18.2. Customizing Trust Center Settings

With its macro-writing language Visual Basic for Applications (also known as VBA), Microsoft gave programmers the ability to control just about every aspect of Word, along with the PC's file system. In the right hands, this kind of programming power is marvelous. Programmers created all sorts of fancy applications based on Word, Excel, and other Office programs. Companies like Adobe and Symantec wrote programs so that their products could share information and work smoothly with Word. Unfortunately, troublemakers used the same power to create programs that deleted files, scrambled directories, and stole credit card details. Over the years, Microsoft got boatloads of criticism for the way VBA let evildoers introduce viruses and other malware into unsuspecting computers. So with Office 2007, Microsoft has taken steps to keep macros under control but still let people automate their Word documents.

18.2.1. Protecting Yourself from Malicious Macros

One common security problem is that people often never even know when a macro is running in Word. To introduce a bad program, all the bad guys have to do is email you a Word document. If you open that document, the macro runs, and you're cooked: the malware deletes your files or reads your personal information before you even know it.

To some degree, that scenario has changed with the new file formats .docx and .docm. When a file ends in .docx, you can open it and be confident that it won't run any macros. Filenames that end with an "m" are a signal that the file includes macros. When you open a document that ends in .docm, Word checks to see whether the document comes from a Trusted Publisher. If it doesn't, Word opens the document, but doesn't run any macros unless you specifically choose to allow it (Figure 18-10). Word templates and other Office programs use a similar file naming system: If a file ends with an "m," as in .dotm, then you know the file contains macros.
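The .docx/.docm distinction can also be checked from the file's contents instead of its name, which is useful when triaging attachments. This is an added example, not from the book: the function names and the sample packages are constructed here, and the samples are bare package skeletons rather than documents Word would open.

```python
import io
import zipfile

DOCX_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Content types declared by macro-enabled documents (.docm) and templates (.dotm).
MACRO_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
    "application/vnd.ms-office.vbaProject",
)

def inspect_word_package(filename, data):
    """Classify a Word file by package contents: returns (verdict, reasons)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            types = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return "not-ooxml", ["no ZIP package with [Content_Types].xml"]
    reasons = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("VBA project part present")
    if any(t in types for t in MACRO_TYPES):
        reasons.append("macro-enabled content type declared")
    if not reasons:
        return "no-macros", []
    if filename.lower().endswith((".docx", ".dotx")):
        # The name promises a macro-free format but the contents disagree.
        return "mismatch", reasons
    return "macros", reasons

def build_sample(with_macros):
    """Constructed package skeleton for the demo; not a document Word would open."""
    main_type = MACRO_TYPES[0] if with_macros else DOCX_MAIN
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
        pkg.writestr("word/document.xml", "<document/>")
        if with_macros:
            pkg.writestr("word/vbaProject.bin", b"placeholder bytes, not real VBA")
    return buf.getvalue()

if __name__ == "__main__":
    for name, macros in [("report.docx", False), ("budget.docm", True), ("invoice.docx", True)]:
        print(name, inspect_word_package(name, build_sample(macros)))
```

A "mismatch" verdict means the filename claims a macro-free format while the package carries macro parts, which is worth a closer look before anyone opens the file.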
Whether or not they run is up to you, as described in the rest of this section.

Figure 18-10. If you know where a document comes from and want macros to run, click Options in the Security Warning box to open the Security Options box, shown here. It provides document information and lets you activate (enable) the macros. If you want to view the settings in your Trust Center, click the link in the lower-left corner.

18.2.2. Choosing Trusted Publishers

With the new file formats and filenames, it's easier to tell when a document contains macros. Still, you want to be able to use templates that have macros and take advantage of all the cool add-on programs out there. You need a way to know whether it's safe to open a file that contains macros. That's why Microsoft created Office 2007's Trust Center. It lets you run macros and add-ins that come from trusted publishers like Adobe and Microsoft, but warns you before you run macros from questionable sources.

Word and the other Office programs use digital signatures (Section 18.1) and a list of Trusted Publishers to make sure documents come from a trusted source. To see your list of Trusted Publishers, go to Office button → Word Options and click the Trust Center button on the left. You see topics like "Protecting your privacy," "Security & more," and "Microsoft Office Word Trust Center." Click the Trust Center Settings button at right to see the current settings (Figure 18-11).

Figure 18-11. The Trust Center box looks and works like the Word Options box. Click one of the buttons at left to view the settings in the main window. In this view, Trusted Publishers are listed at the top, showing the publisher's name, the Certificate Authority issuing the digital signature, and the certificate's expiration date.

When you open a document from a source that isn't on the list of trusted publishers, Word displays an alert message below the ribbon (similar to the one shown in Figure 18-10).
You see any signature information that's available and, depending on the circumstances, you have up to three choices:

- Help protect me from unknown content. This option is the safest when you're not sure where a document came from or who created it.
- Enable this content. If you know and trust a particular document and want its macros to run, choose this option.
- Trust all documents from this publisher. If you know and trust a publisher (your employer or a major software developer, for example), you can add it to your list of trusted publishers. That way, you don't keep getting all these warnings. (This option appears only if the document has a valid digital signature.)

18.2.3. Creating a Trusted Location

Trusted locations are sort of like trusted publishers. You can tell Office programs that files found in a specific folder should be considered safe. When you open a file that is stored in a trusted location, it isn't checked against the list of Trusted Publishers because the assumption is that you've already determined it to be a safe file. Files inside of trusted folders can be opened without being checked by the Trust Center.

Typically, a trusted location is a folder on your computer. It could also be a folder on a network, but that's not quite as safe because many other people may get into a network folder. Ideally, your trusted location is a folder inside your My Documents folder.

Here's a step-by-step example showing how to designate a folder named Trusted Stuff as a trusted location. First, create a folder called Trusted Stuff in your My Documents folder. For example, go to Start → My Documents to open My Documents in Windows Explorer. Then choose File → New → Folder to create a new folder. Name it Trusted Stuff and then follow these steps:

- Go to Office button → Word Options → Trust Center. The Trust Center panel shows you information about computer security. On the right side, you see a button named Trust Center Settings.
- Click Trust Center Settings to open the Trust Center box. In the list at left, click Trusted Locations. In the Trusted Locations panel, you see a list box with the headings Path, Description, and Date Modified. Word automatically creates a couple of trusted locations, like its template folders and Word's startup folder. You want to add Trusted Stuff to this list.
- Near the bottom of the window, click "Add new location" to open the Microsoft Office Trusted Location box (Figure 18-12). The Microsoft Office Trusted Location box shows a warning at top, just to make sure you understand that you're creating a trusted folder. Below the warning you see a text box labeled Path.
- Click Browse. When the Browse box opens, navigate to My Documents → Trusted Stuff and then click OK. Leave the "Subfolders of this location are also trusted" checkbox turned off for now. (Security-wise, it's better to give your folders trusted status individually as you create them.)
- In the Description text box, type any information that may help you remember what this folder is all about. For example, if the folder contains documents or templates created by the computer gurus at your company, you might type, "These documents and templates were created by the computer geeks at All Through the Year Publishing Company."
- In the Microsoft Office Trusted Location box, click OK. When the Trusted Location box closes, you see your Trusted Stuff folder listed at the top of the list (Figure 18-13), with the folder path at left. The Description is in the middle, and the date you added the folder to Trusted Locations is at right.

Figure 18-12. Use the Microsoft Office Trusted Location box to designate a new trusted location. Click the Browse button to add a folder to the Trusted Locations. In this example, the Trusted Stuff folder is selected.

Figure 18-13. The Trust Center Trusted Locations panel lists the paths and description for folders you add to the Trusted Location list.

18.2.4. Setting Add-in Behaviors

Add-ins are programs that run inside of Word, providing additional features. For example, Adobe's Acrobat add-in provides special tools for creating PDF files with Word. To change the settings for Word add-ins, go to Office button → Word Options → Trust Center and then click the Trust Center Settings button at right to open the Trust Center box. Click Add-ins on the left to see the Add-in options. You see three choices, but depending on your computer setup, they may not all be available (unavailable settings appear grayed out). Here's what the options do:

- Require Application Add-ins to be signed by a Trusted Publisher. As long as an add-in comes from one of the publishers on your Trusted Publisher list, it will run just fine. If you turn on this box, add-ins from other sources don't work.
- Disable notification for unsigned add-ins (code will remain disabled). If you turn on the first checkbox, then this option becomes active. If you turn on this option as well, not only does Word not run the add-ins, it won't even tell you that the add-ins are there.
- Disable all Application Add-ins (may impair functionality). This option is for the super paranoid. Word won't run any add-ins at all, even if they are from a trusted publisher.

18.2.5. Setting ActiveX Control Behaviors

ActiveX controls are powerful widgets that run inside of host programs like Word and Internet Explorer. Examples of ActiveX controls might be a drop-down menu that lets you select from a list of states or a handy toolbar that lets you create an Adobe PDF file from within Word. ActiveX controls can tap into the inner workings of your computer, making them versatile, powerful, and, in the wrong hands, dangerous. For example, a malicious ActiveX control could delete files from your computer or send private information to an Internet address. That's why, in Office 2007, Microsoft lets you limit what ActiveX controls can do on your computer.

You have two ways to protect yourself from dangerous ActiveX controls. First, you can make sure that the control comes from a trusted publisher. Second, with the help of the Trust Center, you can examine the ActiveX program to make sure that it conforms to safe programming practices. Your safest option is to leave the ActiveX security settings as they are when you install Word. To review and change your settings, open the Word Options box (Alt+F, I) and then click Trust Center → Trust Center Settings. When the Trust Center window opens, click ActiveX Settings to display the options in Figure 18-14.

Figure 18-14. ActiveX controls are widgets like buttons or drop-down menus that can be embedded in Word documents. Use the settings in the Trust Center to rein in the controls, so that they can't run programs without your knowledge and consent.

Here's a description of the different settings:

- Disable all controls without notification. This option is safest, since it prevents any ActiveX controls from running.
- Prompt me before enabling Unsafe for Initialization (UFI) controls with additional restrictions and Safe for Initialization (SFI) controls with minimal restrictions. Just reading this option takes the better part of a day, and understanding it takes about a week. Here's the lowdown: Some controls have additional programs attached to them, making them potentially more dangerous. This option behaves differently depending on the type of ActiveX control, putting more restrictions on dangerous-looking controls.
- Prompt me before enabling all controls with minimal restrictions. Word uses this option out of the box. The program notifies you before it lets any ActiveX controls work.
- Enable all controls without restrictions and without prompting (not recommended; potentially dangerous controls can run). This option is the most dangerous, since it lets any ActiveX control run without letting you know. If you like to walk under ladders and break mirrors on Friday the 13th, give it a try. But the danger with this option is no joke: You can have an ActiveX control running on your computer and not even know it. Even if you're sure that the Word files you open are clean, it's safer to get a prompt as described in the previous option.

Tip: It's good to match your security settings to the way your computer is used. Some computers live safer lives than others. An office computer with only one person using it with company-approved documents is less likely to get into trouble than a computer used by several different people for downloading music, experimenting with shareware, and logging into multiplayer games.

18.2.6. Setting Macro Behaviors

The settings for macros are similar to the settings for ActiveX controls; after all, they're both part of Word's programming environment. While ActiveX controls are widgets that you see in a Word document, macros are programs that run in the background. Macros pop up in all kinds of places, whether you're aware of them or not. For example, you can trigger a macro yourself by choosing from a menu or pressing a keyboard shortcut. Some macros are set up to run automatically when you perform a certain action, like opening a document. An ActiveX control can even trigger a macro as part of its activities.

To review and change the macro settings, go to Office button → Word Options → Trust Center and then click the Trust Center Settings button. In the Trust Center dialog box, click the Macro Settings button at left. The Macro Settings panel (Figure 18-15) has radio buttons for the following four settings:

- Disable all macros without notification. This super-cautious option prevents all macros from running. It doesn't even give you the opportunity to run them if you wanted to.
- Disable all macros with notification. If Word detects macros, it pops up a security alert asking whether or not you want to let the macros run. This flexible option is Word's factory setting.
- Disable all macros except digitally signed macros. Using this option, macros that have a valid signature from a trusted publisher can run without a warning. Other macros trigger a security alert so you can decide whether or not they run.
- Enable all macros (not recommended; potentially dangerous code can run). With this daredevil's option, macros run automatically and Word doesn't even warn you about their presence.

Figure 18-15. The Trust Center's Macro Settings let you review and make changes to the way macros run in Word. If you're in doubt about the options, just leave the factory setting turned on: "Disable all macros with notification." That way, Word warns you when a document contains macros and you can choose whether or not they run.

Note: At the bottom of the Macro Settings panel, you see a checkbox labeled "Trust access to the VBA project object model." If you value your computer's safety, leave this box turned off. It gives macros access to the inner workings of your computer system.
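The Trusted Locations and Macro Settings choices described in Sections 18.2.3 and 18.2.6 end up as per-user registry values, so they can be reviewed in bulk from a registry export. This is an added example, not from the book: the sample export is constructed, and the key path and value names (VBAWarnings, AccessVBOM, and the Path and AllowSubFolders values under Trusted Locations, with 12.0 as the Office 2007 version number) are how Office stores these settings, not something the chapter lists.

```python
import re

# Constructed sample in `reg export` text form (real exports are UTF-16 and
# must be decoded first). Paths and location numbers are made up.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations\Location3]
"Path"="C:\\Users\\pat\\Documents\\Trusted Stuff\\"
"AllowSubFolders"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations\Location4]
"Path"="\\\\fileserver\\shared\\templates\\"
"AllowSubFolders"=dword:00000001
'''

VALUE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: int or str}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE.match(line)):
            name, dword, string = m.groups()
            # .reg files double every backslash inside quoted strings.
            current[name] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return keys

def audit(text):
    """Return findings for the risky choices the chapter warns about."""
    findings = []
    for key, vals in parse_reg(text).items():
        if key.endswith("\\Security"):
            if vals.get("VBAWarnings") == 1:   # 1 = "Enable all macros"
                findings.append("Enable all macros is selected")
            if vals.get("AccessVBOM") == 1:
                findings.append("Trust access to the VBA project object model is on")
        elif "\\Trusted Locations\\" in key:
            path = vals.get("Path", "")
            if path.startswith("\\\\"):         # UNC path, i.e. a network folder
                findings.append(f"network trusted location: {path}")
            if vals.get("AllowSubFolders") == 1:
                findings.append(f"subfolders also trusted: {path}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("REVIEW:", finding)
```

A VBAWarnings value of 2 corresponds to the factory setting, "Disable all macros with notification," and produces no finding.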