Office 2007's Security Features in a Legacy Office Environment

 Executive Summary:

Since the release of Microsoft Office 2007 in late 2006, Microsoft customers have experienced a lower level of risk when working exclusively with the new Office Open XML (OOXML) file formats that are native to Office 2007. One of the advantages of using XML-based file formats in Office 2007 is that you can validate the files before opening them, making it more difficult for someone to have inserted malicious code. The old binary Office file formats are more susceptible to attacks.

Microsoft Office Isolated Conversion Environment (MOICE), an update to the Microsoft Office Compatibility Pack, provides the ability to work with OOXML files in Office 2003, Office 2002, Office XP, and Office 2000. When the Office Compatibility Pack is installed and MOICE is enabled, Office binary format files are automatically converted into OOXML, allowing you to work more securely with the files.

Let's look at how to install and work with MOICE on Office 2003 systems, including how to use it with the separate but related File Block feature. In addition, I'll show you how to use Office 2007's encryption and authentication features and discuss what you can do with them in a mixed Office environment.

Installing MOICE
MOICE converts files in a sandbox environment (i.e., it operates with very few privileges) and acts as an intermediary between binary file formats, the Office application itself, and the new OOXML standard. MOICE isn’t a separate installable component; it’s provided as an updated version of the Microsoft Office Compatibility Pack for Office 2003, Office 2002, Office XP, Office 2000, and Office 2007. (You might install the Office Compatibility Pack and use MOICE on Office 2007 systems to assist in converting binary file formats when File Block has been enabled—more about File Block in a moment.) Before you install the Office Compatibility Pack on Office 2003 systems, you should ensure that all other security updates for Office 2003 have been installed via Microsoft Update.

You can download Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats (FileFormatConverters.exe) from http://www.microsoft.com/downloads/details.aspx?familyid=941b3470-3ae9-4aee-8f43-c6bb74cd1466&displaylang=en. If you want to deploy the Office Compatibility Pack to desktops in your organization by using Group Policy or Microsoft Systems Management Server (SMS), you can extract the Windows Installer (MSI) file by typing the following command at a command prompt:

C:FileFormatConverters.exe  /extract:c:O12Conv

Accept the license agreement, and O12Conv.msi and related files will be extracted to the O12Conv directory. You can then add these files to a software distribution point on your network and use Group Policy or SMS to deploy them.

Enabling MOICE
After deploying the Office Compatibility Pack, you need to enable MOICE functionality by modifying file associations for the Office 2003 file formats. For instance, the following command converts the file association for .doc file formats to OOXML by using MOICE:

ASSOC .doc=oice.word.document

Note that you need to run this command as an administrator. The ASSOC command modifies the file association for all users by changing information in the HKEY_LOCAL_MACHINE registry key.

After you've run the above ASSOC command, you’ll notice that opening a .doc file takes a little longer than before and that the document opens as read only. If you save the document, it will default to Word 2007 format. For a full list of the ASSOC commands to enable and disable MOICE for all supported file types, see Table 1.

To automatically enable MOICE for selected file types, you can issue the ASSOC commands as part of a Group Policy computer startup script.
Before deploying MOICE in your organization, you should be aware of the following limitations:

In addition, you should know that converted files are saved on the computer in the %temp% folder. They aren't deleted when the user closes them.

File Block
In addition to using MOICE to convert pre–Office 2007 file formats to OOXML automatically, you can use File Block for Office 2007 and earlier to further secure your environment by restricting the opening and/or saving of legacy file formats. MOICE works by means of file associations, so it’s easy to bypass by selecting Open from the File menu within Office or changing the extension of a file from .doc to .rtf, for example. File Block checks the file’s content, not the extension, to determine whether it should be opened. Therefore, it’s a good idea to use File Block in conjunction with MOICE. Office 2007 contains File Block functionality by default and can be configured by using Group Policy. Follow the instructions below, but work under the Microsoft Office Word 2007 node.

Working with File Block in Office 2003 and earlier is a little more complicated because the functionality is hidden in Microsoft security bulletins and updates. Table 2 lists these for Office 2003, which is the version I'll focus on here. To enable File Block in Office 2003, you need to install the security updates and either modify the registry or use the new Administrative Template (ADM) files for Office 2003 SP3, which you can download at http://www.microsoft.com/downloads/details.aspx?familyid=BA8BC720-EDC2-479B-B115-5ABB70B3F490&displaylang=en. Run the orksp3at.exe executable, and extract the ADM templates to a chosen location.

