[unisog] Microsoft Office security level

Sippel, Jeremy chameleon at vt.edu
Thu Apr 29 13:27:36 GMT 2004


I had thought that Office came out of the box with a setting of high...
My memory might be a bit faded there.
I recall a new batch of PCs being deployed within our university and a
subsequent rash of calls that our 'central' documents containing macros
were 'broken'.
To address this I created this page from our forms download area:
http://www.controller.vt.edu/support/macro_woes.html

I personally would recommend a setting of medium.  Many users will just
click through the prompt to enable/disable macros but I've found it a
good enough speed bump to at least give those who are tempted by 'shiny
clicky' a second chance.  I think you'll find out how well forcing the
best security possible will work only after you roll this out and wait
for the screaming to occur.  Do you really see that many macro virus
infections to justify the possible pain you will impose on your
customers?  I can't recall the last macro virus that made it through our
mail and client AV engines...

Having said that, I _really_ like the trusted/signed source idea.  I
can't believe I didn't think of that.

Jeremy Sippel
Virginia Tech

>-----Original Message-----
>From: Jay Plett [mailto:jay at princeton.edu] 
>Sent: Wednesday, April 28, 2004 10:35 PM
>To: UNISOG List
>Subject: [unisog] Microsoft Office security level
>
>
>We would like to set the Microsoft Office applications' security level
>to high by domain policy for a few thousand staff and faculty desktops.
>But we must preserve these peoples' ability to get their work done. Many
>of them create Excel macros, create and maintain their own Access
>databases, etc. In some cases, this is for their personal use; in other
>cases, it's to share with a small workgroup or an entire department. In
>a few cases, applications are developed for university-wide
>administrative use. That last one seems relatively easy to deal with by
>purchasing a certificate from a recognized signing authority and letting
>it be somebody's job to sign the applications. But what to do about the
>much more frequent case of individuals doing daily work that would need
>signing? We are converging on the conclusion that high security level is
>little more than a PR gambit so Microsoft can say they've addressed a
>security problem, with no practical use.
>
>Has anybody dipped their toe into these waters and found a workable 
>solution?
>
>	Jay Plett
>	jay at princeton.edu 
>_______________________________________________
>unisog mailing list
>unisog at lists.sans.org http://www.dshield.org/mailman/listinfo/unisog
>
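As an added example (not part of either message above), a PowerShell audit of the macro security level each Office application is actually running with, distinguishing a value pinned by domain policy from one the user set themselves. It assumes Office 2003, whose registry version key is 11.0; the app list and the Policies path for the Group Policy override are assumptions based on that version.

```powershell
# Added example: report the effective Office 2003 macro security level per
# application and flag weak or unenforced settings.
# Assumptions: Office 2003 (version key 11.0); the policy override written by the
# Office ADM templates lives under Software\Policies with the same sub-path.
$OfficeVersion = '11.0'
$Apps = 'Word', 'Excel', 'PowerPoint', 'Access'
$Levels = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High'; 4 = 'Very High' }

function Get-MacroSecurityLevel {
    param([string]$App)
    # A Level value under the Policies hive comes from Group Policy and wins over
    # the per-user value that the application's own Macro Security dialog writes.
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    foreach ($entry in @(@{ Path = $policyPath; Source = 'policy' },
                         @{ Path = $userPath;   Source = 'user' })) {
        $item = Get-ItemProperty -Path $entry.Path -Name Level -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{
                App    = $App
                Level  = $Levels[[int]$item.Level]
                Source = $entry.Source
            }
        }
    }
    # No value in either place: the application uses its built-in default.
    [pscustomobject]@{ App = $App; Level = 'default (not set)'; Source = 'none' }
}

$report = $Apps | ForEach-Object { Get-MacroSecurityLevel -App $_ }
$report | Format-Table -AutoSize

# Low runs macros with no prompt at all; anything not set by policy can be
# lowered again by the user, so neither gives the "speed bump" discussed above.
$report | Where-Object { $_.Level -eq 'Low' } |
    ForEach-Object { Write-Warning "$($_.App): macros run without prompting ($($_.Source) setting)" }
$report | Where-Object { $_.Source -ne 'policy' } |
    ForEach-Object { Write-Warning "$($_.App): level is not enforced by domain policy" }
```

Run it under the user account being audited, since both keys live in HKEY_CURRENT_USER.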
