Protecting your project from unauthorized access

Applies to
Microsoft Office Project 2003
Microsoft Office Project Server 2003

Most likely, you consider the security of your project information to be a top priority. Project helps provide the necessary password protection at the project level, as well as the proper user authentication if you use Project Server 2003.

Methods for virus protection are also supported in Project.

How can I help protect the information in my project?

How can I help protect project information in Project Server 2003?

What's involved in creating a Project Server account?

What is authentication and how does it work?

How does macro virus protection work?

What are digital signatures?

How can I help protect the information in my project?

Project provides password (password: A combination of characters that is used to authorize access to a project. In Project, passwords can have from 1 to 17 characters. Use strong passwords that combine upper- and lowercase letters, numbers, and symbols.) protection to help keep your project information from being accessed or changed by unauthorized people. You can assign a protection password that users must enter to open a project file, and a write-reservation password that users must enter to update or change the information in the project file.

Use strong passwords that combine uppercase and lowercase letters, numbers, and symbols. Weak passwords don't mix these elements. Strong password: Y6dh!et5. Weak password: House27. Passwords should be 8 or more characters in length. A pass phrase that uses 14 or more characters is better. For more information, see Help protect your personal information with strong passwords.
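As an added example (not code from the original article), the following Python checker applies the rules above mechanically: the 1-to-17 character limit that Project enforces, the four character classes a strong password mixes, the 8-character minimum, and the 14-character passphrase tier. The verdict labels and the two sample passwords beyond the article's own "Y6dh!et5" and "House27" are constructed for illustration. One point the rules make visible only when combined: a long passphrase is rejected outright if it exceeds Project's 17-character cap, so the "14 or more characters" advice has only a narrow window here.

```python
import string

PROJECT_MIN_LEN, PROJECT_MAX_LEN = 1, 17  # Project 2003 passwords: 1 to 17 characters
STRONG_MIN_LEN = 8                        # "8 or more characters"
PASSPHRASE_LEN = 14                       # "14 or more characters is better"


def character_classes(pw):
    """Which of the four classes (uppercase, lowercase, number, symbol) the password uses."""
    return {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def classify_password(pw):
    """Return (verdict, reasons).

    Verdicts: 'rejected' (Project will not accept it), 'weak', 'strong',
    'strong passphrase'. The labels are constructed for this example.
    """
    if not PROJECT_MIN_LEN <= len(pw) <= PROJECT_MAX_LEN:
        # Outside Project's limit: refused before strength even matters
        return "rejected", [
            f"length must be {PROJECT_MIN_LEN}-{PROJECT_MAX_LEN} characters, got {len(pw)}"
        ]
    reasons = []
    missing = [name for name, present in character_classes(pw).items() if not present]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    if len(pw) < STRONG_MIN_LEN:
        reasons.append(f"shorter than {STRONG_MIN_LEN} characters")
    if reasons:
        return "weak", reasons
    if len(pw) >= PASSPHRASE_LEN:
        return "strong passphrase", []
    return "strong", []


if __name__ == "__main__":
    # First two are the article's examples; the other two are constructed
    for pw in ("Y6dh!et5", "House27", "Tr0ub4dor&3-xyz!", "correct horse battery staple"):
        verdict, reasons = classify_password(pw)
        print(f"{pw!r}: {verdict} {reasons}")
```

The checker reports why a password is weak rather than only a yes/no, which is what a user needs in order to fix it; note that mixing classes is required for "strong" even at passphrase length, following the article's wording.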

It is critical that you remember your password. If you forget your password, Microsoft cannot retrieve it. Store the passwords that you write down in a secure place away from the information that they help protect.

In addition to the security features of Project, you can use your operating system's security to help protect project information.

If the project file is accessible on a network, you may also want to implement share-level or file-level security to help protect it.

How can I help protect project information in Project Server 2003?

When you use Project Server (Project Server: A Project companion product that enables collaborative planning and status reporting among workgroup members, project managers, and other stakeholders by working with and exchanging project information on a Web site.) as your team collaboration system, it's important that the information you make available there is protected from unauthorized access.

A server administrator (administrator: Sets up and manages user accounts, assigns permissions, and helps users with network or server access issues. This person can also manage and customize various elements in Project Professional and in Project Server.) helps control the security of information in Project Server.

The administrator can:

What's involved in creating a Project Server account?

When creating a project, you can easily establish a Project Server account for yourself from Project.

Project Server accounts for your team members are created automatically when you publish their assignments to Project Server from Project. In Project Server, a person with administrator permissions can also create accounts for team members and stakeholders, such as other managers or executives.

Team member accounts are based on the resource (resources: The people, equipment, and material that are used to complete tasks in a project.) names used for them in the project file. To avoid creating more than one Project Server account for a resource, you may want to use your e-mail system's address book when adding team members to your list of resources.

For more information about creating team member accounts in Project Server, you can review the account setup information in Project Web Access 2003 Help.

What is authentication and how does it work?

Authentication is the process Project Server uses to identify specific users and to confirm their permission to access its data. When establishing Project Server accounts for users, the following authentication methods can be applied:

  • Microsoft Windows authentication: This authentication method provides the strongest security for project information. When users access the server, Project Server automatically authenticates them by using their Windows user accounts. The users do not see a logon page and do not have to enter a user ID or password.
  • Project Server authentication: When you use this authentication method, Project Server displays a logon page to the user, who must then enter an ID and a password.

A Project Server administrator determines whether team members must use Windows user accounts or Project Server authentication, or whether they can use either type of authentication. If both types of accounts are allowed, you can specify the authentication method you want to use in Project. You can also specify Windows user accounts for your resources in Project to help ensure maximum security for your project plans.

Note: If the administrator changes the authentication option to a restricted method, team members whose authentication type doesn't match the new restricted method are set to inactive status. Inactive team members cannot access Project Server and are notified of this by e-mail; they remain inactive until the administrator resets their authentication method.

How does macro virus protection work?

Because macros can contain viruses, be careful about running them. Take the following precautions: run up-to-date antivirus software on your computer; set your macro security level to high; clear the Trust all installed add-ins and templates check box; use digital signatures; maintain a list of trusted publishers.

The following information summarizes how macro virus protection works under each setting on the Security Level tab in the Security dialog box (on the Tools menu, point to Macro and click Security) with different conditions. Under all settings, if antivirus software that works with Project is installed and the file contains macros, the file is scanned for known viruses before it is opened.

Very High-level security

Only macros installed in trusted locations will be allowed to run. All other signed and unsigned macros are disabled. You can disable all macros entirely by setting your security level to Very High and disabling macros installed in trusted locations. To disable macros installed in trusted locations, on the Tools menu, point to Macro, click Security, click the Trusted Publishers tab, and then clear the Trust all installed add-ins and templates option.

Note: This also disables all COM add-ins and Smart Tag .DLLs, as well as macros.

High-level security

Unsigned macros are automatically disabled, and the file is opened. For signed macros, the source of the macro and the status of the signature determine how signed macros are handled, as follows:

Medium-level security    

You are prompted to enable or disable unsigned macros. For signed macros, the source of the macro and the status of the signature determine how signed macros are handled, as follows:

  • Trusted source, valid signature: Macros are automatically enabled, and the file is opened.
  • Unknown author, valid signature: A dialog box displays information about the certificate, and you are prompted to enable or disable macros. You can choose to trust the developer and the certification authority.
  • Any author, invalid signature (possibly because of a virus): You are warned of a possible virus, and macros are automatically disabled.
  • Any author, signature validation not possible (the public key is missing or incompatible encryption methods were used): You are warned that signature validation is not possible, and you are prompted to enable or disable macros.
  • Any author, signature made after the certificate expired or was revoked: You are warned that the signature has expired or been revoked, and you are prompted to enable or disable macros.

Low-level security

When security is set to low, all macros are treated equally, regardless of origin or certificate status. With low security, you receive no prompt or signature validation, and macros are automatically enabled. Use this setting only if you are certain that all macros in your files are from trusted sources.
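The four security levels above amount to a decision table keyed on the level, where the macro came from, whether its publisher is trusted, and the state of its signature. As an added example (not code from the original article or from Project itself), here is that table written out as a Python function so the outcomes can be compared side by side. The article lists the signed-macro outcomes only for the Medium level; the High-level branch for signatures that cannot be validated or that are expired or revoked is an assumption of this example, marked in the code, that High disables rather than prompts. The antivirus scan that runs "under all settings" is outside the decision and is not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    VERY_HIGH = "very_high"
    HIGH = "high"
    MEDIUM = "medium"
    LOW = "low"


class SigStatus(Enum):
    UNSIGNED = "unsigned"
    VALID = "valid"
    INVALID = "invalid"                      # code altered since signing, possibly a virus
    UNVERIFIABLE = "unverifiable"            # public key missing / incompatible encryption
    EXPIRED_OR_REVOKED = "expired_or_revoked"  # signed after the certificate expired or was revoked


class Action(Enum):
    ENABLE = "enable"
    DISABLE = "disable"
    PROMPT = "prompt"


@dataclass(frozen=True)
class Macro:
    signature: SigStatus
    publisher_trusted: bool = False    # signer is on the Trusted Publishers list
    in_trusted_location: bool = False  # installed add-in or template


def decide(level, macro, trust_installed=True):
    """Return (Action, warning-or-None) for a macro under the given security level.

    trust_installed mirrors the "Trust all installed add-ins and templates" check box.
    """
    if level is Level.LOW:
        # No prompt, no signature validation, everything runs
        return Action.ENABLE, None

    if level is Level.VERY_HIGH:
        # Only macros in trusted locations run, and only while that check box is set
        if macro.in_trusted_location and trust_installed:
            return Action.ENABLE, None
        return Action.DISABLE, None

    # High or Medium from here on
    if macro.signature is SigStatus.UNSIGNED:
        return (Action.DISABLE, None) if level is Level.HIGH else (Action.PROMPT, None)

    if macro.signature is SigStatus.VALID:
        if macro.publisher_trusted:
            return Action.ENABLE, None
        return Action.PROMPT, "Unknown author: certificate details shown; you may choose to trust the publisher"

    if macro.signature is SigStatus.INVALID:
        return Action.DISABLE, "Signature is invalid, possibly because of a virus"

    warning = ("Signature validation is not possible"
               if macro.signature is SigStatus.UNVERIFIABLE
               else "Signature has expired or been revoked")
    # Medium prompts here (per the article). ASSUMPTION of this example: High disables.
    return (Action.DISABLE if level is Level.HIGH else Action.PROMPT), warning


if __name__ == "__main__":
    sample = Macro(SigStatus.EXPIRED_OR_REVOKED, publisher_trusted=True)
    for level in Level:
        print(level.name, decide(level, sample))
```

Reading the function top to bottom makes the weak setting obvious: at Low, an invalid signature and a valid one from a trusted publisher lead to the same outcome, which is why the article limits that level to files whose macros are all known to be trustworthy.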

What are digital signatures?

Project uses Microsoft Authenticode technology to enable you to digitally sign (digitally sign: To provide an electronic, encryption-based, secure stamp of authentication on a macro or file. This signature confirms that the macro or file originated from the signer and has not been altered.) a macro by using a digital certificate. The certificate used to create this signature confirms that the macro originated from the signer, and the signature confirms that it has not been altered. When you set the macro security level, you can run only those macros that are digitally signed by a developer on your list of trusted sources.

You can obtain a digital certificate from a commercial certification authority, such as VeriSign, Inc., or from your internal security administrator or Information Technology (IT) professional. Or, you can create a digital certificate yourself by using the Selfcert.exe tool. Because a digital certificate you create yourself isn't issued by a formal certification authority, macros signed by using such a certificate are referred to as self-signed projects.

Certificates you create yourself are considered unauthenticated and will generate a warning in the Security Warning dialog box if the security level is set to high or medium. Depending on how digital signatures are being used in your organization, you might be prevented from using such a certificate, and other users might not be able to run self-signed macros for security reasons.

To obtain a digital certificate from a commercial certification authority, such as VeriSign, Inc., you or your organization must submit an application to that authority.

Depending on your status as a developer, you should apply for a Class 2 or Class 3 digital certificate for software publishers:

  • A Class 2 digital certificate is designed for people who publish software as individuals. This class of digital certificate provides assurance as to the identity of the individual publisher.
  • A Class 3 digital certificate is designed for companies and other organizations that publish software. This class of digital certificate provides greater assurance about the identity of the publishing organization. Class 3 digital certificates are designed to represent the level of assurance provided today by retail channels for software. An applicant for a Class 3 digital certificate must also meet a minimum financial stability level based on ratings from Dun & Bradstreet.

When you receive your digital certificate, you are given instructions on how to install it on the computer you use to sign your Microsoft Office solutions.

Some organizations and corporations might have a security administrator or group act as their own certification authority and produce or distribute digital certificates by using tools, such as Microsoft Certificate Server. Microsoft Certificate Server can function as a stand-alone certification authority or as part of an existing certification authority hierarchy. Depending on how digital-signature features are used in your organization, you might be able to sign macros by using a digital certificate from your organization's internal certification authority. Or, you might need to have an administrator sign macros for you by using an approved certificate. For information about your organization's policy, contact your network administrator or IT department.

After you have installed your digital certificate, you can sign macros. When you digitally sign a macro, your digital signature says that you guarantee that the project is safe. Signed macros remain signed until the macro code is altered.
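The two properties this section relies on, that the certificate ties the signature to a signer and that the signature breaks as soon as the macro code changes, can be seen with a small working model. The following is an added example, not code from the article and not how Authenticode or Project implement signing: it uses textbook RSA over a SHA-256 digest with a key generated at run time (no padding, not secure, constructed purely for illustration), a constructed certificate record with a validity window and a revoked flag, and a hypothetical VBA macro body. Its verifier returns the same three signature states the macro security table keys on: valid, invalid, and expired or revoked.

```python
import hashlib
import random
from dataclasses import dataclass
from datetime import datetime


# --- toy key generation (constructed for this example; not production cryptography) ---
def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and odd
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((e, n), (d, n)): textbook RSA public and private keys."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


# --- certificate and signature model (constructed) ---
@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: tuple       # (e, n)
    not_before: datetime
    not_after: datetime
    revoked: bool = False


def _digest(code):
    """SHA-256 of the macro text as an integer (what actually gets signed)."""
    return int.from_bytes(hashlib.sha256(code.encode("utf-8")).digest(), "big")


def sign_macro(code, private_key, signed_at):
    d, n = private_key
    return {"sig": pow(_digest(code) % n, d, n), "signed_at": signed_at}


def verify_macro(code, signature, cert):
    """Return 'valid', 'invalid' (code altered or wrong key) or 'expired_or_revoked'."""
    e, n = cert.public_key
    if pow(signature["sig"], e, n) != _digest(code) % n:
        return "invalid"  # digest mismatch: the macro no longer matches what was signed
    signed_at = signature["signed_at"]
    if cert.revoked or not (cert.not_before <= signed_at <= cert.not_after):
        return "expired_or_revoked"  # signature made outside the certificate's validity
    return "valid"


def demo():
    """Sign a hypothetical macro, then check it untouched, altered, and signed too late."""
    public_key, private_key = generate_keypair()
    cert = Certificate("Constructed Developer", public_key,
                       datetime(2003, 1, 1), datetime(2004, 1, 1))
    code = 'Sub UpdateStatus()\n    MsgBox "Status updated"\nEnd Sub\n'
    sig = sign_macro(code, private_key, datetime(2003, 6, 1))
    return {
        "untouched": verify_macro(code, sig, cert),
        "altered": verify_macro(code.replace("Status updated", "Status edited"), sig, cert),
        "signed_after_expiry": verify_macro(code, sign_macro(code, private_key, datetime(2004, 6, 1)), cert),
    }


if __name__ == "__main__":
    print(demo())
```

Changing a single character of the macro body changes the digest, so the stored signature no longer verifies; that is the mechanical meaning of "signed macros remain signed until the macro code is altered". The expiry check is deliberately on the signing time rather than the current time, matching the table's wording that the signature "was made after the certificate had expired or had been revoked".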

Note: It is important that you understand that a digital signature generated by Project may not constitute a legally binding signature in all U.S. states, Canadian provinces, or other countries/regions. You should consult the law of the appropriate jurisdiction before relying on a digital signature as a binding legal signature. You should also understand that certification authorities cannot in all circumstances check the validity of a digital certificate on which a digital signature is based. Therefore, it is important that you verify that the digital certificate is valid before using it to sign a document.