Plan and configure Trusted Locations settings for Office 2013
Applies to: Office 365 ProPlus
Summary Explains how to use the Trusted Locations feature in Office 2013 to differentiate safe files from potentially harmful files.
Audience: IT Professionals
If you want to differentiate safe files from potentially harmful files, you can use the Trusted Locations feature in Office 2013. The Trusted Locations feature lets you designate trusted file sources on the hard disks of users' computers or on a network share. When a folder is designated as a trusted file source, any file that is saved in the folder is assumed to be a trusted file. When a trusted file is opened, all content in the file is enabled and active, and users aren’t notified about any potential risks that might be contained in the file. These can include, for example, unsigned add-ins and Microsoft Visual Basic for Applications (VBA) macros, links to content on the Internet, or database connections.
|
This article is part of the Guide to Office 2013 security. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 security. Are you looking for security information about individual Office 2013 applications? You can find this information by searching for “2013 security” on Office.com. |
.jpg "Roadmap arrow for guide to Office security.")
In this article:
Plan Trusted Locations settings in Office 2013
Implement Trusted Locations in Office 2013
Disable Trusted Locations
Plan Trusted Locations settings in Office 2013
Office 2013 provides several settings that let you control the behavior of the Trusted Locations feature. By configuring these settings, you can do the following:
Specify Trusted Locations globally or on a per-application basis.
Allow a network share to be a trusted location.
Prevent users from designating Trusted Locations.
Disable the Trusted Locations feature.
The Trusted Locations feature is available in the following applications: Access 2013, Excel 2013, InfoPath 2013, PowerPoint 2013, Visio 2013, and Word 2013.
The following list describes the default configuration for the Trusted Locations feature:
Trusted Locations is enabled.
Users can’t designate network shares as Trusted Locations. But, users can change this setting in the Trust Center. See View my options and settings in the Trust Center for user instructions on trusted locations and other user options in the Trust Center.
Users can add folders to the Trusted Locations list.
Both user-defined and policy-defined Trusted Locations can be used to specify Trusted Locations.
In addition, several folders are designated as Trusted Locations in a default installation of Office 2013. The default folders for each application are listed in the following tables. (InfoPath 2013 and Visio 2013 have no default Trusted Locations.)
Access 2013 Trusted Locations
The following table lists the default trusted location for Access 2013.
Default Trusted Location for Access 2013
| Default trusted location | Folder description | Are subfolders trusted also? |
|---|---|---|
Program Files\Microsoft Office 15\Root\Office15\ACCWIZ |
Wizard databases |
No (Disallowed) |
Excel 2013 Trusted Locations
The following table lists the default Trusted Locations for Excel 2013.
Default Trusted Locations for Excel 2013
| Default Trusted Locations | Folder description | Are subfolders trusted also? |
|---|---|---|
Program Files\Microsoft Office 15\Root\Templates |
Application templates |
Yes (Allowed) |
Users\user_name\Appdata\Roaming\Microsoft\Templates |
User templates |
No (Disallowed) |
Program Files\Microsoft Office 15\Root\Office15\XLSTART |
Excel startup |
Yes (Allowed) |
Users\user_name\Appdata\Roaming\Microsoft\Excel\XLSTART |
User startup |
No (Disallowed) |
Program Files\Microsoft Office 15\Root\Office15\STARTUP |
Office startup |
Yes (Allowed) |
Program Files\Microsoft Office 15\Root\Office15\Library |
Add-ins |
Yes (Allowed) |
PowerPoint 2013 Trusted Locations
The following table lists the default Trusted Locations for PowerPoint 2013.
Default Trusted Locations for PowerPoint 2013
| Default Trusted Locations | Folder description | Are subfolders trusted also? |
|---|---|---|
Program Files\Microsoft Office 15\Root\Templates |
Application templates |
Yes (Allowed) |
Users\user_name\Appdata\Roaming\Microsoft\Templates |
User templates |
Yes (Allowed) |
Users\user_name\Appdata\Roaming\Microsoft\Addins |
Add-ins |
No (Disallowed) |
Program Files\Microsoft Office 15\Root\Document Themes 15 |
Application themes |
Yes (Allowed) |
Word 2013 Trusted Locations
The following table lists the default Trusted Locations for Word 2013.
Default Trusted Locations for Word 2013
| Default Trusted Locations | Folder description | Are subfolders trusted also? |
|---|---|---|
Program Files\Microsoft Office 15\Root\Templates |
Application templates |
Yes (Allowed) |
Users\user_name\Appdata\Roaming\Microsoft\Templates |
User templates |
No (Disallowed) |
Users\user_name\Appdata\Roaming\Microsoft\Word\Startup |
User startup |
No (Disallowed) |
Note
For information about how to configure security settings in the Office Customization Tool (OCT) and the Office 2013 Administrative Templates, see Configure security by using OCT or Group Policy for Office 2013.
