Advances in Microsoft Office Client Security: Keeping Enterprise Data Safe
Brad Albrecht, Senior Security Program Manager, Microsoft Corporation
SESSION CODE: OSP201



Session Objectives and Takeaways

Session Objective(s): Explain Office 2010 Security

• Today’s risk is not macros
• Security is working in the background
• Office 2010 security is game changing
• File Validation, Protected View, better user experience


Threat Landscape

* Diagram from SANS – The Top Cyber Security Risks: number of vulnerabilities by layer (Applications, OS Libraries, OS Transport, Network)


How do we protect ourselves from these threats?

Protection Technology
• Encryption
• Data Protection
• Enterprise Management
• Secure Collaboration

Core Security
• Attack Resilience
• Layered Defences
• Integrity Protection

Security Engineering
• Threat Modelling
• Validation Tools
• Secure Coding Practices
• Security Development Lifecycle
• Intensive Distributed Fuzzing


Security Engineering

Security Development Lifecycle (SDL)
Intensive Distributed Fuzzing

Fuzzing pipeline: Valid File → Fuzzer → Fuzzed File → Target Application


Layered Defenses

Harden the Attack Surface

Reduce the Attack Surface

Improve User Experience

Mitigate the Exploits


Harden the Attack Surface

Security Engineering
• Security Development Lifecycle Foundation
• Intensive Distributed Fuzzing

Integrate OS Advances
• Support for DEP/NX
• Leverage WIC Image Parsers
• Robust & Agile Cryptography


Reduce the Attack Surface



Reduce the Attack Surface

Office File Validation
• Binary files
• Runs automatically on open
• Evaluates file for ‘correctness’
• Protects against unknown exploits
• Faster updates for changes to rules


Gatekeeper vs MSRC cases


Mitigate the Exploits

Protected Viewer ‘Sandbox’
• Word, Excel, PPT files can run in the ‘sandbox’
• Prevents harmful documents from damaging user data and OS
• Helps users make better trust decisions


Mitigate the Exploits

Office Protected Viewer opens:
• Files that failed File Validation
• Files that don’t comply with File Block Policy
• Files in unsafe folders
• All Outlook attachments
• Files from the Internet Zone


Improve User Experience
• Better information to make trust decisions
• Avoid forcing a choice between security and productivity
• Remembers users’ selections for security decisions, and does not ask again
• Reduced prompts


‘My Stuff’...

Improve User Experience

Document flow: Open email attachment → ‘Gatekeeper’ Validation → Sandboxed Viewer → User clicks ‘Enable’ → Document opens, fully enabled → Save Document → Reopen Document

Incoming: strong protection from all classes of malware inside the sandbox.
Trust decisions are ‘sticky’. View the document before the trust decision is made. Many scenarios stop here – reading is enough.
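The gatekeeper validation, the Protected Viewer routing rules and the ‘sticky’ trust decision in the flow above can be shown together as a small policy engine. The Python below is an added example written for this page; it is not Microsoft’s code and not the actual Office File Validation rules. The structural checks on the OLE2 compound file header (the container used by binary .doc/.xls/.ppt files) stand in for the real validation rules, and FILE_BLOCK_POLICY, the FileContext fields, the trust store and the sample files are constructed assumptions.

```python
import hashlib
import struct
from dataclasses import dataclass
from enum import Enum
from typing import List, Set, Tuple

# Signature of the OLE2 compound file format that legacy binary Office files use.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed placeholder for a File Block Policy: extensions the admin keeps out
# of full editing mode. Not a real Office default.
FILE_BLOCK_POLICY = {".xlb", ".dif"}


class OpenMode(Enum):
    FULL = "fully enabled"
    PROTECTED_VIEW = "protected viewer (sandbox)"


@dataclass
class FileContext:
    """Facts the gatekeeper knows about a document before opening it (assumed fields)."""
    data: bytes
    extension: str
    from_internet_zone: bool = False
    is_outlook_attachment: bool = False
    in_unsafe_folder: bool = False


def validate_binary_file(data: bytes) -> List[str]:
    """Hypothetical 'correctness' checks on the compound file header.

    Returns a list of problems; an empty list means the header is consistent.
    Offsets follow the public [MS-CFB] header layout (little-endian fields).
    """
    if len(data) < 512:
        return ["shorter than the 512-byte compound file header"]
    if data[:8] != OLE2_MAGIC:
        return ["bad OLE2 signature"]
    problems = []
    major_version, byte_order, sector_shift = struct.unpack_from("<HHH", data, 0x1A)
    num_fat_sectors = struct.unpack_from("<I", data, 0x2C)[0]
    if byte_order != 0xFFFE:
        problems.append("unexpected byte-order marker")
    # Version 3 files use 512-byte sectors, version 4 files 4096-byte sectors.
    if (major_version, sector_shift) not in ((3, 9), (4, 12)):
        problems.append(f"inconsistent version/sector shift {major_version}/{sector_shift}")
        return problems
    sector_size = 1 << sector_shift
    # The header sector plus every FAT sector the header claims must fit in the file;
    # an overstated count is exactly the kind of inconsistency a parser must not trust.
    if (num_fat_sectors + 1) * sector_size > len(data):
        problems.append("FAT sector count exceeds file size")
    return problems


def decide_open_mode(ctx: FileContext, trusted: Set[str]) -> Tuple[OpenMode, str]:
    """Route a document the way the Protected Viewer slide describes."""
    problems = validate_binary_file(ctx.data)
    if problems:
        # A validation failure wins even over a remembered trust decision.
        return OpenMode.PROTECTED_VIEW, "failed file validation: " + "; ".join(problems)
    if hashlib.sha256(ctx.data).hexdigest() in trusted:
        return OpenMode.FULL, "remembered trust decision"  # sticky: no second prompt
    if ctx.extension.lower() in FILE_BLOCK_POLICY:
        return OpenMode.PROTECTED_VIEW, "does not comply with file block policy"
    if ctx.is_outlook_attachment:
        return OpenMode.PROTECTED_VIEW, "outlook attachment"
    if ctx.from_internet_zone:
        return OpenMode.PROTECTED_VIEW, "internet zone"
    if ctx.in_unsafe_folder:
        return OpenMode.PROTECTED_VIEW, "unsafe folder"
    return OpenMode.FULL, "passed validation and trust checks"


def user_clicks_enable(ctx: FileContext, trusted: Set[str]) -> None:
    """Record the user's 'Enable' decision so reopening the same bytes skips the prompt."""
    trusted.add(hashlib.sha256(ctx.data).hexdigest())


def make_sample_file(fat_sectors: int = 1, claimed_fat_sectors: int = None) -> bytes:
    """Constructed minimal version-3 compound file: header sector plus FAT sectors."""
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    struct.pack_into("<HHHH", hdr, 0x1A, 3, 0xFFFE, 9, 6)  # version, byte order, shifts
    claim = fat_sectors if claimed_fat_sectors is None else claimed_fat_sectors
    struct.pack_into("<I", hdr, 0x2C, claim)
    return bytes(hdr) + b"\xff" * (512 * fat_sectors)


if __name__ == "__main__":
    trust_store: Set[str] = set()
    attachment = FileContext(make_sample_file(), ".doc", is_outlook_attachment=True)
    print(decide_open_mode(attachment, trust_store))   # protected viewer: outlook attachment
    user_clicks_enable(attachment, trust_store)
    print(decide_open_mode(attachment, trust_store))   # fully enabled: remembered decision
    forged = FileContext(make_sample_file(claimed_fat_sectors=500), ".doc")
    print(decide_open_mode(forged, trust_store))       # protected viewer: failed validation
```

The ordering of the checks is the design point: structural validation runs first and is never overridden by a remembered decision, so a later edit to the bytes of a once-trusted file produces a new hash and a fresh trip through the sandbox, while an unchanged file the user already enabled opens without a second prompt.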


Office 2007 Prompts


Protecting your documents

Encryption | Enterprise Management | Data Protection | Digital Signature


Data Protection

Information Rights Management
• Users can control permissions
• Restrictions on sensitive data
• Copy prevention
• Enables collaboration between two enterprises
• Can lock down content


Encryption
• Full crypto agility via native CNG support: allows agility in organizations; effective in government organizations
• Integrity checks: validates encrypted messages
• Enforce domain password complexity: enabled through GPO


Digital Signature
• Timestamping (RFC 3161): documents remain valid after the certificate expires
• XAdES: international standard; enables stronger signatures


Enterprise Management
• Define policies and use Office to enforce them
• More IT Admin control in 2010
• More granularity within group policy management


Resources

www.microsoft.com/teched – Sessions On-Demand & Community
www.microsoft.com/learning – Microsoft Certification & Training Resources
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
http://msdn.microsoft.com/office
OfficeITPro.com


Complete an evaluation on CommNet and enter to win!


Play the Microsoft Office & SharePoint Track Tag Contest

Download the Microsoft Tag Reader: open the internet browser on your mobile phone and visit http://gettag.mobi

Come to the Expo Hall – Yellow Section OSP Info Desk for Official Rules & Collect Additional Tags!

Grand Prize (1): Xbox 360 Prize Package and Microsoft® Office 2010
Daily Prizes: 40 copies of Microsoft® Office 2010


© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.


JUNE 7-10, 2010 | NEW ORLEANS, LA