Application Security Threats

Computer Policy Security Settings of Threats and Countermeasures

Technical White Paper – by George Coutsoumbidis

9/8/2011
Threats and Countermeasures

Computer Policy Setting Information

A description is provided for each setting, along with information about the applications to which it applies, the vulnerability the setting addresses, how the vulnerability is addressed, and any other considerations. A table is also included for each setting that shows the setting's location in Group Policy, the ADM file that contains the setting, the recommended configuration for EC and SSLF environments, and any associated Common Configuration Enumeration (CCE) identifiers.

Bind to object

Applies to: 2007 Office system

This setting determines whether Microsoft® Internet Explorer® performs its typical safety checks on Microsoft ActiveX® controls when opening URLs that are passed to it by a 2007 Office application.

Vulnerability

Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.

This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load.

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will apply the typical security checks to any ActiveX objects embedded in Web pages that are opened by the selected applications.

Table 2.1. Bind to object
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
ADM file: office12.adm
Recommended setting (EC): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
Recommended setting (SSLF): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
CCE IDs: CCE-1669, CCE-1691, CCE-1338, CCE-1717, CCE-1488, CCE-1638, CCE-1647, CCE-1294

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting can cause some disruptions for users who open Web pages that contain potentially dangerous ActiveX controls from 2007 Office applications. However, because any affected controls are usually blocked by default when Internet Explorer opens Web pages, most users should not experience significant usability issues.

Block popups

Applies to: 2007 Office system

This setting controls whether Internet Explorer blocks pop-up windows when opening URLs that are passed to it by a 2007 Office application.
Vulnerability

The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will apply its pop-up blocker functionality to any Web pages that are opened by the selected applications.

Table 2.2. Block popups
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
ADM file: office12.adm
Recommended setting (EC): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
Recommended setting (SSLF): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
CCE IDs: CCE-1152, CCE-1566, CCE-1077, CCE-1606, CCE-1738, CCE-1262, CCE-1663, CCE-1544

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting can cause some disruptions for users who open Web pages containing pop-up windows from 2007 Office applications. Pop-up windows can be beneficial and even necessary for some Web pages to function correctly. To see these pop-up windows, users will have to add the affected Web sites to the Allowed sites list in Internet Explorer's Pop-up Blocker Settings dialog box.

Disable Package Repair

Applies to: 2007 Office system

This setting controls whether 2007 Office users can choose to repair corrupted Office Open XML documents.

Vulnerability

By default, when a 2007 Office application detects that an Office Open XML document is corrupted, the user has the option to repair the corrupted document.

Countermeasure

If this setting is Enabled, 2007 Office applications do not attempt to repair corrupted Office Open XML documents. This setting can be used to guard against theoretical zero-day attacks that target the package repair feature and that potentially involve an attacker rewriting Office Open XML package files.
Table 2.3. Disable Package Repair
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings
ADM file: office12.adm
Recommended setting (EC): Not configured
Recommended setting (SSLF): Enabled
CCE ID: CCE-933

Impact

The recommended setting for the SSLF configuration is Enabled, which means that 2007 Office users will not be able to repair corrupted Office Open XML package files by themselves. Users who attempt to open corrupted files will require administrative assistance to access the file.

Disable user name and password

Applies to: 2007 Office system

This setting controls whether Internet Explorer opens URLs containing user information that are passed to it by a 2007 Office application.

Vulnerability

The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.

This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk.

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will block any URLs containing user authentication information opened by the designated applications.

Table 2.4. Disable user name and password
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
ADM file: office12.adm
Recommended setting (EC): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
Recommended setting (SSLF): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
CCE IDs: CCE-1563, CCE-1215, CCE-1484, CCE-1629, CCE-1762, CCE-1660, CCE-1057, CCE-1285

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting can cause some disruptions for users who open URLs containing user authentication information from 2007 Office applications. Because such URLs are blocked by default when Internet Explorer opens Web pages through conventional means, however, most users should not experience significant usability issues.

Disable VBA for Office applications

Applies to: 2007 Office system

This setting controls whether 2007 Office applications other than Microsoft Office Access™ 2007 can use Microsoft Visual Basic® for Applications (VBA).

Vulnerability

By default, most Office applications, including Microsoft Office Excel® 2007, Outlook® 2007, PowerPoint® 2007, and Word 2007, can execute Visual Basic for Applications (VBA) code that customizes and automates application operation. VBA could also be used by inexperienced or malicious developers to create dangerous code that can harm users' computers or compromise the confidentiality, integrity, or availability of data.

Countermeasure

If this setting is Enabled, the 2007 versions of Excel, Outlook, PowerPoint, Publisher, SharePoint® Designer, and Word cannot execute any VBA code. Enabling this setting does not install or remove any VBA-related code or files from users' computers. Note that this setting does not affect Access 2007.

Table 2.5. Disable VBA for Office applications
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings
ADM file: office12.adm
Recommended setting (EC): Not configured
Recommended setting (SSLF): Enabled
CCE ID: CCE-116

Impact

If this setting is Enabled, VBA code will not function in 2007 Office applications (except Access). If your organization has business-critical requirements for using documents with VBA code, you might not be able to enable this setting.

InfoPath APTCA Assembly allowable list

Applies to: InfoPath

This setting enables administrators to configure a list of assemblies in the Global Assembly Cache (GAC) that can be called by Microsoft Office InfoPath® 2007.

Vulnerability

The GAC contains shared assemblies that can be called from other applications. If an application is fully trusted, it can access any assembly in the GAC. If an application is partially trusted, it can only access assemblies in the GAC that have the AllowPartiallyTrustedCallersAttribute (APTCA) attribute set.

A malicious user could attempt to design an InfoPath 2007 form that would access an assembly with the APTCA attribute set but that is not intended for use by InfoPath forms.

To protect against this type of attack, an InfoPath form's business logic can call into assemblies in the Global Assembly Cache (GAC) only if two conditions are met:

- The assembly has the Allow Partially Trusted Callers Attribute (APTCA) set.
- The assembly is listed in the APTCA Assembly allowable list. By default, this list is empty.

Note: The default functionality can be changed by disabling the "InfoPath APTCA Assembly Allowable List Enforcement" Group Policy setting, which is the next setting described in this guide. However, Microsoft strongly recommends that you ensure that allowable list enforcement is enabled.

Countermeasure

If this setting is Enabled, administrators can add entries to the APTCA assembly allowable list. To add a new assembly to the allowable list, add a new String Value entry that corresponds to the APTCA key. The Value Name field should be the public key token for the assembly and the Value Data field should be 1 for InfoPath 2007 to allow loading the assembly. If the Value Data field is not 1, the assembly will fail to load.

Table 2.6. InfoPath APTCA Assembly allowable list
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007 (machine)\Security
ADM file: inf12.adm
Recommended setting (EC): Not configured
Recommended setting (SSLF): Not configured
CCE ID: CCE-1169

Impact

This setting does not change the default configuration and therefore should not have any effect on usability. If it is necessary for an InfoPath 2007 form to use assemblies in the GAC, you must ensure that those assemblies have the APTCA attribute set, and that they are added to the allowable list.

InfoPath APTCA Assembly Allowable List Enforcement

Applies to: InfoPath

This setting controls whether InfoPath 2007 can call into assemblies that are not on the APTCA Assembly Allowable List.

Vulnerability

By default, an InfoPath 2007 form's business logic can only call into Global Assembly Cache (GAC) assemblies that are listed in the APTCA Assembly Allowable List. If this configuration is changed, forms can call into any assembly in the GAC that has the Allow Partially Trusted Callers Attribute (APTCA) set. This configuration could allow malicious developers to access assemblies in the GAC that were not intended to be used by InfoPath forms.

Countermeasure

If this setting is Enabled, InfoPath 2007 forms cannot call into any assembly that is not on the APTCA Assembly Allowable List, and the setting overrides any configuration changes on the local computer.
Table 2.7. InfoPath APTCA Assembly Allowable List Enforcement
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007 (machine)\Security
ADM file: inf12.adm
Recommended setting (EC): Enabled
Recommended setting (SSLF): Enabled
CCE ID: CCE-1739

Impact

This setting enforces the default configuration and therefore should not have any effect on usability. If it is necessary for an InfoPath 2007 form to use assemblies in the GAC, you must ensure that those assemblies have the APTCA attribute set, and that they are listed in the allowable list.

Navigate URL

Applies to: 2007 Office system

This setting controls whether Internet Explorer attempts to load malformed URLs that are passed to it from 2007 Office applications.

Vulnerability

To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will block any malformed URLs that are passed to it by the selected applications.

Table 2.8. Navigate URL
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
ADM file: office12.adm
Recommended setting (EC): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
Recommended setting (SSLF): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
CCE IDs: CCE-1034, CCE-1435, CCE-1708, CCE-808, CCE-1650, CCE-1223, CCE-1764, CCE-1769

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.
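The spoofed and malformed URLs described under Disable user name and password and Navigate URL above, as a link-triage check added here (not code from the white paper or from Microsoft): it reports the host a link actually resolves to, the text a reader is likely to take for the host, and whether Internet Explorer's default behaviour would block the link. The sample links are constructed.

```python
"""Triage hyperlinks the way the two Internet Explorer settings above act on them:
flag URLs that carry user information (which can disguise the real host) and URLs
that are malformed. Added example, not part of the white paper; it uses only the
Python standard library, and the sample links below are constructed."""
from urllib.parse import urlsplit


def vet_url(url: str) -> dict:
    """Return the host a browser would actually connect to, the text a reader is
    likely to mistake for the host, and a verdict: 'allow', 'userinfo' or 'malformed'."""
    try:
        parts = urlsplit(url)          # raises ValueError on e.g. an unterminated IPv6 literal
        hostname = parts.hostname
        _ = parts.port                 # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return {"url": url, "actual_host": None, "looks_like": None, "verdict": "malformed"}
    if parts.scheme in ("http", "https") and not hostname:
        # e.g. "http://" or "http:///path" with no authority at all
        return {"url": url, "actual_host": None, "looks_like": None, "verdict": "malformed"}
    # Everything before the last '@' in the authority is user information. For
    # "http://www.wingtiptoys.com@example.com" the username is "www.wingtiptoys.com"
    # and the host is "example.com", which is exactly the spoof the paper describes.
    has_userinfo = parts.username is not None or parts.password is not None
    looks_like = parts.username if has_userinfo else hostname
    return {"url": url, "actual_host": hostname, "looks_like": looks_like,
            "verdict": "userinfo" if has_userinfo else "allow"}


def triage(urls):
    """Group a document's hyperlinks by verdict so the blocked ones can be reviewed."""
    groups = {"allow": [], "userinfo": [], "malformed": []}
    for url in urls:
        result = vet_url(url)
        groups[result["verdict"]].append(result)
    return groups


# Constructed sample links, as they might be extracted from an Office document.
SAMPLE_LINKS = [
    "http://www.wingtiptoys.com/",
    "http://www.wingtiptoys.com@example.com",   # the paper's spoofing example
    "https://user:secret@example.com/login",    # embedded credentials
    "http://[::1",                              # unterminated IPv6 literal
    "http://example.com:port",                  # non-numeric port
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_LINKS).items():
        for hit in hits:
            print(f"{verdict:9} {hit['url']}  "
                  f"(connects to {hit['actual_host']}, reads as {hit['looks_like']})")
```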
Impact

Enabling this setting does not block any legitimate URLs, and is therefore unlikely to cause usability issues for any 2007 Office users.

Saved from URL

Applies to: 2007 Office system

This setting controls whether Internet Explorer evaluates URLs passed to it by 2007 Office applications for Mark of the Web (MOTW) comments.

Vulnerability

Typically, when Internet Explorer loads a Web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.

Countermeasure

If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will evaluate any URLs that are passed to it by the selected applications for MOTW comments.

Table 2.9. Saved from URL
Group Policy location: Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
ADM file: office12.adm
Recommended setting (EC): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
Recommended setting (SSLF): Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
CCE IDs: CCE-1193, CCE-1352, CCE-928, CCE-1576, CCE-1100, CCE-1232, CCE-1774, CCE-906

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact

Enabling this setting can cause some Web pages saved on UNC shares to run in a more restrictive security zone when opened from 2007 Office applications than they would if the setting were disabled or not configured. However, a page with a MOTW indicating it was saved from an Internet site is presumed to have been designed to run in the Internet zone in the first place, so most users should not experience significant usability issues.

The following table contains the Group Policy settings that are obsolete in the 2007 Microsoft Office system.

Group Policy setting | Product
Allow in-place activation of embedded OLE objects | Outlook 2007
Allow the use of ActiveX Custom Controls in InfoPath forms | InfoPath 2007
Always use Rich Text formatting in S/MIME messages | Outlook 2007
Assume structured storage format of workbook is intact when recovering data | Excel 2007
Automatic Query Refresh | Excel 2007
Automatically download enclosures | Outlook 2007
Completely disable the Smart Documents feature in Word and Excel | 2007 Office system
Control behavior when opening forms in the Local Machine security zone | InfoPath 2007
Disable Password Caching | 2007 Office system
Display a warning that a form is digitally signed | InfoPath 2007
Display OLE package objects | Outlook 2007
Do not allow users to upgrade Information Rights Management configuration | 2007 Office system
Do not upload media files | 2007 Office system
Download Office Controls | 2007 Office system
Enable Cryptography Icons | Outlook 2007
Hide Spotlight entry point | 2007 Office system
Locally cache network file storages | Excel 2007
Locally cache PivotTable reports | Excel 2007
Microsoft Office Online | 2007 Office system
OLAP PivotTable connect warning | Excel 2007
OLAP PivotTable User Defined Function (UDF) security setting | Excel 2007
PivotTable External Data Source connect warning | Excel 2007
Prevent access to Web-based file storage | 2007 Office system
Prevent Word and Excel from loading managed code extensions | 2007 Office system
Refresh Alert Settings | Excel 2007
Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1 | InfoPath 2007
Send copy of pictures with HTML messages instead of reference to Internet location | Outlook 2007
Suppress High Security Macro alert for unsigned Macros | Excel 2007
Windows Internet Explorer Feature | 2007 Office system
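The Mark of the Web evaluation described under Saved from URL above, as an added example (not code from the white paper or Microsoft's implementation): it reads the MOTW comment of a page stored on a UNC share and reports the zone the page would run in with the setting enabled and with it disabled. The comment format `<!-- saved from url=(NNNN)URL -->` is Internet Explorer's documented one; the zone mapping is simplified to the two zones the paper mentions, and the sample pages are constructed.

```python
"""Decide which security zone a page on a UNC share runs in, based on its Mark of the
Web (MOTW) comment, as the "Saved from URL" setting makes Internet Explorer do.
Added example, not part of the white paper. Assumption: only the Local Intranet and
Internet zones from the paper are modelled; the sample pages are constructed."""
import re

# MOTW comment: "<!-- saved from url=(NNNN)URL -->", NNNN = four-digit length of URL.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


def parse_motw(html: str):
    """Return the URL recorded in the page's MOTW comment, or None if there is no
    well-formed mark. A mark whose length field does not match the URL is ignored:
    a tampered or truncated mark is not evidence of anything."""
    match = MOTW_RE.search(html)
    if match is None:
        return None
    length, url = int(match.group(1)), match.group(2)
    if length != len(url):
        return None
    return url


def zone_for_unc_page(unc_path: str, html: str, evaluate_motw: bool = True) -> str:
    """Pages loaded from a UNC share default to the Local Intranet zone. With the
    setting enabled (evaluate_motw=True) a page whose MOTW says it was saved from
    the Internet runs in the more restrictive Internet zone instead."""
    if not unc_path.startswith("\\\\"):
        raise ValueError("expected a UNC path such as \\\\server\\share\\page.htm")
    if not evaluate_motw:
        return "Local Intranet"        # setting disabled: the mark is never consulted
    origin = parse_motw(html)
    if origin is None:
        return "Local Intranet"
    lowered = origin.lower()
    if lowered == "about:internet" or lowered.startswith(("http://", "https://")):
        return "Internet"
    return "Local Intranet"


# Constructed sample pages; "http://www.wingtiptoys.com/" is 27 characters long.
PAGE_FROM_INTERNET = (
    "<!DOCTYPE html>\n"
    "<!-- saved from url=(0027)http://www.wingtiptoys.com/ -->\n"
    "<html><body>page saved from the Internet</body></html>\n"
)
PAGE_WITH_BAD_MARK = PAGE_FROM_INTERNET.replace("(0027)", "(0012)")   # length field wrong
PAGE_WITHOUT_MARK = "<!DOCTYPE html>\n<html><body>intranet page</body></html>\n"

if __name__ == "__main__":
    share = "\\\\fileserver\\docs\\page.htm"
    for name, page in [("internet", PAGE_FROM_INTERNET), ("bad mark", PAGE_WITH_BAD_MARK),
                       ("no mark", PAGE_WITHOUT_MARK)]:
        print(f"{name:9} enabled: {zone_for_unc_page(share, page)}, "
              f"disabled: {zone_for_unc_page(share, page, evaluate_motw=False)}")
```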