The new security section of the Microsoft® Office 2003 Editions Resource Kit covers a range of security-related concepts and features of Microsoft Office 2003. To help address growing concern about the security of information and systems, several new features were included in Office 2003 for administrators and users.
Some of the new improvements include the following:
While the previous macro security method helped to address many security-related issues, a few subtle improvements have been made to how documents, attachments, and linked references are opened.
However, this may cause some minor problems for some users when attachments to some files no longer open or are disabled. Administrators can revise some of these features and how they work through policy settings or from within the Custom Installation Wizard on the Specify Office Security Settings page.
For more information on the effects of these improvements on users — as well as how the administrator can configure security settings in the Custom Installation Wizard — see Macro Security Levels in Office 2003.
- Revised Trusted Publishers store management
When administrators accept certificates of trust from external vendors, they can now more easily roll out those certificates to others by using the Active Directory® directory service. Active Directory makes it easy for administrators to do several tasks that were previously difficult to perform. Reliance on this feature of Microsoft Windows-based servers is more important than in previous releases, and several new features of Office require Active Directory in order to work properly.
This feature has a different user interface on Windows® 2000 than on Windows XP. See the Tools | Macro | Security | Trusted Publishers tab for more information. It is now also possible to remove an installed and trusted certificate of trust if you no longer require it or suspect that it was compromised.
For more information on managing the Trusted Publishers store, see Working with Trusted Publishers.
- Revised Microsoft ActiveX® controls
The concern about how ActiveX controls start and run on users' computers is more important than ever. A new paradigm was developed that allows administrators more control over how these types of programs are opened and run. In essence, the new paradigm defends against unknown or ill-defined controls that may possess security flaws; it allows you to set the degree of risk you are willing to accept from an unknown ActiveX control when it starts.
Even with this improved paradigm, an ActiveX control makes use of the available security-related options only if the developer who creates the control decides to use them. For more information on ActiveX controls as they relate to security, see ActiveX Controls and Office Security.
Added to Office 2003 are new encryption types and the ability to set all Office applications to use a specific encryption type as their default. This does not mean that every document will be encrypted when it is saved; it only means that if a password is set to encrypt the document, the user does not have to select an encryption type to use.
For more information on configuring Office 2003 for encryption, see Important Aspects of Password and Encryption Protection.
- Revised core Office programming objects
As a result of the security review of all Office applications, the core objects were updated to help eliminate the classic buffer overflow attack against any data entry points. Along with this review, programmers worked to implement improved programming methods, such as those that relate to handling user IDs and passwords stored within code.
For more information on Office code objects as related to security, see Important Aspects of Password and Encryption Protection.