Topics in this chapter   Protecting Office Documents     Running Office in a Secure Environment     Office Macro Security Settings     Security Settings and Related System Policies     Microsoft Office Tools on the Web Security Scenarios

Office Macro Security Settings

This topic discusses macro security settings for Microsoft Word, Microsoft Excel, Microsoft PowerPoint, and Microsoft Outlook. All macro security settings are the same for these applications. Even though macro security is the same among these applications, a review of how each security setting affects associated features in an application is recommended since disabling an ActiveX control, for example, in Outlook or Excel may limit functionality in each application to different degrees that are acceptable or unacceptable for users.

Macro security depends on a certificate being associated with the application's data file or executable code attached to a document, workbook, presentation, or e-mail message. The validation of this certificate requires legitimate authentication of the author who signed the certificate, and authentication of the digital signature created for the author. Attaching a certificate of authenticity to a file, executable, ActiveX control, dynamic-link library (DLL) file, etc., requires obtaining a certificate from a Certificate Authority such as VeriSign™. For more information about digital signatures and certificates, see Protecting Office Documents.

Use of the term macro also implies ActiveX controls, COM objects, OLE objects, and any executable that can be attached to a document, worksheet, e-mail message, etc., for Word, Excel, or PowerPoint. For Outlook, Microsoft Publisher, and Microsoft FrontPage®, the term macro is explicitly used for macros used by Visual Basic for Applications.

The security settings of Microsoft Internet Explorer are inherited by Microsoft Office applications that make calls to Internet addresses. Each application can optionally instruct the core Internet Explorer components to use different security settings when it makes the call to open the URL if required.

The Outlook Security dialog does not provide a method of setting the Trust all installed add-ins and templates check box in the Trusted Source tab as with other applications.

Anti-virus software

Under all security-setting levels, if anti-virus software compatible with the Microsoft Office 2000 or Microsoft Office XP anti-virus API is installed, and you open a document that contains macros, the anti-virus software scans the document for known viruses.

There are two types of anti-virus software you can use with Office. One type looks at the file as it arrives either from a disk or from over the network; the other type looks at the file whenever the file is opened by an application. Anti-virus software compatible with the Office anti-virus API examines a file when the file is being opened by the application. If the file is found to have a virus, the user is notified prior to the file being activated and displayed in the work area of the application. Virus software compatible with the Office anti-virus API and installed on the computer is noted at the bottom of the Security dialog of the application. If the computer does not have anti-virus software that is compatible with the API, "No virus scanner installed." appears at the bottom of the Security dialog.

Macro security levels in Word, Excel, PowerPoint, and Outlook

The following list summarizes how macro-virus protection reacts to the different types of signed and unsigned macros encountered under each setting. Users can change these settings through the Security Level tab in the Security dialog box (Tools menu, Macro submenu).

In all cases Low security presents no prompt to the user, and macros are allowed to run. Any certificates attached to macros that are run under low security are not posted to the trusted source list for Office applications. Only when security is set to Medium or High, and a user agrees to trust a certificate, will a certificate be added to the trusted source list for Office. This list of security settings does not present the Low Security option since low security is the same for all cases.

• Unsigned macros

  High — Macros are disabled, and the document, workbook, presentation, or e-mail message is opened.

  Medium — User is prompted to enable or disable macros.

• Signed macros from a trusted source with a valid certificate

  High and Medium — Macros are enabled, and the document, workbook, presentation, or e-mail message is opened.

• Signed macros from an unknown source with a valid certificate

  High and Medium— A dialog box appears with information about the certificate. Users must then determine whether they should enable any macros based on the content of the certificate. To enable the macros, users must accept the certificate.

Note   A network administrator can lock the list of trusted sources and prevent a user from adding the certificate to the list, thereby disabling any macros associated with the document, workbook, presentation, or e-mail message.

• Signed macros from any source with an invalid certificate

  High and Medium — User is warned of a possible virus. Macros are disabled.

• Signed macros from any source, in which validation of the certificate is not possible because the public key is missing or an incompatible encryption method was used

  High — User is warned that certificate validation is not possible. Macros are disabled.

  Medium — User is warned that certificate validation is not possible. User is given the option to enable or disable macros.

• Signed macros from any source, in which the macro was signed after the certificate had expired or was revoked by the Certificate Authority

  High — User is warned that the certificate has expired or was revoked. Macros are disabled.

  Medium — User is warned that the certificate has expired or was revoked. User is given the option to enable or disable macros.

Programming-related security issue

Macro security prior to Office XP was not enabled — that is, security was set to Low — by Office applications started by an executable program making a call into the application object. Therefore, any macro would run when an application like Word opened a document and instructed it to run a macro, regardless of whether the macro was trusted or not. To address this issue of low security, a new security method was added to all VBA application objects called AutomationSecurity. This method can be used with the application object for each Office application.

Example:

Application.AutomationSecurity=msoAutomationSecurityLow

The values for use with this method are:

• msoAutomationSecurityLow

  Sets the macro security to Low for this application; macros run without checking their certificate for authenticity.

• msoAutomationSecurityByUI

  Sets the macro security to the same level as currently set in the user interface for the application (as found in the Security dialog).

• msoAutomationSecurityForceDisable

  Sets the macro security level to High; all macros must be from a trusted source in order to run.

For programmers who need to instruct Office applications to open files and run macros, it is recommended they set this method to msoAutomationSecurityByUI prior to opening a file to conform to the security level set for the application by the user. For instances where high security is required, use the msoAutomationSecurityForceDisable to disable the running of any macros.

High Security and Excel 4 (.xlm) macros

If you plan to use Excel 4 macros (.xlm) with Excel 2002, you need to add a registry entry to enable them if you also plan to use High Security. All Office applications are set to High Security by default when installed, unless a lower security level has been specified in a transform (MST file).

This registry entry is necessary because Excel .xlm macros cannot be digitally signed and, therefore, cannot load when High Security is enabled. (High Security requires a macro to be signed with a valid certificate from a trusted source.) Because some Excel add-ins were created using .xlm, you will need to add this registry entry to each user's computer to allow the macros to run. To allow add-ins created from .xlm macros to run as exceptions under High Security in Excel 2002, add the following registry entry to each user's computer using a transform, configuration maintenance file (CMW file), or .reg file:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Excel\Security

Value name: XLM

Data type: DWORD (integer)

Value Data: [ 0 | 1 ]

Creating and setting the XLM registry value to 1 allows users to load .xlm macros. Setting this value to 0 returns Excel 2002 to its default behavior of not allowing .xlm macros to run in High Security.

When this registry entry is added and set to 1, users are warned about .xlm macros when they attempt to open a workbook and are given the option to open the workbook and enable the use of macros. End-users should run a virus check on any .xlm macro before they enable it. Even though .xlm macros are allowed through the High Security check, the High Security feature for all forms of macros (such as VBA macros) is still enabled.

Setting this registry entry allows for automatic and silent disabling of non-signed VBA macros; however, the .xlm macros are evaluated as if Excel was set to Medium Security. The administrator of the machine can force the running of signed and trusted VBA macros, but also allow exceptions for Excel 4 macros. If you set this registry entry, users should be educated about Excel 4 viruses and how they are enabled if a workbook is opened.

Note   Addition of this registry entry provides no indication through the user interface to the end user that the system is running a modified or reduced level of High Security.