Thoughts on Microsoft Office Security

The Trust Center stuff in MS Office has been bugging me for a while now. I get sick of having to “enable editing” on documents that I created on another system, but may now be on a network drive location or floating about elsewhere. The thing that makes this more annoying is the part where I am a domain user in an Active Directory environment, so theoretically, there is a unique code that each installation of Office could use to validate me as the creator of the work. I know that my user-id is stored (as KULARSKI\curtis I believe) in the document’s meta data, but that isn’t reliable, so I understand why that isn’t validated to determine if the document can be assumed to be safe (because it originates from me). Each object (including users) in Active Directory has a unique ID, referred to as either an SID (cause they are like S-1-####), or a UID (for unique ID). It seems reasonable to me that perhaps Microsoft could have written Office to pick up on that ID (from a network OS model they designed) to help with eliminating redundant prompts for authorization to edit documents created by the user at a different location. Another thought that has occurred to me on this line is the idea that perhaps future versions of Windows should by default have the ability to carry a user certificate, without the aid of AD Certificate Services, for basic in-domain authentication tasks, such as automatically assigning a digital signature to documents or allowing a user a temporary login to a part-time connected domain client system utilizing a file on a removable storage device to authenticate. These implementations are things that I would consider to be “low security” situations. Obviously not a good practice for financial institutions, military or other high-security situations, but for situations where physical security is pretty well established or there is a low risk of falsification of the credentials, it is a workable solution that could make things a lot easier and avoid certain problems, such as verifying a document’s source (when you wrote it) or not being able to log into a domain system just because it can’t connect to a domain controller/global catalog server to authorize a login.

This is probably an irrelevant rant, but in some ways I feel like Windows security could be aided by adding some simple measures of authentication. It may be basic but it may help. If a low-security user-check stops users from disabling the security features all together, then maybe there is an overall increase in security?