Implement Trusted Locations in Office 2013
To implement Trusted Locations, you must determine the following:
The applications for which you want to configure Trusted Locations.
The folders that you want to designate as Trusted Locations.
The folder sharing and folder security settings that you want to apply to your Trusted Locations.
The restrictions that you want to apply to Trusted Locations.
Determine the applications that you want to configure Trusted Locations for
Use the following guidelines to help determine the applications for which you want to configure Trusted Locations:
Trusted Locations affect all content in a file. This includes add-ins, ActiveX controls, hyperlinks, links to data sources and media, and VBA macros. Moreover, files that are opened from Trusted Locations skip file validation checks, File Block checks, and don’t open in Protected View.
Each application provides the same settings for configuring Trusted Locations. This means that you can independently customize Trusted Locations for each application.
You can disable Trusted Locations for one or more applications, and implement Trusted Locations for other applications.
Determine the folders to designate as Trusted Locations
Use the following guidelines to help determine the folders that you want to designate as Trusted Locations:
You can specify Trusted Locations on a per-application basis or globally.
One or more applications can share a trusted location.
To prevent malicious users from adding files to a trusted location or from modifying files that are saved in a trusted location, you must apply operating system security settings to any folder that you designate as a trusted location.
By default, only Trusted Locations that are on users' hard disks are allowed. To enable Trusted Locations on network shares, you must enable the Allow Trusted Locations on my network (not recommended) setting.
We don’t recommend that you specify root folders, such as drive C, or the whole Documents or My Documents folder as Trusted Locations. Instead, create a subfolder within those folders and specify only that folder as a trusted location.
In addition, you must use the guidelines in the following sections if you want to:
Use environment variables to specify Trusted Locations.
Specify web folders (that is, http://paths) as Trusted Locations.
Use environment variables to specify Trusted Locations
You can use environment variables by using Group Policy and the OCT to specify Trusted Locations. But, for environment variables to work correctly when you use them within the OCT, you must change the value type that is used to store Trusted Locations in the registry. If you use an environment variable to specify a trusted location, and you don’t make the necessary registry modification, the trusted location appears in the Trust Center, but it’s unavailable and it’s listed as a relative path that contains the environment variables. After you change the value type in the registry, the trusted location appears in the Trust Center as an absolute path and is available.
Note
You can complete tasks in all Office 2013 suites by using a mouse, keyboard shortcuts, or touch. For information about how to use keyboard shortcuts and touch with Office products and services, see Keyboard shortcuts and Office Touch Guide.
To use environment variables to specify Trusted Locations
Use Registry Editor to locate the trusted location that is represented by an environment variable.
To open Registry Editor, click Start, click Run, type regedit, and then click OK.
Or, if you are using Windows 8 or Windows 8.1, swipe from the right to reveal the charms, choose the Search charm, and type regedit.
Trusted Locations that are configured by using the OCT are stored in the following location:
HKEY_CURRENT_USER/Software/Microsoft/Office/15.0/application_name/Security/Trusted Locations
Where application_name can be Access, Excel, PowerPoint, Visio, or Word.
Trusted Locations are stored in registry entries named Path, and they are stored as String Value (REG_SZ) value types. Be sure to locate each Path entry that uses environment variables to specify a trusted location.
Change the Path value type.
Applications in the Office 2013 can’t recognize environment variables that are stored as String Value (REG_SZ) value types. For applications to recognize environment variables, you must change the value type of the Path entry so that it is an Expandable String Value (REG_EXPAND_SZ) value type. To do this, follow these steps:
Write down or copy the value of the Path entry. This should be a relative path that contains one or more environment variables.
Delete the Path entry.
Create a Path entry of type Expandable String Value (REG_EXPAND_SZ).
Change the new Path entry so that it has the same value that you wrote down or copied in the first step.
Be sure to make this change for each Path entry that uses environment variables to specify a trusted location.
Specify web folders as Trusted Locations
You can specify web folders (that is, http://paths) as Trusted Locations. But, only those web folders that support Web Distributed Authoring and Versioning (WebDAV) or FrontPage Server Extensions Remote Procedure Call (FPRPC) protocols are recognized as Trusted Locations. Use the following guidelines if you aren’t sure whether a web folder supports the WebDAV or FPRPC protocols:
If you open an application in Internet Explorer, check the most recently used files list. If the most recently used files list indicates that the file is located on a remote server, instead of in the Temporary Internet Files folder, it is likely that the web folder supports WebDAV in some form. For example, if you open a document while browsing Internet Explorer, and it opens in Word 2013, the most recently used files list should show that the document is located on the remote server and not in the local Temporary Internet Files folder.
Try to use the Open dialog box to browse to the web folder. If the path supports WebDAV, you probably can browse to the web folder or you are prompted for credentials. If the web folder doesn’t support WebDAV, navigation fails and the dialog box closes.
Note
Sites that are created with SharePoint Server 2013 can be designated as Trusted Locations.
