5-Minute Security Advisor - Signing Office Objects
|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
Updated : June 7, 2002
Visual Basic for Applications (VBA) macros provide a powerful tool for customizing Microsoft Office applications. You can write macros to automate common tasks, tie together several applications, or integrate Office applications with custom data sources. Because VBA is so powerful and flexible, it's necessary to apply good security practices to prevent malicious VBA macros from infecting your documents or damaging your data. Office XP makes it easy to require digital signatures on macros that you load into Word, Excel, or Access; you can also sign individual documents so that others can verify that they are authentic and that they haven't been tampered with since they were signed. These measures complement the other security features in Office XP, including the ability to encrypt documents and to require passwords before document or worksheet objects can be modified.
Understanding object signing
Microsoft's Authenticode technology, which has been around since Internet Explorer 3.0, provides a way for developers to digitally sign components that are executed on your computer. Because an Authenticode signature asserts that the code isn't malicious and that it comes from a known, verifiable source, the security benefits are evident. Authenticode-signed ActiveX controls are now the norm.
The overall process of getting an object signed is simple: You use your preferred development tools to create the ActiveX control, macro, or executable, then sign it with an Authenticode-capable certificate. When an end user attempts to load or run the object, the application doing the loading (IE, let's say, or perhaps Excel) checks what security level is active and whether that level requires that the object be signed. If a valid signature is required, the user's computer checks the signature by regenerating it and comparing the new value with the old one—if they match, and if the signing certificate is still valid, the object can be loaded and run.
Office 2000 and XP offer code-signing policies, based on Authenticode technology, for VBA macros. (Office XP also applies these security levels to smart tags.) You can set macro-capable Office applications to three different security levels:
High security is the default level in Office XP. When high security is set, only signed macros from sources that appear on the trusted source list will be run. Unsigned macros, and signed macros from sources that aren't trusted, are automatically disabled.
Medium security, the default level in Office 2000, prompts you whenever you load a document that contains macros. The prompt dialog (see Figure 1) warns you that the document you're loading has macros and asks whether you want to enable or disable them.
Figure 1: Office warns you when you load a document with macros
Low security, which is not recommended for anyone at any time, doesn't prompt or warn you in any way. If the document contains macros, they'll be loaded and executed immediately.
If you're using Windows 2000 as your server operating system, you can set Active Directory group policies that automatically apply and enforce the desired macro security level.
Action Set your Office applications' security level to High, right now! Launch Word, PowerPoint, and Excel; in each application, use Tools | Options to open the Options dialog. Select the Security tab, then click the Macro Security button. When the Security dialog (Figure 2) appears, select the High radio button and click OK.
Figure 2: the Office Security dialog lets you set macro security for an application
Creating a signing certificate
If you want to digitally sign macros, you must first choose where you want the signing certificate to come from. You can either generate your own certificate or obtain one from a certificate authority (CA). Each approach has its pros and cons:
Self-issued (or, more properly, self-signed) certificates are easy to issue; Office includes a tool called SelfCert.exe, which you can use to easily create your own self-signed certificate. Macros and VBA projects that you sign with such a certificate can be loaded and run on your own machine. However, if you take an object signed by a SelfCert-generated certificate to another machine, Office's High security setting will refuse to load it, because the signer doesn't appear on the trusted sources list for that machine. That means that self-signing is useful mostly to sign macros that you create yourself and that you'll only run on one machine.
A CA within your organization or a third-party CA like Thawte or Verisign can issue a certificate for code signing. Using a CA-issued certificate lets you use signed objects on multiple machines, as long as the issuing CA is listed as a trusted source on those machines. Office XP allows you to set a list of trusted sources at installation time, and (by using either Windows NT system policies or Windows 2000 group policies) administrators can prevent users from changing the list of sources.
The mechanics of obtaining a CA-based certificate vary according to the type of CA you're using and whether it's internal or external to your organization. Generating your own self-signed certificate with SelfCert.exe, though, is easy. SelfCert is installed by default when you install Office XP, although you must use the Add/Remove Programs Control Panel applet to install it if you're using Office 2000. In either case, you'll find it in \Program Files\Microsoft Office\Office\SelfCert.exe; you must run the program from the command line. The only action that SelfCert requires is that you type in the name you want associated with the certificate (see Figure 3). After you click OK, Windows generates the certificate and places it in the local machine's certificate store, where you can view it with the Microsoft Management Console (MMC) Certificates snap-in or in the Certificates dialog in IE.
Figure 3: SelfCert only requires you to type in the name you want associated with a certificate
Action: Install and run SelfCert to create a new self-signed certificate to use when you are testing your code signing. To verify that the certificate was created and installed, check for it in IE: use the Tools | Options command to open the IE -2136348790options -2136348790dialog, switch to the Content tab, and click the Certificates button. You will see the new certificate listed, and the "Certificate intended purposes" field will show that the certificate is usable for code signing. See Figure 4 for an example.
Figure 4: check for your new self-signed certificate in Internet Explorer
Signing macros and documents
Signing VBA macros is simple. The basic process is outlined in KB article 307731. You must first obtain a certificate from somewhere. The certificate must be usable for code signing, so if you're requesting a certificate from a third-party CA make sure you tell them which kind of certificate you want. After you install your certificate, follow these steps:
Open the Office application that contains the macros you want to sign, then open the document that contains the macros.
Use the Tools | Macro submenu to open the Visual Basic Editor. In the Project Explorer, find the project you want to sign.
Choose the Tools | Digital Signature command. You'll see the Digital Signature dialog (Figure 5). Click the Choose button to pick the certificate you want to use, then click the OK button.
Test that the macro is properly signed by setting your macro security level to High, quitting the application, and re-opening the signed file. If it loads correctly, it's properly signed.
Figure 5: the Digital Signature dialog lets you pick the certificate you want to use to sign the macro project
Setting trusted sources
The Office trusted sources list controls which sources' signatures are "good enough" to mark a macro as trusted. No sources appear in this list by default. Don't confuse this list with IE's list of trusted software publishers; the Office trusted sources list applies only to Office macros and COM add-ins. You can set an initial trusted source list when you install Office by using the Custom Installation Wizard (there are separate versions for Office 2000 and Office XP). Administrators can specify trusted sources through system or group policies, and (unless the administrator has turned it off) end users can specify their own trusted sources. To do so, you use the Trusted Sources tab of the Macro Security dialog (see Figure Figure 6).
Figure 6: the Trusted Sources tab lets you specify which signers you trust
Action to keep from receiving macro security warnings when you use the templates, add-ins, and macros originally shipped with Office, make sure the "Trust all installed add-ins and templates" checkbox on the Trusted Sources tab is selected.