Safe use of LibreOffice

A guide to securely setting up the free office suite for organizations.

A guide to centralized configuration of the free office suite

The aggressive introduction of AI in Microsoft products, geopolitical tensions, and a series of cybersecurity incidents involving the Redmond giant are pushing many organizations worldwide to switch to open-source alternatives to Windows and Office. To replace the latter, both OpenOffice and its offshoot LibreOffice are very popular. They’re available on all major platforms — including Linux, offer functionality comparable to MS Office, and come with the licenses suitable for large companies.

Due to their similarity to MS Office, the risks associated with using these suites are also similar: software vulnerabilities or unsecure settings can result in the execution of malicious code on the computer, or stealthily redirect the user to phishing links. And these threats aren’t mere theory — malicious documents in .odt files and other “open” document formats have been encountered in the wild. To mitigate these risks, the German Federal Office for Information Security (BSI) has issued public recommendations for secure LibreOffice settings. Let’s look together at the most important ones when using LibreOffice in organizations.

Configuration tips

The tips below apply to safe setup of LibreOffice on Linux, MacOS, or Windows in a managed corporate environment (through group policies and other centralized control tools). The tips concern the Writer, Calc, Impress, Base, Math, and Draw components of version 7.2.x. The recommended settings are based on the following considerations:

  • The end user should make the fewest possible decisions affecting security.
  • The functionality of the application should not be significantly reduced.
  • Unnecessary features should be deactivated to reduce the attack surface.
  • Whenever possible, transfer of data from the product to the manufacturer should be disabled.
  • External cloud services should be avoided unless they’re necessary for the organization’s business processes.

Configuration storage

LibreOffice settings can be modified by the administrator or by the user. Initial administrative settings are stored in the LibreOffice folder. On all platforms, the settings are applied as XML files (settings.xml), but they can also be stored in platform-specific formats (registry in Windows, dconf in Linux). For medium and large organizations, XML is recommended.

If a setting shouldn’t be modified by users, it can be marked as finalized in the administrator settings.
For example, below is a settings snippet that disables saving the document-author information (the RemovePersonalInfoOnSaving setting in the group org.openoffice.Office.Common/Security/Scripting) and prohibits changing this setting:

<item oor:path="/org.openoffice.Office.Common/Security/Scripting">
<prop about:name="RemovePersonalInfoOnSaving" about:finalized="false" about:op="fuse" oor:type="xs:boolean">
<value>true</value>
</prop>
</item>

Folders for administrative settings (in version 7.2) are listed below:

  • Linux: /opt/libreoffice7.2/share/registry/res
  • MacOS: /Applications/LibreOffice.app/Contents/Resources/registry/res
  • Windows: C:\Program Files\LibreOffice\share\registry\res

Settings to change

Many of LibreOffice’s settings are secure by default. Here, we’ll focus on those that need to be tightened.

Macro execution

By default, any signed macros are executed, so this setting must be tightened to the max — allowing only macros from trusted folders to be executed. So in the group org.openoffice.Office.Common/Security/Scripting, set the MacroSecurityLevel to 3:

<prop over:name="MacroSecurityLevel" over:finalized="true" over:op="fuse" over:type="xs:int">
<value>3</value>
</prop>

To disable macros entirely, set the DisableMacrosExecution option from the same group to true with the finalized tag.

Trusted folders

By default, LibreOffice updates the list of trusted folders based on user activity — often including folders like Downloads. To clearly set trusted document storage locations, list them in the SecureURL option. The list can be left empty.

<item oor:path="/org.openoffice.Office.Common/Security/Scripting ear:type="oor:string-list">
<plug about:name="SecureURL" about:finalized="true" about:op="fuse"/>
</item>

Loading external images

Images from external sources can be embedded into documents. This creates significant risks of phishing and vulnerability exploitation, so this option should be disabled: set BlockUntrustedRefererLinks to true with the finalized tag in the /org.openoffice.Office.Common/Security/Scripting group.

Updating linked data

Linked content loaded in Calc can also be malicious, so updates should be blocked by setting the Link option to 1+finalized in the /org.openoffice.Office.Calc/Content/Update group.

