Thanks to security patches, Windows Vista and Internet Explorer 7, it is much more difficult for spyware to infest the Windows operating system (OS) today than it was a few years ago. That being the case, many former spyware authors have been engaging in phishing scams in an effort to steal sensitive information. Phishing scams are certainly nothing new, but they have become a whole lot more common (and sophisticated) in the last couple of years. You have probably heard a lot about the phishing filter that Microsoft created in Internet Explorer 7. What you might not realize is that Microsoft also included the phishing filter and some related protection mechanisms in Office 2007.
Protecting Microsoft Office 2007 against phishing scams is primarily based on the idea of identifying and blocking external content. Blocking external content also eliminates the chance that Office 2007 will accidentally execute malicious code from an external source.
You have no doubt seen situations in which Outlook has blocked external content, as shown in Figure A, but you might not realize that Word, Excel and other members of the Microsoft Office suite are also designed to do the same.
Figure A: Outlook blocks external content in an effort to avoid running malicious code.
These various Microsoft Office products block external content, including images, hyperlinks, data connections and linked media, by default. Whenever a user opens a document containing the aforementioned types of external data, the user will receive a security alert stating that their security settings have blocked the content. The security alert contains two buttons. One button allows the user to enable the content that has been blocked. The other button opens the Trust Center.
The Trust Center is a console that allows you to modify privacy and security settings for various Microsoft Office features. Earlier versions of Microsoft Office allowed you to set the security levels to low, medium, high or very high, similar to the way Internet Explorer does. The problem with these particular security settings is that they are more or less meaningless to an end user. Of course, in the real world security settings are typically controlled by a Group Policy, and the end user is not allowed to touch them. However, many people also use Microsoft Office at home, so making the security settings easier to understand was Microsoft's way of helping those people.
To access the Trust Center, click on the button in the upper left corner of the window (the button that displays the Microsoft Office logo), and then click the Options button. The Options button appears toward the bottom of the menu, and its name varies depending on the particular application that you are running. For example, in Microsoft Word, the button is labeled Word Options. I have circled this button in Figure B.
Figure B: The Options button takes you to the Word Options dialog box.
When you click on the Options button, Office will open the Options dialog box. Again, this dialog box will differ from one Office application to the next, but you can see a sample of what the dialog box looks like in Word 2007 in Figure C.
Figure C: The Trust Center is accessible through the Options dialog box.
As you can see in the figure, this dialog box is designed primarily to allow you to configure the application's basic settings. However, the Trust Center is accessible through the dialog box. To reach the Trust Center, click the Trust Center option on the left side of the window and then click the Trust Center Settings button. When the Trust Center Settings window opens, it looks something like what you see in Figure D.
Figure D: The Trust Center allows you to manage the various security settings.
As you can see in the figure, the Trusted Locations section is currently selected. This section allows you to determine which locations will be considered secure when opening Office documents. Similarly, the Trusted Publishers section allows you to control which add-ins you trust. For example, I have a utility installed on my PC that allows you to convert any document to a .pdf file. This particular application is signed with a Thawte certificate, and Microsoft Office acknowledges its publisher as being trusted.
The ActiveX Settings section allows you to control what happens when a document attempts to run an ActiveX control. Likewise, the Macro Settings section allows you to enable or disable macros in Microsoft Office documents. For both the ActiveX Settings and Macro Settings sections, the settings that you specify only apply to documents that are not in trusted locations.
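Because the ActiveX and macro settings do not apply to documents opened from trusted locations, the trusted locations list deserves a review of its own. The Python below is an added example, not part of the original article: it parses constructed `reg export` text and flags trusted locations that are network paths or commonly user-writable folders. The registry layout (Office 12.0 key names, `Path`, `AllowSubFolders`, `AllowNetworkLocations`) and the sample paths are assumptions of this example.

```python
import re

# Constructed `reg export` text. The key layout (Office 12.0, Word, "Trusted
# Locations\LocationN" with Path / AllowSubFolders) is this example's assumption.
BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations"
SAMPLE_REG = "\n".join([
    "[" + BASE + "]",
    '"AllowNetworkLocations"=dword:00000001',
    "[" + BASE + r"\Location0]",
    r'"Path"="C:\\Program Files\\Microsoft Office\\Templates\\"',
    "[" + BASE + r"\Location1]",
    r'"Path"="\\\\fileserver\\shared\\docs\\"',
    '"AllowSubFolders"=dword:00000001',
    "[" + BASE + r"\Location2]",
    r'"Path"="C:\\Users\\alice\\Downloads\\"',
    '"AllowSubFolders"=dword:00000000',
])

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
DROP_DIRS = ("\\downloads\\", "\\desktop\\", "\\temp\\")  # commonly user-writable

def parse_reg(text):
    """Parse reg-export text into {key_path: {value_name: str | int}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := VAL_RE.match(line)):
            # dword values become ints; string values get their escaping undone
            current[m[1]] = int(m[3], 16) if m[3] else m[2].replace("\\\\", "\\")
    return keys

def audit_trusted_locations(text):
    """Return {key_leaf_name: [findings]} for entries that widen trust."""
    findings = {}
    for key, vals in parse_reg(text).items():
        name, notes = key.rsplit("\\", 1)[-1], []
        if vals.get("AllowNetworkLocations") == 1:
            notes.append("network locations permitted")
        low = str(vals.get("Path", "")).lower()
        if low.startswith(("\\\\", "http://", "https://")):
            notes.append("network path")
        if any(d in low for d in DROP_DIRS):
            notes.append("user-writable drop folder")
        if notes and vals.get("AllowSubFolders") == 1:
            notes.append("subfolders inherit trust")
        if notes:
            findings[name] = notes
    return findings
```

Calling `audit_trusted_locations(SAMPLE_REG)` returns findings for the parent key, `Location1` and `Location2`, and nothing for the local template folder in `Location0`.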
In Figure A I showed you an example of an email message in which a message bar indicates that content had been blocked. The Trust Center's Message Bar section allows you to turn the message bar on or off.
The last section in the Trust Center is the Privacy Options section. This section simply allows you to control what types of information Microsoft Office sends back to Microsoft.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in April 2007