Granting Trust to Office Solutions
Granting trust to Office solutions means modifying the security policy of each end user to trust the solution assembly, application manifest, deployment manifest, and document. You can grant full trust to the appropriate files by using one or more of the following options:
ClickOnce Authenticode certificates, which are used to identify the publisher. Trust can be granted to solutions based on the publisher's certificate.
ClickOnce trust prompts, which are used when the certificate identifies the publisher but the publisher's certificate has not been trusted.
Inclusion list, which stores the trust decision that is made by end users after they respond to a trust prompt.
Applies to: The information in this topic applies to document-level projects and application-level projects for Microsoft Office 2010 and the 2007 Microsoft Office system. For more information, see Features Available by Office Application and Project Type.
Authenticode Certificates
All application and deployment manifests for Office solutions must be signed with a certificate that identifies the publisher. Certificates provide a basis for making trust decisions.
Visual Studio 2008 Service Pack 1 (SP1) adds a way to deploy without signing the manifests, but this feature is not supported by Office solutions. All manifests must be signed with a certificate.
A temporary certificate is created for you and granted trust at build time so the solution runs while you debug it. This certificate is for local development only; solutions that are deployed to other users should be signed with a certificate those users' computers can trust.
If you sign the solution with a certificate that the end user's computer already trusts, the solution is installed automatically without prompting the end user to make a trust decision. For ClickOnce, "trusted" means two things: the certificate chains to a certification authority in the Trusted Root Certification Authorities store, and the publisher certificate itself is in the Trusted Publishers store. For more information about how to obtain a certificate for signing, see ClickOnce and Authenticode. After a certificate is obtained, it must be explicitly trusted on each client by adding it to the Trusted Publishers list. For more information, see How to: Add a Trusted Publisher to a Client Computer for ClickOnce Applications.
If a developer signs the solution with a temporary certificate, an administrator can re-sign the customization with a known and trusted certificate by using the Manifest Generation and Editing Tool (mage.exe), which is one of the Microsoft .NET Framework tools. For more information about signing solutions, see How to: Sign Office Solutions and How to: Sign Application and Deployment Manifests.
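The re-signing and trusted-publisher steps above, as an added PowerShell example that is not code from the original page. The solution name, publish paths, mage.exe location, certificate thumbprint and time-stamp server are placeholders to replace; the mage.exe options (-Sign, -CertHash, -TimestampUri, -Update, -AppManifest) and the Trusted Publishers store path are real.

```powershell
# Added example, not code from the original page. An administrator re-signs a solution that
# a developer signed with a temporary certificate, using the organisation's code-signing
# certificate, then pre-trusts that publisher on a client so ClickOnce installs the
# solution without a trust prompt. All file names and the thumbprint are placeholders.
$ErrorActionPreference = 'Stop'

# Assumed locations. mage.exe ships with the Windows SDK / .NET Framework tools; the .vsto
# file is the deployment manifest and the .dll.manifest the application manifest.
$Mage           = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\mage.exe'
$AppManifest    = '.\Publish\Application Files\ContosoAddIn_1_0_0_0\ContosoAddIn.dll.manifest'
$DeployManifest = '.\Publish\ContosoAddIn.vsto'
$PublicCert     = '.\ContosoCodeSigning.cer'   # public half only, for the clients

# SHA-1 thumbprint of the signing certificate in the signer's CurrentUser\My store.
# -CertHash keeps the private key in the store instead of passing a PFX password on the
# command line, where it would end up in shell history.
$Thumbprint   = '0123456789ABCDEF0123456789ABCDEF01234567'
$TimestampUri = 'http://timestamp.digicert.com'   # assumed TSA; any RFC 3161 time-stamp server works

function Invoke-Mage {
    param([string[]]$Arguments)
    & $Mage @Arguments
    if ($LASTEXITCODE -ne 0) { throw "mage.exe failed ($LASTEXITCODE): $($Arguments -join ' ')" }
}

# 1. Re-sign the application manifest. Signing changes its hash ...
Invoke-Mage @('-Sign', $AppManifest, '-CertHash', $Thumbprint, '-TimestampUri', $TimestampUri)

# 2. ... so the deployment manifest must be updated to reference the re-signed file ...
Invoke-Mage @('-Update', $DeployManifest, '-AppManifest', $AppManifest)

# 3. ... and then be re-signed itself, because -Update invalidates its previous signature.
Invoke-Mage @('-Sign', $DeployManifest, '-CertHash', $Thumbprint, '-TimestampUri', $TimestampUri)

# On each client (elevated): place the publisher certificate in Trusted Publishers.
# ClickOnce suppresses the prompt only if the certificate is here AND chains to a root in
# Trusted Root Certification Authorities; an internal issuing CA must be imported there too.
Import-Certificate -FilePath $PublicCert -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# Verify by thumbprint, not by subject name, which anyone can put on a self-signed certificate.
$trusted = Get-ChildItem 'Cert:\LocalMachine\TrustedPublisher' | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $trusted) { throw 'Publisher certificate is not in Trusted Publishers' }
"Trusted publisher: $($trusted.Subject)"
```

On clients without the PKI module (Windows 7 era), `certutil -addstore TrustedPublisher ContosoCodeSigning.cer` performs the same import. Keep the order of the three mage.exe steps: signing the deployment manifest before updating it leaves it referencing the old application manifest hash, and the install fails validation.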
Trust Prompts
ClickOnce prompts the end user to make the trust decision if there is no organization-wide policy that trusts the solution's certificate. If the end user grants trust to the solution, an inclusion list entry is created that stores this trust decision as a pair: the URL of the deployment manifest and the public key of the certificate that signed it. When the same customization is run again later from that URL with that key, the end user is not prompted again.
Administrators can disable the ClickOnce trust prompt or require that the prompt occur only for solutions that are signed with an Authenticode certificate. For more information about how to change these settings for the MyComputer, LocalIntranet, Internet, TrustedSites, and UntrustedSites zones, see How to: Configure the ClickOnce Trust Prompt Behavior.
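The per-zone prompt setting the paragraph above refers to lives in the ClickOnce TrustManager PromptingLevel registry key. The following is an added PowerShell example, not code from the original page; the key path, zone names and the three values (Enabled, AuthenticodeRequired, Disabled) are those documented for ClickOnce, while the chosen hardening values are an illustration. Run it elevated.

```powershell
# Added example, not code from the original page: set the ClickOnce trust prompt level per zone.
# Zones that have no explicit value use the ClickOnce default: Enabled everywhere except
# UntrustedSites, which is Disabled.
$PromptingLevelKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'
$Zones = 'MyComputer', 'LocalIntranet', 'Internet', 'TrustedSites', 'UntrustedSites'

function Set-ClickOncePromptingLevel {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('MyComputer', 'LocalIntranet', 'Internet', 'TrustedSites', 'UntrustedSites')]
        [string]$Zone,
        # Enabled: prompt for any solution. AuthenticodeRequired: prompt only for solutions signed
        # with an Authenticode certificate, silently refuse the rest. Disabled: never prompt, so only
        # solutions from an already trusted publisher (or already in the inclusion list) run.
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'AuthenticodeRequired', 'Disabled')]
        [string]$Level
    )
    if (-not (Test-Path $PromptingLevelKey)) { New-Item -Path $PromptingLevelKey -Force | Out-Null }
    Set-ItemProperty -Path $PromptingLevelKey -Name $Zone -Value $Level -Type String
}

function Get-ClickOncePromptingLevel {
    # Returns a zone -> level table for every zone with an explicit setting.
    $result = @{}
    if (Test-Path $PromptingLevelKey) {
        $props = Get-ItemProperty -Path $PromptingLevelKey
        foreach ($zone in $Zones) {
            if ($null -ne $props.$zone) { $result[$zone] = $props.$zone }
        }
    }
    return $result
}

# Illustrative hardening: users may accept only signed intranet solutions; nothing from the
# Internet or from untrusted sites, where an attacker can host a manifest, ever prompts.
Set-ClickOncePromptingLevel -Zone LocalIntranet  -Level AuthenticodeRequired
Set-ClickOncePromptingLevel -Zone Internet       -Level Disabled
Set-ClickOncePromptingLevel -Zone UntrustedSites -Level Disabled
Get-ClickOncePromptingLevel
```

One caveat to verify in your environment (it is an assumption here, not something the documentation states): on 64-bit Windows a 32-bit process reads the redirected Wow6432Node view of HKLM\SOFTWARE, so if the installing process is 32-bit the same values may need to be set under HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel as well.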
Inclusion List
Office solutions use the registry to store a list of explicitly trusted solutions; this list is named the inclusion list. You can add entries to the inclusion list in two ways:
Programmatically: create an installer that calls the Add(AddInSecurityEntry) method of the UserInclusionList class, passing the deployment manifest's URL and the public key of the certificate that signed it.
Through the trust prompt: if a solution is neither explicitly trusted nor untrusted, the user sees a prompt to make a trust decision. If trust is granted, the solution is added to the inclusion list.
Administrators can disable the inclusion list so that the end user cannot make trust decisions. To change these settings for the MyComputer, LocalIntranet, Internet, TrustedSites, and UntrustedSites zones, see How to: Configure Inclusion List Security.
For more information, see Trusting Office Solutions by Using Inclusion Lists and How to: Add or Remove Inclusion List Entries.
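An installer-side script for the first of the two ways above, as an added example that is not code from the original page. It calls the UserInclusionList.Add(AddInSecurityEntry) API the page names, and shows the entry that the trust prompt in the previous section would otherwise create: the deployment manifest URL paired with the signing certificate's public key, read from the manifest's XML signature. The install URL, the VSTO runtime assembly name passed to Add-Type, the XPath to the RSAKeyValue element and the HKCU registry location used for the read-back check are assumptions to verify against your runtime; it targets Windows PowerShell 5.1, because the VSTO runtime is a .NET Framework assembly.

```powershell
# Added example, not code from the original page: trust one Office solution for the current
# user through UserInclusionList.Add, the API an installer would call. Assumptions are marked.
$ErrorActionPreference = 'Stop'

# The VSTO runtime assembly that defines AddInSecurityEntry and UserInclusionList (assumed
# name; it is installed to the GAC with the VSTO runtime).
Add-Type -AssemblyName 'Microsoft.VisualStudio.Tools.Office.Runtime'

function Get-ManifestPublicKey {
    param([Parameter(Mandatory)][uri]$DeploymentManifest)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($DeploymentManifest.AbsoluteUri)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # The manifest's XML Digital Signature carries the signer's RSA public key. The inclusion list
    # stores this key next to the URL, so a manifest re-signed with a different key at the same
    # URL does not inherit the trust decision. XPath is an assumption to verify.
    $node = $doc.SelectSingleNode('//ds:Signature/ds:KeyInfo/ds:KeyValue/ds:RSAKeyValue', $ns)
    if ($null -eq $node) { throw "No XML signature in $DeploymentManifest; an unsigned manifest cannot be trusted" }
    return $node.OuterXml
}

function Add-SolutionToInclusionList {
    param([Parameter(Mandatory)][uri]$DeploymentManifest)
    # The entry is keyed on the URL users install from, so a relative path or a local copy that
    # differs from the deployment location would trust the wrong thing.
    if (-not $DeploymentManifest.IsAbsoluteUri) { throw 'Pass the absolute deployment URL' }
    $publicKey = Get-ManifestPublicKey -DeploymentManifest $DeploymentManifest
    $entry = New-Object Microsoft.VisualStudio.Tools.Office.Runtime.Security.AddInSecurityEntry($DeploymentManifest, $publicKey)
    [Microsoft.VisualStudio.Tools.Office.Runtime.Security.UserInclusionList]::Add($entry)
    return $publicKey
}

function Test-InclusionListEntry {
    param([Parameter(Mandatory)][uri]$DeploymentManifest)
    # Read-back against the registry, where the page says the list lives. The list is per user,
    # so an installer running as SYSTEM or another account writes to the wrong hive: run this step
    # in the end user's context. Exact location is an assumption to verify.
    $root = 'HKCU:\Software\Microsoft\VSTO\Security\Inclusion'
    if (-not (Test-Path $root)) { return $false }
    foreach ($key in Get-ChildItem $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.Url -and (([uri]$p.Url) -eq $DeploymentManifest)) { return $true }
    }
    return $false
}

# Assumed deployment location; the .vsto is the deployment manifest.
$vsto = [uri]'\\fileserver\deploy\ContosoAddIn\ContosoAddIn.vsto'
Add-SolutionToInclusionList -DeploymentManifest $vsto | Out-Null
Test-InclusionListEntry -DeploymentManifest $vsto   # $true once the entry is present
```

Removing an entry again is the counterpart described in How to: Add or Remove Inclusion List Entries. Because the entry is bound to both the URL and the public key, re-signing the solution with a different certificate (for example after switching from a temporary to an organisational certificate) invalidates existing entries and the user is prompted again unless the new publisher is trusted.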
See Also
Tasks
Troubleshooting Office Solution Security
Concepts
Specific Security Considerations for Office Solutions