the text.
  3. Save it.

The Office application warns you that saving removes all digital signatures.

If you change the text in a signed document, you invalidate the hash in the digital signature so that it doesn't match a hash calculated from the current version of the document. Rather than notify every subsequent user that the document is corrupt—even though you may have been the person who originally signed the document—the Office application removes all signatures.

But this is only one scenario that can cause signature validation failure. It can also occur because:

  • The document or embedded script code is modified in any way, from:
    • Corruption
    • A macro virus that changes code or other content
    • Programmatic changes (such as an add-in) that automatically change data
  • The document is signed with an invalid certificate, which can be invalid because it is:
    • Expired
    • Forged
    • Altered
    • Corrupted
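
The states in this list can be read from the object model through the Signatures collection of a Word document. The following is an added example, not code from the original article; the function name DescribeSignatures is hypothetical.

```vba
Option Explicit

' Added example (hypothetical helper, not from the article).
' Returns one line per digital signature attached to a Word document,
' naming the signer and saying whether Office still accepts the signature.
Public Function DescribeSignatures(ByVal doc As Document) As String
    Dim sig As Office.Signature
    Dim i As Long
    Dim status As String
    Dim report As String

    If doc.Signatures.Count = 0 Then
        DescribeSignatures = doc.Name & ": no digital signatures"
        Exit Function
    End If

    For i = 1 To doc.Signatures.Count
        Set sig = doc.Signatures.Item(i)

        ' Check the certificate-specific causes first, then the general flag.
        ' IsValid is also False when the document changed after signing.
        If sig.IsCertificateExpired Then
            status = "certificate expired on " & sig.ExpireDate
        ElseIf sig.IsCertificateRevoked Then
            status = "certificate revoked by its issuer"
        ElseIf Not sig.IsValid Then
            status = "INVALID (content changed after signing, or bad certificate)"
        Else
            status = "valid"
        End If

        report = report & doc.Name & ": signed by " & sig.Signer & _
                 " (issuer: " & sig.Issuer & ") on " & sig.SignDate & _
                 " - " & status & vbCrLf
    Next i

    DescribeSignatures = report
End Function

' Usage from the Immediate window:  ? DescribeSignatures(ActiveDocument)
```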

The data protection features of Office applications help protect the integrity of data from accidental or intentional modifications. If you want to exert more control over who views the document's content and what is done with it, use the intellectual property protections available in Office 2003 Editions.

Protecting Privacy

A typical document may contain information about who first created the document and who made changes to it. Several of the most useful Office features require this kind of information, such as change tracking and commenting. Labeling a comment or change with something such as "{00020906-0000-0000-C000-000000000046}" instead of "Don Kiely" may ease concerns about privacy but is not useful for easily reviewing who made what changes.

But sometimes users just do not want any kind of identifying information in their documents. Rather than turn to other document formats to distribute documents, you can directly remove personal information and other related metadata from documents.

Note   Protecting a document with a password encrypts identifying personal information, but the metadata is still available to anyone who can open and view the document.

Users can remove personal data in two ways:

  • On the Tools menu, click Options, and then click the Security tab. Check Remove personal information from file properties on save.
  • When you save a file using the Save As menu item, click Tools, then click Security Options.

Note   You must select this removal option for each document. It persists only with that document. Microsoft Office 2003 Editions does not have a global setting to remove personal information from all documents.

This option removes or changes four kinds of information:

  • The Author, Manager, Company, and Last saved file properties are removed.
  • Names associated with comments or tracked changes are changed to "Author."
  • Any routing slip information is removed.
  • The e-mail message header that the application generates when the user sends a document directly from an Office 2003 Editions application is removed.

A document's content is not affected in any way by the removal of personal information.

The user can also select an option that presents the warning box shown in Figure 6 each time they print, save, or send a document that contains personal information. Even after you remove personal information, any subsequent changes to the document embed some information into the document. This option provides a reminder that you may have to remove personal information repeatedly over the life of a document.

Figure 6. Optional warning dialog that appears when a user prints, saves, or sends a document with personal information

For more information about this, see Protecting Personal Data in Your Word 2003 Documents.

Using the Remove Hidden Data Tool

You can also download the Office 2003/XP Add-in: Remove Hidden Data tool. This tool does a much more thorough job of scouring personal information from Office documents than the built-in feature, and a command-line version lets you scour multiple documents simultaneously.

The list of hidden document data removed by the tool is quite long. This list includes hyperlinks that could point to internal locations that shouldn't be publicized, all user names, deleted text, field codes, embedded objects, and PowerPoint presentation notes. Many types of data are automatically removed but the user can optionally review some types of hidden data and make decisions for each removal.

The tool adds a Remove Hidden Data... option to the File menu in Word, Excel, and PowerPoint. The tool prompts for a new file name and location so that the original document is preserved. Then it reviews the document for hidden data and either removes it all automatically or steps the user through each potential problem. Figure 7 shows an example of a user who chose to step through each problem: the tool identifies the potential problem in the document, highlights it, and gives you the option of keeping or removing the data.

Figure 7. Using the Remove Hidden Data add-in

The command-line version of the tool includes options that allow you to specify the documents to scour and where to save the clean versions, whether to use preset defaults for the items to remove, and whether to create a log file. Both the command-line and add-in versions of the tool create log files that contain the hidden data found in each document and the changes made.

The primary difference between the built-in privacy features and the Remove Hidden Data tool is that the tool can modify—with your permission—the document's contents. For example, if you were to click the Remove Data button for a hyperlink (as shown in Figure 7) it deletes both the highlighted text and the hyperlink behind it.

Applying Code-Based Protections

One reason that the Microsoft Office System is popular is its programmability features, which allow users and developers to develop custom solutions. Power users can record simple macros to automate repetitive tasks. Anyone can teach themselves to write simple Microsoft Visual Basic for Applications (VBA) scripts. More accomplished programmers can create Microsoft ActiveX controls, smart tags, and other add-ins to build complex applications within Office 2003 Editions.

The disadvantage is that Office products are a favorite target for hackers, forcing Microsoft to become much more aggressive about the protections that it builds into the Microsoft Office System. You can still force users to be prompted whether they want to allow a macro to run, but it is now much easier to protect against users making bad choices.

Developers also worry about the protection of their intellectual property. This is a similar issue to protecting a document's user data, but the data being protected is the developer's code. A developer might have trade secrets embedded in the code, or might just want to keep power users of Office 2003 Editions from changing the code.

As a first level of defense, you can protect code with a password that provides protection from intellectual property theft and other modifications from power users.

To set a password on VBA code

  1. From the Visual Basic Editor, click the Tools menu.

  2. Click Project Properties (or Normal Properties in some builds of Office 2003 Editions) and click the Protection tab, shown in Figure 8.

    Note   Setting a password only protects the opening of this dialog, so users can see your code but not open the dialog box. To protect your code, you need to also set the Lock project for viewing checkbox.

Figure 8. The Protection tab for passwords on project properties

Setting a project password is a good first step.

Important   Setting a password really only results in a low-strength block to code access in the integrated development environment such as the Visual Basic editor. The code is still in plain text in the document and can be retrieved from there.

To protect more fully against viruses and allow your code to run in secure environments, you need to sign your VBA code digitally. Used with a project password, digital signing protects both your intellectual property and your users against viruses. And if users have macro security set to High (the default), unsigned code does not run.

To apply a digital signature to your project, from the Visual Basic Editor (Alt-F11), click the Tools menu, and then click Digital Signature.... You can sign your code with any digital certificate installed on the local computer, such as that shown in Figure 9.

Figure 9. Apply a digital signature to your VBA project

Once you sign the project with a digital certificate, any changes to the project code or properties cause the Office 2003 application to block the document from opening. Unlike documents signed by users, if you make changes to the VBA project on the same computer on which you originally signed the code, the Office 2003 application automatically reapplies the signature, calculating a new hash to reflect the changed code. If you make the changes on another computer, the signature is invalidated and the code change fails. Re-signing the code after changes on the same computer is a nice convenience feature for developers and helps continue the protection for the code.

Note    You should lock a VBA project before signing it by applying a password as described previously. Otherwise, users can invalidate the code's digital signature by opening the Visual Basic Editor and making a change, such as adding a comment.

The user can modify security settings, affecting whether code runs or not. If you write an add-in that modifies VBA code, you should determine whether a VBA project is digitally signed. Otherwise, your modification can affect whether code runs on a user's computer. Use the VBASigned property of each document object for the specified application (a Word document, Excel workbook, and so on) to check whether a VBA project is signed.

Two other types of add-in code deserve mention. If you use an ActiveX component in your project or document, the security protections are started when the user installs the component and when the control initializes at execution. The other type of add-in code is smart tags. Office 2003 Editions treats smart tags as a type of VBA macro rather than an ActiveX component—no matter how you develop them—so smart tags are affected by the user's security setting for macros. Note that Office 2003 Editions loads smart tags when the application starts up, not when it is first used. This means that unsigned smart tags are not loaded when the user's security setting is set to High (the default), and there is no message to the user. For this reason you should always sign smart tags you deploy.

.NET-based Code Access Security

Although it is not a .NET-based application, Office 2003 Editions provides support for automating Office 2003 Editions-based solutions and documents using .NET-based assemblies. Office 2003 Editions has hooks that will automatically load and run a .NET-based assembly so that you can write applications in any .NET-based language—not just VBA.

Using a .NET-based language instead of VBA lets you hook into the much more robust security model of the Common Language Runtime (CLR) and its Code Access Security (CAS). CAS doesn't rely on the permissions that a user has; it relies on evidence about the assembly—such as location, strong name, and several others—to grant or deny permissions to code. This helps to avoid problems such as luring attacks that lure trusted code into running rogue or untrusted code.

The primary development tool for working with Office applications in the .NET environment is Microsoft Visual Studio Tools for the Microsoft Office System. Visual Studio Tools for Office initially sets up security on your development computer, but CAS can make deploying your Office solution more complicated. You need to learn more about how CAS works to build any kind of .NET-based application as well as how to match the best kind of evidence to your application's needs.

For a great description of the CAS issues and deploying Visual Studio Tools for Office solutions, see Brian Randell and Ken Getz's excellent MSDN Magazine article, Secure and Deploy Business Solutions with Microsoft Visual Studio Tools for Office 2003 Editions.

Providing Programmatic Access to Security

Microsoft Office 2003 Editions includes new and better features in the object model to support security. Many of the object model features are common to most applications in the Microsoft Office System, while each application has its own extensions to support its particular security needs. For more information about the security object model features in each product, see the appropriate product documentation.

Note    An important distinction to remember when considering security features is that some protect documents, while others protect code.

You can set the same user interface features by using VBA code, such as setting a file open password. The Document object's SaveAs method provides Password and WritePassword parameters. The Password parameter lets you set a password that encrypts the document and the WritePassword parameter sets the modification password.

When you open a password-protected document, you can use parameters of the Open method to supply the appropriate password. Without the file modification password, for example, you cannot modify the document programmatically any more than you can from the user interface. One issue is that the terminology for this parameter varies across applications. For example, you have to supply the WritePassword parameter in Word to make changes to the document, but in Excel you have to supply the WriteResPassword parameter. You can also remove a password requirement from a document programmatically. To do so, open the document programmatically with the correct password then immediately save it with a blank password.

Important   Do not store hard-coded passwords in VBA code.
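
One way to set both passwords from code without embedding them in the project, shown for Word. This is an added example, not code from the original article; the procedure name SaveProtectedCopy and the prompt wording are hypothetical.

```vba
Option Explicit

' Added example (hypothetical helper, not from the article).
' Saves the document under a new name with an open password (encrypts the
' file) and a modification password, both supplied at run time so that
' neither is stored in the VBA project.
Public Function SaveProtectedCopy(ByVal doc As Document, _
                                  ByVal targetPath As String) As Boolean
    Dim openPwd As String
    Dim modifyPwd As String

    ' InputBox shows what is typed; use a UserForm text box with a
    ' PasswordChar if the screen may be observed.
    openPwd = InputBox("Password to open:", "Protect " & doc.Name)
    modifyPwd = InputBox("Password to modify:", "Protect " & doc.Name)

    ' A blank password saves the file unprotected, so refuse it here
    ' instead of silently writing an unencrypted copy.
    If Len(openPwd) = 0 Or Len(modifyPwd) = 0 Then
        SaveProtectedCopy = False
        Exit Function
    End If

    ' The open password does not hide metadata from people who can open
    ' the file, so strip personal file properties on this save as well.
    doc.RemovePersonalInformation = True

    doc.SaveAs FileName:=targetPath, _
               Password:=openPwd, _
               WritePassword:=modifyPwd, _
               AddToRecentFiles:=False

    ' Overwrite the local copies before the variables go out of scope.
    openPwd = String$(Len(openPwd), "*")
    modifyPwd = String$(Len(modifyPwd), "*")
    SaveProtectedCopy = True
End Function
```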

Office 2003 Editions changes the security for how macros are called from other macros. In previous versions of Office, a macro called from another macro was inherently trusted. For example, if you write code to trust other code, and the user trusts the source of the code, previous versions of Office trusted any called code. This represented a security risk. Hackers have created "luring" attacks in which trusted code is lured into calling harmful code. Office 2003 no longer inherently trusts called code.

The AutomationSecurity method is new in all Application objects in the Microsoft Office System. This method lets you control how security is handled when a macro calls another macro or an external program. The method has three values:

  • msoAutomationSecurityLow. Macros can invoke other macros without establishing the invoked macro's digital signature. Similar to the Low macro security setting, this option is not recommended.
  • msoAutomationSecurityByUI. Indicates the macro security setting as specified in the Office 2003 Editions user interface.
  • msoAutomationSecurityForceDisable. The equivalent of setting macro security to High. If a macro is not signed by a trusted source, it does not run.

It is recommended that you use either msoAutomationSecurityByUI or msoAutomationSecurityForceDisable to protect users and their documents.
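
The following Word sketch applies AutomationSecurity when code opens a document it has no reason to trust, and reads the VBASigned property discussed earlier. It is an added example, not code from the original article; the function name InspectWithoutRunningMacros is hypothetical. In the object model AutomationSecurity is assigned like a property, and the previous value is restored afterward so the user's own setting is not left changed.

```vba
Option Explicit

' Added example (hypothetical helper, not from the article).
' Opens a document from code with macros disabled, reports whether its
' VBA project is signed, and restores the caller's security mode.
Public Function InspectWithoutRunningMacros(ByVal path As String) As String
    Dim previous As MsoAutomationSecurity
    Dim doc As Document
    Dim result As String

    previous = Application.AutomationSecurity
    Application.AutomationSecurity = msoAutomationSecurityForceDisable

    On Error GoTo Failed
    Set doc = Documents.Open(FileName:=path, ReadOnly:=True, _
                             AddToRecentFiles:=False, Visible:=False)
    result = doc.Name & ": VBA project signed = " & doc.VBASigned

CleanUp:
    ' Always close the file and put the security mode back, even when
    ' the open or the inspection failed.
    On Error Resume Next
    If Not doc Is Nothing Then doc.Close SaveChanges:=wdDoNotSaveChanges
    Application.AutomationSecurity = previous
    On Error GoTo 0
    InspectWithoutRunningMacros = result
    Exit Function

Failed:
    result = path & ": could not inspect (" & Err.Description & ")"
    Resume CleanUp
End Function
```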

In addition, it is important that you consider the operating system you are running. If you are using Windows® 2000 or later, all of the new security features in Office 2003 Editions are effective and you can customize applications to the environment in which they run. However, Office security features are only part of the solution. Because Office applications (other than Outlook) save documents as individual disk files, you can take advantage of your operating system's security features to protect data and code. Windows lets you define group-based read and write permissions, giving you far more flexibility than just the Office security features.

Conclusion

Security is a complex subject. Microsoft has been working within its Trustworthy Computing initiative for more than two years, and Office 2003 Editions is the first version of the Microsoft Office System released during that time; but security remains a task that requires careful planning and management.

You must continue to consider other factors:

  • The Human Factor such as:
    • Passwords taped to a monitor for anyone to see
    • Unattended computers in public traffic areas
  • The operating system:
    • Windows has many security features you can use. . .
    • ...or ignore
  • Physical security:
    • You must secure computers, documents, and network infrastructure against theft and damage

The Microsoft Office System attempts to balance security with a friendly user interface. To offer "complete" security, the only real solution is to hire the electronic equivalent of security guards to monitor and patrol your computing "premises," checking doors and chasing away suspicious characters. Microsoft provides tools that help you secure Office 2003 Editions against known threats, but it takes careful scrutiny and hard work to keep any application safe.


About the Author

Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business, technology, and security consulting services. His development work involves tools such as SQL Server, Visual Basic .NET, C, ASP.NET, and Microsoft Office 2003 Editions. He writes regularly for several trade journals, including Access-VB-SQL Advisor, Fawcette's Visual Studio magazine, and asp.netPRO, and writes courseware and trains developers in database and .NET-based technologies. When not living and breathing technology he wanders the Alaskan wilderness with his dogs, Mardy and Izzi. You can reach Don at donkiely@computer.org.

© Microsoft Corporation. All rights reserved.