Posey's Tips & Tricks

A New Feature that Office Desktop Applications Need Now!

Microsoft could further give users a piece of mind by adding a security focused Role Based Access Control to its productivity suite.

• By Brien Posey
• 11/02/2023

Microsoft Office applications such as Word, Excel and PowerPoint have been around ages. The first version of Microsoft Word was introduced way back in 1983, which is 40 years ago!

Like any other long-lived application, the Office applications have evolved significantly over the years to the point where they don't even really resemble their original versions any more. After all, the engineers who created Microsoft Word 1.0 probably couldn't have conceived of the ideas such as inline spelling and grammar checks, Copilot or dictation.

In spite of these and other revolutionary new features, the bulk of the capabilities that have been bolted on to the Office applications over the years receive little fan fair. Such features largely go unused and many people probably don't even know that some of those features exist. In fact, during the Microsoft 365 Copilot announcement, the speaker mentioned that most PowerPoint users use less than 10 percent of PowerPoint's features.

Over the many years, I have sometimes gotten the feeling that Microsoft created certain features simply because their business model calls for them to release a new version, and it can't release a new version without adding new features. Just for the record, I'm not trying to ridicule Microsoft for creating Office application features that nobody uses. I can only imagine how tough it probably is to think up new and useful features to add to a 40-year-old application suite that has already been updated countless times. Even so, there is one feature that Microsoft really needs to add to the Office applications. I'm talking about a Role Based Access Control (RBAC) mechanism that can be used to control which features users are allowed to use within the Office applications.

I'm sure that right now there are two questions that come to mind. First, why add RBAC to the Office applications instead of just letting the users take advantage of all the Office features? Second, why not just use the Microsoft Office Administrative Templates to control Office feature use via group policy?

I will answer the second question first. The Microsoft Office Administrative Templates do allow administrators to gain a significant amount of control over the Office applications, even if they don't allow you to lock down every feature. The biggest issue with relying on the Microsoft Office Administrative Templates is that they do not align with the way that a lot of organizations are structured. In many organizations, the administrator who manages group policy is not the same person who manages the organization's Microsoft 365 resources.

There is also the issue of the Microsoft Office Administrative Templates only being applicable to domain joined devices. Microsoft needs application level RBAC that is independent of the Active Directory.

Of course, the big question is why? Why in the world would an organization want to lock down features found in the Office applications?

My reason for wanting such a feature is tied to security. Even though the Office applications themselves are relatively secure, there are any number of ways to deliver exploits through Office documents. Even as far back as the 1990s, Microsoft was warning organizations that Excel macros could be used for malicious purposes, but that's really just the tip of the iceberg.

Take Microsoft OneNote, for example. OneNote has long given users the ability to embed files into OneNote documents. Late last year however, OneNote received a lot of attention due to an attack in which cyber criminals managed to embed ISO and ZIP files into OneNote documents and then hid the links to those files beneath design elements.

Since that time, Microsoft has taken steps to block OneNote from accepting various file types that Microsoft considers to be dangerous. Just imagine if administrators had the ability to use an RBAC mechanism to either prevent certain users from embedding files into OneNote documents or if administrators were able to make it so that users could only embed certain types of files (such as Word documents or JPEGs).

I will be the first to admit that not everyone uses OneNote, but the benefits of application-level RBAC extend to all of the Office applications. Such a mechanism would give admins the ability to lock down any feature or capability that they deem to be a security risk, rather than having to wait for Microsoft to take action.