Hi, my name is Maithili Dandige. I am a Program Manager at Microsoft working in the Office Security team. For this release, I’ve worked on several security and privacy-related features such as Office File Validation, Recommended Settings, improvements to Document Inspector, and Trusted Documents. I will be talking about all these in the upcoming months. Today, I am here to give you some insight to the Trusted Documents feature, a simple enhancement that improves the user experience when interacting with our security features. You can go here if you are interested in reading about other security features on our team. Trusted Documents alleviates my personal long-term frustration as an end user by reducing the number security prompts seen when working with Office documents containing Macros, ActiveX controls, Data Connections and other types of active content that are blocked by Office Trust Center.
Before we go into the details of how Trusted Documents work, I’d like to spend a few minutes on why we built this feature. Versions of Office before Office 2007 showed you modal prompts for macros and other types of active contents before opening documents. Those dialogs were useful but problematic; you were shown the prompt that said - “Do you want to enable macros?” before letting you interact with the file. Many users who didn’t need to enable those macros also ended up enabling them, although often all they wanted to do was read the document.
In Office 2007 we fixed that. We didn’t show you the modal prompt before opening the document; instead we showed you what we call the Message Bar. This was a significant improvement as you could read or edit your document safely and deal with the security warnings later. Unfortunately, for a document with macros you created, or a workbook with data connections that you worked on every day, you’d need to enable the content every single time from the Message Bar. This could be a frustrating user experience because now not only did it take you two additional clicks to get to your next task, it didn’t seem to provide any real security benefit for a document. This is why:
a) First, how likely are you to change your mind about trusting a document? If you enable content once, you are almost certainly going to again do it the next time round as you need your document to work properly.
b) Second, if there was malicious intent that created the macros or other type of content, your machine was probably compromised by it the first time you enabled the macros, so prompting you the next time for the same file does not add any additional security benefit.
So this motivated us to provide users with a better security experience which we call the Trusted Documents feature: In Office 14 we now remember which active content you have enabled, and don’t prompt you again the next time you open the same document.
So what are Trusted Documents? – Trusted Documents provides a simple one click step to always enable active content (e.g. Macros, ActiveX controls etc.) in a document. We remember your trust decision on the file and don’t show you the security prompt the next time you open the file.
It more closely reflects how people work. If I create a document with a macro in it, I don’t want to be prompted to enable the macro the next time I open it. Or, if I get a document with daily reports from my co-worker that has a pivot table, I don’t want to enable the data connection to our trusted server every time I want updated numbers. Also, I may be opening documents from multiple folders (SharePoint, network shares, desktop, attachments received in email). I don’t necessarily want to put them into a trusted folder every time I open them. Trusted Documents helps with all the above. It remembers the first time you enabled the content and unless the trust record for that document changes, it doesn’t bother you with a security notification for the content anymore.
With Trusted Documents, the trust is recorded on a per file basis. The trust record is added to the Current User section of your local registry and contains the file’s full path along with other data such as the created time for a document. Note that because ‘trust records’ are stored on a specific machine you’ll get prompted again if you open the file on another computer. Also since the trust record consists of more than just the file’s path it protects against social engineering attacks such as replacing existing trusted documents with malicious documents that have the same name.
Protected View helps us create a good security boundary between documents that are on your machine which you may have trusted vs. new incoming untrusted documents opened from the Internet, attachments, etc. For example, an attachment containing macros is first opened in Protected View. If you trust the file and exit Protected View we do not enable the macros automatically. Instead we show another Message Bar to enable the macros. By disallowing macros from running automatically while exiting Protected View we prevent opening up the computer to additional risk where the user may have intended to just reply to the document with comments and not run the macros. Now, if you explicitly save the attachment and also enable the macros we make it trusted and the next time you open the document it does not open in Protected View and active content is enabled for that document.
