1

On a Windows Server 2003 machine, an ASP.NET web application needs to convert Word documents to PDF. For that functionality, developers were asking to install MS Office 2007 on our Windows Server 2003. My boss said no, because installing MS Office on a server will make it more vulnerable to security issues, and it would be a worry to keep it updated with the latest patches for MS Office.

Do you think that is true?

Delmonte

2 Answers

2

It's not so black and white.

Technically you are increasing your risk by adding services and applications that can be compromised. And you do need to patch the Office installations, so it does add overhead. If you want to counter the assessment, then you probably need to do a risk assessment yourself and present the findings and mitigations. Be sure to weigh the value of the request against the risk/impact of having those items installed.

Examples of how to mitigate some of the risk.

  1. If the server is internal, your risk of being compromised is less than if it is exposed to the internet.
  2. You can restrict access to the bits by locking down which accounts can run the applications or access the DLLs, etc. This lowers the risk that a random domain user account can access and exploit the application.
  3. Along with item 2, if feasible you could also restrict the server to communicating only with certain IPs, subnets, etc.

This assumes other things like the server is already running in least privileged mode and hardened appropriately, you are using Defense in Depth, etc.

Jesus Shelby

1

Yes, it's true.

Every bit of software you install on a server increases the number of potential attack vectors on that server. And Office is a particularly huge, bloated suite of applications that comes with a lot of security patches and updates and exploits.

MS Office is very handy to have on your workstation, but you should never install Office on a server. If you absolutely have to for your business to function, then make sure you install only the parts of it that you absolutely need.

Ryan Ries