Microsoft has improved or added Office 2013 features to make security easier for both end users and IT administrators. We've already looked at Office 2013 security configuration and authentication capabilities, as well as the suite's approach to trusted content publishers and Information Rights Management. Here are more Microsoft Office security measures that can help enterprises.
Microsoft has made a number of enhancements to digital signatures in Office 2013. A digital signature is an electronic signature attached to an email message or document that authenticates its source. One of these enhancements is related to the Open Document Format (ODF) specification, an XML-based file format whose aim is to provide a universal document structure that can be used by any software product. Office 2013 now supports ODF and lets users digitally sign their ODF documents with invisible digital signatures.
Office 2013 has made other enhancements to digital signatures as well. For example, prior to Office 2013, digital signatures were based on the XML Digital Signature (XML-DSig) formatting standard. However, Office 2013 has added support for XML Advanced Electronic Signatures (XAdES), a set of tiered extensions to XML-DSig that make digital signatures more reliable and secure.
By default, however, documents signed with XAdES are not compatible with earlier versions of Office unless Group Policy is specifically configured to override the default behavior.
Office 2013 provides the capability to open files in Protected View, a sandbox environment that isolates Office processes from other applications and operating system components to mitigate possible exploits.
Documents opened in Protected View are considered less of a threat than documents outside of Protected View, particularly if those documents are not trusted in some way. But Protected View has its limits. Users can only view a document's contents; they cannot edit, save or print the document. They also cannot view details about digital signatures.
In addition, all active content is disabled, including add-ins, Visual Basic for Applications macros, ActiveX controls and database connections. Users can, however, copy content and paste it into another document.
Protected View is enabled by default for Word, Excel and PowerPoint documents, but that doesn't mean all files automatically open in Protected View. For example, documents that are trusted or that come from trusted locations do not open in Protected View, which means they can be edited, saved and printed.
For a document to open in Protected View, it must originate from a nontrusted location or fail Office File Validation. Files will also open in Protected View if the Attachment Execution Services zone determines the file to be unsafe. In addition, a user can specifically open a file in Protected View, as well as change the default behavior of when files should open in Protected View.
Recovering password-protected documents
New Office 2013 features include one that lets administrators decrypt password-protected documents. For example, an employee who has left the organization might have password-protected an Excel spreadsheet, and now no one has the password to unlock the file. Administrators can use a private escrow key to retrieve that file's content -- but only if that file was encrypted using the default encryption available in Office 2010 and Office 2013.
In addition, the client computer on which the document was encrypted must have been set up with special certificate metadata. This usually involves using Group Policy to make registry changes on the client computer in order to associate a certificate with the protected documents.
If a file is then encrypted after this mechanism has been put in place, admins can use the DocRecrypt tool to recover data from that document. However, the tool works only on Office Open XML-formatted documents, which have file extensions such as .docx, .xlsx or .pptx.
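The recovery conditions above can be checked before attempting recovery. The following is an added example, not code from the article or from Microsoft: a heuristic raw-byte triage (not a full compound-file parser) that labels files by extension and container type. It assumes password-protected Office Open XML files are stored as OLE compound files with `EncryptionInfo` and `EncryptedPackage` streams, and that the escrow certificate metadata appears as a certificate key encryptor URI; the file names and sample bytes are constructed.

```python
import io
import zipfile

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE compound file header
OOXML_EXTS = (".docx", ".xlsx", ".pptx")         # extensions the article lists
# Compound-file directory entries store stream names as UTF-16LE.
ENC_STREAMS = [n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage")]
# Assumption: escrow certificate metadata shows up as a certificate key encryptor.
CERT_MARKER = b"http://schemas.microsoft.com/office/2006/keyEncryptor/certificate"

def classify(name: str, data: bytes) -> str:
    """Return a triage label for one file, from its name and raw bytes."""
    if not name.lower().endswith(OOXML_EXTS):
        return "not-ooxml-extension"
    if data.startswith(b"PK"):
        # Unprotected OOXML is a plain ZIP package; nothing to recover.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                ok = "[Content_Types].xml" in z.namelist()
        except zipfile.BadZipFile:
            ok = False
        return "unencrypted-ooxml" if ok else "corrupt-or-unknown"
    if data.startswith(CFB_MAGIC) and all(s in data for s in ENC_STREAMS):
        if CERT_MARKER in data:
            return "encrypted-with-certificate-metadata"
        return "encrypted-password-only"
    return "corrupt-or-unknown"

def _fake_encrypted(with_cert: bool) -> bytes:
    """Constructed stand-in for an encrypted package (not a valid compound file)."""
    body = CFB_MAGIC + b"\x00" * 504 + b"".join(ENC_STREAMS)
    return body + (b'<keyEncryptor uri="' + CERT_MARKER + b'"/>' if with_cert else b"")

def _plain_docx() -> bytes:
    """Constructed minimal ZIP carrying only the OOXML content-types part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()

SAMPLES = {  # constructed inputs
    "budget.xlsx": _fake_encrypted(True),
    "notes.docx": _fake_encrypted(False),
    "deck.pptx": _plain_docx(),
    "legacy.xls": CFB_MAGIC + b"\x00" * 504,
}

def triage(samples=SAMPLES) -> dict:
    return {n: classify(n, d) for n, d in samples.items()}

if __name__ == "__main__":
    for n, label in triage().items():
        print(f"{n}: {label}")
```

Files labelled `encrypted-password-only` were most likely protected before the certificate mechanism was in place, so they fall outside what the article says the tool can recover.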
The Office 2013 difference
With each new Office release, Microsoft adds another layer of security protections. And Microsoft Office 2013 is no exception. It's now easier to recover password-protected files and open files in Protected View. Even the digital signature functionality has been expanded and improved.
Clearly, Microsoft's Office 2013 security improvements have been made with the enterprise in mind, making it easier for both users and administrators to protect their Office documents while expanding the users' ability to work with those documents when they need them and from wherever they happen to be.
This was first published in August 2013