Q&A: Helping Protect Office Documents from Viruses Without Losing Valuable Functionality

Microsoft® Office XP includes security features that help protect documents against malicious macro viruses. This column discusses how you can tailor many of these security settings to meet the needs of your organization.

Q: To what degree do Office XP security settings help protect documents from viruses?

A: Office XP offers three levels of macro security - High, Medium, and Low. By default, all Office XP applications are installed with the macro security level set to High, which means that if a user opens an Office document that contains suspicious macros, Office disables the macros before opening the file. (A suspicious macro is any macro or other executable code that has not been digitally signed by a certified source.) If the security level is set to Medium, users are warned when a document contains suspicious code, but they can choose to open the file and run the macros anyway. If the security setting is set to Low, no security check is performed.

Q: Can users change default security settings?

A: Yes, the user interface in Office XP applications allows users to change the default macro security level from High to Medium or Low. Even if you use the Custom Maintenance Wizard or Office Profile Wizard to distribute new default settings, users can always modify them later. To help make sure that security levels remain set to High throughout your organization, you must use system policies to lock the macro security levels for each application. You can also use system policies to hide user interface elements related to security.

Q: How do I set system policies for macro security?

A: By using the System Policy Editor and Office XP policy template files, which are available in the Office Resource Kit. To help provide security, set the policies for the local computer; this option helps prevent a new user from lowering security settings and compromising security for everyone else who uses the computer. Under Default Computer | Microsoft Office XP | Security Settings in the System Policy Editor, you set a separate Macro Security Level policy for each application. For each application except Microsoft Outlook® 2002, you can also set system policies that help control installed add-ins and templates and access to Microsoft Visual Basic® projects. For more information about working with system policies, see Using System Policies.

Q: What is the list of trusted sources, and what does it have to do with macro security?

A: When a macro, add-in, ActiveX® control, or other executable code is digitally signed by the author, the digital signature can be certified by an accepted authority such as VeriSign®, which issues the author a unique certificate. The certificate identifies the author as a legitimate source. Office XP applications recognize when a certificate is attached to a document or to code within the document. The first time users run a macro or ActiveX control from a new source, they accept the certificate by selecting the Always trust macros from this source check box. This setting adds the certificate to the list of trusted sources for Office XP and records it in the Windows registry. Thereafter, all macros from this source run automatically.

Note: The macro security level must be set to High or Medium to add certificates to the trusted sources list.

Q: My organization wants to maintain a high level of security, and I don't want users to determine which sources to trust. How do I manage the list of trusted sources?

A: If you use a transform to customize Office, you can clear and lock the list of trusted sources on the Specify Office Security Settings page of the Custom Installation Wizard. These settings block macros and other executable code from previously trusted sources and help prevent users from adding new sources to the list. You can include Microsoft certificates on the list of trusted sources. You can also leave the list empty, in which case users can run no macros from external sources, including some add-ins and templates that come with Microsoft Excel 2002 and Microsoft Word 2002. If you have already installed Office, you can use the Custom Maintenance Wizard to distribute these settings to users and achieve the same results.

Q: Can I add other sources to the list of trusted sources?

A: You cannot create a list of trusted sources directly in the transform; however, you can use the Profile Wizard to capture a preconfigured list in an OPS file and then add the OPS file to the transform.

Q: How do I capture a custom list of trusted sources?

A: First, install Office XP on a test computer with the macro security level set to High or Medium. Then open each document that contains macros created by a source you want to trust, and accept the certificates. You can also run signed ActiveX controls and add those certificates to the trusted sources list. When you run the Profile Wizard, the list of trusted sources (along with all other user-defined settings on the test computer) is recorded in the OPS file. If you have already installed Office, you can run the Profile Wizard separately and distribute the OPS file - including the trusted sources list - to users.

Q: Which applications are covered by the list of trusted sources?

A: The trusted source list for Office XP covers all Office applications. For example, when you accept a certificate in Word 2002, that source is trusted in all Office XP applications - even those that have not yet been installed on the computer. However, Internet Explorer maintains a separate list of trusted sources and is not covered by the Office trusted sources list. For more information, see Internet Explorer 5 Security in the online version of Windows 2000 Server Help.

Q: My organization uses custom templates and add-ins that are created internally. How do I include myself in the trusted sources list?

A: When you create your own macros, they always run on the local computer. If the macro security level in your organization is set to High, however, those macros will not run on any other computer, even if you use Selfcert.exe to certify them locally. Before you distribute internally created macros, you must digitally sign and certify them with a trusted authority, and then add your certificate to the trusted sources list.

Q: My organization still has custom tools from a previous version of Office. If I set stringent security settings, can I still use legacy macros and custom templates?

A: On the Specify Office Security Settings page of the Custom Installation Wizard you can determine whether users will be able to run templates and add-ins already installed on their computers. If you choose not to trust previously installed templates and add-ins, you must digitally sign and certify any legacy macros that you want to keep, and then add the new certificate to your list of trusted sources.

Q: Can I avoid macro viruses altogether by installing Office without Visual Basic for Applications?

A: In response to customer requests, Microsoft has designed Office XP so that it can be installed without Visual Basic for Applications (VBA), which can be appropriated by malicious macro viruses. In the Custom Installation Wizard, VBA appears in the feature tree on the Set Feature Installation States page. To deploy Office without VBA, you set the installation state to Not Available or Not Available, Hidden, Locked.

Q: How much protection do I get by installing Office without VBA?

A: No VBA macros will run. However, installing Office without VBA does not cover all the potential entry points for viruses. For example, an executable (EXE) file attached to an e-mail message might contain a virus - and it will run regardless of whether VBA is installed on the computer. Viruses can also be transmitted in Internet Explorer through a script or ActiveX control on a Web site.

Note: Outlook 2002 includes additional security options related to mail servers, network servers, and external mail providers. For more information about configuring Outlook to help protect e-mail messaging, see Outlook 2002 Security Model.

Q: What are the disadvantages of installing Office without VBA?

A: If you install Office without VBA, then you also lose all the features that rely on VBA. These features include Office Tools on the Web; many wizards, templates, and add-ins; and all macros. Any customizations that point to macros, such as buttons or menu commands, no longer work. If a document contains macros or ActiveX controls, users must open it read-only and save changes in a new document. Furthermore, you cannot install Access 2002 at all without also installing VBA.

Q: How can I install VBA and still help provide a high level of security in Office applications?

A: By managing the list of trusted sources and using system policies to help make sure that macro security levels for all Office applications remain locked to High. Security levels that you specify in a transform function only as defaults; users can modify them. System policies, by contrast, enforce your settings and help prevent users from running macros from any source that you have not chosen to trust.
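The following audit script is an added example, not part of the Office Resource Kit, that reports for each Office XP application whether the macro security level is enforced by policy or is only a user-modifiable default. The registry paths and the numeric meaning of the Level value (assumed here: 1 = Low, 2 = Medium, 3 = High, under a per-application Security key for Office 10.0) are assumptions that should be verified against the Office XP policy template files before use.

```powershell
# Added example: audit Office XP macro security levels on the local computer.
# ASSUMPTION: Office XP (10.0) keeps the macro security level as a DWORD named
# "Level" under ...\Office\10.0\<App>\Security, with 1 = Low, 2 = Medium, 3 = High.
# ASSUMPTION: Default Computer policies land under HKLM:\Software\Policies and
# Default User policies under HKCU:\Software\Policies. Verify both against the
# Office XP .adm template files before relying on this report.

$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Outlook'
$levelNames = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High' }

function Get-LevelValue([string]$Path) {
    # Returns the Level DWORD at $Path, or $null when the key or value is absent.
    try { (Get-ItemProperty -Path $Path -Name Level -ErrorAction Stop).Level }
    catch { $null }
}

function Get-MacroSecurityReport {
    foreach ($app in $apps) {
        $machinePolicy = Get-LevelValue "HKLM:\Software\Policies\Microsoft\Office\10.0\$app\Security"
        $userPolicy    = Get-LevelValue "HKCU:\Software\Policies\Microsoft\Office\10.0\$app\Security"
        $userDefault   = Get-LevelValue "HKCU:\Software\Microsoft\Office\10.0\$app\Security"

        # A policy value overrides the default that a transform or OPS file set
        # and that the user can change through the application's user interface.
        $enforced  = ($null -ne $machinePolicy) -or ($null -ne $userPolicy)
        $effective = if ($null -ne $machinePolicy) { $machinePolicy }
                     elseif ($null -ne $userPolicy) { $userPolicy }
                     else { $userDefault }

        $levelName = if ($null -ne $effective) { $levelNames[[int]$effective] } else { 'not set' }
        $finding   = if ($null -eq $effective -or [int]$effective -lt 3) { 'Below High' }
                     elseif (-not $enforced) { 'High, but user can lower it' }
                     else { 'OK: High and locked by policy' }

        [pscustomobject]@{
            Application      = $app
            EffectiveLevel   = $levelName
            EnforcedByPolicy = $enforced
            Finding          = $finding
        }
    }
}

Get-MacroSecurityReport | Format-Table -AutoSize
```

Run it under the account whose settings you are auditing, since the user default and Default User policy values are read from that account's hive.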

Note: Windows 2000 helps provide robust security through Group Policy and access control lists. For more information, see the IT Introduction to Windows 2000 Security Web site.

The Office Resource Kit Q&A column addresses frequently asked questions received by Microsoft Product Support Services about deploying and maintaining Office XP in an organization.

Applies to: Deployment Center 2003