6.11. Distribute Security Settings

Changing macro security settings on individual computers is fine for personal use, but it doesn't work well when you need to manage security for an organization. To solve that problem, Microsoft provides the following tools:

  • The Microsoft Office Resource Kit provides the Custom Installation Wizard (CIW), Custom Maintenance Wizard, and Profile Template Wizard that automate the installation and configuration of Microsoft Office across your organization.

  • The Certificate Manager (CertMgr.exe) lets you export, distribute, and install certificates for Trusted Publishers on users' machines.

6.11.1. Use the Install/Maintenance Wizards

The Microsoft Office Resource Kit does not come included with the Microsoft Office product, but is available as a free download from Microsoft (see What about...). Table 6-8 lists the four primary tools that come with the Office Resource Kit.

Table 6-8. Office Resource Kit tools

| Tool | Use to |
| --- | --- |
| Custom Installation Wizard | Create customized installations for your organization. You can remove Office components, add your own components, set default installation paths, and determine Start menu and Desktop items created by Setup. |
| Custom Maintenance Wizard | Deploy changes to Office installations including new components and updates. This is similar to the Installation Wizard, but it is designed for modifying existing installations rather than creating new ones. |
| Removal Wizard | Remove previous versions of Office applications. |
| Profile Wizard | Deploy Office user settings, such as Macro Security settings. |


The basic steps for using the Custom Installation and Custom Maintenance Wizards are the same:

  1. Set up an administrative installation point on your network. This is the location from which Setup will run, and it includes the Windows installer files (.msi) for Office.

  2. Run the Wizard to create a Windows Installer transform (.mst) containing the modifications you wish to make to the Office installation. You can also add components (such as ActiveX controls or SmartTags) to the installation by including their .msi files to create chained installations.

  3. Execute the installation from the client machines using remote administration, instructions to the user, or installation scripts. See Setup.htm on the Office installation CD for information on Setup command-line options and unattended installation.

The Custom Installation and Maintenance Wizards are important to security because they can remove components that might pose security risks for some users. For example, you may choose not to install Visual Basic for Applications and .NET Programmability Support (the Office .NET Primary InterOp Assemblies or PIAs) to impede macros from running at all; that may be an appropriate setting for public workstations, such as those available in libraries.

Use the Profile Wizard to create a file containing the Excel security settings you want to apply to client computers. For example, you may want to make sure all clients use the Very High macro security setting and disable Trust access to VBA projects. To use the Profile Wizard, follow these steps:

  1. Set up a computer with the user settings you want to export to all other clients.

  2. Run the Profile Wizard on that computer and export the settings to copy to other clients. Figure 6-31 shows the Profile Wizard ready to export Excel security user settings.

    Figure 6-31. Exporting user security settings


  3. Run the Profile Template Wizard on client machines using the template exported in Step 2. The wizard can be run from the command line; run proflwiz.exe /? to see the command-line options.

6.11.2. Distribute certificates

If you set macro security settings to Very High, Excel will not prompt the user to install certificates from new publishers. The only way the user can run those macros is to lower the security, reload the document, and select Always trust macros from this publisher. If you are using the Very High security setting, you probably don't want users lowering it, installing certificates, then (maybe) raising it again.

To avoid this problem, you can distribute the certificates from trusted publishers beforehand using the Certificate Manager (CertMgr.exe). The Certificate Manager is available for download from Microsoft (see What about...) and comes with other certificate-related tools such as SignCode.exe.

To use the Certificate Manager to distribute certificates from trusted publishers:

  1. Set up a computer with the certificates you want to distribute.

  2. Run the Certificate Manager (Figure 6-32) and export the desired certificates without their private keys. The Certificate Manager provides a wizard to walk you through the export process.

  3. Use the resulting certificate files (.cer or .p7b) with the command-line interface of the Certificate Manager to install those certificates on client machines.

Figure 6-32. Use the Certificate Manager to export and import certificates from trusted publishers
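
Step 3 of the procedure above, scripted for client machines. This is an added example, not code from the book: the share path, the tool location and the thumbprint are constructed placeholders, and it assumes Excel reads its Trusted Publishers from the Windows TrustedPublisher certificate store. Each exported file is checked against an approved thumbprint list and for expiry before CertMgr.exe installs it.

```powershell
# Added example: pre-install approved publisher certificates with CertMgr.exe.
# The share, tool path and thumbprint below are constructed placeholders.
param(
    [string]$CertDir  = '\\fileserver\office-certs',  # hypothetical export share
    [string]$CertMgr  = 'C:\Tools\CertMgr.exe',       # hypothetical tool location
    [ValidateSet('currentUser', 'localMachine')]
    [string]$Location = 'currentUser'
)

# SHA-1 thumbprints approved out of band (constructed placeholder value).
$Approved = @('0000000000000000000000000000000000000001')

foreach ($file in Get-ChildItem -Path $CertDir -Filter '*.cer') {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName

    # Refuse anything that is not on the allowlist, even if it sits on the share.
    if ($Approved -notcontains $cert.Thumbprint) {
        Write-Warning "Skipping $($file.Name): thumbprint $($cert.Thumbprint) is not approved"
        continue
    }
    # An expired publisher certificate should be re-issued, not distributed.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Skipping $($file.Name): expired $($cert.NotAfter)"
        continue
    }

    # -s selects a system store, -r its registry location. TrustedPublisher is
    # assumed to be the store behind Excel's Trusted Publishers list.
    & $CertMgr -add -c $file.FullName -s -r $Location TrustedPublisher
    if ($LASTEXITCODE -ne 0) {
        Write-Error "CertMgr.exe failed for $($file.Name) (exit code $LASTEXITCODE)"
    }
}

# Confirm what is now trusted on this machine.
$storePath = if ($Location -eq 'localMachine') { 'Cert:\LocalMachine' } else { 'Cert:\CurrentUser' }
Get-ChildItem "$storePath\TrustedPublisher" |
    Select-Object Thumbprint, Subject, NotAfter
```

Installing into localMachine requires administrative rights; currentUser matches what Always trust macros from this publisher does for a single user.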


Alternatively, you can manage certificates using the Microsoft Management Console Certificates snap-in (CertMgr.msc). Figure 6-33 shows the Certificate snap-in administering certificates on a remote computer.

Figure 6-33. Use the Certificate snap-in to administer certificates over the network


6.11.3. What about...

| To learn about | Look here |
| --- | --- |
| Microsoft Office 2003 Resource Kit | www.microsoft.com/office/ork/2003/tools/default.htm |
| Microsoft Office XP Resource Kit | www.microsoft.com/office/ork/xp/default.htm |
| Microsoft Office 2000 Resource Kit | www.microsoft.com/office/ork/2000/default.htm |
| Certificate management and code signing tools | office.microsoft.com/downloads/2000/pvkimprt.aspx |




    Excel 2003 Programming: A Developer's Notebook
    ISBN: 0596007671
    Year: 2004
    Pages: 133
    Authors: Jeff Webb