Application Security Threats
George Coutsoumbidis
Computer Policy Security Settings of Threats and Countermeasures
9/8/2011

Application Security Threats 2011
Threats and Countermeasures
Computer Policy Setting Information
A description is provided for each setting, along with information about the applications to which it
applies, the vulnerability the setting addresses, how the vulnerability is addressed, and any other
considerations. A table is also included for each setting that shows the setting's location in Group
Policy, the ADM file that contains the setting, the recommended configuration for EC and SSLF
environments, and any associated Common Configuration Enumeration (CCE) identifiers.


Bind to object
Applies to: 2007 Office system
This setting determines whether Microsoft® Internet Explorer® performs its typical safety checks
on Microsoft ActiveX® controls when opening URLs that are passed to it by a 2007 Office
application.



Vulnerability
Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will
not initialize a control if the kill bit for the control is set in the registry, or if the security settings
for the zone in which the control is located do not allow it to be initialized.
This functionality can be controlled separately for instances of Internet Explorer spawned by 2007
Office applications (for example, if a user clicks a link in an Office document or selects a menu
option that loads a Web page). A security risk could occur if potentially dangerous controls are
allowed to load.


Countermeasure
If this setting is Enabled, you can select check boxes for one or more 2007 Office applications
that display in a list. Internet Explorer will apply the typical security checks to any ActiveX objects
embedded in Web pages that are opened by the selected applications.

Table 2.1. Bind to object

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
   ADM file                     office12.adm
   Recommended setting (EC)     Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   Recommended setting (SSLF)   Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   CCE IDs                      CCE-1669, CCE-1691, CCE-1338, CCE-1717, CCE-1488, CCE-1638, CCE-1647, CCE-1294


For more information about the specific configurations these CCE IDs address, see the Security
Settings workbook in this Solution Accelerator.


Impact
Enabling this setting can cause some disruptions for users who open Web pages that contain
potentially dangerous ActiveX controls from 2007 Office applications. However, because any
affected controls are usually blocked by default when Internet Explorer opens Web pages, most
users should not experience significant usability issues.


Block popups
Applies to: 2007 Office system
This setting controls whether Internet Explorer blocks pop-up windows when opening URLs that
are passed to it by a 2007 Office application.




Technical White Paper – by George Coutsoumbidis                                                        Page 2

Vulnerability
The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and
pop-under windows from appearing. This functionality can be controlled separately for instances of
Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an
Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is
disabled, disruptive and potentially dangerous pop-up windows could load and present a security
risk.


Countermeasure
If this setting is Enabled, you can select check boxes for one or more 2007 Office applications
that display in a list. Internet Explorer will apply its pop-up blocker functionality to any Web pages
that are opened by the selected applications.

Table 2.2. Block popups

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
   ADM file                     office12.adm
   Recommended setting (EC)     Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   Recommended setting (SSLF)   Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   CCE IDs                      CCE-1152, CCE-1566, CCE-1077, CCE-1606, CCE-1738, CCE-1262, CCE-1663, CCE-1544


For more information about the specific configurations these CCE IDs address, see the Security
Settings workbook in this Solution Accelerator.


Impact
Enabling this setting can cause some disruptions for users who open Web pages containing pop-up
windows from 2007 Office applications. Pop-up windows can be beneficial and even necessary for
some Web pages to function correctly. To see these pop-up windows, users will have to add the
affected Web sites to the Allowed sites list in Internet Explorer's Pop-up Blocker Settings
dialog box.


Disable Package Repair
Applies to: 2007 Office system
This setting controls whether 2007 Office users can choose to repair corrupted Office Open XML
documents.


Vulnerability
By default, when a 2007 Office application detects that an Office Open XML document is corrupted,
the user has the option to repair the corrupted document.


Countermeasure
If this setting is Enabled, 2007 Office applications do not attempt to repair corrupted Office Open
XML documents. This setting can be used to guard against theoretical zero-day attacks that target
the package repair feature and that potentially involve an attacker rewriting Office Open XML
package files.





Table 2.3. Disable Package Repair

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings
   ADM file                     office12.adm
   Recommended setting (EC)     Not configured
   Recommended setting (SSLF)   Enabled
   CCE ID                       CCE-933



Impact
The recommended setting for the SSLF configuration is Enabled, which means that 2007 Office
users will not be able to repair corrupted Office Open XML package files by themselves. Users who
attempt to open corrupted files will require administrative assistance to access the file.


Disable user name and password
Applies to: 2007 Office system
This setting controls whether Internet Explorer opens URLs containing user information that are
passed to it by a 2007 Office application.


Vulnerability
The Uniform Resource Locator (URL) standard allows user authentication to be included in URL
strings in the form http://username:password@example.com. A malicious user might use this URL
syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a
deceptive (spoofed) Web site. For example, the URL http://www.wingtiptoys.com@example.com
appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect
users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
This functionality can be controlled separately for instances of Internet Explorer spawned by 2007
Office applications (for example, if a user clicks a link in an Office document or selects a menu
option that loads a Web page). If user names and passwords in URLs are allowed, users could be
diverted to dangerous Web pages, which could pose a security risk.
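The spoofing pattern described above can be checked mechanically, for instance in a link-scanning step of a mail or document gateway. The following Python script is an added example and is not part of the original white paper or of Internet Explorer's code: it splits each hyperlink with the standard library's urlsplit, reports the site name a reader is led to expect against the host that would actually be opened, and flags any URL whose authority carries userinfo, which is the syntax the text says Internet Explorer blocks. The sample links are constructed; the wingtiptoys.com and example.com names are taken from the text.

```python
from urllib.parse import urlsplit

# Constructed sample hyperlinks (not from the original document). The second one is the
# spoofing pattern the text describes: the text before '@' is userinfo, not the host.
SAMPLE_LINKS = [
    "http://www.wingtiptoys.com/",
    "http://www.wingtiptoys.com@example.com",
    "http://username:password@example.com",
    "https://example.com/login?next=http://www.wingtiptoys.com",
]


def has_userinfo(url: str) -> bool:
    """True when the URL's authority carries a 'user[:password]@' part.

    This is the syntax Internet Explorer refuses to open. The check is on the
    authority (netloc) only, so an '@' in the path or query does not count."""
    return "@" in urlsplit(url).netloc


def inspect_url(url: str) -> dict:
    """Describe what a reader is led to expect versus where the link really goes."""
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    return {
        "url": url,
        "blocked": at == "@",
        # For a deceptive link this is the fake 'site name' shown before the '@';
        # a password, if present, sits after the first ':' and is not shown.
        "looks_like": userinfo.split(":", 1)[0] if at else parts.hostname,
        # hostname is taken from the text after the last '@', i.e. the real target.
        "actually_opens": parts.hostname,
    }


def scan_links(urls):
    """Return the inspection records for every link that would be blocked."""
    return [rec for rec in map(inspect_url, urls) if rec["blocked"]]


if __name__ == "__main__":
    for rec in map(inspect_url, SAMPLE_LINKS):
        verdict = "BLOCK" if rec["blocked"] else "allow"
        print(f"{verdict:5}  looks like {rec['looks_like']!r:24} "
              f"opens {rec['actually_opens']!r:16} {rec['url']}")
```

The last sample link shows why the check is on the authority only: a URL that merely mentions another site in its query string is not deceptive in this sense and should not be blocked.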


Countermeasure
If this setting is Enabled, you can select check boxes for one or more 2007 Office applications
that display in a list. Internet Explorer will block any URLs containing user authentication
information opened by the designated applications.

Table 2.4. Disable user name and password

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
   ADM file                     office12.adm
   Recommended setting (EC)     Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   Recommended setting (SSLF)   Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   CCE IDs                      CCE-1563, CCE-1215, CCE-1484, CCE-1629, CCE-1762, CCE-1660, CCE-1057, CCE-1285


For more information about the specific configurations these CCE IDs address, see the Security
Settings workbook in this Solution Accelerator.


Impact
Enabling this setting can cause some disruptions for users who open URLs containing user
authentication information from 2007 Office applications. Because such URLs are blocked by
default when Internet Explorer opens Web pages through conventional means, however, most
users should not experience significant usability issues.


Disable VBA for Office applications
Applies to: 2007 Office system
This setting controls whether 2007 Office applications other than Microsoft Office Access™ 2007
can use Microsoft Visual Basic® for Applications (VBA).


Vulnerability
By default, most Office applications, including Microsoft Office Excel® 2007, Outlook® 2007,
PowerPoint® 2007, and Word 2007, can execute Visual Basic for Applications (VBA) code that
customizes and automates application operation. VBA could also be used by inexperienced or
malicious developers to create dangerous code that can harm users' computers or compromise the
confidentiality, integrity, or availability of data.


Countermeasure
If this setting is Enabled, the 2007 versions of Excel, Outlook, PowerPoint, Publisher, SharePoint®
Designer, and Word cannot execute any VBA code. Enabling this setting does not install or remove
any VBA–related code or files from users' computers.

   Note: This setting does not affect Access 2007.

Table 2.5. Disable VBA for Office applications

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings
   ADM file                     office12.adm
   Recommended setting (EC)     Not configured
   Recommended setting (SSLF)   Enabled
   CCE ID                       CCE-116



Impact
If this setting is Enabled, VBA code will not function in 2007 Office applications (except Access). If
your organization has business-critical requirements for using documents with VBA code, you
might not be able to enable this setting.


InfoPath APTCA Assembly allowable list
Applies to: InfoPath
This setting enables administrators to configure a list of assemblies in the Global Assembly Cache
(GAC) that can be called by Microsoft Office InfoPath® 2007.


Vulnerability
The GAC contains shared assemblies that can be called from other applications. If an application is
fully trusted, it can access any assembly in the GAC. If an application is partially trusted, it can
only access assemblies in the GAC that have the AllowPartiallyTrustedCallersAttribute (APTCA)
attribute set.
A malicious user could attempt to design an InfoPath 2007 form that would access an assembly
with the APTCA attribute set but that is not intended for use by InfoPath forms.
To protect against this type of attack, an InfoPath form's business logic can call into assemblies in
the Global Assembly Cache (GAC) only if two conditions are met:

   • The assembly has the AllowPartiallyTrustedCallersAttribute (APTCA) set.
   • The assembly is listed in the APTCA Assembly allowable list. By default, this list is empty.

   Note: The default functionality can be changed by disabling the "InfoPath APTCA
   Assembly Allowable List Enforcement" Group Policy setting, which is the next
   setting described in this guide. However, Microsoft strongly recommends that you
   ensure that allowable list enforcement is enabled.


Countermeasure
If this setting is Enabled, administrators can add entries to the APTCA assembly allowable list. To
add a new assembly to the allowable list, add a new String Value entry that corresponds to the
APTCA key. The Value Name field should be the public key token for the assembly and the Value
Data field should be 1 for InfoPath 2007 to allow loading the assembly. If the Value Data field is
not 1, the assembly will fail to load.

Table 2.6. InfoPath APTCA Assembly allowable list

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007 (machine)\Security
   ADM file                     inf12.adm
   Recommended setting (EC)     Not configured
   Recommended setting (SSLF)   Not configured
   CCE ID                       CCE-1169



Impact
This setting does not change the default configuration and therefore should not have any effect on
usability. If it is necessary for an InfoPath 2007 form to use assemblies in the GAC, you must
ensure that those assemblies have the APTCA attribute set, and that they are added to the
allowable list.


InfoPath APTCA Assembly Allowable List Enforcement
Applies to: InfoPath
This setting controls whether InfoPath 2007 can call into assemblies that are not on the APTCA
Assembly Allowable List.


Vulnerability
By default, an InfoPath 2007 form's business logic can only call into Global Assembly Cache (GAC)
assemblies that are listed in the APTCA Assembly Allowable List. If this configuration is changed,
forms can call into any assembly in the GAC that has the AllowPartiallyTrustedCallersAttribute
(APTCA) set. This configuration could allow malicious developers to access assemblies in the GAC
that were not intended to be used by InfoPath forms.


Countermeasure
If this setting is Enabled, InfoPath 2007 forms cannot call into any assembly that is not on the
APTCA Assembly Allowable List, and the setting overrides any configuration changes made on the
local computer.





Table 2.7. InfoPath APTCA Assembly Allowable List Enforcement

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007 (machine)\Security
   ADM file                     inf12.adm
   Recommended setting (EC)     Enabled
   Recommended setting (SSLF)   Enabled
   CCE ID                       CCE-1739



Impact
This setting enforces the default configuration and therefore should not have any effect on
usability. If it is necessary for an InfoPath 2007 form to use assemblies in the GAC, you must
ensure that those assemblies have the APTCA attribute set, and that they are listed in the
allowable list.


Navigate URL
Applies to: 2007 Office system
This setting controls whether Internet Explorer attempts to load malformed URLs that are passed
to it from 2007 Office applications.



Vulnerability
To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs.
This functionality can be controlled separately for instances of Internet Explorer spawned by 2007
Office applications (for example, if a user clicks a link in an Office document or selects a menu
option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security
risk could occur in some cases.


Countermeasure
If this setting is Enabled, you can select check boxes for one or more 2007 Office applications
that display in a list. Internet Explorer will block any malformed URLs that are passed to it by the
selected applications.

Table 2.8. Navigate URL

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
   ADM file                     office12.adm
   Recommended setting (EC)     Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   Recommended setting (SSLF)   Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   CCE IDs                      CCE-1034, CCE-1435, CCE-1708, CCE-808, CCE-1650, CCE-1223, CCE-1764, CCE-1769


For more information about the specific configurations these CCE IDs address, see the Security
Settings workbook in this Solution Accelerator.





Impact
Enabling this setting does not block any legitimate URLs, and is therefore unlikely to cause
usability issues for any 2007 Office users.


Saved from URL
Applies to: 2007 Office system
This setting controls whether Internet Explorer evaluates URLs passed to it by 2007 Office
applications for Mark of the Web (MOTW) comments.



Vulnerability
Typically, when Internet Explorer loads a Web page from a UNC share that contains a Mark of the
Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet
Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet
security zone. This functionality can be controlled separately for instances of Internet Explorer
spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or
selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for
a MOTW, potentially dangerous code could be allowed to run.


Countermeasure
If this setting is Enabled, you can select check boxes for one or more 2007 Office applications
that display in a list. Internet Explorer will evaluate any URLs that are passed to it by the selected
applications for MOTW comments.
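The Mark of the Web that this setting asks Internet Explorer to evaluate is an HTML comment of the form "saved from url=(NNNN)URL", where NNNN is the four-digit character count of the URL that follows. The Python script below is an added example, not part of the original white paper or of Internet Explorer: it extracts that comment from a saved page, checks that the declared length matches the URL, and applies the zone decision the text describes (a marked page runs in the Internet zone, an unmarked page keeps the share's less restrictive default). The sample pages are constructed; the wingtiptoys.com name is taken from the text, and the fail-closed handling of a malformed mark is this example's own design choice, not documented Internet Explorer behaviour.

```python
import re

# MOTW comment as Internet Explorer writes it when a page is saved from the Internet:
#   <!-- saved from url=(0027)http://www.wingtiptoys.com/ -->
# The four-digit number in parentheses is the character count of the URL that follows.
# A page may also carry the generic form  <!-- saved from url=(0014)about:internet -->.
_MOTW_RE = re.compile(
    r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->", re.IGNORECASE | re.DOTALL
)

# Constructed sample pages standing in for files on a UNC share (not from the original document).
SAMPLE_INTERNET_PAGE = (
    "<!-- saved from url=(0027)http://www.wingtiptoys.com/ -->\n"
    "<html><body><script>/* page content */</script></body></html>\n"
)
SAMPLE_PLAIN_PAGE = "<html><body>internal report, no mark</body></html>\n"
# Declared length (10) does not match the 27-character URL: a malformed mark.
SAMPLE_BAD_LENGTH_PAGE = (
    "<!-- saved from url=(0010)http://www.wingtiptoys.com/ --><html></html>\n"
)


def parse_motw(html: str):
    """Return the MOTW comment's fields, or None when the page carries no mark."""
    m = _MOTW_RE.search(html)
    if m is None:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return {"url": url, "declared_length": declared, "length_ok": declared == len(url)}


def zone_for(html: str, default_zone: str = "Local Intranet") -> str:
    """Zone a page loaded from a UNC share should run in.

    Simplified model of the behaviour the text describes: a page marked as saved
    from the Internet runs in the Internet zone; an unmarked page keeps the share's
    default zone. Design choice of this example (not documented IE behaviour): a
    mark whose declared length does not match the URL is still honoured, so the
    decision fails closed rather than silently granting the intranet zone."""
    return "Internet" if parse_motw(html) is not None else default_zone


if __name__ == "__main__":
    samples = [
        ("internet", SAMPLE_INTERNET_PAGE),
        ("plain", SAMPLE_PLAIN_PAGE),
        ("bad length", SAMPLE_BAD_LENGTH_PAGE),
    ]
    for name, page in samples:
        print(f"{name:10} -> {zone_for(page):14} {parse_motw(page)}")
```

The length check matters for triage rather than for the zone decision: a mark whose count disagrees with its URL has been hand-edited or corrupted, which is worth surfacing when reviewing what sits on a share, while the zone assignment stays conservative either way.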

Table 2.9. Saved from URL

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
   ADM file                     office12.adm
   Recommended setting (EC)     Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   Recommended setting (SSLF)   Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   CCE IDs                      CCE-1193, CCE-1352, CCE-928, CCE-1576, CCE-1100, CCE-1232, CCE-1774, CCE-906


For more information about the specific configurations these CCE IDs address, see the Security
Settings workbook in this Solution Accelerator.


Impact
Enabling this setting can cause some Web pages saved on UNC shares to run in a more restrictive
security zone when opened from 2007 Office applications than they would if the setting were
disabled or not configured. However, a page with a MOTW indicating it was saved from an Internet
site is presumed to have been designed to run in the Internet zone in the first place, so most users
should not experience significant usability issues.

The following table contains the Group Policy settings that are obsolete in the 2007 Microsoft
Office system.

   Group Policy setting                                                                   Product
   Allow in-place activation of embedded OLE objects                                      Outlook 2007
   Allow the use of ActiveX Custom Controls in InfoPath forms                             InfoPath 2007
   Always use Rich Text formatting in S/MIME messages                                     Outlook 2007
   Assume structured storage format of workbook is intact when recovering data            Excel 2007
   Automatic Query Refresh                                                                Excel 2007
   Automatically download enclosures                                                      Outlook 2007
   Completely disable the Smart Documents feature in Word and Excel                       2007 Office system
   Control behavior when opening forms in the Local Machine security zone                 InfoPath 2007
   Disable Password Caching                                                               2007 Office system
   Display a warning that a form is digitally signed                                      InfoPath 2007
   Display OLE package objects                                                            Outlook 2007
   Do not allow users to upgrade Information Rights Management configuration              2007 Office system
   Do not upload media files                                                              2007 Office system
   Download Office Controls                                                               2007 Office system
   Enable Cryptography Icons                                                              Outlook 2007
   Hide Spotlight entry point                                                             2007 Office system
   Locally cache network file storages                                                    Excel 2007
   Locally cache PivotTable reports                                                       Excel 2007
   Microsoft Office Online                                                                2007 Office system
   OLAP PivotTable connect warning                                                        Excel 2007
   OLAP PivotTable User Defined Function (UDF) security setting                           Excel 2007
   PivotTable External Data Source connect warning                                        Excel 2007
   Prevent access to Web-based file storage                                               2007 Office system
   Prevent Word and Excel from loading managed code extensions                            2007 Office system
   Refresh Alert Settings                                                                 Excel 2007
   Run forms in restricted mode if they do not specify a publish location and use only
   features introduced before InfoPath 2003 SP1                                           InfoPath 2007
   Send copy of pictures with HTML messages instead of reference to Internet location     Outlook 2007
   Suppress High Security Macro alert for unsigned Macros                                 Excel 2007
   Windows Internet Explorer Feature                                                      2007 Office system




Technical White Paper – by George Coutsoumbidis                          Page 10

Threats and Countermeasures

  • 1.
    Application Security Threats George Coutsoumbidis Computer Policy Security Settings 9/8/2011 of Threats and Countermeasures
  • 2.
    Application Security Threats2011 Threats and Countermeasures Computer Policy Setting Information A description is provided for each setting, along with information about the applications to which it applies, the vulnerability the setting addresses, how the vulnerability is addressed, and any other considerations. A table is also included for each setting that shows the setting's location in Group Policy, the ADM file that contains the setting, the recommended configuration for EC and SSLF environments, and any associated Common Configuration Enumeration (CCE) identifiers. Bind to object Applies to: 2007 Office system This setting determines whether Microsoft® Internet Explorer® performs its typical safety checks on Microsoft ActiveX® controls when opening URLs that are passed to it by a 2007 Office application. Vulnerability Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load. Countermeasure If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will apply the typical security checks to any ActiveX objects embedded in Web pages that are opened by the selected applications. Table 2.1. 
Bind to object Group Policy Computer ConfigurationAdministrative TemplatesClassic location Administrative Templates (ADM)Microsoft Office 2007 system (Machine)Security SettingsIE Security ADM file office12.adm Recommended Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, setting (EC) outlook.exe, spDesign.exe, msaccess.exe) Recommended Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, setting (SSLF) outlook.exe, spDesign.exe, msaccess.exe) CCE IDs CCE-1669, CCE-1691, CCE-1338, CCE-1717, CCE-1488, CCE-1638, CCE-1647, CCE-1294 For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator. Impact Enabling this setting can cause some disruptions for users who open Web pages that contain potentially dangerous ActiveX controls from 2007 Office applications. However, because any affected controls are usually blocked by default when Internet Explorer opens Web pages, most users should not experience significant usability issues. Block popups Applies to: 2007 Office system This setting controls whether Internet Explorer blocks pop-up windows when opening URLs that are passed to it by a 2007 Office application. Technical White Paper – by George Coutsoumbidis Page 2
  • 3.
    Application Security Threats2011 Vulnerability The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk. Countermeasure If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will apply its pop-up blocker functionality to any Web pages that are opened by the selected applications. Table 2.2. Block popups Group Policy Computer ConfigurationAdministrative TemplatesClassic location Administrative Templates (ADM)Microsoft Office 2007 system (Machine)Security SettingsIE Security ADM file office12.adm Recommended Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, setting (EC) outlook.exe, spDesign.exe, msaccess.exe) Recommended Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, setting (SSLF) outlook.exe, spDesign.exe, msaccess.exe) CCE IDs CCE-1152, CCE-1566, CCE-1077, CCE-1606, CCE-1738, CCE-1262, CCE-1663, CCE-1544 For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator. Impact Enabling this setting can cause some disruptions for users who open Web pages containing pop-up windows from 2007 Office applications. Pop-up windows can be beneficial and even necessary for some Web pages to function correctly. To see these pop-up windows, users will have to add the affected Web sites to the Allowed sites list in Internet Explorer's Pop-up Blocker Settings dialog box. 
Disable Package Repair Applies to: 2007 Office system This setting controls whether 2007 Office users can choose to repair corrupted Office Open XMP documents. Vulnerability By default, when a 2007 Office application detects that an Office Open XML document is corrupted, the user has the option to repair the corrupted document. Countermeasure If this setting is Enabled, 2007 Office applications do not attempt to repair corrupted Office Open XML documents. This setting can be used to guard against theoretical zero-day attacks that target the package repair feature and that potentially involve an attacker rewriting Office Open XML package files. Technical White Paper – by George Coutsoumbidis Page 3
  • 4.
Table 2.3. Disable Package Repair

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings
   ADM file                     office12.adm
   Recommended setting (EC)     Not configured
   Recommended setting (SSLF)   Enabled
   CCE ID                       CCE-933

Impact
The recommended setting for the SSLF configuration is Enabled, which means that 2007 Office users will not be able to repair corrupted Office Open XML package files by themselves. Users who attempt to open corrupted files will require administrative assistance to access the file.


Disable user name and password
Applies to: 2007 Office system
This setting controls whether Internet Explorer opens URLs containing user information that are passed to it by a 2007 Office application.

Vulnerability
The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk.

Countermeasure
If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will block any URLs containing user authentication information opened by the designated applications.

Table 2.4. Disable user name and password

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
   ADM file                     Office12.adm
   Recommended setting (EC)     Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   Recommended setting (SSLF)   Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   CCE IDs                      CCE-1563, CCE-1215, CCE-1484, CCE-1629, CCE-1762, CCE-1660, CCE-1057, CCE-1285

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.

Impact
Enabling this setting can cause some disruptions for users who open URLs containing user authentication information from 2007 Office applications. Because such URLs are blocked by default when Internet Explorer opens Web pages through conventional means, however, most users should not experience significant usability issues.


Disable VBA for Office applications
Applies to: 2007 Office system
This setting controls whether 2007 Office applications other than Microsoft Office Access™ 2007 can use Microsoft Visual Basic® for Applications (VBA).

Vulnerability
By default, most Office applications, including Microsoft Office Excel® 2007, Outlook® 2007, PowerPoint® 2007, and Word 2007, can execute Visual Basic for Applications (VBA) code that customizes and automates application operation. VBA could also be used by inexperienced or malicious developers to create dangerous code that can harm users' computers or compromise the confidentiality, integrity, or availability of data.

Countermeasure
If this setting is Enabled, the 2007 versions of Excel, Outlook, PowerPoint, Publisher, SharePoint® Designer, and Word cannot execute any VBA code. Enabling this setting does not install or remove any VBA-related code or files from users' computers. Note that this setting does not affect Access 2007.

Table 2.5. Disable VBA for Office applications

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings
   ADM file                     office12.adm
   Recommended setting (EC)     Not configured
   Recommended setting (SSLF)   Enabled
   CCE ID                       CCE-116

Impact
If this setting is Enabled, VBA code will not function in 2007 Office applications (except Access). If your organization has business-critical requirements for using documents with VBA code, you might not be able to enable this setting.
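The userinfo check behind the "Disable user name and password" setting described above, as an added Python example (not the white paper's or Microsoft's code): it shows why http://www.wingtiptoys.com@example.com reaches example.com, and models the block decision on the authority component only. The sample links are constructed, modelled on the example in the text.

```python
"""Added example (not the white paper's code): the userinfo check behind the
"Disable user name and password" setting, applied to links passed from Office
to Internet Explorer. Sample links are constructed for the demonstration."""
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Host the browser would actually connect to (userinfo removed)."""
    return (urlsplit(url).hostname or "").lower()


def apparent_host(url: str) -> str:
    """Text shown before the '@' in the authority, which a reader may take
    for the site name (www.wingtiptoys.com in the example from the text)."""
    userinfo, at, _ = urlsplit(url).netloc.rpartition("@")
    return userinfo.lower() if at else effective_host(url)


def should_block(url: str) -> bool:
    """Policy decision: reject any URL whose authority carries userinfo.
    Only the authority is inspected; an '@' in the path or query string is
    not credential syntax and the link is allowed through."""
    return "@" in urlsplit(url).netloc


def triage(urls):
    """Sort links into blocked (with the apparent/real host pair) and allowed."""
    blocked, allowed = [], []
    for url in urls:
        if should_block(url):
            blocked.append((url, apparent_host(url), effective_host(url)))
        else:
            allowed.append(url)
    return blocked, allowed


# Constructed sample links, modelled on the example in the text
SAMPLE_LINKS = [
    "http://www.wingtiptoys.com@example.com",
    "http://username:password@example.com:8080/login",
    "http://www.wingtiptoys.com/",
    "http://example.com/contact?reply=user@example.com",
]

if __name__ == "__main__":
    blocked, allowed = triage(SAMPLE_LINKS)
    for url, seen, real in blocked:
        print(f"BLOCK {url}: looks like {seen}, connects to {real}")
    for url in allowed:
        print(f"ALLOW {url}")
```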
InfoPath APTCA Assembly allowable list
Applies to: InfoPath
This setting enables administrators to configure a list of assemblies in the Global Assembly Cache (GAC) that can be called by Microsoft Office InfoPath® 2007.

Vulnerability
The GAC contains shared assemblies that can be called from other applications. If an application is fully trusted, it can access any assembly in the GAC. If an application is partially trusted, it can only access assemblies in the GAC that have the AllowPartiallyTrustedCallersAttribute (APTCA) attribute set. A malicious user could attempt to design an InfoPath 2007 form that would access an assembly with the APTCA attribute set but that is not intended for use by InfoPath forms. To protect against this type of attack, an InfoPath form's business logic can call into assemblies in the Global Assembly Cache (GAC) only if two conditions are met:
   • The assembly has the AllowPartiallyTrustedCallersAttribute (APTCA) set.
   • The assembly is listed in the APTCA Assembly allowable list. By default, this list is empty.

Note: The default functionality can be changed by disabling the "InfoPath APTCA Assembly Allowable List Enforcement" Group Policy setting, which is the next setting described in this guide. However, Microsoft strongly recommends that you ensure that allowable list enforcement is enabled.

Countermeasure
If this setting is Enabled, administrators can add entries to the APTCA assembly allowable list. To add a new assembly to the allowable list, add a new String Value entry that corresponds to the APTCA key. The Value Name field should be the public key token for the assembly and the Value Data field should be 1 for InfoPath 2007 to allow loading the assembly. If the Value Data field is not 1, the assembly will fail to load.

Table 2.6. InfoPath APTCA Assembly allowable list

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007 (machine)\Security
   ADM file                     inf12.adm
   Recommended setting (EC)     Not configured
   Recommended setting (SSLF)   Not configured
   CCE ID                       CCE-1169

Impact
This setting does not change the default configuration and therefore should not have any effect on usability. If it is necessary for an InfoPath 2007 form to use assemblies in the GAC, you must ensure that those assemblies have the APTCA attribute set, and that they are added to the allowable list.


InfoPath APTCA Assembly Allowable List Enforcement
Applies to: InfoPath
This setting controls whether InfoPath 2007 can call into assemblies that are not on the APTCA Assembly Allowable List.

Vulnerability
By default, an InfoPath 2007 form's business logic can only call into Global Assembly Cache (GAC) assemblies that are listed in the APTCA Assembly Allowable List. If this configuration is changed, forms can call into any assembly in the GAC that has the AllowPartiallyTrustedCallersAttribute (APTCA) set. This configuration could allow malicious developers to access assemblies in the GAC that were not intended to be used by InfoPath forms.

Countermeasure
If this setting is Enabled, InfoPath 2007 forms cannot call into any assembly that is not on the APTCA Assembly Allowable List, and the setting overrides any configuration changes on the local computer.
Table 2.7. InfoPath APTCA Assembly Allowable List Enforcement

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office InfoPath 2007 (machine)\Security
   ADM file                     inf12.adm
   Recommended setting (EC)     Enabled
   Recommended setting (SSLF)   Enabled
   CCE ID                       CCE-1739

Impact
This setting enforces the default configuration and therefore should not have any effect on usability. If it is necessary for an InfoPath 2007 form to use assemblies in the GAC, you must ensure that those assemblies have the APTCA attribute set, and that they are listed in the allowable list.


Navigate URL
Applies to: 2007 Office system
This setting controls whether Internet Explorer attempts to load malformed URLs that are passed to it from 2007 Office applications.

Vulnerability
To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.

Countermeasure
If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will block any malformed URLs that are passed to it by the selected applications.

Table 2.8. Navigate URL

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
   ADM file                     office12.adm
   Recommended setting (EC)     Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   Recommended setting (SSLF)   Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   CCE IDs                      CCE-1034, CCE-1435, CCE-1708, CCE-808, CCE-1650, CCE-1223, CCE-1764, CCE-1769

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.
Impact
Enabling this setting does not block any legitimate URLs, and is therefore unlikely to cause usability issues for any 2007 Office users.


Saved from URL
Applies to: 2007 Office system
This setting controls whether Internet Explorer evaluates URLs passed to it by 2007 Office applications for Mark of the Web (MOTW) comments.

Vulnerability
Typically, when Internet Explorer loads a Web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.

Countermeasure
If this setting is Enabled, you can select check boxes for one or more 2007 Office applications that display in a list. Internet Explorer will evaluate any URLs that are passed to it by the selected applications for MOTW comments.

Table 2.9. Saved from URL

   Group Policy location        Computer Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office 2007 system (Machine)\Security Settings\IE Security
   ADM file                     office12.adm
   Recommended setting (EC)     Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   Recommended setting (SSLF)   Enabled (excel.exe, powerpnt.exe, pptview.exe, winword.exe, outlook.exe, spDesign.exe, msaccess.exe)
   CCE IDs                      CCE-1193, CCE-1352, CCE-928, CCE-1576, CCE-1100, CCE-1232, CCE-1774, CCE-906

For more information about the specific configurations these CCE IDs address, see the Security Settings workbook in this Solution Accelerator.
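The zone decision described under Vulnerability for the Saved from URL setting (a page on a UNC share that carries a MOTW), as an added Python example rather than anything from the white paper: the MOTW comment format <!-- saved from url=(NNNN)URL --> is the standard Internet Explorer form and is not quoted from the text, the zone mapping is a deliberately simplified model, and the sample page and share path are constructed.

```python
"""Added example (not the white paper's code): Mark of the Web (MOTW)
evaluation for a page on a UNC share, as the "Saved from URL" setting
requires. MOTW comment format is IE's standard form; zone model simplified."""
import re
from urllib.parse import urlsplit

LOCAL_MACHINE, LOCAL_INTRANET, INTERNET = "Local Machine", "Local Intranet", "Internet"
RESTRICTIVENESS = {LOCAL_MACHINE: 0, LOCAL_INTRANET: 1, INTERNET: 2}
# <!-- saved from url=(NNNN)URL -->  where NNNN is the zero-padded URL length
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(.*?)\s*-->", re.IGNORECASE)


def parse_motw(html: str):
    """Saved-from URL of a well-formed MOTW, or None when the mark is absent
    or its declared length disagrees with the URL (malformed marks are ignored)."""
    m = MOTW_RE.search(html)
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2)


def zone_of_url(url: str) -> str:
    """Simplified zone mapping: about:internet and dotted hosts are Internet,
    dotless names are Local Intranet."""
    if url.lower() == "about:internet":
        return INTERNET
    return INTERNET if "." in (urlsplit(url).hostname or "") else LOCAL_INTRANET


def effective_zone(location: str, html: str, evaluate_motw: bool = True) -> str:
    """Zone the page runs in. A UNC location starts in Local Intranet; a MOTW
    can only tighten that. evaluate_motw=False models the browser ignoring
    the mark, which is the condition the setting exists to prevent."""
    base = LOCAL_INTRANET if location.startswith("\\\\") else LOCAL_MACHINE
    saved_from = parse_motw(html) if evaluate_motw else None
    if saved_from is None:
        return base
    marked = zone_of_url(saved_from)
    return marked if RESTRICTIVENESS[marked] > RESTRICTIVENESS[base] else base


# Constructed sample: a page saved from an Internet site onto a file share
SAMPLE_PAGE = "<!-- saved from url=(0023)http://www.example.com/ -->\n<html></html>\n"
SAMPLE_PATH = r"\\fileserver\share\page.htm"

if __name__ == "__main__":
    print("MOTW evaluated:", effective_zone(SAMPLE_PATH, SAMPLE_PAGE))        # Internet
    print("MOTW ignored:  ", effective_zone(SAMPLE_PATH, SAMPLE_PAGE, False))  # Local Intranet
```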
Impact
Enabling this setting can cause some Web pages saved on UNC shares to run in a more restrictive security zone when opened from 2007 Office applications than they would if the setting were disabled or not configured. However, a page with a MOTW indicating it was saved from an Internet site is presumed to have been designed to run in the Internet zone in the first place, so most users should not experience significant usability issues.


The following table contains the Group Policy settings that are obsolete in the 2007 Microsoft Office system.

   Group Policy setting                                                          Product
   Allow in-place activation of embedded OLE objects                             Outlook 2007
   Allow the use of ActiveX Custom Controls in InfoPath forms                    InfoPath 2007
   Always use Rich Text formatting in S/MIME messages                            Outlook 2007
   Assume structured storage format of workbook is intact when recovering data   Excel 2007
   Automatic Query Refresh                                                       Excel 2007
   Automatically download enclosures                                             Outlook 2007
   Completely disable the Smart Documents feature in Word and Excel              2007 Office system
   Control behavior when opening forms in the Local Machine security zone        InfoPath 2007
   Disable Password Caching                                                      2007 Office system
   Display a warning that a form is digitally signed                             InfoPath 2007
   Display OLE package objects                                                   Outlook 2007
   Do not allow users to upgrade Information Rights Management configuration     2007 Office system
   Do not upload media files                                                     2007 Office system
   Download Office Controls                                                      2007 Office system
   Enable Cryptography Icons                                                     Outlook 2007
   Hide Spotlight entry point                                                    2007 Office system
   Locally cache network file storages                                           Excel 2007
   Locally cache PivotTable reports                                              Excel 2007
   Microsoft Office Online                                                       2007 Office system
   OLAP PivotTable connect warning                                               Excel 2007
   OLAP PivotTable User Defined Function (UDF) security setting                  Excel 2007
   PivotTable External Data Source connect warning                               Excel 2007
   Prevent access to Web-based file storage                                      2007 Office system
   Prevent Word and Excel from loading managed code extensions                   2007 Office system
   Refresh Alert Settings                                                        Excel 2007
   Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1   InfoPath 2007
   Send copy of pictures with HTML messages instead of reference to Internet location   Outlook 2007
   Suppress High Security Macro alert for unsigned Macros                        Excel 2007
   Windows Internet Explorer Feature                                             2007 Office system