Macro Security Levels in Office 2003

Macro security is used to help control the activation of executable code embedded within a template, document, workbook, presentation, Project plan, and in most cases objects connected to these storage files through an OLE link or Dynamic Data Exchange (DDE) connection. Depending on the setting of macro security, the following startup options for files loaded into Microsoft® Office 2003 applications are available:

  • Run signed executables automatically when trusted (achieved through High and Medium macro security levels)
  • Block all executables, except those in a trusted location (Very High macro security level and Trust all installed add-ins and templates turned on)
  • Block all executables (Very High macro security and Trust all installed add-ins and templates turned off)
  • Block unsigned executables because they are not trusted (High macro security level)
  • Prompt to enable and run an executable because it is currently not trusted (High macro security level)
  • Run executables only after user approval (Medium macro security level)
  • Run all executables without any security precautions (Low macro security level)

Each of these security levels can be set by administrators and distributed to some or all users in an organization by using the Custom Installation Wizard, Custom Maintenance Wizard, Office Profile Wizard, or the Group Policy snap-in (requires the use of the Active Directory® directory service).

Setting macro security levels in Office applications

Macro security for Microsoft Office Word 2003, Microsoft Office Excel 2003, Microsoft Office Outlook® 2003, Microsoft Office Publisher 2003, Microsoft Office Access 2003, Microsoft Office PowerPoint® 2003, Microsoft Office Project 2003, and Microsoft Office Visio® 2003 can be set to High, Medium, or Low through the Security dialog box of the user interface. A new macro security level, Very High, is available for Microsoft Office Word 2003, Office Excel 2003, Office Outlook® 2003, Office Publisher 2003, and Office PowerPoint® 2003, but not for Office Access 2003. To open this dialog box, click the Tools menu, point to Macro, and then click Security.

It is highly recommended that you select High and only select Medium if absolutely necessary. Setting the security level to Low allows a macro, Microsoft Visual Basic® for Applications (VBA) program, or other executable file or program to run without the knowledge or approval of the user. Setting macro security level to Very High is only recommended in cases where a user is expected to run a known set of macros and will never need to run macros from another source.

When you set security levels to Very High, High, Medium, or Low, the following conditions apply:

  • Very High security

VBA macros can run only if the Trust all installed add-ins and templates option is checked and the macros (signed or unsigned) are stored in a specific trusted folder on the user's hard disk. Unless both of these conditions are met, VBA macros cannot run under Very High security.

  • High security

Executables must be signed by an acknowledged trusted source (certificate of trust) in order to run. Otherwise, all executables associated with, or embedded in, documents are automatically disabled without warning the user when the documents are opened. All Office applications are installed with macro security set to High by default.

  • Medium security

Users are prompted to enable or disable executables in documents when the documents are opened. This level requires the acceptance of a certificate of trust for each executable, which is accepted by adding the certificate to a segment of the registry. Later requests to run a macro from a trusted source whose certificate has been accepted and is available in the registry are accepted automatically (the executable runs without prompting the user).

  • Low security

Executables are run without restrictions. This security level does not protect against malicious programs, does not allow for acceptance of certificates of trust, is considered generally insecure and, therefore, is not recommended.

Administrators can set the macro security level by using the Specify Office Security Settings page of either the Custom Installation Wizard or the Custom Maintenance Wizard. These settings will be applied when Office is either installed or a maintenance update is applied.

Users can set the macro security level within Word, Access, Excel, Outlook, or PowerPoint by clicking on Tools, pointing to Macro, and then clicking Security. They can also gain access to the security features of each application by clicking Tools, clicking Options, and then clicking the Security tab.

Note: New to this release of Office is a component that checks all XML files with references to XSLs (XML transforms) for possible script. If script is found, it is disabled if the macro security is set to High. If the macro security level is set to Medium, the user is prompted as to whether to run the script. If macro security is set to Low, the script is run without any prompting.

Digitally signing a macro

You can use the program Selfcert.exe to sign macros or templates you create for your own personal use. Certificates created for use on your own computer are accepted only for the computer the certificate was created on.

Selfcert.exe calls Makecert.exe; both programs are available with Office in the Office 2003 folder and are not available with the Microsoft Office 2003 Editions Resource Kit. However, signing a macro, template, or file with Selfcert.exe does not provide a high enough level of authentication to provide reliable tracking of the source of the file back to its developer. Therefore, if a file you sign with a signature created from Selfcert is distributed to other users, they will not be able to accept your certificate if they are running High security, because the certificate does not have a high enough security level to authenticate who you are. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.

There are limitations to the deployment of Selfcert.exe certificates applied to a macro when macro security is set to High:

  • Setting security to Low and then running the macro does not register the certificate in the trusted sources list.

Security must be set to Medium or High before any certificates are posted to the Trusted Publishers list. In cases where security is set to High on all computers, a Selfcert.exe-signed macro can be deployed, but it does not have a secure enough certificate for use by other users who are running with the High security level. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.

  • Selfcert.exe-issued certificates are not managed by a certificate authority and do not provide for certificate revocation checking.
  • Selfcert.exe does not provide a certificate of trust with a traceable signature.
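
The level rules, the XSL note, and the Selfcert.exe limits described above, combined into one decision function as an added example (not Microsoft's code). It models only what this page states; the function names, parameter names, and sample cases are constructed for illustration.

```python
from enum import Enum

class Level(Enum):
    VERY_HIGH = "Very High"
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"

RUN, PROMPT, BLOCK = "run", "prompt", "block"

def macro_outcome(level, *, signed=False, publisher_trusted=False,
                  ca_issued=False, made_on_this_pc=False,
                  in_trusted_folder=False, trust_installed=False):
    """Outcome for a VBA macro, following only the rules stated on this page."""
    if level is Level.LOW:
        return RUN                      # no restrictions, certificates ignored
    if level is Level.VERY_HIGH:
        # Signature is irrelevant: the option and the folder are both required.
        return RUN if (trust_installed and in_trusted_folder) else BLOCK
    if signed and publisher_trusted:
        return RUN                      # High/Medium: trusted signer runs silently
    if level is Level.MEDIUM:
        return PROMPT                   # user decides when the document opens
    # High from here on.
    if not signed:
        return BLOCK                    # disabled without warning
    # Signed but not yet trusted: the certificate can be accepted only if it
    # is CA-issued or was created by Selfcert.exe on this same computer.
    return PROMPT if (ca_issued or made_on_this_pc) else BLOCK

def xsl_script_outcome(level):
    """Script reached through an XSL reference in an XML file (the Note).
    The page gives no rule for Very High, so None is returned for it."""
    return {Level.HIGH: BLOCK, Level.MEDIUM: PROMPT, Level.LOW: RUN}.get(level)

def selfcert_report():
    """Constructed cases: one macro signed with a Selfcert.exe certificate."""
    author = dict(signed=True, made_on_this_pc=True)
    colleague = dict(signed=True, made_on_this_pc=False)
    return {
        "author@High": macro_outcome(Level.HIGH, **author),
        "colleague@High": macro_outcome(Level.HIGH, **colleague),
        "colleague@Medium": macro_outcome(Level.MEDIUM, **colleague),
        "colleague@Low": macro_outcome(Level.LOW, **colleague),
    }

if __name__ == "__main__":
    for case, result in selfcert_report().items():
        print(f"{case:18} -> {result}")
```

The report shows why Low is the setting to look for in an audit: it is the only level at which a macro from an unknown signer runs with no prompt at all.
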
Applies to:
Deployment Center 2003