Let's Not Forget About Office

Although this chapter doesn't go into great depth about the settings you can adjust and change in Office 2003, you may want to review the detailed Group Policy settings that can be controlled. To control Office applications, you first need to make sure that the .adm file for Office is loaded in the Group Policy Management Console on the server. You can obtain this file from the following location, along with the files that are the best place to start when reviewing what you might want to control:

http://www.microsoft.com/downloads/details.aspx?FamilyID=BA8BC720-EDC2-479B-B115-5ABB70B3F490&displaylang=en

The key settings that a consultant should consider reviewing on an as-needed basis are the ones surrounding macros (see Table 10.4).

Table 10.4. Office 2003 Group Policy Settings Surrounding Security

| Examples of Security Settings in Office: |
|---|
| Disable VBA for Office applications |
| Automation Security |
| Word: Macro Security Level |
| Word: Trust all installed add-ins and templates |
| Word: Trust access to Visual Basic Project |
| Excel: Macro Security Level |
| Excel: Trust all installed add-ins and templates |
| Excel: Trust access to Visual Basic Project |
| Access: Macro Security Level |
| Access: Trust all installed add-ins and templates |
| PowerPoint: Macro Security Level |
| PowerPoint: Trust all installed add-ins and templates |
| PowerPoint: Trust access to Visual Basic Project |
| Publisher: Macro Security Level |
| Publisher: Trust all installed add-ins and templates |
| Outlook: Macro Security Level |

For Outlook 2003, the security settings surround email and attachments, as described in Table 10.5.

Table 10.5. Outlook 2003 Group Policy Settings Surrounding Security

| Examples of Security Settings in Outlook: |
|---|
| Prevent users from customizing attachment security settings |
| Allow access to email attachments |
| List of file extensions to allow: |
| Disallow access to email attachments |
| List of file extensions to disallow: |
| Outlook virus security settings |
| Apply individual settings for Outlook virus security |
| Configure Add-In Trust Level |
| Select Add-In Trust Level: |
| Security Zone for loaded Messages |
| Item Scripting |
| Scripting |
| Allow Active X One Off Forms |
| Disable Remember Password check box for Internet E-mail settings dialog |
| Prompt user to choose security settings if default settings fail |
| Check to prompt the user; uncheck to automatically select |
| Do not automatically sign replies |
| Disable automatic signing of signed messages on replies |
As part of your security review process, make sure that you choose an appropriate balance between control by the administrator and control by the end user. Some individuals in the firm can be trusted to properly control their systems, and some need to be better protected from the myriad of choices and tricks used to entice the end user into clicking and downloading.
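
One way to carry out that review for the macro settings in Table 10.4 is to report, for each application, whether the macro security level comes from policy or was left to the user. This is an added example, not code from the book. It assumes the Office 2003 values are stored as `Level` and `AccessVBOM` DWORDs under `HKCU:\Software\[Policies\]Microsoft\Office\11.0\<App>\Security`, and it treats anything below High as needing review; neither the registry locations nor that threshold is stated on this page.

```powershell
# Added example: audit Office 2003 macro security for the current user.
# Assumptions (not from the page): registry locations and value names below,
# Level values 1-4, and "High (3) or better, set by policy" as the review bar.
$apps   = 'Word', 'Excel', 'Access', 'PowerPoint', 'Publisher', 'Outlook'
$levels = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High'; 4 = 'Very High' }
$roots  = 'HKCU:\Software\Policies\Microsoft\Office\11.0',   # set by Group Policy
          'HKCU:\Software\Microsoft\Office\11.0'             # set by the user

function Get-SecurityValue {
    param([string]$App, [string]$Name)
    # Check the policy hive first: a policy value overrides the user's choice.
    foreach ($root in $roots) {
        $key = Join-Path $root "$App\Security"
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                Value  = $item.$Name
                Source = if ($root -like '*\Policies\*') { 'Policy' } else { 'User' }
            }
        }
    }
    return $null   # value not configured anywhere
}

$report = foreach ($app in $apps) {
    $level = Get-SecurityValue -App $app -Name 'Level'
    $vbom  = Get-SecurityValue -App $app -Name 'AccessVBOM'
    [pscustomobject]@{
        Application   = $app
        MacroLevel    = if ($level) { $levels[[int]$level.Value] } else { 'Not set' }
        LevelSource   = if ($level) { $level.Source } else { '-' }
        TrustVBAccess = if ($vbom)  { [bool]$vbom.Value } else { 'Not set' }
        # Review if unset, user-controlled, or weaker than High.
        NeedsReview   = (-not $level) -or
                        ($level.Source -ne 'Policy') -or
                        ($level.Value -lt 3)
    }
}

$report | Format-Table -AutoSize
```

Run it in the security context of the user being reviewed, because these are per-user settings.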