{"id":52034,"date":"2024-08-26T11:14:39","date_gmt":"2024-08-26T15:14:39","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=52034"},"modified":"2024-08-26T11:14:39","modified_gmt":"2024-08-26T15:14:39","slug":"secure-libreoffice-configuration-for-organizations","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/secure-libreoffice-configuration-for-organizations\/52034\/","title":{"rendered":"Safe use of LibreOffice"},"content":{"rendered":"<p>The aggressive <a href=\"https:\/\/www.tomsguide.com\/computing\/laptops\/microsoft-recall-gets-a-total-recall-so-whats-the-point-of-copilot-pcs-again\" target=\"_blank\" rel=\"noopener nofollow\">introduction of AI in Microsoft products<\/a>, geopolitical tensions, and a <a href=\"https:\/\/www.lawfaremedia.org\/article\/csrb-lashes-microsoft-s-cascade-of-security-failures-supply-chain-compromises\" target=\"_blank\" rel=\"noopener nofollow\">series of cybersecurity incidents<\/a> involving the Redmond giant are pushing many organizations worldwide to switch to open-source alternatives to Windows and Office. To replace the latter, both <a href=\"https:\/\/www.openoffice.org\/\" target=\"_blank\" rel=\"noopener nofollow\">OpenOffice<\/a> and its offshoot <a href=\"https:\/\/www.libreoffice.org\/\" target=\"_blank\" rel=\"noopener nofollow\">LibreOffice<\/a> are very popular. They\u2019re available on all major platforms \u2014 including Linux, offer functionality comparable to MS Office, and come with the licenses suitable for large companies.<\/p>\n<p>Due to their similarity to MS Office, the risks associated with using these suites are also similar: software vulnerabilities or unsecure settings can result in the execution of malicious code on the computer, or stealthily redirect the user to phishing links. 
And these threats aren\u2019t mere theory \u2014 malicious documents in <a href=\"https:\/\/www.ghacks.net\/2022\/07\/19\/opendocument-text-files-odt-malware-campaign-discovered\/\" target=\"_blank\" rel=\"noopener nofollow\">.odt files<\/a> and other \u201copen\u201d document formats have been <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/under-detected-odt-files-deliver-common-remote-access-trojans\/\" target=\"_blank\" rel=\"noopener nofollow\">encountered in the wild<\/a>. To mitigate these risks, the German Federal Office for Information Security (<a href=\"https:\/\/www.bsi.bund.de\/EN\/Home\/home_node.html\" target=\"_blank\" rel=\"noopener nofollow\">BSI<\/a>) has issued <a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Unternehmen-und-Organisationen\/Informationen-und-Empfehlungen\/Freie-Software\/Sicherheit_LibreOffice\/Sicherheit_LibreOffice_node.html\" target=\"_blank\" rel=\"noopener nofollow\">public recommendations<\/a> for secure LibreOffice settings. Let\u2019s look together at the most important ones when using LibreOffice in organizations.<\/p>\n<h2>Configuration tips<\/h2>\n<p>The tips below apply to safe setup of LibreOffice on Linux, MacOS, or Windows in a managed corporate environment (through group policies and other centralized control tools). The tips concern the Writer, Calc, Impress, Base, Math, and Draw components of version 7.2.x. 
