Hi, my name is Maithili Dandige. I am a Program Manager at Microsoft working in the Office Security team. For this release, I’ve worked on several security and privacy-related features such as Office File Validation, Recommended Settings, improvements to Document Inspector, and Trusted Documents. I will be talking about all these in the upcoming months. Today, I am here to give you some insight to the Trusted Documents feature, a simple enhancement that improves the user experience when interacting with our security features. You can go here if you are interested in reading about other security features on our team. Trusted Documents alleviates my personal long-term frustration as an end user by reducing the number security prompts seen when working with Office documents containing Macros, ActiveX controls, Data Connections and other types of active content that are blocked by Office Trust Center.
Why Trusted Documents?
Before we go into the details of how Trusted Documents work, I’d like to spend a few minutes on why we built this feature. Versions of Office before Office 2007 showed you modal prompts for macros and other types of active contents before opening documents. Those dialogs were useful but problematic; you were shown the prompt that said - “Do you want to enable macros?” before letting you interact with the file. Many users who didn’t need to enable those macros also ended up enabling them, although often all they wanted to do was read the document.
In Office 2007 we fixed that. We didn’t show you the modal prompt before opening the document; instead we showed you what we call the Message Bar. This was a significant improvement as you could read or edit your document safely and deal with the security warnings later. Unfortunately, for a document with macros you created, or a workbook with data connections that you worked on every day, you’d need to enable the content every single time from the Message Bar. This could be a frustrating user experience because now not only did it take you two additional clicks to get to your next task, it didn’t seem to provide any real security benefit for a document. This is why:
a) First, how likely are you to change your mind about trusting a document? If you enable content once, you are almost certainly going to again do it the next time round as you need your document to work properly.
b) Second, if there was malicious intent that created the macros or other type of content, your machine was probably compromised by it the first time you enabled the macros, so prompting you the next time for the same file does not add any additional security benefit.
So this motivated us to provide users with a better security experience which we call the Trusted Documents feature: In Office 14 we now remember which active content you have enabled, and don’t prompt you again the next time you open the same document.
What are Trusted Documents?
So what are Trusted Documents? – Trusted Documents provides a simple one click step to always enable active content (e.g. Macros, ActiveX controls etc.) in a document. We remember your trust decision on the file and don’t show you the security prompt the next time you open the file.
It more closely reflects how people work. If I create a document with a macro in it, I don’t want to be prompted to enable the macro the next time I open it. Or, if I get a document with daily reports from my co-worker that has a pivot table, I don’t want to enable the data connection to our trusted server every time I want updated numbers. Also, I may be opening documents from multiple folders (SharePoint, network shares, desktop, attachments received in email). I don’t necessarily want to put them into a trusted folder every time I open them. Trusted Documents helps with all the above. It remembers the first time you enabled the content and unless the trust record for that document changes, it doesn’t bother you with a security notification for the content anymore.
With Trusted Documents, the trust is recorded on a per file basis. The trust record is added to the Current User section of your local registry and contains the file’s full path along with other data such as the created time for a document. Note that because ‘trust records’ are stored on a specific machine you’ll get prompted again if you open the file on another computer. Also since the trust record consists of more than just the file’s path it protects against social engineering attacks such as replacing existing trusted documents with malicious documents that have the same name.
Protected View helps us create a good security boundary between documents that are on your machine which you may have trusted vs. new incoming untrusted documents opened from the Internet, attachments, etc. For example, an attachment containing macros is first opened in Protected View. If you trust the file and exit Protected View we do not enable the macros automatically. Instead we show another Message Bar to enable the macros. By disallowing macros from running automatically while exiting Protected View we prevent opening up the computer to additional risk where the user may have intended to just reply to the document with comments and not run the macros. Now, if you explicitly save the attachment and also enable the macros we make it trusted and the next time you open the document it does not open in Protected View and active content is enabled for that document.
Trusted Documents: Security User Experience
In Office 2010, you will continue to see the Message Bar when a macro, data connection, ActiveX control or other type of active content is in the document. Here is the Message Bar that comes up when more than one type of active content is disabled (e.g. macros and ActiveX controls).
There are two entry points to make a document Trusted. If you click Enable Content on the Message Bar the document will be automatically added to Trusted Documents list in your registry. Second, you can click the Message Bar for details; it will take you to the Backstage view. In the Backstage view you can click the Enable Content button which will bring up two options.
a) You can enable all the content and make it a trusted document. This will enable macros and ActiveX controls in the document and add the document to your list of trusted documents in the registry. This option provides you with a simple one-click option to enable all the content at once and make it a trusted document. The next time you open this document you will not be shown the security warning.
b) If you are an advanced user who wants more control over the types of content to enable/disable then you can click the Advanced Options button, which brings up the Security Notifications dialog that has options for enabling content for one time (this is similar to Office 2007).
Trusted Documents – Security settings
Similar to Trusted Locations we have security restrictions and settings around trusted documents. For example, we do not allow users to trust documents from untrusted locations such as Temporary Internet Files (TIF) or TEMP.
Trusting documents on a network share is riskier than trusting documents on your local hard drive as other users who have access to the network locations can modify the contents of your file. For this reason, we show you a security warning the first time you try to trust a document on a network location. In Trust Center, you can disallow documents on a trusted location to be trusted, causing Office to show you the security notification every time you open a document from a network location. We also provide you with more options in the Trust Center, such as disabling all trusted documents completely or purging the documents you have trusted. All these options can be found under Trust Center settings for an application. Similarly all these settings can also be configured by an administrator of an IT organization via group policy (e.g. an administrator can configure for disallowing trusted documents to be created on network shares thus limiting the use only to your local hard drive).
To summarize, the main security UX goal we are striving to reach in Office 14 with Trusted Documents and other security features is to make unnecessary prompts go away and to only prompt users when necessary. By reducing ‘prompt fatigue’ we hope to enable users to make better, more informed decisions when they do encounter security prompts