Trust Center Part 3: Making Sense of Security Settings

Today we have the third guest post from Sam Radakovitz, Excel Program Manager. Sam is writing about the Trust Center, a new feature for Office 2007.

Our goal is to have secure and reasonable default settings that allow customers to get most work done while staying safe. However, from time to time there is also value in being able to easily and quickly verify that your settings remain secure. In previous versions of Office, checking one’s security settings was often a significant challenge: as the various Office security models for everything from macros to data connections evolved, their settings were added to the Office UI as individual decisions. The result is that checking your security settings can be a daunting task.

Office 2007 introduces a new user paradigm for Office trust settings, the Office Trust Center (located in the new Office Center with all other application settings).  By collecting all Trust, Privacy and Security settings in one central place we allow customers to manage their security stance quickly and easily.

The Trust Center provides further levels of detail on a broad selection of security settings. The discrete nature of the new Office settings results in more settings than in previous releases, but in return gives you more control over and transparency into your settings. In the screenshot below, on the left side of the Trust Center dialog, you can see the breadth of settings managed by the Trust Center.


The Trust Center attempts to bring together all the relevant settings used to manage the security and privacy options of the application into a single, easy-to-navigate structure. Given the breadth of security models in Office 2007, the Trust Center design presented a number of challenges:

Density – having a separate dashboard for every setting in every security model would have made for a huge number of overlapping settings. To solve this problem we broke the settings out into a few different types with logical groupings:

  • Shared evidence settings: Trusted Locations and Trusted Publishers are pieces of evidence that multiple security models use.
  • Security model settings/status: even though centralizing the evidence options simplifies the Trust Center a lot, there remains a set of detailed flexibility options and information for VBA, add-ins, ActiveX controls, etc. that needs to be hosted.
  • Privacy controls and opt-ins: since security and privacy often go hand in hand, having application-relevant settings in the Trust Center makes sense.

Relevance – centralizing settings can help in the case where you know what you are looking for, but often a setting is more relevant in another context. For example, setting a password on a document is much more appropriate at file save time, when specifying the file name and other properties, rather than having to go to the central privacy settings location. To this end we focused the Trust Center largely on application-specific settings, which apply to all documents, while leaving some document-specific scenarios in their more appropriate workflow.

Customer Confusion – some of the Office security models and settings have been around for three versions, and users are comfortable with the settings and how to use them.  Any attempt to move them around will inevitably cause some degree of confusion and adjustment, and we needed to ensure that we were really making things markedly better with these changes.  Overall we felt that the lack of clarity in the existing settings – both due to their being scattered throughout the user interface and because their descriptions were typically overloaded and cryptic – made the transition well worth it.

More Notable Changes
I’d also like to take part of this post to point out a couple of other significant changes in Office 2007: the high, medium, and low security settings have been replaced by more explicit options, and the new default security setting for Office 2007 provides a notification for unsigned macros rather than force-disabling them with no option of enabling them, as previous versions of Office did by default.

High/Med/Low Security? – What is ‘High’ security? How does that compare to ‘Medium’ security? Or ‘Very High’ security for that matter? How will my ActiveX controls react in any of those modes? For Office 2007 we’ve tried to remove a bunch of ambiguity, and part of that was cleaning up the high-to-low options. Now each feature is broken out in the Trust Center and has more explicit security options. For macros you can control the default enabled or disabled state, and whether a trust bar or warning should be shown. The same is true for the other features secured by the Trust Center as well.

Default Settings – Since Office 2007 does not actually “block” the user from opening the document, and the code does not run, providing trust bar notification where macros are disabled is deemed acceptable.  From a security point of view the macros still do not run, and from a usability point of view customers have an easier time both getting their work done without an unnecessary trust decision and enabling the macros if necessary.

Balancing all the risks has been a challenge, but in the end the Trust Center is a significant improvement for both normal and technically advanced users. The structure allows us to be more verbose in describing the customer’s options, which leads to better security decisions. The transparency around things like add-ins means that customers are better informed about what code other than the core Office code is running within their application. They can therefore assess the possible security and reliability implications more effectively.