To configure the File Block settings for a given Office 2003 application (in this case, Word 2003), follow the steps below when configuring or creating a new Group Policy Object (GPO):

Log on to a desktop with a user account for which the GPO edited or created above applies. If MOICE is enabled for Word documents, you'll still be able to open legacy .doc files because they'll pass through the converter automatically. If MOICE is disabled, you’ll see an error message stating that a registry policy setting has denied access to the document.

File Block also lets you restrict users from saving files in the legacy binary file formats associated with pre–Office 2007 versions. Before enabling MOICE and File Block settings to enforce the use of OOXML, you should consider whether your partners and clients will be able to open the OOXML files you send them. File Block restrictions are ignored for documents that users save in designated trusted locations. (For more information about trusted locations, go to "Plan trusted locations and trusted publishers settings for the 2007 Office system" at http://technet2.microsoft.com/Office/en-us/library/5b677942-4aa4-4127-a247-b1cfd86912a91033.mspx?mfr=true.)

Encryption and Password Protection in Office 2007
Office 2007 introduces the Advanced Encryption Standard (AES) with 128-bit keys (which can be increased to 256-bit via Group Policy) and Secure Hash Algorithm-1 (SHA-1) for solid encryption of Office documents. Encryption in previous versions of Office was easily cracked and not widely used.

You can set two passwords for Office 2007 documents: a password to open and a password to modify. The password to open encrypts the document with AES encryption, and the password to modify prevents users from making changes to a document by opening the document as read only unless the users can supply the password. The password to modify doesn't encrypt a document.

To encrypt a document with a password to open in Office 2007, go to the Office menu and then select Prepare, Encrypt Document. You’ll be asked to enter a password and then re-enter the password before the document is finally encrypted. To see and set the password-to-modify option, you select General Options from the Tools menu in the Save As dialog box.

If you want to use Office 2003 or Office XP to open encrypted/password-protected files created in Office 2007, Office 2003/XP must be running on Windows XP SP2 or later, Windows Server 2003, or Windows Vista with the Office Compatibility Pack installed.

In Outlook 2007, the Secure MIME (S/MIME) standard requires that email messages are encrypted by using a digital certificate. In other Office 2007 programs, adding a digital certificate to a document provides authentication and integrity. For more information about obtaining digital certificates, see the "3 Issuers of Digital Certificates" sidebar.

Authenticating Documents with Digital Signatures in Office 2007
As in previous versions of Office, it’s possible to digitally sign documents and email messages in Office 2007. Documents digitally signed in Office 2007 can be opened in earlier versions of Office if the Office Compatibility Pack is installed, but the digital signature will be lost due to the new XMLDSig format used in Office 2007. You can self-sign a document without obtaining a digital certificate from an internal or third-party Certification Authority (CA), but the resulting signature won't necessarily be trusted when it’s opened on a different computer. (The "3 Issuers of Digital Certificates" sidebar explains this in more detail.)

Signatures can be added with a signature line or transparently. A signature line is a physical representation of the user’s signature in the body of the document itself. To add a signature line to a document in Word 2007, save the document and follow the steps below:

To add a transparent signature to a document: Select Prepare from the Office menu and select Add a Digital Signature. Enter a purpose for signing the document and then click Sign.

Use with Caution
Enabling MOICE and File Block is a good idea from a security standpoint and should certainly reduce the risks associated with users opening documents they’ve received by email and so on. However, MOICE and File Block do reduce flexibility, especially if your organization handles documents with advanced functionality such as macros or Information Rights Management. In such environments, enabling MOICE and File Block will increase users’ problems in opening legacy documents, potentially causing users to need to enlist Help desk staff or trusted users to convert the documents.

You should consider deploying MOICE and File Block to high risk users while allowing flexibility for groups of more trusted users. My only criticism of MOICE and File Block is that the mechanism to activate file conversion by means of file association only will cause confusion for some users. Rather than an unfriendly error message when trying to open blocked binary format documents from the File menu in Office, some useful instructions about how to open the file successfully would be nice.

Encryption and authentication in Office 2007 are useful features but should be used only when absolutely needed because they can increase complexity unnecessarily. If encryption is used for email, you should ensure that messages are being scanned for viruses and malware on the client because server-based scan engines won’t be able to inspect the encrypted message contents.