Deploying Office XP Trusted Sources

If you're deploying Windows XP, odds are good that you're deploying Office XP. And if you're deploying Office XP, odds are good that you're concerned about security. Rightfully so, too. The security best practices that Microsoft prescribes will protect your business from most macro viruses. Those best practices are first to set the security level to high for all Office XP programs, which means that users can run only signed macros from trusted sources, and then to lock the list of trusted sources so users can't add to it. But how are users going to work if they can't run unsigned macros and they can't add sources to the list of trusted sources?

When a user opens a document that contains signed code, enables those macros, and then adds the source to the list of trusted sources, HKCU\Software\Microsoft\VBA\Trusted is where Office XP stores those certificates. To enable user to add sources to the list of trusted sources, distribute the list of trusted sources along with Office XP. The deployment tools don't provide a user interface for doing this, so here's my solution:

1. Create a document that contains code, and then sign the code using a certificate you want to deploy. Repeat this for each certificate.

2. Install Office XP on a lab computer and set the security levels to high.

3. Open each document containing a certificate you want to deploy. Enable the document's macros, and then add the source to the list of trusted sources. Figure 15-6 shows you an example.

   
   Figure 15-6: High security in combination with code signing protects your business from viruses.

4. Export the key HKCU\Software\Microsoft\VBA\Trusted to a REG file, and include this REG file in your deployment. Chapter 14, "Deploying Office XP Settings," describes how to deploy registry settings with Office XP.