By Colin Wilcox & Siew Moi Khor
Feeling a bit more secure after the previous two columns? Don't relax just yet. This time, learn about default folders and how they interact with your security settings. This is the last of a three-part series on macro security in Word and other Office programs.
Applies to: Microsoft Office XP
If you've followed the first two columns in this series, you know how to use digital certificates and Microsoft Office security settings to decrease the risks involved with running macros. (If you haven't followed them, you can start with the first column.) In addition to those features, a third Office feature comes into play: the default folders in which Microsoft Word stores your templates and the files that you want to start automatically.
This column explains how Office security settings work for files located in those default folders and in other locations on your hard disk or network. It also provides some background information about why the Trust all installed add-ins and templates check box is selected by default, and about how you can run unsigned macros with a greater margin of safety in a test environment.
Rules for using macros and default folders
The default folders that Word automatically uses can reside on your hard disk, on a network location, or on a combination of the two. Here's how you find the folders:
- On the Tools menu in Word, click Options.
- Click the File Locations tab.
The list under File Locations contains the names and locations of your Startup folder and the folders in which Word stores your user and workgroup templates. If the list shows you truncated file paths (such as C:\...Microsoft Office\Office 10), click Modify, click the Look in drop-down box at the top, and then navigate to see where the folder resides.
- Note the folder paths associated with the following entries:
  - User Templates
  - Workgroup Templates
  - Startup
Here are some key rules for using macros located in those folders:
- If a macro resides in one of the default folders listed above, and you select the Trust all installed add-ins and templates check box, Word will run that macro regardless of whether it is code signed.
- If you're a system administrator, remember that users do not need administrative privileges to run macros in the default folders listed above. If you enable the Trust all installed add-ins and templates option, users can download a macro to one of those locations, and then run the macro.
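The two rules above mean that anything a user can drop into a default folder is implicitly trusted while the check box is selected. The following audit is an added example, not part of the original column or of Office: it lists Word files in the default folders that appear to carry a VBA project and records whether the current user can write to each folder. The folder paths are supplied by the caller (read them from the File Locations tab), and detecting macros by the `_VBA_PROJECT` stream name is a heuristic assumption of this example.

```python
import os
import tempfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # OLE2 compound-file signature
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # stream name in a VBA project
WORD_EXTENSIONS = {".doc", ".dot"}


def has_vba_project(path):
    """Heuristic: an OLE2 file whose directory names a _VBA_PROJECT stream."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.startswith(OLE_MAGIC) and VBA_STREAM in data


def user_can_write(folder):
    """Probe by creating a temp file; reflects the real ACL for this user."""
    try:
        with tempfile.TemporaryFile(dir=folder):
            return True
    except OSError:
        return False


def audit_default_folders(folders):
    """folders maps a File Locations entry name to its path (caller-supplied)."""
    findings = []
    for entry, folder in folders.items():
        if not os.path.isdir(folder):
            continue
        writable = user_can_write(folder)
        for root, _dirs, files in os.walk(folder):   # subfolders included
            for name in sorted(files):
                if os.path.splitext(name)[1].lower() not in WORD_EXTENSIONS:
                    continue
                full = os.path.join(root, name)
                if has_vba_project(full):
                    findings.append((entry, full, writable))
    return findings


if __name__ == "__main__":
    # Constructed demo: a fake Startup folder with one macro-bearing template.
    with tempfile.TemporaryDirectory() as startup:
        with open(os.path.join(startup, "demo.dot"), "wb") as fh:
            fh.write(OLE_MAGIC + b"\x00" * 64 + VBA_STREAM)
        with open(os.path.join(startup, "plain.doc"), "wb") as fh:
            fh.write(OLE_MAGIC + b"\x00" * 64)
        for entry, path, writable in audit_default_folders({"Startup": startup}):
            print(f"{entry}: {path} has a VBA project; user-writable={writable}")
```

A finding in a user-writable folder is a file that Word will run without a signature check while the check box is selected, so compare the list against the templates you expect to be installed.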
Try it!
The steps in this section show you how macros work when they're located in a default folder and elsewhere on your hard disk. To follow these steps, you need digitally signed and unsigned test macros. You also need to remove the certificate used to sign the test macro from your list of trusted sources if it is on that list. If you don't have either type of macro, see the two previous Power User columns for the sample code needed to create them and the digital certificate needed to sign one.
To place the macros in test locations
- Place a copy of your signed and unsigned macros in one of the folders listed earlier, as well as in a folder elsewhere on your hard disk.
To configure Word
- Start Word. On the Tools menu, point to Macro, and then click Security.
- On the Security Level tab, ensure that High is selected.
- Click the Trusted Sources tab.
- Select the Trust all installed add-ins and templates check box.
- Select the certificate that you used to sign your test macro, and then click Remove. This allows you to see how Word behaves when you trust a macro for the first time.
- Click OK to close the Security dialog box.
- Close Word.
Open a macro in the default and non-default folders
The steps in this section show you how Word treats your unsigned macro when you open it from a default and non-default folder.
- Start Microsoft Windows® Explorer and navigate to the default folder you selected in the previous section.
- Double-click the document that contains your unsigned macro. Word starts, opens the document silently, and enables the macro.
- Navigate to the non-default folder that contains your copy of the unsigned macro.
- Double-click the document. Word opens the document silently, but disables the macro. But don't take our word for it: Press ALT+F8 and try running the macro.
Putting it all together
Let's sum up what we've seen here and in the past two columns. Increasing macro security in Word involves using a combination of:
- Digital certificates
- The settings in the Security dialog box
- Some of your default working folders
- Your own good sense
This combination of features, plus other tools such as firewalls and virus detection software, provides a defense in depth, meaning that your computer has several levels of security. Some of you may be thinking, "Hold on. In addition to certificates and all those possible security settings, I need to take these folders into account?" To make your life a bit easier, we created a couple of tables that list the possible combinations of digital certificates, security settings, and folder locations. The first table describes how Word behaves with an unsigned macro. The second table describes the behavior with signed macros.
Note These tables describe how Word behaves when you open a document that contains a macro, not how Word behaves when you try to run a macro. Why is that important? Because macros can run when a document loads. Also, Word may prompt you to trust macros in several templates (such as Normal.dot) before it starts other prompts such as the Security Warning dialog box.
Security behavior in Word with an unsigned macro

| Is the folder listed in the File Locations tab? | Security Level setting | Is the Trust all installed add-ins and templates check box selected? | Word will... |
| --- | --- | --- | --- |
| Yes | High | Yes | Open the document silently and enable the macro. |
| Yes | High | No | Open the document and disable the macro silently. Note If the macro is set to run when you open the document, Word prompts you. |
| Yes | Medium | Yes | Open the document silently and enable the macro. |
| Yes | Medium | No | Prompt you to enable or disable the macro. You can run the macro only for the current Word session. |
| Yes | Low | Yes or No | Open the document silently and enable the macro. |
| No | High | Yes | Open the document silently and disable the macro. |
| No | High | No | Open the document silently and disable the macro. |
| No | Medium | Yes | Prompt you to enable or disable macros. You can run the macro only for the current Word session. |
| No | Medium | No | Prompt you to enable or disable macros. You can run the macro only for the current Word session. |
| No | Low | Yes or No | Open the document silently and enable the macro. |

Security behavior in Word with a signed macro and the publisher not in the list of trusted sources

| Is the folder listed in the File Locations tab? | Security Level setting | Is the Trust all installed add-ins and templates check box selected? | Word will... |
| --- | --- | --- | --- |
| Yes | High | Yes | Open the document silently and enable the macro. |
| Yes | High | No | Start the Security Warning dialog box and give you the option of trusting the publisher. |
| Yes | Medium | Yes | Open the document silently and enable the macro. |
| Yes | Medium | No | Start the Security Warning dialog box and give you the option of trusting the publisher or enabling the macro for the current Word session. |
| Yes | Low | Yes or No | Open the document silently and enable the macro. |
| No | High | Yes | Start the Security Warning dialog box and give you the option of trusting the publisher. |
| No | High | No | Start the Security Warning dialog box and give you the option of trusting the publisher. |
| No | Medium | Yes | Start the Security Warning dialog box and give you the option of trusting the publisher or enabling the macro for the current Word session. |
| No | Medium | No | Start the Security Warning dialog box and give you the option of trusting the publisher or enabling the macro for the current Word session. |
| No | Low | Yes or No | Open the document silently. |

To enable, or not to enable?
The Trust all installed add-ins and templates check box is often misunderstood. By default it is enabled, but if you have very high security requirements, Microsoft recommends that you clear the check box. Doing so is part of a good defense-in-depth approach.
Here's another rule of thumb: If you do not need to run unsigned, personal macros, you should set your security level to High and clear the Trust all installed add-ins and templates check box. When you clear the check box, Word disables all unsigned macros automatically. If a macro is code signed with a certificate that is not listed in the Trusted Sources list, Word prompts you either to enable or to disable the macro and trust the publisher.
Note You can also apply these rules to Microsoft Excel.
If you need to run unsigned macros, see the steps in the next section. If you're new to security in Word and you haven't read the previous two Power User columns, here's how to raise your security level:
- On the Tools menu in Word, point to Macro, and then click Security.
- On the Security Level tab, click High.
- Click the Trusted Sources tab, and then clear the Trust all installed add-ins and templates check box.
For more information about using the Trusted Sources list and the various security levels, see the second column in this series.
But I need to run unsigned macros!
Typically, you run an unsigned macro when you need to test it or when you need to accomplish tasks that are uniquely yours. You can use several strategies to run these macros at a high security level:
- Use SelfCert.exe to sign the macro. You can run the macro with your security level at High and with the Trust all installed add-ins and templates check box cleared. For more information about using SelfCert.exe and signing macros, see the first column in this series.
- If you want to distribute an unsigned macro to friends or coworkers and maintain a high level of security, the recipients can also use their copy of SelfCert.exe to sign the macro.
- If you don't want to use SelfCert.exe, you can set your security level to Medium and keep the Trust all installed add-ins and templates check box cleared. At this security level, when you try to open a document that contains a macro, Word prompts you to either disable or enable the macro. Microsoft strongly recommends that you do this only in a testing environment.
About the authors
Colin Wilcox and Siew Moi Khor write for the Office Help team. In addition to contributing to the Office Power User Corner column, Colin writes articles and tutorials for Microsoft Data Analyzer.