Time to lockup

DQW Bureau
New Update


Majority of user-created files are spreadsheets, word-processed documents,

and presenta-tions. Significant amount of storage, bandwidth and desktop

resources are required to manage these files. Server-side security management is

much easier than desktop document security. End users with varying degree of

sensitivity to security aspects create, manage and share docu-ments using file

shares, emails, removable storage, and other mediums. To make matters worse,

users need to share documents with people outside the protected intranet


Threats and Countermeasures

Threats to documents need to be tackled at various levels-business user

level measures, enterprise level measures, and trust management macro viruses.

Macro viruses are the most common type, affecting all desktop suites that

support macros. Malware protection software usually handles WM viruses quite

efficiently. However, Microsoft has gone a step further in strengthening the

security of Office documents. The new file formats of DOCX, PPTX and XLSX cannot

contain macros-whether useful or harmful. Converting all MS Office files to new

formats (using a batch conversion tool like OMPM) can instantly increase the

security level across the organization.

OpenOffice and other suites can save documents in MS Office format.

Therefore, they implicitly benefit from this protection.


Online productivity suites do not suffer from this drawback. However, they

are weaker in the confidentiality aspect of protection.

Online productivity suites typically store the document on hosted servers.

Many organizations are concerned with keeping confidential documents, research

and design documents, financial data, customer data and other types of sensitive

information in the cloud.


All desktop productivity suites offer digital signature based encryption.

However, the exact implementation of the digital signature differs widely. For

example, in the recently held Black Hat security conference, technical experts

expressed their views on OpenOffice security implementation by saying that 'OO3

plain documents are very powerful malware vectors' and that 'OO3 digital

signatures provide only an illusion of security'.

Beyond Digital Signatures

Traditionally, the most secure way of protecting against pilferage has been

physically printing and signing each document. Microsoft has implemented an

interesting mix of traditional signatures in combination with digital

signatures. This feature is not commonly known, but is very useful in practice.

To use the signature, you need a valid certificate. You can also add a

scanned version of your regular signature. Once the document is signed, it is

marked as 'final'. Now any changes to it will invalidate the digital signature

and show a warning.


Preventing Misuse

Confidential documents like research data, product designs, and sensitive

customer data require to be shared internally with key employees. We use

file-based passwords to prevent unwanted persons to view and misuse such

documents. However, what if one of these trusted personnel forwards a copy to

competitors or other interested parties?

Most desktop productivity suites do not have any protection against this

threat. Microsoft has been offering this feature for at least six years. The

feature is Information Rights Management (IRM). It uses a rights management

server to identify the intended users of a particular document.

IRM protected documents are usually read-only. Further, the users cannot

copy, print, forward or email such documents. Even print-screen key does not



Apart from confidential and sensitive documents, IRM also maintains

inter-departmental confiden-tiality of information.

Privacy Protection

This is one of the most ignored areas. Before you finalize, publish, or send

a document outside the organization, it is necessary to remove privacy related


This could mean removing many things, such as-document properties, user

names, track changes, slide notes, spreadsheet history, hidden objects or text,

comments, etc. It is a long list. Removing so many things from each document is

a lengthy process. Therefore, we skip it very often!


It is strongly recommend to remove unwanted and privacy related information

should be a mandatory part of security and compliance policy. Business users

must be educated about the importance of this procedure. It is an operational

risk that often remains unaddressed. Most productivity suites expect users to

remove such information manually.

Microsoft Office 2007 does offer an effective solution to this problem. Its

Document Inspector feature checks documents before sending / publishing them for

external consumption. It checks all problematic items and allows you to remove

them in a few clicks.

Enterprise Level

Many security settings are complex and require technical knowledge to handle

them correctly. Security hardening always leads to some user level

inconvenience. Hence, it is important to strike a balance between desired level

of security and ease-of-use. This activity becomes even more complex if you have

to configure settings differently, depending upon the role or job function of

the users. For example, in a bank, the top management laptop probably needs to

be most secure, whereas the PC used by a data entry operator needs a lower level

of hardening.


The only practical way of implementing such customization is to implement

policy-based security management. Group Policy based upon Active Directory is

the most powerful and flexible option available.

Desktop tools such as MS Office and OpenOffice (with third-party extensions

loaded) offer policy based administration of document security. Microsoft not

only provides over 1,400 settings to manage security hardening of all Office

products, but it also offers pre-defined templates for standard desktop

hardening and a highly secure edition suited for extremely sensitive companies

or government departments like defense.

OpenOffice provides some third-party templates, but the granularity with

which you can deploy these policies is limited. Microsoft provides extensive,

often updated guidance, for managing security of desktop documents across the


Security Best Practices

All this discussion is incomplete without handling the primary weak link-the

business user. Due to lack of knowledge and awareness about the prevailing

threats, common actions of business users can breach confidentiality, privacy

and security, quite easily and quite often as well.

Here is a practical list of what business users must know and do to improve

document security. This is definitely not a complete list. But it can be a good

start. Only Microsoft Office related best practices are listen because these

form more than 90 percent of all user created documents worldwide. Other suites

may have implemented some of these features. However, a detailed comparison is

out of scope of this article:

  • Always run Document Inspector before finalizing and publishing (or

    sending) any document. Always save documents in the new formats (DOCX, XLSX,

    PPTX). This is applicable even if you are using OpenOffice.
  • If one is going to copy some presentation on another PC, always use the

    'File-Prepare-Package for CD option. Apply strong document password and

    conduct a Document Inspector check.
  • For sensitive documents and emails, use digital signatures and signature

    line to prevent/detect tampering.


IT Action Points

Consider whether you need to increase the priority desktop document related

security, confidentiality and privacy protection in your current security

policy. Convert all documents to macro virus free format if possible Download

and read Office 2007 security guide. This will help you understand common

threats and countermeasures.

Consider how to utilize the policy based administration and security features

for desktop security hardening as well as productivity improvements.

Dr Nitin Paranjape

(The author is CEO, MaxOffice )

(Source: DQ)