The recommended settings are based on the following considerations:<\/p>\n<ul>\n<li>The end user should make the fewest possible decisions affecting security.<\/li>\n<li>The functionality of the application should not be significantly reduced.<\/li>\n<li>Unnecessary features should be deactivated to reduce the attack surface.<\/li>\n<li>Whenever possible, transfer of data from the product to the manufacturer should be disabled.<\/li>\n<li>External cloud services should be avoided unless they\u2019re necessary for the organization\u2019s business processes.<\/li>\n<\/ul>\n<h2>Configuration storage<\/h2>\n<p>LibreOffice settings can be modified by the administrator or by the user. Initial administrative settings are stored in the LibreOffice folder. On all platforms, the settings are applied as XML files (settings.xml), but they can also be stored in platform-specific formats (registry in Windows, dconf in Linux). For medium and large organizations, XML is recommended.<\/p>\n<p>If a setting shouldn\u2019t be modified by users, it can be marked as <em>finalized<\/em> in the administrator settings.<br>\nFor example, below is a settings snippet that disables saving the document-author information (the <em>RemovePersonalInfoOnSaving<\/em> setting in the group <em>org.openoffice.Office.Common\/Security\/Scripting<\/em>) and prohibits changing this setting:<\/p>\n<p><code>&lt;item oor:path=\"\/org.openoffice.Office.Common\/Security\/Scripting\"&gt;<\/code><br>\n<code>&lt;prop oor:name=\"RemovePersonalInfoOnSaving\" oor:finalized=\"true\" oor:op=\"fuse\" oor:type=\"xs:boolean\"&gt;<\/code><br>\n<code>&lt;value&gt;true&lt;\/value&gt;<\/code><br>\n<code>&lt;\/prop&gt;<\/code><br>\n<code>&lt;\/item&gt;<\/code><\/p>\n<p>Folders for administrative settings (in version 7.2) are listed below:<\/p>\n<ul>\n<li>Linux: <em>\/opt\/libreoffice7.2\/share\/registry\/res<\/em><\/li>\n<li>MacOS: 
<em>\/Applications\/LibreOffice.app\/Contents\/Resources\/registry\/res<\/em><\/li>\n<li>Windows: <em>C:\\Program Files\\LibreOffice\\share\\registry\\res<\/em><\/li>\n<\/ul>\n<h2>Settings to change<\/h2>\n<p>Many of LibreOffice\u2019s settings are secure by default. Here, we\u2019ll focus on those that need to be tightened.<\/p>\n<h3>Macro execution<\/h3>\n<p>By default, any signed macros are executed, so this setting must be tightened to the max \u2014 allowing only macros from trusted folders to be executed. So in the group <em>org.openoffice.Office.Common\/Security\/Scripting<\/em>, set the <em>MacroSecurityLevel<\/em> to <em>3<\/em>:<\/p>\n<p><code>&lt;prop oor:name=\"MacroSecurityLevel\" oor:finalized=\"true\" oor:op=\"fuse\" oor:type=\"xs:int\"&gt;<\/code><br>\n<code>&lt;value&gt;3&lt;\/value&gt;<\/code><br>\n<code>&lt;\/prop&gt;<\/code><\/p>\n<p>To disable macros entirely, set the <em>DisableMacrosExecution<\/em> option from the same group to <em>true<\/em> with the <em>finalized<\/em> tag.<\/p>\n<h3>Trusted folders<\/h3>\n<p>By default, LibreOffice updates the list of trusted folders based on user activity \u2014 often including folders like Downloads. To clearly set trusted document storage locations, list them in the <em>SecureURL<\/em> option. The list can be left empty.<\/p>\n<p><code>&lt;item oor:path=\"\/org.openoffice.Office.Common\/Security\/Scripting\"&gt;<\/code><br>\n<code>&lt;prop oor:name=\"SecureURL\" oor:finalized=\"true\" oor:op=\"fuse\" oor:type=\"oor:string-list\"\/&gt;<\/code><br>\n<code>&lt;\/item&gt;<\/code><\/p>\n<h3>Loading external images<\/h3>\n<p>Images from external sources can be embedded into documents. 
This creates significant risks of phishing and vulnerability exploitation, so this option should be disabled: set <em>BlockUntrustedRefererLinks<\/em> to <em>true<\/em> with the <em>finalized<\/em> tag in the <em>\/org.openoffice.Office.Common\/Security\/Scripting<\/em> group.<\/p>\n<h3>Updating linked data<\/h3>\n<p>Linked content loaded in Calc can also be malicious, so updates should be blocked by setting the <em>Link<\/em> option to <em>1+finalized<\/em> in the <em>\/org.openoffice.Office.Calc\/Content\/Update<\/em> group.<\/p>\n<p>The corresponding setting in Writer has different numeric values for some reason; block it by setting <em>Link<\/em> to <em>0+finalized<\/em> in <em>\/org.openoffice.Office.Writer\/Content\/Update<\/em>.<\/p>\n<h3>Exotic files<\/h3>\n<p>To disable loading of Abiword, Hangul Office, StarOffice XML, and other irrelevant formats, set <em>LoadExoticFileFormats<\/em> to <em>0<\/em> in the <em>\/org.openoffice.Office.Common\/Security<\/em> group.<\/p>\n<p>Additionally, any of the 100+ supported file formats can be blocked by setting the <em>Enabled<\/em> option to <em>false+finalized<\/em> for any format in the group<br>\n<em>\/org.openoffice.TypeDetection.Filter\/Filters\/org.openoffice.TypeDetection.Filter:Filter['NAME']<\/em>.<br>\nReplace <em>NAME<\/em> with the name of the format to be blocked.<\/p>\n<h3>System authentication<\/h3>\n<p>LibreOffice applications can automatically access external URLs using the credentials of the current user, potentially leading to credential leakage. 
