Disable OLE object execution and macros in LibreOffice/OpenOffice as well #30
Comments
Hi Dyras, thanks for your suggestion. Do you have a tutorial on how to harden LibreOffice on Windows?
I've tried looking for a tutorial but I've yet to find anything. However, under LibreOffice settings under "Security" there is "Macro security", which should probably be hardened by being set to "Very high" instead of "High". No idea where to find something on OLE though.
Macro security can be changed in the file registrymodifications.xcu. It is located in the user profile. For Windows it could be e.g.:

I couldn't find anything for OLE. I don't think it's possible to disable it. The only way seems to be asking on the LibreOffice forum and probably making a feature request.

There are some other interesting security options that can be changed in that file:

I don't know what is the best value for
Seems all settings can be managed directly with Registry Keys: https://wiki.documentfoundation.org/Deployment_and_Migration#Windows_Registry (Example already shows how to set MacroSecurityLevel and UpdateCheck) excerpt:
This gives a good overview of security-relevant settings in LibreOffice (German only!): https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/Webs/ACS/DE/BSI-CS/BSI-CS_147.pdf?__blob=publicationFile&v=6

I've selected and (auto-)translated the following settings that could be relevant for Hardentools:

HyperlinksWithCtrlClick: If this option is enabled, one mouse click is not enough to follow a hyperlink. must be held.

BlockUntrustedRefererLinks: Defines whether linked images from external sources may be retrieved. A corresponding restriction does not apply to documents stored in trusted locations. The option is only for images. This option does not restrict the retrieval of other media files or linked documents.

MacroSecurityLevel: Defines the security level for handling macros. The following values are possible:

SecureURL: Defines a list of trusted file paths. All documents stored at a trusted file path are allowed to run macros without restriction.

TrustedAuthors: not relevant if MacroSecurityLevel is set to "very high"

Link (Calc) & Link (Writer): Defines whether values from linked documents should be loaded automatically when the file is opened. This allows, for example, including values from a spreadsheet file in another file. Furthermore, it is also possible to load values via a network. In this case data can be transferred from the open document to another system. The following values are possible:

UseStorage: The option specifies whether the LibreOffice password store is enabled. In this memory you can store access data for services that are accessed via HTTP, WebDav, FTP, SSH or Windows SharePoint (CMIS). If credentials are stored, files can be retrieved from the respective service without a new password request.

AutoCheckEnabled: Specifies whether to automatically check for available updates. The user will be informed about available updates with a message. There is no automatic installation.

CheckInterval: Defines the interval at which new updates should be checked for. The option has no function if AutoCheckEnabled is disabled. The following values are possible:
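The profile file and the settings named in the comments above can be checked with a short audit script. This is an added example, not code from the thread or from Hardentools: it matches properties by name only, the sample file and its `oor:path` values are constructed, and the target values in `EXPECTED` (including `3` for "Very high") are assumptions.

```python
import xml.etree.ElementTree as ET

OOR = "{http://openoffice.org/2001/registry}"  # namespace of the oor:* attributes

# Constructed sample of a registrymodifications.xcu (not taken from the thread).
SAMPLE_XCU = """<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>2</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="HyperlinksWithCtrlClick" oor:op="fuse"><value>true</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="BlockUntrustedRefererLinks" oor:op="fuse"><value>false</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Passwords"><prop oor:name="UseStorage" oor:op="fuse"><value>true</value></prop></item>
</oor:items>
"""

# Assumed hardening targets for the settings discussed in the thread.
EXPECTED = {
    "MacroSecurityLevel": "3",             # assumed numeric value for "Very high"
    "HyperlinksWithCtrlClick": "true",     # require Ctrl+click to follow links
    "BlockUntrustedRefererLinks": "true",  # block linked images from untrusted sources
    "UseStorage": "false",                 # do not keep credentials in the password store
}

def read_settings(xcu_text):
    """Return {property name: value} for the audited properties present in the file."""
    root = ET.fromstring(xcu_text)
    found = {}
    for item in root.iter("item"):
        for prop in item.findall("prop"):
            name = prop.get(OOR + "name")
            value = prop.find("value")
            if name in EXPECTED and value is not None:
                found[name] = (value.text or "").strip()
    return found

def audit(xcu_text):
    """Return (name, current, expected) for every setting that differs from EXPECTED."""
    found = read_settings(xcu_text)
    findings = []
    for name, want in EXPECTED.items():
        # The file only records modifications, so an absent property means
        # the LibreOffice default is in effect; it is reported as "unset".
        have = found.get(name, "unset")
        if have != want:
            findings.append((name, have, want))
    return findings

if __name__ == "__main__":
    for name, have, want in audit(SAMPLE_XCU):
        print(f"{name}: {have} (expected {want})")
```

To check a real profile, pass the contents of its registrymodifications.xcu to `audit()` in place of the sample.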
Published a pre-release / beta version here: https://github.com/securitywithoutborders/hardentools/releases/tag/v2.6-beta @Dyras, @einsteinsfool Would be very nice if you could do some testing and provide me feedback.
Greetings! I just discovered this excellent program and I propose you harden LibreOffice as well. It's popular for us poor poor students after all.
PS: There's a spelling error on the description for this program
It should say "a utility" since utility is pronounced "youtility"