Controlling VBA Security


With a full-blown programming languageVisual Basic for Applicationsbuilt in to the very fabric of the major Office applications, the security of that language becomes a major issue. With VBA and Office, you need to think of security from two perspectives:

  • The user From the user's perspective, VBA is a security threat because scripts attached to other people's documents can be malicious (for example, deleting the user's files or folders).

  • The developer From the developer's perspective, VBA is a security threat because other people can easily open the VBA Editor and accidentally or purposely alter or delete code.

The next few sections show you how to set up VBA security to handle both scenarios.

Setting the Macro Security Level

Go to any antivirus site and run a search on the words "VBA" and "virus" and you'll probably come up with thousandsyes, thousandsof hits. Malicious programs coded in VBA and attached to innocent-looking Word, Excel, and PowerPoint files are legion and are one of the most common sources of virus infection. In Chapter 15, "Enhancing Outlook Email Security and Privacy," you'll learn that Outlook 2003 blocks most potentially dangerous attachments, including executable files, batch files, and Windows Scripting Host files. However, Outlook 2003 doesn't block Word, Excel, and PowerPoint documents, so you need an extra layer or two of defense.

For more information on Outlook and email attachments, see "Handling Attachments," p. 486



Your first line of defense should always be a top-of-the-line virus scanner, particularly one that scans Office documents for viruses before allowing you to open them. Install the scanner and, most importantly, keep its virus definitions up-to-date.

Even with a high-end antivirus program on the job, it's still possible (although highly unlikely) for a virus that the scanner doesn't recognize to sneak through. Because of this, you should add a second line of defense: setting the macro security level in each Office application that can run macros. Here are the steps to follow:

1.

In any VBA-enabled Office application, select Tools, Macro Security to display the Security dialog box shown in Figure 14.19.

Figure 14.19. Use the Security dialog box to set the macro security level in each VBA-enabled Office application.


2.

In the Security Level tab, activate one of the following security levels (not all levels are available in some Office applications):

  • Very High If you select this option, the Office application enables macros only if they're installed in a trusted folder on your hard disk. This gives you near-total macro safety, but for most applications, the need to set up a trusted location is overkill.

  • High If you select this option, the Office application enables macros only if they come from a trusted sourcethat is, a source that has digitally signed the VBA project using a trusted code-signing certificate. Macros from any other source are automatically disabled. This is the default security level for all Office applications and it gives you almost total macro safety. (If you develop macros for your own use, this level can cause problems. See "Self-Certifying Your VBA Projects," later in this chapter, for more information.) To use macros with this security level, look for the Security Warning dialog box when you open a document with a digitally signed VBA project. Activate the Always Trust Macros from This Publisher check box and then click Enable Macros.

  • Medium If you select this option, the Office application warns you when a document you're about to open contains macros and gives you the option of enabling or disabling the macros. This is a useful option if you often open third-party documents. If you're expecting the document to contain macros, you can go ahead and enable them; if you're not expecting macros, disable them and then check out the code to see if it's malicious.

  • Low If you select this option, the Office application runs all macros without prompting. If you don't have a virus scanner installed, use this level if you run only your own macros and you never open documents created by a third-party. If you do have a virus scanner, this level is probably safe if you open third-party documents only from people or sources you know. (However, you run the risk of opening documents containing malicious code that the scanner doesn't recognize.)

3.

Click OK.

Self-Certifying Your VBA Projects

If you're a VBA developer and you set the macro security level to High, you'll immediately run into a problem: Office won't allow you to run your own macros! The problem is an obvious one, if you think about it: Office doesn't know that you created the macros yourself. Fortunately, it's possible to "prove" that you're the author of your own macros. You do that by self-certifying, which creates a trust certificate that applies only to your own work and to using that work on your own computer. The certificate is not valid on any other computer and so isn't a substitute for getting a proper code-signing digital certificate. However, if you all you want to do is run your own macros, self-certifying enables you to do that while still using the High macro security level.

