Disabling Visual Basic for Applications | Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)

Visual Basic for Applications (VBA) was at one time considered a security risk because of its ability to run macros attached to files or e-mail messages. The risk, however, is not with VBA itself—it is with the problems caused when VBA is intentionally used by attackers to disrupt or sabotage work.

Visual Basic for Applications is now an installable feature of Microsoft Office 2003. It can be left out of an installation by changing its installation state.

Note

Not installing VBA does not protect against malicious programs (such as compiled programs) created with other programming languages, nor does it remove the possibility of script-based programs from being used to accomplish the same goal.

VBA can be turned off by setting the install option for VBA to Not Available or Not Available, Hidden, Locked in the Set Feature Installation States page of the Custom Installation Wizard, Custom Maintenance Wizard, or the Setup.exe Advance Customization page; any other installation option turns VBA on (including setting Microsoft Office Access 2003 to Run from My Computer because VBA is required by Access to run).

Turning VBA off presents significant issues:

Access 2003 cannot be installed to a user’s computer and is removed if it is already installed.
Some of the downloads available from Microsoft Office Online and the Microsoft Office 2003 Editions Resource Kit Toolbox will not run.
Macros will not run.
All programs, add-ins, and macros dependent on VBA will not run.

It is recommended that you not turn off VBA. Instead, you should use the security features of Office to limit the potential for malicious attacks to computer hardware or software.

In general, setting security options to the most restrictive settings helps defend against malicious attacks entering through scripts, add-ins, or other programs. If High security is enabled, it allows organizations to retain VBA as an installed feature.