Description: German authorities have published recommended changes of security settings for LibreOffice at https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Freie-Software/Sicherheit_LibreOffice/Sicherheit_LibreOffice_node.html (You may have to switch to the English language, and even then some details may be in German only.)

Would it be possible to present a check box in the installer that (unless unchecked) makes all those settings active?

Steps to Reproduce: Not possible; I'm suggesting a new feature for the LibreOffice installer.

Actual Results: The current installer sets up LibreOffice in a way that may not be optimally secure; according to the German government this can be improved.

Expected Results: Everyone who installs LibreOffice will have the German security settings applied, unless they uncheck the "apply German recommended security settings" check box.

Reproducible: Always

User Profile Reset: No

Additional Info: There was an item about this German development on the Dutch forum Security.nl (in Dutch): https://www.security.nl/posting/852952/Duitse+overheid+publiceert+%27veilige+configuraties%27+voor+LibreOffice?channel=rss
I'll attempt to summarize the settings that the German Bundesamt fuer Sicherheit in der Informationstechnik suggests changing from their current defaults.

RemovePersonalInfoOnSaving: change from Deactivated to Activated (reason: the author can accidentally store personal information in the document)

BlockUntrustedRefererLinks: change from Deactivated to Activated (reason: inadvertent disclosure of user's IP address and time of opening of the document, used office software package. May also reload malicious content)

MacroSecurityLevel: change from High to Very high (reason: macros should only be run when document is from a trusted source)

SecureURL: optionally change from Empty to List of paths with limited write permission (reason: related to MacroSecurityLevel)

CertDir: optionally change from Empty to NSS store of the user (to enable signing of documents)

TSAURLs: change from Empty to https://zeitstempel.dfn.de, https://freetsa.org/tsr (reason: without a time-stamp-service it is not possible to sign PDF documents with time stamp. I hope I got that one correct/PK)

Link (Calc): (refresh linked data(?)) change from On request to Never (Linking documents is a security risk. Untrusted documents could automatically import data from other documents, store that and consequently disclose it)

Link (Writer): (refresh linked data (?)) change from Always to Never (Linking documents is a security risk. Untrusted documents could automatically import data from other documents, store that and consequently disclose it)

CheckInterval: change from Weekly to daily (For important security updates an interval of 7 days delays installation of updates unnecessarily)

CrashReport: change from Active to Inactive (Working memory can contain sensitive information that should not be embedded in a crash report)

The full document can be found at https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/Webs/ACS/DE/BSI-CS/BSI-CS_147.pdf?__blob=publicationFile&v=6
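One way to check an existing user profile against four of the settings summarized above, as an added example that is not part of the original report or of LibreOffice's own code. It reads only the user layer (registrymodifications.xcu), treats a setting missing from that file as still being at the default listed above, and matches properties by name. The on-disk encodings (true/false, 2 = High, 3 = Very high) and the oor:path values in the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET

OOR = "{http://openoffice.org/2001/registry}"  # namespace of the oor:name attribute

# name -> (default per the summary above, recommended value); encodings are assumed
RECOMMENDED = {
    "RemovePersonalInfoOnSaving": ("false", "true"),
    "BlockUntrustedRefererLinks": ("false", "true"),
    "MacroSecurityLevel": ("2", "3"),  # assumed: 2 = High, 3 = Very high
    "CrashReport": ("true", "false"),
}

def effective_settings(xcu_text):
    """Return {name: value}; a prop absent from the file keeps its default."""
    values = {name: default for name, (default, _) in RECOMMENDED.items()}
    root = ET.fromstring(xcu_text)
    for prop in root.iter("prop"):
        name = prop.get(OOR + "name")
        value = prop.find("value")
        if name in values and value is not None and value.text is not None:
            values[name] = value.text.strip()
    return values

def audit(xcu_text):
    """Return sorted (name, current, recommended) tuples for deviating settings."""
    current = effective_settings(xcu_text)
    return sorted((name, current[name], rec)
                  for name, (_, rec) in RECOMMENDED.items()
                  if current[name] != rec)

# Constructed sample profile: two settings hardened, CrashReport left on,
# BlockUntrustedRefererLinks never written (so the default applies).
SAMPLE_XCU = """<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="MacroSecurityLevel" oor:op="fuse"><value>3</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Security/Scripting"><prop oor:name="RemovePersonalInfoOnSaving" oor:op="fuse"><value>true</value></prop></item>
<item oor:path="/org.openoffice.Office.Common/Misc"><prop oor:name="CrashReport" oor:op="fuse"><value>true</value></prop></item>
</oor:items>"""

if __name__ == "__main__":
    for name, current, recommended in audit(SAMPLE_XCU):
        print(f"{name}: is {current}, recommended {recommended}")
```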