Q: Our company needs a way to deal with the frequent vulnerabilities associated with Microsoft Office file formats. It often takes weeks for Microsoft to release a security patch, and although our antivirus solution is pretty good at quickly providing coverage, we’d still like to be able to push out a policy that prevents users from opening certain types of files, regardless of where the file came from (e.g., via email, download, or removable storage device). How do you suggest we do so?
A: Office documents are the easiest types of files to disable, thanks to Microsoft's new File Block functionality, which is available in Office 2007 and Office 2003. File Block lets you disable Office from opening specified file types (e.g., .doc, .xls, .vsd) via Group Policy. Because you push the policy out via a Group Policy Object, the policy takes effect on target computers as soon as they refresh Group Policy, which is typically about every 90 minutes. One File Block feature that I think is particularly cool is that you can designate trusted folders. Office will still open blocked file types if the file is in a trusted folder. This functionality helps you avoid breaking the ability to open Office documents by double-clicking them and lets users open critical documents on trusted file servers while preventing them from opening malicious files that originate from outside your company. You can learn more about File Block at http://www.microsoft.com/technet/security/advisory/937696.mspx.