2007 Microsoft Office Security Guide
Chapter 2: Confidentiality Settings

Published: November 11, 2007

Confidentiality settings help mitigate threats to any information that should not be disclosed either publicly or privately, such as e-mail correspondence, project planning information, design specifications, financial information, customer data, and personal and private information.

The 2007 Microsoft® Office release provides several technologies and settings to help mitigate threats to confidential information. These technologies and settings are classified into three primary groups based on how they mitigate threats.

  • Privacy options. These options help protect personal and private information, including hidden information that is contained in files as well as information that is transmitted across a network.
  • Encryption settings. These settings help protect information that is created and saved in documents, presentations, and spreadsheets.
  • Information Rights Management (IRM) settings. These settings help protect information that is sent in e-mail messages.

Important: In addition to considering all of the settings discussed in this chapter, you should always ensure that your computers are up to date with the most recent security patches from Microsoft. Effective patch management is essential to improving security in any organization.

Mitigating Privacy Threats

Privacy threats include any threats or threat agents that disclose or reveal personal or private information without the user's consent or knowledge. Privacy threats pose a risk to confidentiality because personal and private information is usually considered confidential.

Several threat agents can be used to exploit privacy threats, but some of the most common threat agents attempt to access data about the documents, which is known as metadata. Examples of metadata include information such as author name, organization name, document editing time, or document version number. Anyone with access to the document also has access to the metadata unless it has been removed from a document.

Privacy threats can also be exploited whenever a document contains sensitive information, whether it is in the text, the graphics, or in supplemental content such as comments, revisions, annotations, custom XML data, hidden text, watermarks, and header and footer information. Unless such supplemental content is removed from a document, anyone who has access to the document can also access this content.

Sometimes private information can be disclosed or revealed if various application features or functionality are enabled or used. Although these features and functionality are not considered threat agents, they can reveal or disclose personal or private information that your organization deems confidential or proprietary. For example, when you allow the 2007 Office release to automatically download updates for the online Help system, your computer's IP address can be disclosed—which can be considered personal and private information.

Most organizations face privacy threats or want to actively manage the disclosure of private or personal information.

For more information about privacy, see the "Privacy Statement for the 2007 Microsoft Office System."

By default, the 2007 Office release helps mitigate several privacy threats. Default settings include the following:

  • Document Inspector is enabled. Document Inspector is a new tool that helps users mitigate privacy threats by removing metadata, revisions, comments, custom XML tags, and other potentially private and personal content from documents.

    Note: Document Inspector is extensible and can be programmatically modified to suit the privacy needs of your organization by creating custom Inspector modules. For more information, see Customizing the 2007 Office System Document Inspector on MSDN.

  • Metadata is protected in an encrypted document. When users encrypt documents with the password protection feature, the metadata in the documents is encrypted. This setting applies only to Office Open XML Formats files.
  • The option to participate in the Customer Experience Improvement Program is disabled by default. The Customer Experience Improvement Program allows Microsoft to automatically and anonymously collect information from users' computers, including the error messages that are generated by the software, the kind of equipment that is installed in the computers, whether the computers have any difficulty running Microsoft software, and whether the hardware and software responds well and performs rapidly.
  • The option to download a file periodically that helps determine system problems is disabled by default. This setting allows computers to receive updates that can help improve application reliability by detecting when computers crash or become unstable and by automatically running the Microsoft Office Diagnostics tool to help diagnose and repair problems that might be found. This setting also allows Microsoft to ask users to send error reports for certain types of error messages that might appear.

The following table lists a number of 2007 Office settings that help mitigate privacy threats. For more information about specific settings, see the companion Threats and Countermeasures guide.

Table 2.1. Security Settings that Help Mitigate Privacy Threats

| Setting name | Applies to |
|---|---|
| Automatically receive small updates to improve reliability | 2007 Office system |
| Control Blogging | 2007 Office system |
| Disable access to updates, add-ins, and patches on the Office Online website | 2007 Office system |
| Disable Check For Solutions | 2007 Office system |
| Disable Clip Art and Media downloads from the client and from Office Online website | 2007 Office system |
| Disable commands | Office Access 2007, Excel 2007, InfoPath 2007, PowerPoint 2007, and Word 2007 |
| Disable customer-submitted templates downloads from Office Online | 2007 Office system |
| Disable Document Information Panel | 2007 Office system |
| Disable inclusion of document properties in PDF and XPS output | 2007 Office system |
| Disable template downloads from the client and from Office Online website | 2007 Office system |
| Disable training practice downloads from the Office Online website | 2007 Office system |
| Enable Customer Experience Improvement Program | 2007 Office system |
| Hidden text | Office Word 2007 |
| Make hidden markup visible | Office PowerPoint 2007 |
| Online content options | 2007 Office system |
| Prevents users from uploading document templates to the Office Online community. | 2007 Office system |

Guidelines for Mitigating Privacy Threats

To help mitigate privacy threats in your organization, you should observe the following guidelines:

  • Use Group Policy to ensure that settings that help mitigate privacy threats are enforced throughout your organization.
  • Use file system and network access security to prevent unauthorized users from accessing documents.
  • Encrypt documents that contain sensitive information. Document encryption can also encrypt the metadata that is associated with documents.
  • Prior to sending documents to recipients, consider using Document Inspector to remove metadata, revisions, comments, custom XML tags, or hidden documents. This guideline is only necessary if these elements contain sensitive data that you do not want recipients to view.
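
A pre-send check for the content types named in these guidelines, as an added example (not part of the original guide and not Document Inspector itself). It scans an Office Open XML word-processing package for core properties, tracked revisions, comments, hidden text, and custom XML parts; the sample package and all names in it are constructed, and a hardened XML parser should replace ElementTree for untrusted files.

```python
import io, zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC = "http://purl.org/dc/elements/1.1/"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"

def build_sample_docx():
    """Constructed sample package (not a real document) with private content."""
    parts = {
        "docProps/core.xml":
            f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
            '<dc:creator>Jane Doe</dc:creator></cp:coreProperties>',
        "word/document.xml":
            f'<w:document xmlns:w="{W}"><w:body><w:p>'
            '<w:r><w:t>Public text</w:t></w:r>'
            '<w:del w:author="Jane Doe"><w:r><w:delText>old price</w:delText></w:r></w:del>'
            '<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal only</w:t></w:r>'
            '<w:r><w:rPr><w:vanish w:val="0"/></w:rPr><w:t>visible</w:t></w:r>'
            '</w:p></w:body></w:document>',
        "word/comments.xml":
            f'<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="John Roe">'
            '<w:p><w:r><w:t>check with legal</w:t></w:r></w:p></w:comment></w:comments>',
        "customXml/item1.xml": "<order id='42'/>",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()

def is_hidden(run):
    """A run is hidden when w:vanish is present and not explicitly switched off."""
    v = run.find(f"{{{W}}}rPr/{{{W}}}vanish")
    return v is not None and v.get(f"{{{W}}}val", "1") not in ("0", "false", "off")

def scan_docx(data):
    """Report the content types Document Inspector is described as removing."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            found["metadata"] = {e.tag.split("}")[1]: e.text for e in root if e.text}
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            found["revisions"] = sum(len(doc.findall(f".//{{{W}}}{t}")) for t in ("ins", "del"))
            found["hidden_text"] = ["".join(t.text or "" for t in r.findall(f"{{{W}}}t"))
                                    for r in doc.iter(f"{{{W}}}r") if is_hidden(r)]
        if "word/comments.xml" in names:
            com = ET.fromstring(z.read("word/comments.xml"))
            found["comments"] = len(com.findall(f"{{{W}}}comment"))
        found["custom_xml"] = [n for n in names if n.startswith("customXml/")]
    return found
```

A password-encrypted Office Open XML file is not a ZIP package, so `zipfile` raises `BadZipFile` on it; treat that as "cannot inspect" rather than "clean".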

Protecting Information with Encryption

The 2007 Office release provides several settings that enable you to change the way documents are encrypted when users use the encryption feature. The encryption feature is available only in Office Access™ 2007, Office Excel® 2007, Office PowerPoint® 2007, and Office Word 2007.

Encryption helps mitigate numerous types of document threats and document threat agents. Document threats consist of unauthorized users attempting to gain access to your organization's documents or the information that is contained in them. Unauthorized access to documents can cause the loss of confidentiality--that is, the document data is no longer proprietary--and loss of content.

Most organizations face document threats, although many organizations do not take sufficient measures to mitigate them because they perceive the threat to be minimal or consider the administrative cost for mitigating the threat excessive. These perceptions can lead to unsafe practices and circumstances such as the following:

  • Your organization's network security architecture cannot prevent intruders or attackers from gaining access to your internal network, which increases the risk that malicious users might gain access to your organization's documents.
  • Your organization does not prevent users from sending, receiving, or sharing proprietary documents over the Internet, including financial data, project plans, presentations, or drawings.
  • Your organization does not prevent users from connecting laptop computers to public networks, which increases the risk that unidentifiable attackers might gain access to the documents that are saved on users' laptop computers.
  • Your organization does not prevent users from taking documents that contain proprietary information out of the office.
  • There is a chance that unauthorized attackers or intruders can gain access to documents containing proprietary information.

Documents are not encrypted by default in the 2007 Office release, and there are no administrative settings that enable you to force users to encrypt documents. However, you can mitigate document threats by having users use the password protection feature to encrypt documents in Office Excel 2007, Office PowerPoint 2007, and Office Word 2007, and databases in Office Access 2007. By default, these applications use the following settings when a user encrypts a document or database:

  • For Office Access 2007 databases (.accdb) and Office Open XML documents in the Windows® XP Professional operating system, the cryptographic service provider (CSP) is Microsoft Enhanced RSA and AES Cryptographic Provider. The cryptographic algorithm is AES-128, and the cryptographic key length is 128-bit.
  • For Office Access 2007 databases and Office Open XML documents in the Windows Vista® operating system, the CSP is Microsoft Enhanced RSA and AES Cryptographic Provider. The cryptographic algorithm is AES-128, and the cryptographic key length is 128-bit.
  • Excel, PowerPoint, and Word documents that are saved in the Office 97-2003 format use the Office 97/2000–compatible encryption method, which is a proprietary encryption method called RC-40 40-bit that can be customized via the registry.

    Note: AES-128 can be increased to 256-bit via a registry setting.
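
To verify which CSP, algorithm, and key length a password-protected Office Open XML file actually uses, the header of its EncryptionInfo stream can be read; the following is an added example, not code from the guide. It assumes the stream bytes have already been extracted from the file's OLE compound container (not shown), follows the standard-encryption header layout in [MS-OFFCRYPTO], and uses a hypothetical 256-bit policy threshold; the sample stream is constructed and omits the verifier that follows the header in a real file.

```python
import struct

# CryptoAPI algorithm identifiers used in the EncryptionHeader.AlgID field.
ALGS = {0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256", 0x6801: "RC4"}

def build_sample_info(alg_id=0x660E, key_bits=128,
                      csp="Microsoft Enhanced RSA and AES Cryptographic Provider"):
    """Constructed sample: version info plus EncryptionHeader, no verifier."""
    name = (csp + "\0").encode("utf-16-le")
    # Flags, SizeExtra, AlgID, AlgIDHash (SHA-1), KeySize, ProviderType, 2x reserved
    header = struct.pack("<8I", 0x24, 0, alg_id, 0x8004, key_bits, 0x18, 0, 0) + name
    # vMajor, vMinor, Flags, EncryptionHeaderSize
    return struct.pack("<HHII", 3, 2, 0x24, len(header)) + header

def parse_info(stream):
    """Extract algorithm, key length and CSP name from the stream header."""
    v_major, v_minor, _flags, hdr_size = struct.unpack_from("<HHII", stream, 0)
    if v_minor != 2 or v_major not in (2, 3, 4):
        raise ValueError("not a standard-encryption EncryptionInfo stream")
    if hdr_size < 32 or 12 + hdr_size > len(stream):
        raise ValueError("truncated EncryptionHeader")
    fields = struct.unpack_from("<8I", stream, 12)
    alg_id, key_bits = fields[2], fields[4]
    csp = stream[44:12 + hdr_size].decode("utf-16-le").rstrip("\0")
    return {"algorithm": ALGS.get(alg_id, hex(alg_id)), "key_bits": key_bits, "csp": csp}

def audit(stream, min_bits=256):
    """Flag files below the (hypothetical) policy: AES with at least min_bits."""
    info = parse_info(stream)
    info["compliant"] = info["algorithm"].startswith("AES") and info["key_bits"] >= min_bits
    return info
```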

The following table lists a number of 2007 Office settings that help you configure encryption. For more information about specific settings, see the companion Threats and Countermeasures guide.

Table 2.2. Security Settings that Help Configure Encryption

| Setting name | Applies to |
|---|---|
| Disable password to open UI | 2007 Office system |
| Enable RPC encryption | Office Outlook 2007 |
| Encrypt all e-mail messages | Office Outlook 2007 |
| Encryption type for password protected Office 97-2003 files | 2007 Office system |
| Encryption type for password protected Office Open XML files | 2007 Office system |
| Protect document metadata for password protected files. | 2007 Office system |

Guidelines for Using Encryption

Observe the following guidelines for using encryption in your organization:

  • Use Group Policy to ensure that encryption settings are enforced throughout your organization.
  • Encrypt documents that contain sensitive information.
  • Evaluate the different encryption algorithms to determine which ones are appropriate for your organization. Different algorithms may be appropriate for different document types and different recipients.
  • Consider encrypting documents that should not be publicly available but pass over public networks, such as the Internet.

Protecting Information with IRM

The 2007 Office release provides several Information Rights Management (IRM) settings to help protect the privacy and confidentiality of documents. IRM is a persistent file-level technology that uses permissions and authorization to help prevent sensitive information from being printed, forwarded, or copied by unauthorized individuals. When permission for a document or message is restricted by using this technology, the usage restrictions travel with the document or e-mail message as part of the contents of the file.

For IT managers, IRM helps enable the enforcement of existing organizational policies regarding document confidentiality, workflow, and e-mail retention. For CEOs and security officers, IRM reduces the risk of having key company information fall into the hands of inappropriate people, whether by accident, thoughtlessness, or through malicious intent. Also, Windows Rights Management Server logs all rights and usage of all IRM-protected documents, thereby creating evidence that is useful to verify compliance with government regulations that pertain to the protection of sensitive financial and operating data. In addition, it provides a ‘chain of authority’ as to who has had access to the information in question, when it was accessed, and so forth.

IRM support in the 2007 Office release helps mitigate threats to confidentiality by addressing the following two fundamental needs:

  • Restricted permission for sensitive information. IRM helps protect sensitive information from unauthorized access and reuse. Organizations rely on firewalls, logon security-related measures, and other network technologies to help protect sensitive intellectual property. A basic limitation of using these technologies is that authorized users or malicious software running on users' behalf with access to the information can share it with unauthorized people. This limitation can lead to a potential breach of security policies.
  • Information privacy. Information workers often work with confidential or sensitive information. By using IRM, employees need not depend on the discretion of others to ensure that sensitive materials remain inside the organization. IRM eliminates users' ability to forward, copy, or print confidential information by helping to disable those functions in documents and messages with restricted permission.

Enabling IRM in your organization typically requires access to a rights management server running Microsoft Windows Rights Management Services (RMS) for Windows Server® 2003 or later. (It is also possible to use IRM by using Microsoft Windows Live™ ID to authenticate permissions.) The permissions are enforced by using authentication, typically by using Active Directory. Windows Live ID can authenticate users if Active Directory is not implemented (although rights and usage auditing is not available if using the public RMS option via Microsoft Windows Live ID).

In addition, although IRM is an integral part of the 2007 Office release, separate installation and configuration of the necessary RMS client software is required to interact with RMS for Windows Server 2003 or later or the Windows Live ID service on the Internet. You can download the Microsoft Windows Rights Management Services Client to enable users to run applications that restrict permission based on RMS technologies.

Also, users do not need Microsoft Office to be installed to read protected documents and messages. The Rights Management Add-on for Microsoft Internet Explorer® (a free download from Microsoft) enables Microsoft Windows users who have the appropriate permission to read e-mail messages and some documents with restricted permission without using Office software.

By default, documents are not protected with IRM in the 2007 Office release, and there are no administrative settings that enable you to force users to protect documents with IRM. However, you can create the permissions policies that appear in Office applications. For example, you might define a permission policy called Company Confidential that specifies that documents or e-mail messages can only be opened by users inside the company domain. When users implement such a policy (by clicking Company Confidential in the Office user interface) the document is protected as specified in the Company Confidential permission policy. There is no limit to the number of permission policies that you can create.

The following table lists a number of 2007 Office settings that help you configure IRM. For more information about specific settings, see the companion Threats and Countermeasures guide.

Table 2.3. Security Settings that Help Configure IRM

| Setting name | Applies to |
|---|---|
| Allow users with earlier versions of Office to read with browsers... | 2007 Office system |
| Always expand groups in Office when restricting permission for documents | 2007 Office system |
| Always require users to connect to verify permission | 2007 Office system |
| Disable Microsoft Passport service for content with restricted permission | 2007 Office system |
| Information Rights Management | Office InfoPath 2007 |
| Never allow users to specify groups when restricting permission for documents | 2007 Office system |
| Prevent users from changing permissions on rights managed content | 2007 Office system |
| Protect document metadata for rights managed Office Open XML Files | 2007 Office system |

Guidelines for Protecting Information with IRM

Use the following guidelines to help protect information in your organization with IRM:

  • Use Group Policy to ensure that IRM settings are enforced throughout your organization.
  • Protect sensitive information in e-mail messages by preventing users from printing, copying, editing, or forwarding information.
  • Protect Office documents on a per-user or per-group basis according to rights defined by the application owner.
  • Use document expiration dates. After expiration, documents can only be opened by the document owner.
  • Do not consider IRM to provide absolute protection for sensitive data. Users can still pass on information verbally, copy information manually, or photograph data to pass it on to unauthorized users.

This accelerator is part of a larger series of tools and guidance from Solution Accelerators.
