Chapter 25: Code Development and Built-in Office Security Settings


Download CD Content

Macro security settings are essentially the same across Microsoft Office 2003 applications. It is recommended that you review how these security settings affect associated features in an application and how they can affect custom-built macros or programs created with the Microsoft Visual Basic development system, since disabling a macro may limit functionality in each application to a degree that is unacceptable to users.

Understanding Built-In Office Security Features

Administrating security features of Microsoft Office 2003 can be difficult due to the myriad of possible security issues businesses encounter every day. Understanding the built-in security features of Office can help make identifying the necessary configuration changes for a specific business security requirement easier to accomplish. The following content presents information about the macro security model of Visual Basic for Applications for Office and the Microsoft Office antivirus application programming interface (API).

Understanding macro security

Macro security depends on Microsoft Authenticode technology. Authenticode uses a digital signature as a means of identifying a data file and executable code attached to an Office item—such as a document, workbook, presentation, or e-mail message—so it can be traced back to the originator of the work. The validation of this signature requires the legitimate authentication of the author who signed the macro, and the authentication of the certificate of trust created for the author and included with the signature. Attaching a signature to a file, executable, Microsoft ActiveX control, dynamic-link library (DLL), or other data file requires obtaining a certificate from a certificate authority.

Use of the term macro also implies any executable that can be attached and embedded into a document, worksheet, e-mail message, and so forth, for Microsoft Office Word 2003, Microsoft Office Excel 2003, or Microsoft Office PowerPoint 2003. For Microsoft Office Outlook 2003, Microsoft Office Publisher 2003, and Microsoft Office FrontPage 2003, the term macro is explicitly used for macros used by Visual Basic for Applications. Macro security does not apply to ActiveX controls (OCX files) since the method of installing an ActiveX control to a user’s computer requires the installation of the control to pass authentication during an installation, not each time the control is run. After installation, the ActiveX control is considered safe to run since it has passed authentication.

Office 2003 applications inherit some of the security settings of Microsoft Internet Explorer. Office applications can optionally instruct the core Internet Explorer components to use different security settings when they make calls to open a URL, if required.

Macro security levels are configurable in each product which implements macro development or use. The possible level settings are High, Medium, and Low. For a detailed overview of these settings, see “Understanding Macro Security Levels in Office” later in this chapter.

Understanding the Office antivirus API

The Office antivirus API is a library of function calls for use by developers who create virus-checking software. Virus-checking software developed exclusively for use with Office uses this specially designed API function library to scan all known Office file types for possible virus signatures. This scanning occurs regardless of the security settings of any of the Office applications. If a document is opened that contains a macro or executable, the antivirus software scans the document for known viruses and determines if the macro contains any virus-like characteristics. If the virus software detects a virus, the document is not allowed to load into the work area of the application, and a warning is displayed.

In previous releases of Office, there was occasional confusion over the two types of antivirus-checking software available to users. Virus-checking software created using the Office antivirus API can only evaluate files used by Office applications. If you have purchased virus-scanning software, you should examine the product documentation that came with the software to make sure which type of virus checking the program performs. If you have installed the software and are unsure whether or not it uses the Office antivirus API, open the Security dialog (Tools menu | Macro | Security option) and check the bottom left corner. If it is compatible, it will display a message stating the virus-checking software is installed and working.

Office, by default, does not include a specific virus-checking software program compatible with the Office antivirus API. Users or administrators must purchase this software from a third-party vendor. Only after the antivirus software is installed will a message appear in the Security dialog.




Microsoft Office 2003 Resource Kit 2003
Microsoft Office 2003 Editions Resource Kit (Pro-Resource Kit)
ISBN: 0735618801
EAN: 2147483647
Year: 2004
Pages: 196

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net