Office 14 Revealed: Part 2 – Security
In part 2 of my “Office 14 Revealed” series, I’m going to cover some of the security enhancements being developed for Office 14. With all of the document-based attacks that exist today, enterprises stand to lose quite a bit. Office 14, dubbed an “enterprise productivity suite with a layered set of defenses,” is being engineered with these types of attacks in mind.
Layer 1: DEP (Data Execution Prevention) Support – At the first layer, Office 14 adds support for DEP, a hardware-based security feature available in many modern computers that eliminates many classes of attack.
Layer 2: Automatic Document Validation – Office 14 introduces automatic validation of documents opened in Word, Excel and PowerPoint to detect any malicious tampering. When encountering content that could potentially present a security risk, this layer interacts with the user and allows them to make decisions based on what they feel is best.
Layer 3: Protected View – Office 14 provides the most protection in the riskiest of scenarios with the introduction of “Protected View” for email attachments and internet files. Protected View allows users to safely view any Word, Excel or PowerPoint file without the fear of malicious binaries infecting their system. Protected View integrates seamlessly with enhanced file-blocking controls, which enable administrators to reduce the potential desktop attack surface. This is achieved by eliminating support for legacy document formats while still allowing these files to be safely viewed.
Additional Security Measures:
Trusted Documents: The Trust Center, first introduced in Office 2007, set out to improve the decision making of end users when presented with macros, links or other types of content that may impact security. Building on it, Office 14 introduces the new “Trusted Documents” feature to further enhance the user experience by enabling users to eliminate security prompts for documents they have already trusted. This essentially allows administrators to maintain strong security practices for unknown documents without reducing user productivity via redundant prompts.
Cryptographic Agility: Building on the strong cryptographic support for the new Office file formats introduced in Office 2007, Office 14 offers native support for Cryptographic Agility by integrating with the CNG (Cryptography API: Next Generation) interfaces for Windows. This means enterprises and government agencies can now use any cryptographic provider they choose to meet national standards or corporate policy. Additionally, IT can now enforce policies in which passwords used on Office documents must conform to domain password complexity rules.
Long story short, security in Office 14 is being designed to keep users in a working mode where they are able to be more productive and secure by default.
Part 3, soon to follow…
-Stephen