In Office 2010, you will continue to see the Message Bar when a macro, data connection, ActiveX control or other type of active content is in the document. Here is the Message Bar that comes up when more than one type of active content is disabled (e.g. macros and ActiveX controls).
There are two entry points to make a document Trusted. If you click Enable Content on the Message Bar the document will be automatically added to Trusted Documents list in your registry. Second, you can click the Message Bar for details; it will take you to the Backstage view. In the Backstage view you can click the Enable Content button which will bring up two options.
a) You can enable all the content and make it a trusted document. This will enable macros and ActiveX controls in the document and add the document to your list of trusted documents in the registry. This option provides you with a simple one-click option to enable all the content at once and make it a trusted document. The next time you open this document you will not be shown the security warning.
b) If you are an advanced user who wants more control over the types of content to enable/disable then you can click the Advanced Options button, which brings up the Security Notifications dialog that has options for enabling content for one time (this is similar to Office 2007).
Similar to Trusted Locations we have security restrictions and settings around trusted documents. For example, we do not allow users to trust documents from untrusted locations such as Temporary Internet Files (TIF) or TEMP.
Trusting documents on a network share is riskier than trusting documents on your local hard drive as other users who have access to the network locations can modify the contents of your file. For this reason, we show you a security warning the first time you try to trust a document on a network location. In Trust Center, you can disallow documents on a trusted location to be trusted, causing Office to show you the security notification every time you open a document from a network location. We also provide you with more options in the Trust Center, such as disabling all trusted documents completely or purging the documents you have trusted. All these options can be found under Trust Center settings for an application. Similarly all these settings can also be configured by an administrator of an IT organization via group policy (e.g. an administrator can configure for disallowing trusted documents to be created on network shares thus limiting the use only to your local hard drive).
To summarize, the main security UX goal we are striving to reach in Office 14 with Trusted Documents and other security features is to make unnecessary prompts go away and to only prompt users when necessary. By reducing ‘prompt fatigue’ we hope to enable users to make better, more informed decisions when they do encounter security prompts
I find trusted documents or protected view a little annoying actually, won't let me print or search within the document unless I enter edit mode. jh
John, thanks for the feedback. The inability to print is a limitation of protected view in the Technical Preview release. We've heard this feedback a bunch from folks and subsequent releases make it much asier to print from within protected view.
The nice thing about the Trusted Documents feature is that for any given document, you will only have to enable editing once ever. Any time you open that document in the future, we won't bug you about security issues.
I created a database application using Access that opens fine using the full version of Access. When I compile it using the developer extensions and try to open it, it gives me an error 2950, which I believe is a trusted document or location error. I've visited the Trust center and marked the document and location as trusted yet still cannot get rid of the error. Because I've had similar experiences with this concept of "Trusted Documents" or "Trusted Locations" I'm finding the idea is not worth the security I might get from it.
If you've got any ideas about how to solve the immediate problem, I'd appreciate it.
And can you confirm search is also available in protected view moving forward.
Often times I will quickly load a document from the web and do a quick search, having to trust a document to search it could be tiresome.
Hey Steve--I'm on the Access team. I'd like to work with you to figure out your repro steps and see if we can't hunt down your issue. Feel free to drop me an email at (riclewis @at@ microsoft dot com).
I'm looking at automatically trusting an Access file with my popular Auto FE Updater tool. www.autofeupdater.com. What is in the 16 bytes of binary data in the registry associated with the file name? Will this be published at some point in the future?
I do read above where you state "Also since the trust record consists of more than just the file’s path it protects against social engineering attacks " so I can appreciate that MS might not want to let out that information. OTOH it's only 16 bytes so reverse engineering might not be too difficult.
While I'm asking does the Trusted Locations registry key override this setting?
How do I reset a single trusted document?
When I choose the "enable editing" command, all of the text in my Excel or Word document turns to gibberish. How do I prevent this from happening? I'm really close to getting rid of IE and using Firefox or another program.