Getting a Code-Signing Certificate

If you distribute your VBA projects to people running High macro security, the only way they'll be able to run your macros is if you get a proper code-signing digital certificate from a trusted certification authority. If you work for a large corporation or a software company, your network administrator may be able to generate a certificate for you. Otherwise, you'll need to purchase a certificate from a third-party certification authority. To see a list of trusted authorities, check out the following page on Microsoft's MSDN site:

 msdn.microsoft.com/library/en-us/dnsecure/html/rootcertprog.asp 


You self-certify by using a program that ships with Office 2003. Here's how it works:

1.

Select Start, Run to open the Run dialog box.

2.

Type the following and click OK (change d to the letter of the drive in which you installed Office 2003):

 d:\Program Files\Microsoft Office\OFFICE11\SELFCERT.EXE 

3.

In the Create Digital Certificate dialog box, type your name into the text box and then click OK.

4.

When SelfCert reports that the certificate has been created, click OK.

Now that you are self-certified, you need to digitally sign your VBA project to enable its macros. Here are the steps to follow:

1.

In the VBA Editor, select the VBA project you want to digitally sign.

2.

Select Tools, Digital Signature to display the Digital Signature dialog box.

3.

Click Choose to display the Select Certificate dialog box, shown in Figure 14.20.

Figure 14.20. Use the Select Certificate dialog box to select the digital certificate you created via self-certification.


4.

Select your certificate and click OK to return to the Digital Signature dialog box.

5.

Click OK.

6.

Save the document, close it, and then reopen it. The Office application displays a Security Warning dialog box similar to the one shown in Figure 14.21.

Figure 14.21. When you reopen the document that contains your digitally signed VBA project, the Security Warning dialog box appears.


7.

Activate the Always Trust Macros from This Publisher check box.

8.

Click Enable Macros.

Using Your Certificate on Another Computer

In theory, a certificate generated by self-certifying will be authenticated only on the some computer that generated the certificate. However, in practice it's possible to also use the certificate on other computers by telling Windows in advance that the certificate is to be fully trusted. First you need to export your certificate to a file. In the VBA Editor, select Tools, Digital Signature, click Detail, display the Details tab, and then click Copy to File. This launches the Certificate Export Wizard, which takes you step-by-step through the process of exporting your certificate. (Be sure to export the file to a network share or other location that's accessible by the other computer.) After that's done, switch to the other computer, select Start, Run, type certmgr.msc, and click OK. In the Certificates window, select Trusted Root Certification Authority and then select Action, All Tasks, Import. This launches the Certificate Import Wizard. Use the wizard to locate the exported certificate and place it into the Trusted Root Certification Authorities store.


Locking a VBA Project

If you're a VBA developer and you distribute your projects to other users, it's unlikely that you want those users to tamper with your code, either accidentally or purposely. You can prevent that by locking your VBA project, as shown in the following steps:

1.

In the VBA Editor, select the VBA project you want to lock.

2.

Select Tools, Project Properties, where Project is the name of the VBA project.

3.

Select the Protection tab.

4.

Activate the Lock Project for Viewing check box.

5.

Type a password required for viewing the project into both the Password and Confirm Password boxes.

6.

Click OK.

From Here

  • For information on using fields in Word, see the section titled "Using Fields to Insert Dynamic Data," in Chapter 1.

  • For the details on tracking changes in a Word document, see the section titled "Tracking Word Document Changes" in Chapter 7.

  • To learn about variables in VBA programming, see the section titled, "Understanding Program Variables" in Chapter 11.

  • For an in-depth look at Outlook email security, see Chapter 15, "Enhancing Outlook Email Security and Privacy."



Tricks of the Microsoft Office Gurus
Tricks of the Microsoft Office Gurus
ISBN: 0789733692
EAN: 2147483647
Year: 2003
Pages: 129

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net