Macro Security Levels in Office 2003

Macro security is used to help control the activation of executable code embedded within a template, document, workbook, presentation, and in most cases objects connected to these storage files through an OLE link or Dynamic Data Exchange (DDE) connection. Depending on the setting of macro security, the following startup options for files loaded into Microsoft Office 2003 applications are available:

• Run executables automatically when trusted (achieved through High and Medium macro security levels)

• Block executables because they are not trusted (High macro security level)

• Prompt to enable and run an executable because it is currently not trusted (High macro security level)

• Run executables only after user approval (Medium macro security level)

• Run all executables without any security precautions (Low macro security level)

Each of these security levels can be set by administrators and distributed to some or all users in an organization by using the Custom Installation Wizard, Custom Maintenance Wizard, Office Profile Wizard, or the Group Policy snap-in (requires the use of the Active Directory directory service).

Setting macro security levels in Office applications

Macro security for Microsoft Office Word 2003, Microsoft Office Excel 2003, Microsoft Office Outlook 2003, Microsoft Office Publisher 2003, Microsoft Office Access 2003, and Microsoft Office PowerPoint 2003 can be set to High, Medium, or Low through the Security dialog box of the user interface. This dialog box can be found by clicking on the Tools menu, pointing to Macro, and then clicking Security.

It is highly recommended that you select High and only select Medium if absolutely necessary. Setting the security level to Low allows a macro, Microsoft Visual Basic for Applications (VBA) program, or other executable file or program to run without the knowledge or approval of the user.

When you set security levels to High, Medium, or Low, the following conditions apply:

• High security Executables must be signed by an acknowledged trusted source (certificate of trust) in order to run. Otherwise, all executables associated with, or embedded in, documents are automatically disabled without warning the user when the documents are opened. All Office applications are installed with macro security set to High by default.

• Medium security Users are prompted to enable or disable executables in documents when the documents are opened. This level requires the acceptance of a certificate of trust for each executable, which is accepted by adding the certificate to a segment of the registry. Later requests by a macro to run from a trusted source which is accepted and available from the registry are automatically accepted (the executable runs without prompting the user).

• Low security Executables are run without restrictions. This security level does not protect against malicious programs, does not allow for acceptance of certificates of trust, is considered generally insecure and, therefore, is not recommended.

Administrators can set the macro security level by using the Specify Office Security Settings page of either the Custom Installation Wizard or the Custom Maintenance Wizard. These settings will be applied when Office is either installed or a maintenance update is applied.

Users can set the macro security level within Word, Access, Excel, Outlook, or PowerPoint by clicking on Tools, pointing to Macro, and then clicking Security. They can also gain access to the security features of each application by clicking Tools, clicking Options, and then clicking the Security tab.

Digitally signing a macro

You can use the program Selfcert.exe to sign macros or templates you create for your own personal use. Certificates created for use on your own computer are accepted only for the computer the certificate was created on.

Selfcert.exe calls Makecert.exe; both programs are available with Office in the Office 2003 folder and are not available with the Microsoft Office 2003 Editions Resource Kit. However, signing a macro, template, or file with Selfcert.exe does not provide a high enough level of authentication to provide reliable tracking of the source of the file back to its developer. Therefore, if a file you sign with a signature created from Selfcert is distributed to other users, they will not be able to accept your certificate if they are running High security, because the certificate does not have a high enough security level to authenticate who you are. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.

There are limitations to the deployment of Selfcert.exe certificates applied to a macro when macro security is set to High:

• Setting security to Low and then running the macro does not register the certificate in the trusted sources list.

  Security must be set to Medium or High before any certificates are posted to the trusted Trust Publishers list. In cases where security is set to High on all computers, a Selfcert.exe-signed macro can be deployed, but it does not have a secure enough certificate for use by other users who are running with the High security level. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.

• Selfcert.exe-issued certificates are not managed by a certificate authority and do not provide for certificate revocation checking.

• Selfcert.exe does not provide a certificate of trust with a traceable signature.