Determine folder sharing and folder security settings for trusted location folders
All folders that you specify as Trusted Locations must be secured. Use the following guidelines to determine which sharing settings and security settings that you have to apply to each trusted location:
If a folder is shared, configure sharing permissions so that only authorized users have access to the shared folder. Be sure to use the principle of least privilege and grant permissions that are appropriate to a user. That is, grant Read permission to those users who don’t have to change trusted files, and grant Full Control permission to those users who have to change trusted files.
Apply folder security permissions so that only authorized users can read or change the files in Trusted Locations. Make sure to use the principle of least privilege and to grant permissions that are appropriate to a user. That is, grant Full Control permissions to only those users who have to change files. Then, grant more-restrictive permissions to those users who need only to read files.
Determine restrictions for Trusted Locations
Office 2013 provides several settings that enable you to restrict or control the behavior of Trusted Locations. Use the following guidelines to determine how to configure these settings.
Group Policy Setting name: Allow mix of policy and user locations
Description: This setting controls whether Trusted Locations can be defined by users, the OCT, and Group Policy, or if they must be defined by Group Policy alone. By default, users can designate any location as a trusted location and a computer can have any combination of user-created, OCT-created, and Group Policy-created Trusted Locations.
Impact: If this setting is disabled, all Trusted Locations that aren’t created by Group Policy are disabled and users can’t create new Trusted Locations in the Trust Center. Disabling this setting will cause some disruption for users who have defined their own Trusted Locations in the Trust Center. Applications treat such locations as they treat any other untrusted locations, which means that users see Message Bar warnings about content such as ActiveX controls and VBA macros when they open files, and they have to choose whether to enable controls and macros or leave them disabled This is a global setting that applies to all applications for which you configure Trusted Locations.
Guidelines: Organizations that have a highly restrictive security environment typically disable this setting. Organizations that manage their desktop configurations through Group Policy typically disable this setting.
Group Policy Setting name: Allow Trusted Locations on the network
Description: This setting controls whether Trusted Locations on the network can be used. By default, Trusted Locations that are network shares are disabled. But users can still select the Allow Trusted Locations on my network (not recommended) check box in the Trust Center, which will enable users to designate network shares as Trusted Locations. This isn’t a global setting. You must configure this setting on a per-application basis for Access 2013, Excel 2013, PowerPoint 2013, Visio 2013, and Word 2013.
Impact: Disabling this setting disables all Trusted Locations that are network shares and prevents users from selecting the Allow Trusted Locations on my network (not recommended) check box in the Trust Center. Disabling this setting will cause some disruption for users who have defined their own Trusted Locations in the Trust Center. If you disable this setting, and a user attempts to designate a network share as a trusted location, a warning informs the user that the current security settings don’t allow them to create Trusted Locations that are remote paths or network paths. If an administrator designates a network share as a trusted location through Group Policy or by using the OCT, and this setting is disabled, the trusted location is disabled. Applications treat such locations like any other untrusted locations, which means that users see Message Bar warnings about content such as ActiveX controls and VBA macros when they open files. They have to choose whether to enable controls and macros or leave them disabled.
Guidelines: Organizations that have a highly restrictive security environment typically disable this setting.
Note
You can also use the Remove all Trusted Locations written by the OCT during installation setting to delete all Trusted Locations that were created by configuring the OCT.
Disable Trusted Locations in Office 2013
Office 2013 provides a setting that enables you to disable the Trusted Locations feature. This setting must be configured on a per-application basis for Access 2013, Excel 2013, PowerPoint 2013, Visio 2013, and Word 2013. Use the following guidelines to determine whether you should use this setting.
Group Policy Setting name: Disable all Trusted Locations
Description: This setting lets you disable the Trusted Locations feature on a per-application basis. By default, the Trusted Locations feature is enabled and users can create Trusted Locations.
Impact: Enabling this setting disables all Trusted Locations. This includes Trusted Locations that are as follows:
Created by default during Setup.
Created by using the OCT.
Created by users through the Trust Center.
Created by using Group Policy.
Enabling this setting also prevents users from configuring Trusted Locations settings in the Trust Center. If you enable this setting, make sure that you notify users that they can’t use the Trusted Locations feature. If users have been opening files from Trusted Locations, and you enable this setting, users might start seeing warnings in the Message Bar and they might be required to respond to Message Bar warnings to enable content, such as ActiveX controls, add-ins, and VBA macros.
Guidelines: Organizations that have a highly restrictive security environment typically enable this setting.
Note
For the latest information about policy settings, refer to the Excel 2013 workbook Office2013GroupPolicyAndOCTSettings_Reference.xlsx that is included in the Office 2013 Administrative Template files. For more information, see the Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool TechNet article.
See also
Guide to Office 2013 security
Overview of security in Office 2013
Configure security by using OCT or Group Policy for Office 2013
Understand security threats and countermeasures for Office 2013
Plan and configure Trusted Publishers settings for Office 2013
Configure security by using OCT or Group Policy for Office 2013