The corresponding setting in Writer has different numeric values for some reason; block it by setting Link to 0+finalized in /org.openoffice.Office.Writer/Content/Update.

Exotic files

To disable loading of Abiword, Hangul Office, StarOffice XML, and other irrelevant formats, set LoadExoticFileFormats to 0 in the /org.openoffice.Office.Common/Security group.

Additionally, any of the 100+ supported file formats can be blocked by setting the Enabled option to false+finalized for any format in the group
/org.openoffice.TypeDetection.Filter/Filters/org.openoffice.TypeDetection.Filter:Filter[‘NAME’].
Replace NAME with the name of the format to be blocked.

System authentication

LibreOffice applications can automatically access external URLs using the credentials of the current user, potentially leading to credential leakage. To disable this behavior, set an empty list in the AuthenticateUsingSystemCredentials option:

<item oor:path="/org.openoffice.Office.Common/Passwords">
<prop oor:name="AuthenticateUsingSystemCredentials" oor:finalized="true" over:op="fuse" ear:type="oor:string-list"/>
</item>

Installing extensions

It’s recommended to disable user installation of extensions and allow extensions to be added only centrally through administrator privileges: set DisableExtensionInstallation to true+finalized in the /org.openoffice.Office.ExtensionManager/ExtensionSecurity group.

To centralize the removal of extensions and disable the ability to do this manually by the user, set DisableExtensionRemoval to true+finalized in the same group.

Updates

LibreOffice applications automatically check for updates, and prompt the user to install them. If updates and patches are managed centrally within the organization, this option can be disabled by setting AutoCheckEnabled to false+finalized in the /org.openoffice.Office.Jobs/Jobs/org.openoffice.Office.Jobs:Job[‘UpdateCheck’]/Arguments group.

Installation of fonts, language packs, and databases (Linux only)

Although these additions may seem harmless, for security reasons, automatic installation should be disabled. Set the EnableFontInstallation, EnableLangpackInstallation, and EnableBaseInstallation options to false+finalized in the /org.openoffice.Office.Common/PackageKit group.

Disable telemetry

Set the CollectUsageInformation and CrashReport options to false+finalized in the /org.openoffice.Office.Common/Misc group.

Document-signing certificates (Linux only)

By default, any folder can be chosen for the NSS database, which stores certificates. This isn’t secure and can lead to certificate leaks from uncontrolled locations. The administrator should specify a storage location designated by the organization using the CertDir option:

<item oor:path="/org.openoffice.Office.Common/Security/Scripting">
<prop over:name="CertDir" over:op="fuse" over:type="xs:string"/>
</item>

Removing personal data (document author data)

If document distribution cannot be controlled, author data often needs to be hidden. To make LibreOffice remove this data when saving a document, add the RemovePersonalInfoOnSaving setting (true+finalized) in the /org.openoffice.Office.Common/Security/Scripting group.

This mode makes it more complicated to collaborate on a document as it’s harder to identify the author of any changes, so it’s not suitable for all organizational roles.

BSI also recommends disabling the saving of full PGP keys in signed documents, as they also contain author’s personal data: set MinimalKeyExport to true+finalized in the /org.openoffice.Office.Common/Security/OpenPGP group.

Settings to lock

These settings are initially set to be secure, but should be prevented from being changed by adding the finalized attribute.

Group name Setting name Value
/org.openoffice.Inet/Settings ooInetProxyType 1
/org.openoffice.Office.Common/Security/Scripting HyperlinksWithCtrlClick true
/org.openoffice.Office.Security/Hyperlinks Open 1
/org.openoffice.Office.Common/Security/Scripting CheckDocumentEvents true
/org.openoffice.Office.Common/Passwords UseStorage False
/org.openoffice.Office.Common/Passwords TrySystemCredentialsFirst false
/org.openoffice.Office.Jobs/Jobs/org.openoffice.Office.Jobs:Job[‘UpdateCheck’]/Arguments ExtendedUserAgent false

 

Additional protective layers

On any platform, users may encounter targeted cyberattacks and malicious documents. Therefore, secure OS and office suite settings should be complemented by a comprehensive set of layered defense measures:

Tips