Microsoft Office 2013 makes it easier than ever for users to access their documents when and where they need them. But Microsoft wasn't thinking only about end users when it released the latest version of its application suite. The company also took into account the needs of IT professionals who must deploy Office across the enterprise. Office 2013 features include plenty of bells and whistles to make administrators happy, particularly when it comes to security.
In fact, Microsoft has tackled a number of important areas to make Office a safer environment for enterprise workers. Security configurations have been updated and authentication has been enhanced. Functionality that supports trusted publishers, digital signatures and encrypted document recovery has also received a makeover. The latest version of Office even includes new and improved Protected View and Information Rights Management (IRM) features.
Office 2013 security configurations
Microsoft provides admins with two tools for managing configuration settings for Office 2013 security and deployment in the enterprise. The Office Customization Tool (OCT) lets administrators customize Windows Installer (MSI) deployments of volume-licensed versions of Office 2013 by producing a Setup customization (.msp) file that Setup applies at install time. And administrators can use the Office 2013 Administrative Templates (ADMX/ADML files) to configure Group Policy settings for both MSI and Click-to-Run installations.
To use these tools to configure Microsoft Office security and other settings, administrators must download the OCT and Administrative Template files from the Microsoft Download Center. Both sets of files are available as a single download. The files let administrators configure a variety of security-related settings, some of which are new to Office 2013.
For example, admins can block Apps for Office outright, or control whether Office may connect to unsecure apps and app catalogs (the "Allow Unsecure Apps and Catalogs" policy, which is off by default). Note, however, that some new policy settings are available only through Group Policy and not the OCT. The distinction matters in practice: an OCT customization only sets initial values, which users can later change in the Trust Center, whereas a Group Policy setting is written to the policy hive of the registry and is enforced each time policy refreshes.
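The following PowerShell is an added example, not code from the article or from Microsoft. It shows the difference between a Group Policy-enforced macro setting and a user's own Trust Center choice by writing the policy value with the GroupPolicy module and then reading both registry hives on a client. It assumes the RSAT GroupPolicy module is installed, that a GPO named "Office 2013 Security" already exists (the name is a placeholder), and that the policy key and value names are those published by the Office 2013 Administrative Templates (Software\Policies\Microsoft\Office\15.0\<App>\Security, VBAWarnings).

```powershell
# Added example (not from the article): enforce and audit the Office 2013
# macro security level through the Group Policy registry hive.
# Assumptions: GroupPolicy module (RSAT) present; GPO 'Office 2013 Security'
# exists (placeholder name); key/value names follow the Office 2013 ADMX files.

$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings DWORD as exposed by the Trust Center.
$VbaWarnings = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Set-OfficeMacroPolicy {
    # Write VBAWarnings into the GPO for each application. Level 3 is the
    # setting under which the Trusted Publishers list does its work.
    param([string]$GpoName, [int]$Level = 3)
    foreach ($app in $Apps) {
        Set-GPRegistryValue -Name $GpoName `
            -Key "HKCU\Software\Policies\Microsoft\Office\15.0\$app\Security" `
            -ValueName 'VBAWarnings' -Type DWord -Value $Level | Out-Null
    }
}

function Get-OfficeMacroSetting {
    # The Policies hive wins over the user's own Trust Center choice, so read
    # both and report which one is actually in effect.
    foreach ($app in $Apps) {
        $policy = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\15.0\$app\Security" `
                      -Name VBAWarnings -ErrorAction SilentlyContinue
        $user   = Get-ItemProperty "HKCU:\Software\Microsoft\Office\15.0\$app\Security" `
                      -Name VBAWarnings -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App       = $app
            Policy    = if ($policy) { $VbaWarnings[[int]$policy.VBAWarnings] } else { '(not set)' }
            UserValue = if ($user)   { $VbaWarnings[[int]$user.VBAWarnings] }   else { '(default)' }
            Effective = if ($policy) { 'Group Policy' } elseif ($user) { 'User choice' } else { 'Office default' }
        }
    }
}

# Usage: run the first line on a domain admin workstation with RSAT, the
# second on a client after 'gpupdate /target:user /force'.
Set-OfficeMacroPolicy -GpoName 'Office 2013 Security' -Level 3
Get-OfficeMacroSetting | Format-Table -AutoSize
```

Setting the value with Set-GPRegistryValue is equivalent to toggling the corresponding Administrative Template policy in the Group Policy Management Editor; the audit function is the part worth keeping, because it tells you whether a machine that reports "signed macros only" got that setting from policy or from a user who could change it back.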
Office 2013 authentication
With the release of Office 2013, Microsoft has moved from a computer-centric authentication model to a user-centric one, allowing content, resources, histories, settings and other personalization to follow the user from one device to the next.
Users no longer need to provide passwords multiple times to open Office files from different locations and different devices. They can create a profile, sign in once and work from various locations without having to log in each time, whether accessing files locally, from SkyDrive or through Office 365 apps.
For IT administrators, the key to managing identities lies within Active Directory and two tools integrated into the directory environment: Active Directory Federation Services (ADFS) and Forefront Identity Manager (FIM). ADFS is a Windows Server role that issues claims-based security tokens, giving users single sign-on access to multiple systems and applications, including cloud services such as Office 365, without having to re-enter their domain credentials.
FIM is an identity management service used to administer user identities and their credentials throughout their lifespans on enterprise systems. Together these two tools, in combination with other Active Directory features, let administrators manage user IDs while providing Office 2013 access with device-independent flexibility.
Trusted publishers
In Office 2013, administrators can add content publishers to the Trusted Publishers list. The content in this case refers to digitally signed add-ins, ActiveX controls and Visual Basic for Applications (VBA) macros. The publisher can be any developer, software company or organization that distributes this type of content. To be added to the list, publishers must supply the code-signing certificate they used to digitally sign the published content. In fact, it is this certificate that is added to the Trusted Publishers list, so the list is really a certificate store, and trust extends to anything signed with the corresponding private key.
Adding publishers to the list makes it easier for users to work with their Office documents when they encounter active content. For example, if a user opens a file that contains a VBA macro created by a trusted publisher, the macro is enabled without the user being notified of potential security risks. The practical caveat is the mirror image of the convenience: if a trusted publisher's signing key is lost or stolen, malicious macros signed with it run silently as well, so the list should be short, reviewed periodically and paired with a macro setting that blocks unsigned code.
To add a publisher's certificate to the Trusted Publishers list, administrators can use Group Policy or the OCT. However, Group Policy provides greater manageability options: the certificate can be deployed to the Windows Trusted Publishers store (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers), scoped to specific organizational units, and removed centrally when trust should be revoked.
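The script below is an added example, not code from the article, showing how an administrator might add a publisher certificate to the local Trusted Publishers store with the checks a practitioner would want first: pin the thumbprint to a value confirmed with the publisher out of band, confirm the certificate is actually a code-signing certificate, and reject an expired one. The file name and the thumbprint are placeholders; the PKI module's Import-Certificate cmdlet is assumed to be available (Windows 8 / Windows Server 2012 and later).

```powershell
# Added example (not from the article): vet a publisher's certificate before
# placing it in the Trusted Publishers store. Placeholders: the .cer path and
# the expected thumbprint. Requires the PKI module (Import-Certificate).

function Add-TrustedPublisher {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [ValidateSet('CurrentUser', 'LocalMachine')][string]$Scope = 'LocalMachine'
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # A .cer that arrives by e-mail proves nothing; pin the thumbprint to the
    # value you confirmed with the publisher through a separate channel.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for $CerPath (got $($cert.Thumbprint), expected $expected)"
    }

    # Trust only a code-signing certificate (EKU 1.3.6.1.5.5.7.3.3); an EKU
    # extension that lacks it, or a TLS or e-mail certificate, must be rejected.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3')) {
        throw "$($cert.Subject) is not a code-signing certificate"
    }

    if ($cert.NotAfter -lt (Get-Date)) {
        throw "$($cert.Subject) expired on $($cert.NotAfter)"
    }

    Import-Certificate -FilePath $CerPath -CertStoreLocation "Cert:\$Scope\TrustedPublisher" | Out-Null
    $cert | Select-Object Subject, Thumbprint, NotAfter
}

function Get-TrustedPublishers {
    # Review what is already trusted: every entry here lets signed active
    # content run without a prompt, in both the machine and the user store.
    Get-ChildItem Cert:\LocalMachine\TrustedPublisher, Cert:\CurrentUser\TrustedPublisher |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*::' } },
                      Subject, Thumbprint, NotAfter
}

# Usage (replace both placeholders before running).
Add-TrustedPublisher -CerPath '.\contoso-codesign.cer' `
    -ExpectedThumbprint '<THUMBPRINT CONFIRMED WITH PUBLISHER>'
Get-TrustedPublishers | Format-Table -AutoSize
```

For fleet-wide deployment the same vetted .cer is imported into the Trusted Publishers node under Public Key Policies in a GPO rather than on each machine; the Get-TrustedPublishers function is still useful on clients to confirm that only the expected certificates are present in either store.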
Information Rights Management
Information Rights Management (IRM) is an Office file-level protection component used to prevent sensitive documents or email messages from being copied, printed or forwarded by unauthorized users. IRM uses permissions and authorization to control how the documents or messages are distributed. The content is encrypted and the usage rights are embedded in the file itself, so the restrictions travel with the file regardless of where it goes. Note that IRM is enforced by compliant applications: it governs what Office lets a recipient do with the file, but it cannot stop someone with read access from photographing the screen or retyping the text.
Office 2013 includes a new IRM client that helps to simplify identity selection. The client must typically have access to a server running Rights Management Services (RMS), either the older Windows RMS or Active Directory Rights Management Services (AD RMS).
Note, however, that IRM can also use individual Microsoft accounts to authenticate and grant permissions. That is convenient for small organizations, but it also means a user could protect corporate content under a personal account the company does not control, so admins who run AD RMS generally want that path disabled. Admins can control many of the IRM settings through Group Policy or the OCT, although some IRM options must be configured directly in the registry.
Not only has Microsoft improved Office's security configuration and authentication capabilities, but it has also made it easier to trust content publishers and configure IRM. These are just some of the Office 2013 features for security. My next article will look at digital signatures, Protected View and more.
This was first published in August 2013