Office security checklist
 
Applies to
Microsoft Office 97, 2000, and XP

The purpose of this checklist is to present some of the most important options for configuring baseline security on computers running Microsoft Office XP, Microsoft Office 2000, or Microsoft Office 97. These security settings can be configured and applied directly on your machine or deployed by using the Microsoft Office Resource Kit.

Depending on your network settings, security-related policies can be enabled and distributed through the Active Directory® or the Network Logon feature if your computer is running on a Microsoft Windows NT®-managed network server. The Group Policy MMC snap-in (available on Microsoft Windows 2000® server and Microsoft Windows® XP server) and the System Policy Editor (available with the Office Resource Kit and NT Server 4.0 and Windows 2000 Server) can be used to enable these policies for all machines, users, or groups in a domain. For more information on Group Policy and System Policies, see Implementing Policies and Profiles for Windows NT 4.0 and Step-by-Step Guide to Understanding the Group Policy Feature Set.

For additional resources for configuring security settings, see Sources for additional security information.

Office XP, 2000, and 97 Security Configuration Checklist

Status  Step

[ ]     Download the latest Office service packs and/or service releases
[ ]     Download all service pack/service release updates
[ ]     Download and install the latest version of the Office Resource Kit for your Office program
[ ]     Subscribe to the Microsoft Security Notification Service
[ ]     Turn on macro virus protection
[ ]     Enable password and encryption security for Excel, Word, and PowerPoint files
[ ]     Set policies to help protect your baseline security
[ ]     Consider Office VBA security
[ ]     Review Outlook security
[ ]     Remove all personal information from Office files (Office XP only)

Download the latest Office Service Packs/Service Releases

Office service packs and service releases contain feature and security updates to help protect your Office installations and documents. Microsoft recommends that you keep up to date on all service packs and service releases and install these updates as soon as possible. Use the following links to download the most recent (and any previous) updates to your Office software.

Note  Some service packs and service releases require you to install all previously available updates for your version of Office before you apply the latest patch. Please review all installation instructions carefully to guarantee that your Office installations are updated successfully.

For Office XP

If you are updating a stand-alone computer, visit the Microsoft Download Center site and follow the instructions to have the latest Office updates automatically installed for you.

If you are updating multiple Office installations across a network, visit the Microsoft Download Center to obtain all service packs and service releases.

For Office 2000

If you are updating a stand-alone computer, visit the Microsoft Download Center site and follow the instructions to have the latest Office updates automatically installed for you.

If you are updating multiple Office installations across a network, visit the Microsoft Download Center to obtain all service packs and service releases.

For Office 97

Visit the Microsoft Download Center to find all available updates for your Office 97 installation. Review the list to ensure that all updates are installed.

Download all service pack/service release updates

Visit the Microsoft Download Center to search for available updates created for your version of Office since the latest service pack or service release.

Download and install the latest version of the Office Resource Kit

Microsoft recommends that you download the latest version of the Office Resource Kit for your version of Office.

The Office XP Resource Kit is available as a free product. This kit provides valuable information regarding the deployment, maintenance, and configuration issues associated with the entire Office XP product suite. Specific tools of interest are the ADM policy templates that are automatically installed as part of the installation of the resource kit, the Custom Installation Wizard, the Custom Maintenance Wizard, and the System Policy Editor.

Important  The ADM templates are not available through any other means, and installing the kit is the only way to install these templates on your computer.

To help protect an installation, Microsoft advises you to use the Custom Installation Wizard (CIW) to apply configuration settings as a baseline installation. You can implement most user-related Office settings through the Change Office User Settings screen in the CIW, but you should also implement them with policies through the NT logon or Active Directory method to ensure that any changes made by clever users are immediately reverted to your settings each time a user logs on. Also, you can use the Specify Office Security Settings screen of the wizard to force your selected security settings to be default settings for an installation of any Office application.

Microsoft strongly recommends that all administrators of an Office installation read the available Help for this screen of the Custom Installation Wizard and its related Help topic noted at the bottom, "Recommended Security Configuration for Office XP."

Subscribe to the Microsoft Security Notification Service

The Security Notification Service is a free e-mail service Microsoft uses to share information about the security of Microsoft products. Anyone can subscribe to the service, and you may unsubscribe at any time.

To subscribe to the service, follow these steps:

  1. Send an e-mail to securbas@microsoft.com. The subject line and the body of the message are irrelevant, as they are not used to process the subscription request.
  2. Once you receive a response asking you to verify your subscription, send a reply with the word "OK" in the body of the message.

You will then receive two e-mails, one confirming that you've been added to the subscriber list and one with more information on the notification service and its purpose.

Turn on macro virus protection

A macro virus is transmitted when an Office document that contains an infected macro is opened without proper security measures. Opening the document allows the malicious macro to spread the virus from document to document. The virus can also spread to other users' documents if an infected document is shared. Macro viruses can also be contained within worm viruses like the recent ILOVEYOU virus.

Macro virus protection should be set, at the very least, to prompt users to determine whether a document is from a trusted source and to decide whether to enable the macros when opening the document.

For detailed information on how to set macro virus protection, see the Office Resource Kit or Help.

