Best Practice to Sanitize a Word Doc

Topic

New Reply

1. What’s the best security practice to desensitize and sanitize a Word-based document such as an Affidavit and an investigation report?
2. What data should be removed from the document before clearing for transmission?
3. Is it better off producing a duplicate with sensitive data removed instead of sending the original copy?.
4. How to prevent readers from viewing the comments in Word documents?
5. How safe is Word’s Protect Document feature?
6. How safe is to transmit Word document in PDF format?
7. Is there any standard procedure available on the internet?

Please kindly share your experience with us. Thanks.

Armstrong

Reply | Quote

Replies

You can remove personal information by ticking “Remove personal information on save” in the Security tab of Tools | Options (in Word 2002/2003, I don’t know what the equivalent in Word 2007 is).

This won’t remove comments, but it will remove the name of the author of comments.
Word’s default document protection is easily hacked.

Others will have to answer your other questions.

Reply | Quote

1. What’s the best security practice to desensitize and sanitize a Word-based document such as an Affidavit and an investigation report?
2. What data should be removed from the document before clearing for transmission?
3. Is it better off producing a duplicate with sensitive data removed instead of sending the original copy?.
4. How to prevent readers from viewing the comments in Word documents?
5. How safe is Word’s Protect Document feature?
6. How safe is to transmit Word document in PDF format?
7. Is there any standard procedure available on the internet?

You have asked a lot of questions here, and none of them has a simple answer. Especially as you haven’t made clear exactly what you need to do with these Word documents.

[*]This question cannot be answered. For maximum security you could format and shred the hard drive that had a copy of the word document, but I suspect you want something a bit less extreme than this so the answer then depends on what data you need to preserve and what you want to get rid of.
[*]This is a business question, not a technical one. In general Word is not a suitable format for sharing with people that you do not completely trust, you could print the documents and send hard copies, or at least convert to a format such as PDF. Another alternative is to set the check box under Tools > Options > Security that is marked “Remove personal information from file properties on save”.
[*]Do not send Word documents to people you don’t completely trust, it is too hard to remove sensitive data.
[*]The only way to prevent people from viewing comments is to delete them, but again I would suggest that you don’t send them Word documents that have had comments in since it is so hard to be sure that there are no remnants of the comments in the file metadata.
[*]In recent versions of Word, the password to open a document uses fairly secure encryption algorithms . You need to make sure that you have specified a mode that uses decent encryption, and is therefore not compatible with older versions of Word, and you must use a strong password (not in a dictionary, upper and lower case and numbers and punctuation marks, at least 12 characters long etc.).
[*]Converting Word to PDF is a good idea if you want to make sure you don’t accidentally send any metadata with the document.
[*]I don’t know of a standard procedure, it all depends on how much you want to spend, how much time you have, how sensitive your data is. In an extreme case you could even get someone to completely retype your documents on a clean computer and send documents from there. There are many articles on the web, and quite a few of them (like this one) are based on old articles from Woody’s Office Watch.

Reply | Quote

You have asked a lot of questions here, and none of them has a simple answer. Especially as you haven’t made clear exactly what you need to do with these Word documents…

Hi StuartR,
Thanks for your thought-provoking feedback. My objective here is learn about the practical Word security practice actually implemented on a daily basis. It must be simple to run. That’s, what would most corporates and attorneys would do when sending out Word documents?
Some of your descriptions appear to be highly speculative/theorectical and, thus, unhelpful.
Thank you for pointing me to a very useful URL http://addbalance.com/usersguide/metadata.htm.
Thanks.

Regards,
Armstrong

Reply | Quote

My objective here is learn about the practical Word security practice actually implemented on a daily basis. It must be simple to run.

I regularly have to provide documents to other organizations. I never send Word documents, but always convert them to PDF first. I have a standard set of Acrobat settings that ensures I don’t convert comments etc.

On the rare occasion when I do have to send editable Word documents I set the Security option to “Remove personal information …” and save the document as an .RTF file.

Reply | Quote

Hi StuartR,
Thanks for your sharing your Word doc security with us.
My Word 2007 security procedure:
1. Proof the doc.
2. Check all bookmarks and values in field codes.
3. Create a duplicate.
4. Microsoft Office | Prepare | Inspect Document, select all options, click “Inspect”. Remove all.
5. Save the duplicate in PDF.
6. Password the PDF.

If you find any vulnerability in the above procedure, please share with us.
Thanks a lot.

Armstrong

Reply | Quote

5. How safe is Word’s Protect Document feature?

However, for future reference, in Word 97-2003 the protection applied using Tools > Protect Document is quite fragile. For example, it will not survive a Save As to RTF format. So while it is useful to prevent errors (such as destroying a form) or to encourage use of reviewing tools (such as track changes), it certainly is not a guarantee that users cannot work around those features.

I am not sure whether Word 2007 has changed anything in this regard. Unless the protection blocks re-saving the document in RTF format, I suspect not.

Reply | Quote