Microsoft Office Online

Understanding Built-in Office Security Features
 

Administering the security features of Microsoft® Office 2003 can be difficult because of the many security issues businesses encounter every day. Understanding the security features built into Office makes it easier to identify the configuration changes that a specific business security requirement calls for. The following content presents information about the macro security model of Visual Basic® for Applications for Office and the Microsoft Office antivirus application programming interface (API).

Understanding macro security

Macro security depends on Microsoft Authenticode® technology. Authenticode uses a digital signature as a means of identifying a data file and executable code attached to an Office item — such as a document, workbook, presentation, or e-mail message — so it can be traced back to the originator of the work. The validation of this signature requires the legitimate authentication of the author who signed the macro, and the authentication of the certificate of trust created for the author and included with the signature. Attaching a signature to a file, executable, Microsoft ActiveX® control, dynamic-link library (DLL), or other data file requires obtaining a certificate from a certificate authority.

For Microsoft Office Word 2003, Microsoft Office Excel 2003, Microsoft Office PowerPoint® 2003, and Microsoft Office Project 2003, the term macro also covers any executable that can be attached to or embedded in a document, worksheet, e-mail message, and so forth. For Microsoft Office Outlook® 2003, Microsoft Office Publisher 2003, and Microsoft Office FrontPage® 2003, the term macro refers explicitly to macros used by Visual Basic for Applications. Macro security does not apply to ActiveX controls (OCX files), because an ActiveX control must pass authentication when it is installed on a user's computer, not each time the control is run. After installation, the ActiveX control is considered safe to run since it has passed authentication. In Microsoft Office Visio® 2003, the term macro includes VBA macros, Visio add-ons, and COM add-ins.

Office 2003 applications inherit some of the security settings of Microsoft Internet Explorer. Office applications can optionally instruct the core Internet Explorer components to use different security settings when they make calls to open a URL, if required.

Macro security levels are configurable in each product that implements macro development or use. The possible level settings are Very High, High, Medium, and Low. For a detailed overview of these settings, see Understanding Macro Security Levels in Office. Note that not all Office applications support the Very High security level. Some applications also do not support the Trust all installed add-ins and templates option on the Trusted Publishers tab (Tools | Options | Security | Macro Security).

Macro security levels are configurable in each product which implements macro development or use. The possible level settings are High, Medium, and Low. For a detailed overview of these settings, see Understanding Macro Security Levels in Office.

Understanding the Office antivirus API

The Office antivirus API is a library of function calls for use by developers who create virus-checking software. Virus-checking software developed exclusively for use with Office uses this specially designed API function library to scan all known Office file types for possible virus signatures. This scanning occurs regardless of the security settings of any of the Office applications. If a document is opened that contains a macro or executable, the antivirus software scans the document for known viruses and determines if the macro contains any virus-like characteristics. If the antivirus software detects a virus, the document is not allowed to load into the work area of the application, and a warning is displayed.

In previous releases of Office, there was occasional confusion over the two types of antivirus-checking software available to users. Virus-checking software created using the Office antivirus API can only evaluate files used by Office applications. If you have purchased virus-scanning software, examine the product documentation that came with the software to determine which type of virus checking the program performs. If you have installed the software and are unsure whether it uses the Office antivirus API, open the Security dialog (Tools menu | Macro | Security option) and check the bottom left corner. If the software is compatible, the dialog displays a message stating that the virus-checking software is installed and working.

Office, by default, does not include a specific virus-checking software program compatible with the Office antivirus API. Users or administrators must purchase this software from a third-party vendor. Only after the antivirus software is installed will a message appear in the Security dialog.

© 2009 Microsoft Corporation. All rights reserved.