Plan trusted locations and trusted publishers settings for the 2007 Office system
Updated: December 10, 2009
Applies To: Office Resource Kit
This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2016-11-14
In this article:
Plan for trusted locations
Plan for trusted publishers
The trusted locations feature of the 2007 Microsoft Office system enables you to designate folders on the hard disks of users' computers or on a network share as trusted file sources. When a folder is designated as a trusted file source, any file that is saved in the folder is assumed to be a trusted file. When a trusted file is opened, all content in the file is enabled and active, and users are not notified about any potential risks that might be contained in the file, such as unsigned macros, ActiveX controls, or links to content on the Internet. In effect, a trusted location bypasses the macro and ActiveX security settings for every file inside it, so anyone who can write a file into a trusted location can run code on every computer that trusts that folder. The permissions on the folder therefore matter as much as the security settings themselves.
In addition to trusted locations, you can use the Trusted Publishers list to designate content publishers that you trust. A publisher is any developer, software company, or organization that has created and distributed an ActiveX control, add-in, or macro. A trusted publisher is any publisher that has been added to the Trusted Publishers list. When a file is opened, and the file contains content that is created by a trusted publisher, all of the content is enabled and active and users are not notified about any potential risks that might be contained in the file.
To plan for trusted locations and trusted publishers, use the best practices and recommended guidelines in the following sections.
Plan for trusted locations
The 2007 Office system provides several settings that enable you to control the behavior of trusted locations. By configuring these settings you can:
Disable all trusted locations.
Specify trusted locations globally or on a per-application basis.
Allow trusted locations to exist on remote shares.
Prevent users from creating trusted locations.
For detailed information about each trusted location setting, see Security policies and settings in the 2007 Office system.
Although you can configure trusted locations to suit a wide variety of scenarios, the most common scenarios for trusted locations include:
Disabling the trusted locations feature to prevent users from creating trusted locations and prevent applications from recognizing trusted locations.
Implementing the trusted locations feature with custom trusted locations.
Disabling trusted locations
To disable trusted locations, configure the trusted locations settings as recommended in the following table.
Setting name: Disable all trusted locations
Recommended configuration: Enabled (select this option)
Description:
By default, trusted locations are enabled. Selecting this option disables all trusted locations, including trusted locations that were:
Enabling this option prevents users from configuring trusted locations settings in the Trust Center. This is not a global setting; you must select this option on a per-application basis for Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and Microsoft Office Word 2007.
If you disable trusted locations, be sure that you:
Notify users that they cannot use the trusted locations feature. If users have been opening files from trusted locations, and you disable trusted locations, users might start seeing warnings in the Message Bar and they might be required to respond to Message Bar warnings to enable active content, such as ActiveX controls and Visual Basic for Applications (VBA) macros.
Record the settings in your security planning documents and in your security operations documents.
Implementing trusted locations
To implement trusted locations, you must determine:
Which applications you want to configure trusted locations for.
Which folders you want to use for trusted locations.
What folder sharing and folder security settings you want to apply to your trusted locations.
Which restrictions you want to apply to trusted locations.
Determine which applications you want to configure trusted locations for
You can configure trusted locations for Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007. As you determine which applications you want to configure trusted locations for, keep the following in mind:
Trusted locations affect all active content in a file, including ActiveX controls, hyperlinks, links to data sources and media, and VBA macros.
Each application provides the same settings for configuring trusted locations. This means that you can independently customize trusted locations for each application.
You can disable trusted locations for one or more applications, and implement trusted locations for other applications.
Determine which folders you want to use for trusted locations
If the default trusted locations folders are not adequate for your organization, you can create your own folders and specify them as trusted locations. For more information about default trusted locations, see Evaluate default security settings and privacy options for the 2007 Office system.
As you determine which folders you want to specify as trusted locations, keep the following in mind:
You can specify trusted locations on a per-application basis or globally.
One or more applications can share a trusted location.
To prevent malicious users from adding files to the trusted location or modifying files that are saved in the trusted location, you must secure any folder that you designate as a trusted location.
We do not recommend that you specify network shares as trusted locations. By default, only trusted locations that are on users' hard disks are allowed. To enable trusted locations on network shares, you must enable the Allow Trusted Locations not on the computer setting.
We do not recommend that you specify the entire Documents or My Documents folder as a trusted location. Instead, create a subfolder within those folders and specify only that folder as a trusted location.
In addition, you must use the guidelines in the following sections if you want to:
Use environment variables to specify trusted locations.
Specify Web folders (that is, http:// paths) as trusted locations.
Using environment variables to specify trusted locations
You can use environment variables to specify trusted locations, but you must change the value type that is used to store trusted locations in the registry for environment variables to work properly. If you use an environment variable to specify a trusted location, and you do not make the necessary registry modification, the trusted location appears in the Trust Center, but it is unavailable and it appears as a relative path containing the environment variables. After you change the value type in the registry, the trusted location will appear in the Trust Center as an absolute path and it will be available.
You cannot use environment variables when you specify trusted locations by using Group Policy. You can use environment variables to specify trusted locations only by using the Office Customization Tool (OCT).
To use environment variables to specify trusted locations, do the following:
Use the Registry Editor to locate the trusted location that is represented by an environment variable.
Trusted locations that are configured by using the OCT are stored in the following location:
Where application_name can be Access, Excel, PowerPoint, Visio, or Word.
Trusted locations are stored in registry entries named Path, and they are stored as String Value (REG_SZ) value types. Be sure to locate each Path entry that uses environment variables to specify a trusted location.
Change the Path value type.
Applications in the 2007 Office system cannot recognize environment variables that are stored as String Value (REG_SZ) value types. For applications to recognize environment variables, you must change the value type of the Path entry so it is an Expandable String Value (REG_EXPAND_SZ) value type. To do this, perform the following steps:
Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Write down or copy the value of the Path entry. This should be an unexpanded path that contains one or more environment variables (for example, a path that begins with %USERPROFILE%).
Delete the Path entry.
Create a new Path entry of type Expandable String Value (REG_EXPAND_SZ).
Modify the new Path entry so that it has the same value that you wrote down or copied in the first step.
Be sure to make this change for each Path entry that uses environment variables to specify a trusted location.
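The following PowerShell script is an added example, not part of the Office Resource Kit, that performs the registry procedure above for every application at once. It assumes the OCT writes trusted locations to the per-user key HKCU:\Software\Microsoft\Office\12.0\<application>\Security\Trusted Locations with one subkey per location (the page does not print the key; that layout is an assumption), reads each Path value without expanding it so the %VAR% tokens survive, and recreates any REG_SZ Path that contains a variable as REG_EXPAND_SZ with identical data. The key is exported to a .reg file first, as the warning above advises.

```powershell
# Added example (not from the Office Resource Kit): recreate trusted-location
# Path values that contain environment variables as REG_EXPAND_SZ.
# Assumed registry layout: one subkey per location under
#   HKCU:\Software\Microsoft\Office\12.0\<App>\Security\Trusted Locations
param(
    [string[]]$Applications = @('Access', 'Excel', 'PowerPoint', 'Visio', 'Word'),
    [switch]$WhatIf      # report what would change without touching the registry
)
$ErrorActionPreference = 'Stop'

foreach ($app in $Applications) {
    $root = "HKCU:\Software\Microsoft\Office\12.0\$app\Security\Trusted Locations"
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # Back up the key before editing it (reg.exe /y overwrites an older backup).
    $backup = Join-Path $env:TEMP "$app-TrustedLocations.reg"
    reg.exe export "HKCU\Software\Microsoft\Office\12.0\$app\Security\Trusted Locations" $backup /y | Out-Null

    # Get-ChildItem on the registry provider returns RegistryKey objects, so the
    # value kind and the unexpanded data can be read directly.
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        if ($key.GetValueNames() -notcontains 'Path') { continue }

        $kind = $key.GetValueKind('Path')
        $raw  = $key.GetValue('Path', $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

        $hasVariable = $raw -match '%[^%]+%'
        if ($kind -eq [Microsoft.Win32.RegistryValueKind]::ExpandString -or -not $hasVariable) {
            continue   # already REG_EXPAND_SZ, or nothing to expand
        }

        Write-Host "$app\$($key.PSChildName): '$raw' is $kind; recreating as ExpandString"
        if ($WhatIf) { continue }

        # The value type cannot be changed in place: delete Path and recreate it
        # as REG_EXPAND_SZ with the data that was copied above.
        Remove-ItemProperty -LiteralPath $key.PSPath -Name 'Path'
        New-ItemProperty -LiteralPath $key.PSPath -Name 'Path' -Value $raw `
            -PropertyType ExpandString | Out-Null

        # Confirm the entry now resolves to an absolute path that exists.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        Write-Host "  expands to '$expanded' (exists: $(Test-Path -LiteralPath $expanded))"
    }
}
```

Run it once with -WhatIf to see which Path entries would be recreated, then without it. After the change the locations show in the Trust Center as absolute paths, as described above.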
Specifying Web folders as trusted locations
You can specify Web folders (that is, http:// paths) as trusted locations, however, only those Web folders that support Web Distributed Authoring and Versioning (WebDAV) or FrontPage Server Extensions Remote Procedure Call (FPRPC) protocols will be recognized as trusted locations. Use the following guidelines if you are not sure whether a Web folder supports the WebDAV or FPRPC protocols:
If a document is opened from Internet Explorer in an Office application, check the most recently used files list. If the most recently used files list indicates that the file is located on the remote server, rather than in the Temporary Internet Files folder, it is likely that the Web folder supports WebDAV in some form. For example, if you click a document while browsing in Internet Explorer, and the document opens in Office Word 2007, the most recently used files list should show that the document is located on the remote server and not in the local Temporary Internet Files folder.
Try to use the Open dialog box to browse to the Web folder. If the path supports WebDAV, you should be able to browse to the Web folder or you should get prompted for credentials. If the Web folder does not support WebDAV, navigation fails and the dialog box closes.
Sites that are created with Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 can be designated as trusted locations.
Determine folder sharing and folder security settings
Every folder that you specify as a trusted location must be secured, and a folder on a network share must also be shared correctly. Use the following guidelines to determine which sharing settings and security settings you need to apply to each trusted location:
Share each folder that you designate as a trusted location on a network share so that users can access the files that are saved in the trusted location.
Configure sharing permissions so that only authorized users have access to the shared folder. Be sure to use the principle of least privilege and grant permissions that are appropriate to a user. That is, grant Read permission to those users who do not need to modify trusted files, and grant Change permission to those users who need to modify trusted files. Full Control on the share is rarely needed and lets a user change the share permissions themselves.
Apply folder (NTFS) security permissions so that only authorized users can read or modify the files in trusted locations. Again, use the principle of least privilege. That is, grant Modify permission only to those users who need to change files, and grant Read & execute to those users who need only to read files. Full Control should be reserved for administrators, because it also lets the holder change the folder's permissions and grant write access to others. Remember that anyone who can write to the folder can plant a file whose active content will run without warning.
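As an added example, not part of the Office Resource Kit, the PowerShell script below creates a folder intended as a trusted location and applies the guidelines above: inheritance is cut off so broad rights cannot leak in from the parent, readers get Read & execute, authors get Modify (not Full Control), and the share permissions are kept at least as tight as the NTFS permissions. The path, share name, and group names are assumptions chosen for illustration.

```powershell
# Added example (not from the Office Resource Kit): create a trusted-location
# folder with least-privilege NTFS and share permissions.
# Path, share name and group names below are assumptions.
param(
    [string]$Path         = 'D:\OfficeTrusted\Templates',
    [string]$ShareName    = 'TrustedTemplates',
    [string]$ReadersGroup = 'CONTOSO\Office-Template-Readers',
    [string]$AuthorsGroup = 'CONTOSO\Office-Template-Authors'
)
$ErrorActionPreference = 'Stop'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path
# Stop inheriting from the parent and discard the inherited rules, so a broad
# grant higher up the tree (for example Users: Modify) cannot reach this folder.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

foreach ($rule in @(
    # Administrative identities keep Full Control so the folder stays manageable.
    @('BUILTIN\Administrators', 'FullControl'),
    @('NT AUTHORITY\SYSTEM',    'FullControl'),
    # Readers can open and run files but cannot add, change or delete them.
    @($ReadersGroup, 'ReadAndExecute'),
    # Authors get Modify rather than Full Control: Full Control would also let
    # them rewrite these permissions and hand write access to others.
    @($AuthorsGroup, 'Modify')
)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule[0], $rule[1], $inherit, $none, $allow)))
}
Set-Acl -Path $Path -AclObject $acl

# Share permissions are the outer gate; grant Read/Change explicitly, never Everyone.
if (Get-Command New-SmbShare -ErrorAction SilentlyContinue) {
    New-SmbShare -Name $ShareName -Path $Path `
        -ReadAccess $ReadersGroup -ChangeAccess $AuthorsGroup | Out-Null
} else {
    # Servers without the SmbShare module: net share with explicit grants.
    net share "$ShareName=$Path" "/GRANT:$ReadersGroup,READ" "/GRANT:$AuthorsGroup,CHANGE" | Out-Null
}

# Verification: list every principal that can write. Only the authors group and
# the administrative identities should appear.
(Get-Acl -Path $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) } |
    Select-Object IdentityReference, FileSystemRights
```

The verification at the end is the check to keep in your operations runbook: rerun it after any permission change on the folder, because a single Write grant to a broad group turns the trusted location into a code-execution path for everyone in that group.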
Determine restrictions for trusted locations
There are several settings that you can use to restrict or control the behavior of trusted locations. Use the recommendations in the following table to determine how to configure these settings.
Setting name: Allow mix of policy and user locations
Recommended configuration: Disabled
Description:
By default, a computer can have a combination of user-created, OCT-created, and Group Policy-created trusted locations. Selecting this option disables all trusted locations that are not created by Group Policy and prevents users from creating new trusted locations through the graphical user interface in the Trust Center. This is a global setting that applies to all applications for which you configure trusted locations.
Setting name: Allow Trusted Locations not on the computer
Recommended configuration: Disabled
Description:
By default, trusted locations that are network shares are disabled, but users can still select the Allow Trusted Locations on my network check box in the Trust Center graphical user interface. Selecting this option disables trusted locations that are network shares and prevents users from selecting the Allow Trusted Locations on my network check box in the Trust Center graphical user interface. If you specify Disabled, and a user attempts to designate a network share as a trusted location, a warning informs the user that the current security settings do not allow the creation of trusted locations with remote paths or network paths. If an administrator designates a network share as a trusted location through Group Policy or by using the OCT, and this setting is Disabled, the trusted location is disabled and will not be recognized by an application. This is not a global setting; you must configure this setting on a per-application basis for Office Access 2007, Office Excel 2007, Office PowerPoint 2007, Office Visio 2007, and Office Word 2007.
You can also use the Remove all trusted locations written by the OCT during installation setting to delete all trusted locations that have been created by configuring the OCT. For more information about this setting, see Security policies and settings in the 2007 Office system.
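To see how the settings in this section combine on a real computer, the PowerShell audit below is an added example, not part of the Office Resource Kit. It enumerates the trusted locations configured for the current user from both the user/OCT key and the Group Policy key for each application, expands each path, flags remote (UNC or http) paths, reports the per-application restriction flags, and checks whether a broad principal such as Everyone or Users can write to the folder. The key paths and the value names AllLocationsDisabled, AllowNetworkLocations, AllowUserLocations and AllowSubfolders are assumptions taken from the Office 2007 registry layout; the page does not print them.

```powershell
# Added example (not from the Office Resource Kit): audit the trusted locations
# configured for the current user and flag the ones an unprivileged user could
# plant a file in. Key paths and value names below are assumptions.
$apps  = 'Access', 'Excel', 'PowerPoint', 'Visio', 'Word'
$roots = @{
    'User/OCT' = 'HKCU:\Software\Microsoft\Office\12.0\{0}\Security\Trusted Locations'
    'Policy'   = 'HKCU:\Software\Policies\Microsoft\Office\12.0\{0}\Security\Trusted Locations'
}
# Principals that should never hold write rights on a trusted location.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Test-BroadWrite([string]$Folder) {
    if (-not (Test-Path -LiteralPath $Folder)) { return 'missing' }
    $hits = (Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $broad -contains $_.IdentityReference.Value -and
                       ($_.FileSystemRights -band $writeMask) }
    if ($hits) { return ($hits.IdentityReference.Value -join ';') } else { return 'ok' }
}

$report = foreach ($app in $apps) {
    foreach ($source in $roots.Keys) {
        $root = $roots[$source] -f $app
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $flags = Get-ItemProperty -LiteralPath $root          # per-application restriction values
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $raw = $key.GetValue('Path', $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if (-not $raw) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            $isWeb    = $expanded -match '^https?://'
            [pscustomobject]@{
                App            = $app
                Source         = $source
                Location       = $key.PSChildName
                Path           = $expanded
                Remote         = ($expanded -like '\\*') -or $isWeb
                Subfolders     = [bool]$key.GetValue('AllowSubfolders', 0)
                AllDisabled    = [bool]$flags.AllLocationsDisabled
                NetworkAllowed = [bool]$flags.AllowNetworkLocations
                MixAllowed     = [bool]$flags.AllowUserLocations
                BroadWrite     = if ($isWeb) { 'n/a' } else { Test-BroadWrite $expanded }
            }
        }
    }
}
$report | Format-Table -AutoSize

# Every entry warned about here is a folder where an unprivileged user can drop
# a document that Office opens with all active content enabled.
$report | Where-Object { $_.BroadWrite -notin 'ok', 'missing', 'n/a' } |
    ForEach-Object { Write-Warning "$($_.App) $($_.Location) '$($_.Path)' is writable by $($_.BroadWrite)" }
```

Read the Remote and NetworkAllowed columns together: a UNC path listed while NetworkAllowed is false is configured but ignored by the application, which is the behaviour described for the Allow Trusted Locations not on the computer setting above. A folder with Subfolders set to true deserves the same ACL check on every subfolder, since each of them is trusted too.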
Plan for trusted publishers
The 2007 Office system stores certificates for trusted publishers in the Windows Trusted Publishers certificate store, the same store that Internet Explorer uses. Previous versions of Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. The 2007 Office system still reads trusted publisher certificate information from the Office trusted publisher store, but it does not write information to this store. So, if you created a list of trusted publishers in a previous version of Office, and you upgrade to the 2007 Office system, your trusted publisher list will still be recognized. However, any trusted publisher certificates that you add to the list will be stored in the Windows Trusted Publishers store. This behavior is the same for all applications that use the trusted publishers list, including:
Office Access 2007
Office Excel 2007
Microsoft Office InfoPath 2007
Microsoft Office Outlook 2007
Office PowerPoint 2007
Microsoft Office Publisher 2007
Office Visio 2007
Office Word 2007
You cannot use the Office 2007 Administrative Templates to add certificates to the trusted publishers list; however, you can use the OCT. To do this, you must have the digital certificate (.cer file) from the trusted publisher. If you cannot obtain a certificate directly from the publisher, you can export a certificate from a file that the publisher has signed, such as a dynamic-link library (.dll) file or an executable (.exe) file. Only export a certificate from a file whose signature verifies as valid; a file with an invalid or tampered signature tells you nothing reliable about the publisher. The following procedure shows you how to do this.
Export a certificate from a .dll file
Right-click the .dll file that the publisher has signed, and then click Properties.
Click the Digital Signatures tab.
In Signature list, click the certificate, and then click Details.
In the Digital Signature Details dialog box, click View Certificate.
Click the Details tab, and then click Copy to File.
On the Certificate Export Wizard welcome page, click Next.
On the Export File Format page, click DER encoded binary X.509 (.CER), and then click Next.
On the File to Export page, type a path and name for the .cer file, click Next, and then click Finish.
Alternatively, you can use the following procedure to determine which certificates you need and then export them from within Microsoft Office Word 2007.
Determine which certificates are needed
On a test computer or a client computer that is running the standard configuration for your organization (including any add-ins that users need), enable the Require Application Add-Ins to be signed by Trusted Publisher option:
Click the Microsoft Office Button, click Word Options, click Trust Center, click Trust Center Settings, click Add-ins, click Require Application Add-ins to be signed by Trusted Publisher, and then click OK.
Exit and restart Word. If add-ins are installed, the Security Warning bar displays the following message: Application add-ins have been disabled.
Temporarily disable SmartTags:
Click the Microsoft Office Button, click Word Options, and then click OK. The Security Warning bar displays the following message: Some active content has been disabled.
SmartTags will be enabled again after you close and then restart Word.
On the Security Warning bar, click Options.
On the Security Alerts – Multiple Issues window, install each certificate to the Trusted Publishers list by performing the following steps for each add-in that shows a valid digital signature:
If you did not disable SmartTags in the previous step, you will see a different window from which you will not be able to install certificates.
Click Show Signature Details.
In the Digital Signature Details window, click View Certificate.
In the Certificate window, click Install Certificate.
In the Certificate Import Wizard, click Next, click Place all certificates in the following store, click Browse, click Trusted Publishers, click OK, click Next, and then click Finish.
Prepare the certificate files for distribution:
In the Trusted Publishers box (click the Microsoft Office Button, click Word Options, click Trust Center, click Trust Center Settings, and then click Trusted Publishers), view the certificates that you installed.
For each certificate, double-click the certificate and then perform the following steps:
In the Certificate window, on the Details tab, click Copy to File.
In the Certificate Export Wizard, click Next, and then click Next again to accept the default file format, enter a file name, select a location to store the file, and then click Finish.
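The PowerShell script below is an added example, not part of the Office Resource Kit, that scripts both procedures above (exporting a certificate from a signed .dll and preparing the certificates for distribution) so they can be repeated on a reference computer without clicking through the wizards. For each signed add-in file it reads the Authenticode signature, skips files whose signature does not verify, checks that the signer certificate carries the code-signing usage, writes the certificate to a DER-encoded .cer file (the same format the export wizard step chooses), and, with -Install, adds it to the current user's Trusted Publishers store. The file paths and output folder are assumptions.

```powershell
# Added example (not from the Office Resource Kit): export signer certificates
# from signed add-in files to .cer and optionally install them as trusted
# publishers. File paths and the output folder are assumptions.
param(
    [string[]]$SignedFiles = @("$env:ProgramFiles\Contoso\ContosoWordAddin.dll"),
    [string]$OutDir  = "$env:USERPROFILE\Desktop\TrustedPublisherCerts",
    [switch]$Install
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$exported = foreach ($file in $SignedFiles) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    # A certificate taken from a file with a broken or untrusted signature would
    # trust whoever tampered with the file, not the publisher.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$file : signature status $($sig.Status); skipped"
        continue
    }
    $cert = $sig.SignerCertificate

    # The Enhanced Key Usage extension (OID 2.5.29.37), when present, must list
    # Code Signing (OID 1.3.6.1.5.5.7.3.3).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.3')) {
        Write-Warning "$file : signer certificate lacks the code-signing usage; skipped"
        continue
    }

    $name = $cert.GetNameInfo('SimpleName', $false) -replace '[^\w.-]', '_'
    $out  = Join-Path $OutDir ("{0}-{1}.cer" -f $name, $cert.Thumbprint)
    # DER-encoded binary X.509 (.CER), the format the export wizard step selects.
    [IO.File]::WriteAllBytes($out,
        $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

    [pscustomobject]@{
        File       = $file
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        CerFile    = $out
    }
}
$exported | Format-Table -AutoSize

if ($Install) {
    # Same store the Trust Center's Trusted Publishers list reads from.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'CurrentUser')
    $store.Open('ReadWrite')
    foreach ($e in $exported) {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($e.CerFile)
        if (-not $store.Certificates.Contains($c)) { $store.Add($c) }
    }
    $store.Close()
}
```

Record the thumbprints the script prints in your security planning documents; they are what you compare against when a publisher renews its certificate, and they let you confirm that the .cer files you hand to the OCT are the ones exported from verified files.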