To disable this behavior, set an empty list in the <em>AuthenticateUsingSystemCredentials<\/em> option:<\/p>\n<p><code>&lt;item oor:path=\"\/org.openoffice.Office.Common\/Passwords\"&gt;<\/code><br>\n<code>&lt;prop oor:name=\"AuthenticateUsingSystemCredentials\" oor:finalized=\"true\" oor:op=\"fuse\" oor:type=\"oor:string-list\"\/&gt;<\/code><br>\n<code>&lt;\/item&gt;<\/code><\/p>\n<h3>Installing extensions<\/h3>\n<p>It\u2019s recommended to disable user installation of extensions and allow extensions to be added only centrally through administrator privileges: set <em>DisableExtensionInstallation<\/em> to <em>true+finalized<\/em> in the <em>\/org.openoffice.Office.ExtensionManager\/ExtensionSecurity<\/em> group.<\/p>\n<p>To centralize the removal of extensions and prevent users from removing them manually, set <em>DisableExtensionRemoval<\/em> to <em>true+finalized<\/em> in the same group.<\/p>\n<h3>Updates<\/h3>\n<p>LibreOffice applications automatically check for updates, and prompt the user to install them. If updates and patches are managed centrally within the organization, this option can be disabled by setting <em>AutoCheckEnabled<\/em> to <em>false+finalized<\/em> in the <em>\/org.openoffice.Office.Jobs\/Jobs\/org.openoffice.Office.Jobs:Job['UpdateCheck']\/Arguments<\/em> group.<\/p>\n<h3>Installation of fonts, language packs, and databases (Linux only)<\/h3>\n<p>Although these additions may seem harmless, for security reasons, automatic installation should be disabled. 
Set the <em>EnableFontInstallation<\/em>, <em>EnableLangpackInstallation<\/em>, and <em>EnableBaseInstallation<\/em> options to <em>false+finalized<\/em> in the <em>\/org.openoffice.Office.Common\/PackageKit<\/em> group.<\/p>\n<h3>Disable telemetry<\/h3>\n<p>Set the <em>CollectUsageInformation<\/em> and <em>CrashReport<\/em> options to <em>false+finalized<\/em> in the <em>\/org.openoffice.Office.Common\/Misc<\/em> group.<\/p>\n<h3>Document-signing certificates (Linux only)<\/h3>\n<p>By default, any folder can be chosen for the NSS database, which stores certificates. This isn\u2019t secure and can lead to certificate leaks from uncontrolled locations. The administrator should specify a storage location designated by the organization using the <em>CertDir<\/em> option:<\/p>\n<p><code>&lt;item oor:path=\"\/org.openoffice.Office.Common\/Security\/Scripting\"&gt;<\/code><br>\n<code>&lt;prop oor:name=\"CertDir\" oor:op=\"fuse\" oor:type=\"xs:string\"\/&gt;<\/code><br>\n<code>&lt;\/item&gt;<\/code><\/p>\n<h3>Removing personal data (document author data)<\/h3>\n<p>If document distribution cannot be controlled, author data often needs to be hidden. 
