Trust, certificates, and security settings (in Office)

About macros
You've heard about macros, but what are they?

A macro is a sequence of commands that can be run
automatically. It is very useful for running a repetitive set of
steps automatically. For example, a macro program can be
used to automate a series of routines such as spell
checking, and to check for capital letters after a full stop in
a long document. Office programs have macros in them
that you might never have noticed. Microsoft® Access, in
particular, uses a lot of macros.

Why do you need to worry about macros?

Unfortunately, anyone can write a macro that includes a
harmful sequence of commands. Harmful commands could
do something simple like add or remove text in a
document, or even remove data from your computer.

A macro can quickly run a sequence of steps and commands
that otherwise could be time consuming.

The good news is that you can set up your Office programs
to detect macros. Go on to the next lesson to find out more
about protecting your computer.

If you get an e-mail message with an attachment from a source that looks legitimate but you don't know, what
should you do?

Mail the sender and ask if the attachment is safe. Correct, if the attachment is from a trustworthy source, the sender will reply
to you and let you know that they think it's OK to open it. Be warned, even trustworthy people can sometimes forward a
message or an attachment without realizing it is infected.

What is your most important defense against computer viruses?

Use antivirus software. That's right. There is no substitute for up-to-date antivirus software.

Which of these statements best describes a macro?

A sequence of commands that can be run automatically. Exactly. Many macros are useful time-saving devices.

Trust, certificates, and security settings

In the previous lesson you read about viruses and
macros. But to work efficiently, you may have to run
some macros on your computer, which means at some
point you'll have to decide whether or not you can trust
their authors.

Trust is a big issue with security. Who do you trust?
How do you know? Fortunately there are features in
your Office programs to help you make these decisions.

This lesson is about digital certificates and setting macro
security levels to help limit your computer's vulnerability
to malicious attacks.

You should only download to your computer files that you
trust.

Office security
There are two security features in Word, Excel, and
PowerPoint that are essential in helping protect you against
macro viruses:

• Macro detection using macro security levels.

• The Trust all installed add-ins and templates feature.

These two features interact with each other and you need
to set up both to reduce your computer's vulnerability.

Before looking at these features in greater depth, you need
to know more about deciding who to trust. You can do this
by looking at the macro creator's "credentials" on a digital
certificate.

Macro detection and digital certificates enable you to download
macros from trusted sources.

Digital certificates and signatures

A digital certificate.

Digital certificates are issued by commercial certification authorities, such as VeriSign, Inc., who do background checks to verify
that the writers or producers of macros (known as publishers) are reputable. You'll find out in the practice session how to check
a certificate.

Although it's also possible to "self-certify," self certificates are not considered "trusted." However, they can be handy for internal
use.

For more information about creating digital certificates, see Microsoft Help for your Office product or the articles listed in the
Quick Reference Card.

Digital certificates have an expiration date, or can get revoked. You can set up revocation checking in Microsoft® Internet
Explorer 3.0 or later.

A digital certificate is used to sign macros, creating a digital signature on the macro. A digital certificate can be used many
times to create many digital signatures.

Note Although digital certificates can be used with documents and e-mail messages, as well as with macros, they are not
used in the same way. For more information about signing documents, see the Quick Reference Card.

What's trustworthy?

Security Warning dialog box.

By definition, there are no trusted sources—you have to agree to trust them before they can get added to your Trusted
Publishers list. When you first attempt to open any file that contains a macro or a digital signature, you'll see a Security
Warning dialog box (see the picture on the left).

When you select the Always trust macros from this publisher check box, that publisher is added to your trusted sources
for both macros and other files. But if you click Enable Macros, the macro will run just that particular time.

You only have to accept a certificate once and all files signed with that certificate will be accepted in the future. Therefore, it's
important to check whether certificates are current. Instructions on how to set up revocation checking are listed in the Quick
Reference Card.

Macro security levels

To set macro security levels in Word, Excel, and PowerPoint, click the Macro Security button on the Security tab of the
Options dialog box, and then click your desired security level.

You can set up Word, Excel, and PowerPoint to detect macros. These programs have a variety of security levels for macros so
that you can choose the level that you are at ease with.

Very High: All macros will be disabled even if they have valid digital certificates. This setting also disables all COM add-ins
and Smart Tag .dlls, which you might need for Office programs to work as you expect.

High: Unless you have a specific reason to do otherwise, High is probably the setting you should use. This is the default
setting. Although macros from your trusted sources will run, you'll be prompted about unknown but signed macros, and
unsigned macros will be disabled.

Medium: Macros from trusted sources will run, but you'll be prompted about all unknown macros, including unsigned ones.

Low: You should be very sure about using this setting. You will not receive any prompts or warnings. All macros will run.

The various programs can have different security levels set up. So make sure you check Word, Excel, and PowerPoint.

Further reduce your computer's vulnerability

Clear the check box for Trust all installed add-ins and templates to reduce your computer's vulnerability to malicious
macros.

At the beginning of this lesson we mentioned the feature called Trust all installed add-ins and templates. (An add-in is a
supplemental program that adds custom commands or custom features to Microsoft Office.) There is a check box for this
feature that is selected by default in the Trusted Publishers list in the Security dialog box.

The macro security levels described in the previous section interact with this feature. For example, even if your macro security
level is set to Very High, when the Trust all installed add-ins and templates check box is selected all installed add-ins will
be trusted. Macros in files in some start up and templates folders will also be trusted. (All other macros will be picked up by the
security settings.)

What does this mean to you? To reduce your computer's vulnerability to malicious macros, you should clear the check box
for Trust all installed add-ins and templates. Otherwise, macros and add-ins in the folders mentioned above will be run
without you being asked.
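
The interaction between the security levels and the check box, modeled as a small Python decision function. This is an added example, not Microsoft's code and not part of the original lesson; the names Macro, decide and silent_levels are hypothetical, and the rules encoded are only those stated in this lesson.

```python
# Added illustration of the rules stated in this lesson; not Office code.
# Macro, decide() and silent_levels() are hypothetical names.
from dataclasses import dataclass

LEVELS = ("Very High", "High", "Medium", "Low")

@dataclass(frozen=True)
class Macro:
    signed: bool = False             # carries a digital signature
    trusted_publisher: bool = False  # signer is on the Trusted Publishers list
    installed: bool = False          # installed add-in, or in a startup/templates folder

def decide(level, macro, trust_all_installed):
    """Return 'run', 'prompt' or 'disabled' for one macro."""
    if level not in LEVELS:
        raise ValueError(f"unknown security level: {level!r}")
    # The check box wins first: installed add-ins and templates are trusted
    # at every level, Very High included.
    if trust_all_installed and macro.installed:
        return "run"
    if level == "Low":
        return "run"          # no prompts, everything runs
    if level == "Very High":
        return "disabled"     # even validly signed macros
    if macro.signed and macro.trusted_publisher:
        return "run"          # High and Medium both run trusted sources
    if level == "High":
        return "prompt" if macro.signed else "disabled"
    return "prompt"           # Medium prompts for every unknown macro

def silent_levels(trust_all_installed):
    """Levels at which an unsigned macro in a templates folder runs unprompted."""
    template_macro = Macro(installed=True)  # constructed sample input
    return [lvl for lvl in LEVELS
            if decide(lvl, template_macro, trust_all_installed) == "run"]

if __name__ == "__main__":
    for box in (True, False):
        print(f"check box selected={box}: runs silently at {silent_levels(box)}")
```

With the check box selected, the unsigned template macro runs silently at all four levels; with it cleared, only Low lets it run.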

Clearing the check box for Trust all installed add-ins and templates doesn't mean that you'll have constant security
warnings about Microsoft-issued macros. That's because on the first warning you can choose to accept Microsoft as a trusted
publisher.

For a complete summary of the various settings, see the Quick Reference Card.

Practice

Practice instructions appear in a separate window alongside Word.

It's time to check your macro security levels. This practice session uses Word, but you can use the same steps to check macros
in PowerPoint and Excel.

You'll be able to look at a digital certificate, and you'll try out the other security settings.

Important The practice session contains a digitally signed macro so that you can see a digital certificate. (If you ran the
macro it would delete one word in the document.) After you click Practice in Word, depending on your present security
settings, you may see a security warning that tells you the practice file contains macros. To do the practice, click Enable
Macros (you may have to select the Always trust macros from this publisher check box first). If you click Disable
Macros, Word will open, but neither the practice steps nor the practice document will open. If your macro security level is set
to Very High, the macro will automatically be disabled. To do the practice, you can set your macro security level to High, then
change it back to Very High when you've finished.

About the practice session


When you click Practice in Word at the bottom of this page, a practice document will download to your computer and open in
Word, and a separate window with practice instructions will appear alongside (see picture).

Tips

• If the practice instructions aren't visible, or disappear when you click in Word, click the Word Help taskbar button and
then click the Auto Tile button on the upper-left corner of the instructions.

• If the practice instructions cover up Word, click the Auto Tile button on the upper-left corner of the instructions.

Before you begin

Make sure to close Word if it is already running.

Start the practice

Click the Practice in Word button now.

Test yourself

Which of these macro security levels should you use as your default setting?

High. Excellent. This setting allows only signed macros from trusted sources to run. It disables any unsigned macros.

What is a trusted publisher?

Someone that you decided is trustworthy after examining their digital certificate credentials. Well done. You can choose whom
to trust after examining the available facts.

For optimum security you should clear the Trust all add-ins and templates check box.

True. That's correct. You should clear the check box and set your macro security level to high to help protect your computer.

Password protection

A strong password can help protect your documents.

Passwords are your first line of defense in protecting your computer and your documents from malicious attacks. Strong
passwords make it more difficult for anyone else to gain access to your files. You can password-protect individual Office
documents to prevent others from seeing or editing them.

This lesson is all about the password options available to you in Microsoft Word, Microsoft Excel, and Microsoft PowerPoint. It
also includes some basic guidelines on creating and using strong passwords.

Password-protect a document

On the Tools menu, click Options, and then click the Security tab to select security settings.

Just as you can lock people out of your computer by using a password, you can "lock" a document. You can password-protect
your document if you don't want other people to see it, or if you don't want others to edit it.

Password protection for documents is available in various Office programs. In Word, Excel, and PowerPoint the method is
exactly the same.

On the Tools menu, choose the Options command, then click the Security tab. Here you can select from several options,
including file encryption and file sharing, to help protect your document.

The Password to open option is designed to help safeguard your documents. The Password to modify option is not a
security feature. It is intended to help you prevent accidental changes to your documents.

Information about additional features on the Security tab, such as Privacy options, is included in the Quick Reference Card
at the end of the course.

Refer to each program's security Help topics for more information on how to secure your documents in other Office programs.

Password options

There are two basic password-protection options: Password to open and Password to modify.

To help prevent unauthorized users from seeing your document, you can require a Password to open the file.

When you set a Password to open a document, encryption is used to protect the contents of the file. You can even choose
the type of encryption used on the document. Think of encryption as a type of lock and the password as the key.

In the practice session, you'll see how to choose the type of encryption used on a document. The Quick Reference Card also
contains a link to more information about encryption.

You can also choose to let other people read your document (known as a read-only document), but require a Password to
modify it.

Requiring a password to modify a file does not encrypt the file contents. This setting stops people without the password from
saving their changes in your original document, but it does not stop them from making changes and saving the document in a
new file with a different name.

Note You can set both types of passwords on a single document, requiring a password to open it and a password to modify
it.

What's not secure

Others might have access to your documents—the files are not as secure as you think.

Some of the settings that appear on the Security tab, including some that sound like security features, do not actually secure
documents.

For example, Read-only recommended (available in Word and Excel) does not secure a document. It is only a guideline for
readers—someone could still edit the document.

The Document Protection task pane and Protect Document features (available in Word) do not secure your documents
against malicious interference either. They protect the format and content of your document when you collaborate with
co-workers. These features are ideal when working on a document with a group of trusted colleagues.
