Sunday, February 25, 2007

Word 2007 Macro Security - Tightening the Noose

OK. This is long and involved – but it’s important. In short, it’s a Word macro security thing that’s going to bite most of us in the butt.

Specifically, Word 2007 has really tightened up macro security. Here are the salient points:

Word will not let you run macros in a template attached to a document unless you have met either of the following criteria:

The file containing the macro is stored in a trusted location (you can set up trusted locations in Word 2007 program options).


The macro has a digital signature from a trusted source.

Microsoft distributes a Digital Certificate for VBA Projects utility that lets you create a self-signed digital certificate for testing and deployment purposes. However, going with a self-signed digital certificate over an authenticated code signing certificate requires jumping through multiple hoops.

Specifically, a self-signed certificate is designed to only be trusted on the machine on which it was created (don't ask me. I'm not Microsoft.). If I then move my template with the signed VBA code to a different machine which may have macro security set to the Word 2007 equivalents of high, medium, or low, I get a message stating that the digital certificate is invalid and cannot be trusted. All is not lost, however, as I can still view and install the certificate on my machine and trust the certificate once I’ve installed it.

Here are the 9 steps (+4 sub-steps that are part of step 6) I followed to get from double-clicking on the template for the first time on a PC other than the one where I signed the VBA code:

1. I started with the following macro security settings:

2. I then double-clicked on the digitally signed template file and got the following message:

3. Clicking options takes me here:

Note: Pardon my redaction - I took my employer-related stuff out so I wouldn't have to redo the screenshots...

4. Clicking Show Signature Details takes me here:

5. Clicking View Certificate takes me here:

6. Clicking Install Certificate takes me here:




d. Clicking “Yes” yields the following:

7. I then clicked OK 3 times to dismiss the dialog boxes ‘til I got back to the dialog where I clicked “show signature details,” which now looks like this:

8. Now, in the old world, I could just say "Enable this content," and go on my merry way. Word doesn’t work that way now. Now, I have to select “Trust all documents from this publisher” and then shut down Word (otherwise it doesn’t completely enable the macros).

9. Now, when I double-click on the template file, I can get to the template functionality via the Add-In tab (look for the Process MS menu in the Menu Commands pane, and the AU, ED, and COMP buttons in the Custom Toolbars pane):

... and the functionality works… I checked. Ignore the XPATH in the menu pane of the ribbon – that’s from a completely different template/addin that I happen to be running on this machine.

I think you will agree that we will be putting a lot on Word 2007 users if we make them go through this just so they can put the template anywhere they want.

The other option is to instruct the users to put the template in a default trusted template area such as:

C:\Documents and Settings\Username\Application Data\Microsoft\Templates\

And always create new documents based on this template from the Office Menu > New > Templates command, or instruct users to attach their documents to the template in this location.
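To check whether a given template path actually falls inside a trusted location before telling users to put it there, the per-user list can be read from the registry. This is an added example, not part of the original post; it assumes the Office 2007 per-user key shown in the code, ignores locations pushed by Group Policy, and the function names and sample file name are hypothetical.

```powershell
# Added example. "12.0" is the Office 2007 version key; the sample file name is constructed.
$TrustedRoot = 'HKCU:\Software\Microsoft\Office\12.0\Word\Security\Trusted Locations'

function Get-WordTrustedLocation {
    # One object per LocationN subkey, with environment variables expanded.
    if (-not (Test-Path $TrustedRoot)) { return }
    Get-ChildItem $TrustedRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.Path) {
            [pscustomobject]@{
                Key             = $_.PSChildName
                Path            = [Environment]::ExpandEnvironmentVariables($p.Path).TrimEnd('\')
                AllowSubFolders = ($p.AllowSubFolders -eq 1)
            }
        }
    }
}

function Test-WordTrustedPath {
    # Returns the matching trusted location, or $null if the file is outside all of them.
    # Pass an absolute path; relative paths resolve against the process directory.
    param([Parameter(Mandatory = $true)][string]$File)
    $dir = [IO.Path]::GetDirectoryName([IO.Path]::GetFullPath($File)).TrimEnd('\')
    foreach ($loc in (Get-WordTrustedLocation)) {
        $same  = $dir -ieq $loc.Path
        # Subfolders only count when the location was created with that option enabled.
        $below = $loc.AllowSubFolders -and
                 $dir.StartsWith($loc.Path + '\', [StringComparison]::OrdinalIgnoreCase)
        if ($same -or $below) { return $loc }
    }
    return $null
}

# List every trusted location so overly broad entries stand out during review.
Get-WordTrustedLocation | Format-Table Key, AllowSubFolders, Path -AutoSize

# Constructed sample path under the user templates folder named in the post.
$template = Join-Path $env:APPDATA 'Microsoft\Templates\Example.dotm'
$hit = Test-WordTrustedPath -File $template
if ($hit) {
    "Trusted via $($hit.Key): $($hit.Path)"
} else {
    "Not in a trusted location; Word will fall back to signature and macro-security checks."
}
```

Any file in a trusted location runs its macros without a signature check, so keep the list short and limited to folders ordinary users cannot write arbitrary downloads into.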

Either way, any solution (including trusting an authenticated code signing certificate) is going to be way more complex than our old set macro security to medium or low and choose “enable macros” when prompted…

Oh, and for the down and dirty details… I signed the VBA code on my work laptop running Office 2007 Beta 2 TR, and tested the security stuff on my personally owned desktop machine running the official RTM Word 2007 release.
