The second part of the Office security tools from Microsoft is a method to stop users from opening certain types of documents – for example .doc or .xls files.
It’s very much intended for network administration use and not individuals, though it lacks some functionality that would make it truly useful for managers.
Office 2007 comes with the File Block Functionality already installed – all you need to do is enable it.
Office 2003 users may already have File Block installed too – that’s because it was included in two of the security patches Microsoft deployed last week.
- KB 934181 for Word 2003 was issued as one of the ‘remote code execution’ patches in the May 2007 release but it seems to have also included File Block. The KB says “This update also includes changes that enable blocking of specific file formats in Word 2003.”, which would seem to describe the File Block Functionality.
- KB 933666 for Excel 2003 was also initially pushed as a standard security patch but now apparently contains the File Blocking Functionality. Like the Word patch it’s not explicitly labeled as such by using Microsoft’s own terminology.
- KB 933669 is for PowerPoint 2003 and has the File Block Functionality for PowerPoint files.
After you’ve installed the Office 2003 updates or have Office 2007 installed, you have to modify the registry to block certain types of attachments from being opened, saved or both.
You can check out the KB articles for details (see above); suffice it to say that you can control opening and saving separately.
Instead of listing the file extensions individually, the registry and admin template have labels for groups of files. For example the DWORD registry label ‘BinaryFiles’ will block .doc and .dot files.
This is a tool for network administrators to block access to certain file types if they believe there’s an immediate risk.
For example, there’s news of an infected Word file that’s being spread around the net. Microsoft hasn’t released a security update yet; until they do, managers can use an administrative template or registry change (via group policy) to quickly stop users from opening any files of the endangered type. When a patch is released and deployed, the file block can be lifted.
If a user tries to open a document on the blocked list they’ll get one of these messages (depending on the type of file they’re trying to open).
- You are attempting to open a file type that has been blocked by your registry policy setting.
- You are attempting to open a file type that is blocked by your registry policy setting.
- You are attempting to open a file that was created in an earlier version of Microsoft Office. This file type is blocked from opening in this version by your registry policy setting.
Or if you’re trying to save to a blocked type:
- You are attempting to save a file that is blocked by your registry policy setting.
Bypassing the file block
Blocking all, say, .doc files might seem draconian and it may be, depending on the real level of infection risk. Thankfully (perhaps) there’s a way to bypass the File Block.
Office 2007 has the concept of ‘Trusted Locations’ – folders that are deemed to contain safe files, ignoring the File Block list and other security blocks. You set Trusted Locations at Office menu | Options | Trust Center | Trust Center Settings | Trusted Locations.
Office 2003 doesn’t have ‘Trusted Locations’ but you can create an ‘exemption’ folder for the File Block Functionality only. The registry keys are (verbatim from Microsoft):
Then a new String Value called ExemptDirectory with the path of the trusted folder as the value.
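The block-then-exempt procedure above, scripted as an added PowerShell example (not from the article or from Microsoft’s KB articles). The value names ‘BinaryFiles’ and ‘ExemptDirectory’ and the subkey name ‘OICEExemptions’ are the ones the article gives; the full key paths are placeholders you must take from the relevant KB article, and the function names are this example’s own.

```powershell
# Added example: apply, audit and lift an Office File Block setting.
# ASSUMPTION: the two key paths below are placeholders; substitute the
# per-application paths from the KB article (934181 / 933666 / 933669).
$BlockKey  = 'HKCU:\<path-from-KB-article>\FileBlock'
$ExemptKey = 'HKCU:\<path-from-KB-article>\OICEExemptions'

function Enable-OfficeFileBlock {
    # Block a file group; 'BinaryFiles' covers .doc/.dot for Word.
    param([string]$Group = 'BinaryFiles')
    if (-not (Test-Path $BlockKey)) { New-Item -Path $BlockKey -Force | Out-Null }
    New-ItemProperty -Path $BlockKey -Name $Group -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-OfficeFileBlock {
    # Lift the block once the real patch has been deployed.
    param([string]$Group = 'BinaryFiles')
    Remove-ItemProperty -Path $BlockKey -Name $Group -ErrorAction SilentlyContinue
}

function Add-FileBlockExemption {
    # Office 2003 style exemption folder: files inside it skip the block,
    # so refuse anything that is not an existing, fully specified folder.
    param([Parameter(Mandatory)][string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder -PathType Container)) {
        throw "Exemption folder must already exist: $Folder"
    }
    if (-not (Test-Path $ExemptKey)) { New-Item -Path $ExemptKey -Force | Out-Null }
    New-ItemProperty -Path $ExemptKey -Name 'ExemptDirectory' -PropertyType String `
        -Value $Folder -Force | Out-Null
}

function Get-FileBlockState {
    # Report which groups are blocked and which folder bypasses the block,
    # so the help desk can answer the calls the article predicts.
    $blocked = @()
    if (Test-Path $BlockKey) {
        $blocked = (Get-ItemProperty -Path $BlockKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 1 } |
            ForEach-Object { $_.Name }
    }
    $exempt = $null
    if (Test-Path $ExemptKey) {
        $exempt = (Get-ItemProperty -Path $ExemptKey).ExemptDirectory
    }
    [pscustomobject]@{ BlockedGroups = $blocked; ExemptDirectory = $exempt }
}

# Usage: Enable-OfficeFileBlock; Add-FileBlockExemption -Folder 'C:\SafeDocs'; Get-FileBlockState
```

Run it under the account whose HKCU hive you want to change, or push the same values through group policy as the article suggests.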
Notice that the ‘File Block Functionality’ registry key is called ‘OICEExemptions’? Interesting, that. Microsoft says that File Block and MOICE are separate, but this registry key would suggest some cross-over. It also implies that MOICE may be bypassed for documents in the exemption folder – though this isn’t described in the (currently scant) MOICE documentation.
The biggest difficulty with File Block Functionality is the lack of a custom message option.
If access to, say, .doc is suddenly blocked on a large network there’s certain to be many complaint phone calls to the help desk – despite any email that’s sent out explaining the reason.
It would be nice if network administrators had the option to include their own message instead of (or additional to) the generic Microsoft one. Something like:
“Due to a virus infection on the Internet, we’ve had to block access to all Excel documents (.xls) temporarily. Once we have protection against this virus, we’ll lift this restriction.
If you have any questions please call the help desk – we promise that someone who doesn’t care and can’t do anything will listen until you get bored and hang up.”