Microsoft Gets Serious About Office 2010 Security
Office 2010 boasts added security as part of Microsoft's overall strategy of ramping up security in the Windows 7/Server 2008 ecosystem.
Microsoft has just released details of a new password rules feature in Office 2010.
The new password feature encrypts passwords and allows password complexity to be set -- the same type of complexity required for logging onto your work computer.
Users can apply password encryption to a document in one of two ways: by going into the document's Backstage View and selecting the "Encrypt with Password" option, or by using the "Password to open" option in the General Options dialog, reached by clicking "Save As."
Administrators will be able to enforce password complexity for Office 2010 by using one of two methods. The first is via the Office Customization Tool (OCT). However, the feature is not available as of yet in OCT. The second method involves registry settings and is explained thusly in the Microsoft Office 2010 Engineering Blog:
"There are 2 registry settings to control this, PolicyLevel and MinLength.
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Security\PasswordComplexity
HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\Common\Security\PasswordComplexity
- Value name: PolicyLevel
- Value type: DWORD
- Value data: [ 0 | 1 | 2 | 3 ]
- Use 0 for no complexity (default), 1 for minimum length, 2 for minimum length plus requiring 3 of 4 character groups, and 3 for all these checks plus enforcing Windows domain password rules.
- Value name: MinLength
- Value type: DWORD
- Specifies the minimum length of password required.
- When the policy level is 2 or 3, then the password must contain characters from at least three of four character sets, lowercase a-z, uppercase A-Z, digits 0-9 or non-alphabetic character. When this complexity is enforced, the minimum password length needs to be at least 6, but can be more depending on the MinLength."
The blog answers probably one of the most logical questions Windows administrators could pose: "Why not just use the Windows domain password policy?" The blog post explains:
"When the policy level setting is 3, then Office will use the Windows domain policy as well as all the settings at level 2. This allows a custom password filter that is installed for Windows passwords to be used. If you are offline or a domain controller cannot be contacted, then the Windows password settings aren't used, and only the level 2 settings are used. If you don't have a custom password filter, then using level 2 saves a trip across the network, and would be the best choice."
Microsoft also gives a little back-story on the evolution of password encryption on Office.
Word and Excel historically used 40-bit RC4 encryption, considered weak encryption by today's standards.
The Open Office XML format introduced in Office 2007 provided the ability to use 128-bit AES encryption. This level of encryption plus password complexity requirements make it harder to compromise Office 2010 documents, especially in the case of brute force password guessing attacks.
The blog mentions one caveat: Encrypted passwords that are lost or forgotten cannot be recovered by Microsoft engineers. Administrators can opt to disable setting new passwords in Office, however.
You can read more about the enhanced password features in Office 2010 on Microsoft's Office 2010 blog.
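The registry settings described above, applied and exercised from PowerShell. This is an added example, not code from the Microsoft blog: it writes PolicyLevel and MinLength under the Policies key quoted above, refuses a MinLength below the floor of 6 the blog states for levels 2 and 3, and re-implements the level 1 and 2 checks locally as I read the blog's description (the fourth character group is taken to be any non-alphanumeric character) so an administrator can see which candidate passwords a given policy would reject. Level 3's domain filter cannot be evaluated offline and is not modelled.

```powershell
# Added example: configure and locally exercise the Office 2010 password
# complexity policy. Paths and value names are those quoted from the blog.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Common\Security\PasswordComplexity'

function Set-OfficePasswordComplexity {
    param(
        [ValidateRange(0, 3)][int]$PolicyLevel,
        [ValidateRange(1, 255)][int]$MinLength
    )
    # Levels 2 and 3 turn on the 3-of-4 character group rule, which the blog
    # says needs a minimum length of at least 6; reject inconsistent settings.
    if ($PolicyLevel -ge 2 -and $MinLength -lt 6) {
        throw "MinLength must be at least 6 when PolicyLevel is $PolicyLevel"
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name PolicyLevel -PropertyType DWord -Value $PolicyLevel -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name MinLength   -PropertyType DWord -Value $MinLength   -Force | Out-Null
}

function Test-OfficePasswordComplexity {
    # Local model of the level 1 and level 2 checks as the blog describes them.
    # Level 3 additionally consults the Windows domain policy, which this
    # offline check cannot reproduce, so it is treated like level 2 here.
    param([string]$Password, [int]$PolicyLevel, [int]$MinLength)
    if ($PolicyLevel -eq 0) { return $true }
    if ($Password.Length -lt $MinLength) { return $false }
    if ($PolicyLevel -eq 1) { return $true }
    $groups = @(
        ($Password -cmatch '[a-z]'),         # lowercase
        ($Password -cmatch '[A-Z]'),         # uppercase
        ($Password -match '[0-9]'),          # digits
        ($Password -match '[^A-Za-z0-9]')    # assumed: any other character
    )
    $present = ($groups | Where-Object { $_ } | Measure-Object).Count
    return ($present -ge 3)
}

# Apply a level 2 policy with an 8 character minimum, then show what it accepts.
Set-OfficePasswordComplexity -PolicyLevel 2 -MinLength 8
'password', 'Passw0rd', 'Pa55word!', 'Ab1!' | ForEach-Object {
    '{0,-10} -> {1}' -f $_, (Test-OfficePasswordComplexity -Password $_ -PolicyLevel 2 -MinLength 8)
}
```

Run it in the user's own session, since the Policies key lives under HKEY_CURRENT_USER; in a domain, the same two DWORDs would normally be delivered through Group Policy rather than written by hand.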