Office 2010 Security (Part 2) - Threat Mitigation (Continued)

by Mitch Tulloch [Published on 23 Feb. 2012 / Last Updated on 23 Feb. 2012]

This article continues to describe Office 2010 security improvements and explains how Protected View and Trusted Documents can help mitigate against potential threats.

Introduction

In the first article of this series we described how security has been enhanced in Microsoft Office 2010 in two general ways: by the inclusion of new technologies for mitigating against threats, and by the addition of new features for controlling the flow of information. The first article described one threat mitigation technology in detail, namely Office File Validation (OFV). This present article will describe two more threat mitigation technologies included in Office 2010: Protected View and Trusted Documents.

Protected View

To understand how Protected View works, we first have to understand the concept of trust in Office 2010. To illustrate how trust works, we’ll focus in particular on one Office 2010 application: Word 2010.  (The details described below also generally apply to Excel 2010 and PowerPoint 2010.)

When a user tries to open a document in Word 2010, what happens depends on whether the document is trusted or not. If the document being opened is trusted, Word simply opens the document for editing with no special prompts being displayed. If the document happens to include active content such as macros or ActiveX controls, these are also enabled. 

End-User Experience for Protected View

If the document being opened is untrusted, however, then Word will open the document in a special “sandbox” that has fewer privileges than the user’s own account. This allows the user to view the contents of the document but not modify, save or print the document. In addition, any active content within the document will be disabled. This special sandbox technology is what is known as Protected View, as it protects the user by enabling them to view the document in a safe fashion. A message bar alerts the user to the fact that the document has been opened in Protected View. The actual appearance of the message bar may vary, however, as we will see next.

Opening an untrusted document actually launches a series of security checks by Word. This series of checks works something like this:

  1. Before Word opens the document, it first checks whether the document is located in a safe location or not. If the file is not in a safe location, for example because the user downloaded it from the Internet to the Downloads folder in the user’s profile, Word opens the document in Protected View and displays a message bar similar to the following:


Figure 1: This document is untrusted because it was downloaded from the Internet. 

  2. If the file is in a safe location, Word then checks to make sure its file type isn’t blocked. If the file type is blocked, for example because the administrator has temporarily blocked Word 97 binary documents from being opened by users because of a new exploit in the wild, Word opens the document in Protected View and displays a message bar similar to the following:


Figure 2: This document is untrusted because the administrator has blocked its file type using policy.

  3. If its file type isn’t blocked, Word then validates the document using OFV. If the document fails validation, Word opens the document in Protected View and displays a message bar similar to the following:


Figure 3: This document is untrusted because it has failed validation.

Depending on the type of “Protected View” message bar that appears, the user will either:

  • Not be able to edit, save or print the document because of a policy configured by the administrator, in which case the only option is to contact Helpdesk for support on the issue.
  • Be faced with the decision of whether to click the Enable Editing button on the message bar. They should click this button if they want to edit, save or print the document, but the user must use common sense and good judgment concerning this. For example, if the document is from a colleague they trust and the user’s antivirus software has the latest signature file, then the user may (perhaps) safely decide to click Enable Editing and begin working on the document. 

Administrator Options for Configuring Protected View

As the administrator for your organization, you can use Group Policy to configure how Protected View works on end-user PCs. As the next figure illustrates, Word 2010 has five per-user policy settings for configuring Protected View:


Figure 4: Policy settings for configuring Protected View in Word 2010.

More details concerning these five policy settings are listed in Table 1 below.

| Policy setting | Description |
| --- | --- |
| Open files on local Intranet UNC in Protected View | This policy setting lets you determine if files on local Intranet UNC file shares open in Protected View. If you enable this policy setting, files on local Intranet UNC file shares open in Protected View if their UNC paths appear to be within the Internet zone. If you disable or do not configure this policy setting, files on Intranet UNC file shares do not open in Protected View if their UNC paths appear to be within the Internet zone. |
| Do not open files in unsafe locations in Protected View | This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not specified unsafe locations, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations. If you enable this policy setting, files located in unsafe locations do not open in Protected View. If you disable or do not configure this policy setting, files located in unsafe locations open in Protected View. |
| Do not open files from the Internet zone in Protected View | This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure this policy setting, files downloaded from the Internet zone open in Protected View. |
| Turn off Protected View for attachments opened from Outlook | This policy setting allows you to determine if Word files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If you disable or do not configure this policy setting, Outlook attachments open in Protected View. |
| Set document behavior if file validation fails | This policy key controls how Office documents are handled when they fail File Validation. The options available are: "Block files completely" (this will prevent users from opening files); "Open files in Protected View and disallow edit" (this will prevent users from editing the files); "Open files in Protected View and allow edit" (this will allow users to edit the files). If you disable or do not configure this policy setting, the default setting will be "Open files in Protected View and allow edit." |

Table 1: Policy settings for configuring Protected View in Word 2010.
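
The three checks described earlier and the Table 1 settings can be combined into one decision model, which makes it easy to see which settings remove a Protected View trigger. The following Python model is an added example, not Microsoft's or the author's code; the origin labels and function names are hypothetical, and it does not account for Trusted Documents records.

```python
# True = policy Enabled; False = Disabled or Not configured (Table 1 defaults).
DEFAULTS = {
    "Open files on local Intranet UNC in Protected View": False,
    "Do not open files in unsafe locations in Protected View": False,
    "Do not open files from the Internet zone in Protected View": False,
    "Turn off Protected View for attachments opened from Outlook": False,
    "Set document behavior if file validation fails":
        "Open files in Protected View and allow edit",
}

# Enabling any of these removes a Protected View trigger (per Table 1).
WEAKENING = [
    "Do not open files in unsafe locations in Protected View",
    "Do not open files from the Internet zone in Protected View",
    "Turn off Protected View for attachments opened from Outlook",
]

def audit(policy):
    """Return the enabled settings that stop files opening in Protected View."""
    return [name for name in WEAKENING if policy.get(name, False)]

def open_decision(origin, policy, type_blocked=False, passes_ofv=True):
    """origin is a hypothetical label: 'internet', 'outlook', 'unsafe_location',
    'unc_internet_zone' or 'trusted'. Returns (mode, reason)."""
    p = {**DEFAULTS, **policy}
    # Check 1: is the file in a safe location? Policies can exempt an origin.
    unsafe = {
        "internet": not p["Do not open files from the Internet zone in Protected View"],
        "outlook": not p["Turn off Protected View for attachments opened from Outlook"],
        "unsafe_location": not p["Do not open files in unsafe locations in Protected View"],
        "unc_internet_zone": p["Open files on local Intranet UNC in Protected View"],
    }
    if unsafe.get(origin, False):
        return ("Protected View", "untrusted location: " + origin)
    # Check 2: file type blocked by the administrator.
    if type_blocked:
        return ("Protected View", "file type blocked by policy")
    # Check 3: Office File Validation; the outcome is set by the fifth policy.
    if not passes_ofv:
        return (p["Set document behavior if file validation fails"], "failed validation")
    return ("Open for editing", "passed all checks")
```

With "Do not open files from the Internet zone in Protected View" enabled, a downloaded document in this model reaches Protected View only if its file type is blocked or it fails validation.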

Trusted Documents

In the previous section it was noted that the very first security check Word 2010 performs when a user tries to open a document is this:

Before Word opens the document, it first checks whether the document is located in a safe location or not. If the file is not in a safe location, for example because the user downloaded it from the Internet to the Downloads folder in the user’s profile, Word opens the document in Protected View and displays a message bar.

Let’s dig deeper into this idea of “safe locations” before we introduce the new Trusted Documents feature of Word 2010. It was in the previous version, Office 2007, that the idea of a trusted location was first introduced. Specifically, a trusted location in Word 2007 is a folder designated as a trusted location either by the user (using the Trust Center) or the administrator (using Group Policy). Any documents contained in a folder designated as a trusted location are automatically considered as trusted by Word, so if the user tries to open such a document, Word opens it for editing with all active content enabled. Trusted locations can be either local folders or network shares. Some folders, such as where Word stores its templates, are trusted locations by default. Other folders, such as the Temp folder, cannot be trusted locations.

End-User Experience for Trusted Documents

The problem with the Office 2007 approach is that it’s basically all or nothing. If a folder is designated as a trusted location, then all documents in it are considered as trustworthy by Word 2007. What’s new in Word 2010 (and Excel 2010 and PowerPoint 2010) is that the trustworthiness of documents can now be designated on a per-document basis by the user. This new capability is known as Trusted Documents, and it builds upon the Trusted Locations feature of Office 2007 rather than replacing it.

Here’s an example that illustrates how the new Trusted Documents feature works in Word 2010. Let’s say a user tries to open a document they downloaded from the Internet to the Downloads folder of their user profile. When the user tries to open the document, it opens in Protected View and the previously described message bar appears:


Figure 5: This document was opened in Protected View because it is stored in an untrusted location.   

After inspecting the document using the low-privileged Protected View, the user decides that the document is safe to work with and clicks Enable Editing. Word now does two things:

  • Word closes Protected View and opens the document for editing.
  • Word creates an HKCU registry entry recording the user’s decision that the document should be considered as trusted.

At this point, if the document doesn’t contain any active content such as macros or ActiveX controls, then the user can begin working with the document. If however the document also contains active content, then a second message bar is displayed as follows:


Figure 6: The document has been opened for editing but active content has been disabled.

If the user now decides that it’s safe to enable the active content within the document, he can click the Enable Content button. Doing this updates the previously created registry entry to record this additional decision on the part of the user concerning the trustworthiness of the document.

Now, the next time the user tries to open the same document, Word determines from the previously saved registry entry that the user has already made a trust decision concerning the document. Then, instead of opening the document in Protected View, Word simply opens the document for editing with all active content enabled.
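
The registry entry described above is what an investigator reads to learn which documents a user chose to trust. The following Python parser is an added example, not part of the original article; the key path, the record layout and the flag values are assumptions taken from public forensic descriptions of Office trust records, and the sample records are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption (not in the article): Word 2010 keeps trust records as binary values
# under HKCU\Software\Microsoft\Office\14.0\Word\Security\Trusted Documents\TrustRecords,
# one value per document, named after its path. Per public forensic write-ups the
# first 8 bytes are a FILETIME and the last 4 bytes a little-endian flag.
FLAG_EDITING = 0x00000001  # Enable Editing was clicked
FLAG_CONTENT = 0x7FFFFFFF  # Enable Content was clicked as well
DECISIONS = {FLAG_EDITING: "editing enabled",
             FLAG_CONTENT: "editing and active content enabled"}

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_trust_record(name, data):
    """Decode one TrustRecords value; raise ValueError if it is truncated."""
    if len(data) < 12:
        raise ValueError("trust record too short: %d bytes" % len(data))
    (ft,) = struct.unpack_from("<Q", data, 0)
    (flag,) = struct.unpack_from("<I", data, len(data) - 4)
    decision = DECISIONS.get(flag, "unknown flag 0x%08X" % flag)
    return {"document": name, "timestamp": filetime_to_utc(ft), "decision": decision}

def content_enabled(records):
    """Return the documents whose active content the user chose to enable."""
    return [name for name, data in records.items()
            if parse_trust_record(name, data)["decision"] == DECISIONS[FLAG_CONTENT]]

def _sample(ft, flag):
    # Constructed 24-byte value: FILETIME, 12 bytes not interpreted here, flag.
    return struct.pack("<Q", ft) + b"\x00" * 12 + struct.pack("<I", flag)

# Constructed sample data (value name -> value data), not from a real system.
SAMPLE = {
    r"%USERPROFILE%/Downloads/report.docx": _sample(129744288000000000, FLAG_EDITING),
    r"%USERPROFILE%/Downloads/invoice.doc": _sample(129744288000000000, FLAG_CONTENT),
}

if __name__ == "__main__":
    for name, data in SAMPLE.items():
        print(parse_trust_record(name, data))
```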

Administrator Options for Configuring Trusted Documents

As the administrator for your organization, you can use Group Policy to configure how Trusted Documents works on end-user PCs. Word 2010 has four per-user policy settings for configuring the Trusted Documents feature:

  • Turn off trusted documents
  • Turn off Trusted Documents on the network
  • Set maximum number of trusted documents
  • Set maximum number of trust records to preserve

Figure 7 shows where these policy settings are found:


Figure 7: Policy settings for configuring Trusted Documents in Word 2010.

More details concerning these four policy settings are listed in Table 2 below.

| Policy setting | Description |
| --- | --- |
| Turn off trusted documents | This policy setting allows you to turn off the trusted documents feature. The trusted documents feature allows users to always enable active content in documents such as macros, ActiveX controls, data connections, etc. so that they are not prompted the next time they open the documents. Trusted documents are exempt from security notifications. If you enable this policy setting, you will turn off the trusted documents feature. Users will receive a security prompt every time a document containing active content is opened. If you disable or do not configure this policy setting, documents will be trusted when users enable content for a document, and users will not receive a security prompt. |
| Turn off Trusted Documents on the network | This policy setting allows you to turn off the trusted documents feature for documents opened from the network. If you enable this policy setting, users will always see security notifications for active content such as macros, ActiveX controls, data connections, etc. for documents opened from the network. If you disable or do not configure this policy setting, the trusted documents feature allows users to always allow active content in documents such as macros, ActiveX controls, data connections, etc. so that users are not prompted the next time they open the documents. Trusted documents are exempt from security notifications. |
| Set maximum number of trusted documents | This policy setting allows you to specify the maximum number of trust records for trusted documents that can be stored in the registry. If you enable this policy setting, you may specify the maximum number of trust records, with an upper limit of 20000. Due to performance reasons, it is not recommended to set it to the upper limit. If you disable or you do not configure this policy setting, the default value of 500 is used. |
| Set maximum number of trust records to preserve | This policy setting allows you to specify the maximum number of trust records to preserve when the purge task detects that this application has trusted more than the number of trusted documents set by the "Set maximum number of trusted documents" policy setting. If you enable this policy setting, you may specify the maximum number of trust records to preserve, with an upper limit of 20000. Due to performance reasons, it is not recommended to set it to the upper limit. If you disable or you do not configure this policy setting, the default value of 400 is used. |

Table 2: Policy settings for configuring Trusted Documents in Word 2010.

Conclusion

This article and the previous one have introduced three security improvements in Office 2010 designed to mitigate against threats, namely Office File Validation, Protected View and Trusted Documents. The third and final article of this series will examine Office 2010 improvements designed to enable enterprises to better control the flow of information.

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions.