Securing Office Applications

Microsoft Office is highly customizable and offers many features and tools. For standard users such as library staff, a default installation is usually acceptable. However, a default installation of Microsoft Office on a public access workstation would leave the system highly vulnerable because it would allow access to features a patron should not have. Fortunately, Microsoft Office can be significantly locked down. What follows is an outline of the various ways to lock down Microsoft Office.

Customizing Toolbars and Menus

Starting with Office 2000, a great feature of the Microsoft Office products is the ability to fully customize the toolbars and menus at the user level. This means that each user can be configured to see only the menu items and toolbar items you want them to see. The only catch is that you need to prevent users from recustomizing. Toolbars and menus are controlled using Microsoft Office policies.

Microsoft Office Policies

Office policies are implemented through an extra template added to the Policy Editor. The template manipulates parts of the registry specific to Microsoft Office. Some examples of features you can control using Microsoft Office policies are default file locations and restrictions on using macros. A very effective and powerful policy option is the "Disable items...|Predefined|Disable command bar button..." option. This allows you to choose which toolbar and menu items to make available. Most importantly, remember to disable the "Tools|Customize" option so that a user can't recustomize the toolbar.

Microsoft Office Macros

Macros are customized programs. They can do just about anything and can be executed in just about any way. In their simplest form they automate tasks by recording a series of keystrokes or mouse clicks, which can then be played back at the user's command. At a higher level they can be created using a programming language called Visual Basic. At this level macros can perform very complex tasks. If they are created maliciously, they can perform undesirable functions and even harm your computer. They can also hold viruses, so you should always have anti-virus software installed. There are various levels of security regarding macros:

  • List of Trusted Sources - If you know that macros originating from a particular source are safe, you can add that source to a "List of Trusted Sources." All macros from this source will then be enabled.
  • Digital Signatures - Only adding a "Trusted Source" may not be sufficient, because it is possible to impersonate a source. Digital signatures guard against someone creating a macro under an impersonated source. They act as a "wax seal" on an envelope. By using a certificate, digital signatures prove that a macro was truly created by a certain source.
  • Security Levels - You can enable different "Security Levels" that specify certain requirements before running a macro.
    1. High - requires macro to have a digital signature and come from a trusted source
    2. Medium - warning displayed when a macro is not from a trusted source
    3. Low - macros are always enabled
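
To check that the security level described above is actually enforced on a public workstation, the following PowerShell script (an added example, not part of the original page) reports the macro security level of each Office application for the account that runs it. The registry paths, the 9.0 version key for Office 2000, the Level value name and the 1/2/3 numbering are assumptions based on the Office 2000 registry layout; confirm them against the policy template for your Office version.

```powershell
# Added example: report the macro security level per Office application
# for the user running the script (run it as the patron account).
# Assumptions: Office 2000 uses version key 9.0; the setting is a DWORD
# named Level (1 = Low, 2 = Medium, 3 = High) under <App>\Security.
$OfficeVersion = '9.0'
$Apps = 'Word', 'Excel', 'PowerPoint'
$LevelNames = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High' }

function Get-MacroSecurityLevel {
    param(
        [Parameter(Mandatory)][string]$App,
        [string]$Version = $OfficeVersion
    )
    # A value under Software\Policies is set by policy and a standard user
    # cannot change it; a value under the plain key is a user preference.
    $candidates = [ordered]@{
        Policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
        User   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    }
    foreach ($source in $candidates.Keys) {
        $item = Get-ItemProperty -Path $candidates[$source] -Name Level -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $name = $LevelNames[[int]$item.Level]
            if (-not $name) { $name = "Unknown ($($item.Level))" }
            return [pscustomobject]@{
                App = $App; Source = $source; Level = $name
                # Pass only when policy enforces High.
                Compliant = ($source -eq 'Policy' -and $name -eq 'High')
            }
        }
    }
    # No value in either key: the application falls back to its default.
    [pscustomobject]@{ App = $App; Source = 'NotSet'; Level = 'Default'; Compliant = $false }
}

$report = foreach ($app in $Apps) { Get-MacroSecurityLevel -App $app }
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Macro security is not enforced at High by policy for every application.'
}
```

A level that shows up with Source "User" rather than "Policy" is one the patron can lower again from inside the application.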