To make LibreOffice remove this data when saving a document, add the <em>RemovePersonalInfoOnSaving<\/em> setting (<em>true+finalized<\/em>) in the <em>\/org.openoffice.Office.Common\/Security\/Scripting<\/em> group.<\/p>\n<p>This mode makes it more complicated to collaborate on a document as it\u2019s harder to identify the author of any changes, so it\u2019s not suitable for all organizational roles.<\/p>\n<p>BSI also recommends disabling the saving of full PGP keys in signed documents, as they also contain the author\u2019s personal data: set <em>MinimalKeyExport<\/em> to <em>true+finalized<\/em> in the <em>\/org.openoffice.Office.Common\/Security\/OpenPGP<\/em> group.<\/p>\n<h2>Settings to lock<\/h2>\n<p>These settings are secure by default, but users should be prevented from changing them by adding the <em>finalized<\/em> attribute.<\/p>\n<table>\n<tbody>\n<tr>\n<td width=\"415\"><strong>Group name<\/strong><\/td>\n<td width=\"170\"><strong>Setting name<\/strong><\/td>\n<td width=\"60\"><strong>Value<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"415\">\/org.openoffice.Inet\/Settings<\/td>\n<td width=\"170\">ooInetProxyType<\/td>\n<td width=\"60\">1<\/td>\n<\/tr>\n<tr>\n<td width=\"415\">\/org.openoffice.Office.Common\/Security\/Scripting<\/td>\n<td width=\"170\">HyperlinksWithCtrlClick<\/td>\n<td width=\"60\">true<\/td>\n<\/tr>\n<tr>\n<td width=\"415\">\/org.openoffice.Office.Security\/Hyperlinks<\/td>\n<td width=\"170\">Open<\/td>\n<td width=\"60\">1<\/td>\n<\/tr>\n<tr>\n<td width=\"415\">\/org.openoffice.Office.Common\/Security\/Scripting<\/td>\n<td width=\"170\">CheckDocumentEvents<\/td>\n<td width=\"60\">true<\/td>\n<\/tr>\n<tr>\n<td width=\"415\">\/org.openoffice.Office.Common\/Passwords<\/td>\n<td width=\"170\">UseStorage<\/td>\n<td width=\"60\">false<\/td>\n<\/tr>\n<tr>\n<td width=\"415\">\/org.openoffice.Office.Common\/Passwords<\/td>\n<td width=\"170\">TrySystemCredentialsFirst<\/td>\n<td width=\"60\">false<\/td>\n<\/tr>\n<tr>\n<td 
width=\"415\">\/org.openoffice.Office.Jobs\/Jobs\/org.openoffice.Office.Jobs:Job['UpdateCheck']\/Arguments<\/td>\n<td width=\"170\">ExtendedUserAgent<\/td>\n<td width=\"60\">false<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Additional protective layers<\/h2>\n<p>On any platform, users may encounter targeted cyberattacks and malicious documents. Therefore, secure OS and office suite settings should be complemented by a comprehensive set of layered defense measures:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/types-of-two-factor-authentication\/48446\/\" target=\"_blank\" rel=\"noopener nofollow\">Multi-factor authentication<\/a><\/li>\n<li>Centralized access rights management<\/li>\n<li>Mandatory <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener nofollow\">EDR<\/a> agent on all workstations and servers<\/li>\n<li>Centralized <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/unified-monitoring-and-analysis-platform?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">security event monitoring<\/a> using SIEM, or preferably <a href=\"https:\/\/www.kaspersky.com\/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27\" target=\"_blank\" rel=\"noopener nofollow\">XDR<\/a> solutions.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A guide to securely setting up the free office suite for organizations. 
<\/p>\n","protected":false},"author":2722,"featured_media":52035,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[932,43,3735,835,131,268,2378],"class_list":{"0":"post-52034","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-office","11":"tag-privacy","12":"tag-remote-work","13":"tag-settings","14":"tag-tips","15":"tag-vulnerabilities","16":"tag-workplace"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-libreoffice-configuration-for-organizations\/52034\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/secure-libreoffice-configuration-for-organizations\/38094\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/secure-libreoffice-configuration-for-organizations\/28211\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/office\/","name":"office"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52034","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2722"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=52034"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52034\/revisions"}],"predecessor-version":[{"id":52038,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/52034\/revisions\/52038"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/52035"}],"wp:attachment":[{"href"
:"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=52034"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=52034"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=52034"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}