Set password and encryption protection for Excel, Word, and PowerPoint files

Several features are available in Microsoft Excel, Microsoft Word, and Microsoft PowerPoint® to help protect files through passwords or encryption. These file-level security measures are in addition to any operating system-level security already set, such as permissions to a folder, a specific file, or an entire hard disk drive.

File encryption is one of the best ways to help protect a document. When saved, the file is scrambled with an encryption code, making the contents of the document unreadable. However, this requires setting a password and remembering that password.

For detailed information on how to enable password and encryption security, see the Office Resource Kit or Help.

Set policies to protect your baseline security

System policies provide administrators with the ability to control client desktops. Policies are special registry settings applied to users' computers when users log on to the network. Policy settings enable administrators to do the following:

  • Modify the user interface.
  • Grant permissions to run or not run features of an application or utility.
  • Restrict a user from customizing parts of the different Office applications.

Information about deploying Office updates and security policies across a network can be found in the Office Resource Kit.

Suggested security policy settings to review include:

  • The Unsafe ActiveX® Initialization policy can force users to review possibly unsafe ActiveX controls.
  • The Prevent users from customizing attachment security settings and Allow access to e-mail attachments policies can help prevent the introduction of malicious code via Outlook messages.
  • The Disable “Add-in Manager…” button policy can prevent the introduction of add-ins that conflict with network settings and services.
  • The Prevent users from adding HTTP e-mail accounts policy can block users from adding security vulnerabilities by creating their own HTTP e-mail accounts.
  • The Prevent users from making changes to Outlook profiles policy can help stop changes to Outlook settings which may cause security issues.

The policies listed here are only some of the many policies you can set for an Office network. For specific information about all of the available policies and how to implement them for your network, please review the Office Resource Kit.

Note  Keep in mind that setting policies is the only way to guarantee that users will adhere to all network security rules. Security settings set for installation but not enforced by policy can be changed by users and lead to a weakening of the network’s security protections.

Consider Office VBA security

Microsoft Office documents, spreadsheets, databases, and so on all have objects with properties and events that are controllable from a Microsoft Visual Basic® for Applications (VBA) macro or executable. You can use the Trust access to Visual Basic Project policy to control whether users have the ability to allow VBA macros and executables to gain access to each Office application’s core object.

Additionally, in response to customer requests, Microsoft has designed Office XP so that it can be installed without VBA. If you install Office XP without VBA, no VBA macros will be able to run. However, installing Office XP without VBA does not cover all the potential entry points for viruses. For example, an executable (.exe) file attached to an e-mail message might contain a virus — and it will run regardless of whether VBA is installed on the computer. Viruses can also be transmitted through a script or Microsoft ActiveX® control on a Web site.

If you install Office XP without VBA, you will lose all the features that rely on VBA. These features include Microsoft Office Online; many wizards, templates, and add-ins; and all macros. Any customizations that point to macros, such as buttons or menu commands, will no longer work. If a document contains macros or ActiveX controls, users must open it on a read-only basis and save changes in a new document. Furthermore, you will not be able to install Microsoft Access 2002 without also installing VBA.

Review Outlook security

The most popular target of security attacks on Office is Microsoft Outlook®. You should take special care to address Outlook security settings and the impact these settings can have on users.

Office XP Service Pack 1 introduces the ability to set Microsoft Outlook to read all non-digitally signed e-mail or unencrypted e-mail in plain text format. This change also allows system administrators to use policies to require users to read such e-mail in plain text format only.

Digitally signed e-mail or encrypted e-mail is not affected by this update and cannot be modified by a system policy. Digitally signed e-mail or encrypted e-mail is read in its original format.

For more information on this feature, refer to the Microsoft Knowledge Base article Q307594: Users Can Read Nonsecure E-mail As Plain Text.

For other Office XP Outlook issues, refer to the Office XP Security White Paper.

For Office 2000 and Office 97 Outlook issues and security options, refer to the Knowledge Base article Q235309: Outlook E-mail Attachment Security Update and the E-mail Security Update White Paper.

Remove all personal information from Office files (Office XP only)

In Office XP a security option is provided that allows users to remove all personal information from files when the files are saved.

When you use this option, the following personal information is removed from your document:

  • File properties (Author, Manager, Company, Last saved by).
  • Names associated with comments or tracked changes (names are changed to Author).
  • Routing slip.
  • The e-mail message header that is generated with the E-mail button.
  • Versioning (the name under Saved by is changed to Author).

For detailed information, see the Office Resource Kit or the Help topic on removing personal or hidden information.

Sources for additional security information

  • For answers to questions regarding the implementation of any of these or other security measures on individual machines, first consult the documentation provided with your copy of Office.
  • For answers to questions regarding the implementation of security measures across a network, the Office Resource Kit is an excellent guide for administrators. While the Office Resource Kit home page refers specifically to Office XP administration issues, links are provided to the online Resource Kits for Office 2000 and Office 97.
  • The Office XP Security White Paper contains information on many of the security improvements offered in Office XP.
  • The Microsoft Office Online Web site is constantly updated with current Office news, security information, and user tips and tricks.
  • The Microsoft TechNet Office Security site provides a broad range of resources for Office XP, Office 2000, and Office 97 security concerns. Information specific to Office 2000 and Office 97 can be found at http://www.microsoft.com/technet/security/prodtech/offsec.asp.

THE INFORMATION PROVIDED IN THIS CHECKLIST IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
