Windows and Office security guide for Office developers
Office add-in security and certificates has always been somewhat of a daunting task. In today’s article we’ll first investigate code-signing certificates and why they are used. We’ll then take a closer look at the Office Trust Center function and settings.
Code signing certificates
When you want to prove that something is legitimate, you sign it with your name. To inspire user confidence in your software, you can sign it with your digital signature.
What are code signing?
Code signing is a technique of signing executable files using a digital certificate which verifies the author’s identity and provides a guarantee to the user that the code was not changed since it was signed by the developer.
Why does code need to be signed?
In the days before the internet (remember those?) software was distributed on physical media, such as floppy disks and CD-ROMs. Users knew where the software came from since the company name was printed on the box the floppy disks or CD’s came in and thus they knew the software came from the company whose name and logo was on the box.
Fast forward a few years and with the internet, physical installation media has almost become a thing of the past. Millions of different software applications are available for download from developers across the globe. Although, users are now spoiled for choice when it comes to different types of software, so too did the risk of downloading malicious software, that can damage your data and computer, increase.
A code signing certificate is a digital certificate that a developer needs to apply for at a reputable certification authority such as Symantec, Thawte, Comodo and many other certification authorities. The developer needs to send documentation to the certification authority to prove their identity and that they are actually who they say they are. This information usually contains a proof of company address as well as company incorporation documentation, so the user knows they are installing software from a real company.
Consider the following image of the GitHub for Windows ClickOnce installer:
Note that when running the GitHub ClickOnce installer, it immediately shows the above mentioned image which displays the name of the application of the installer as Github, which tells the user that the software they’re installing is verified to be from GitHub and it has not been tampered with. This is because the developers of the GitHub for Windows application used a certificate to sign the ClickOne installer.
On the other hand, if the ClickOnce installer was not signed with a code-signing certificate issued by an accredited certification authority, the following security warning will be displayed before the installation starts.
The user still has the option to install the application, although the installer warns them that the software came from an unknown publisher and might be unsafe to install.
The Office Trust Center
Since Office 2007, the Office Trust Center has been the central location for the user to manage privacy and security settings. The Office Trust Center combines all user settings into one location instead of having them distributed across different menu options inside the Office application.
We’ll focus on Excel’s Trust Center, which is located under the Outlook File >Options menu. Note that all the MS Office applications have a Trust Center menu, and depending on the application, different security settings.
In order to access the Trust Center Settings, the user needs to click on the Trust Center Settingsā¦ button. From the Excel Trust Center form, users can set multitude of Security settings, which are divided into twelve categories or menus:
- Trusted Publishers
- Trusted Locations
- Trusted Documents
- Trusted App Catalogs
- Add-ins
- ActiveX Settings
- Protected View
- Message Bar
- External Content
- File Block Settings
- Privacy Options
Trusted publishers
In order for a developer to be a trusted publisher for Office, they should meet the following criteria:
- The code should be signed with a digital signature;
- The signature should be valid and up to date i.e. not expired; and
- The certificate associated with the signature must be issued by a recognized certification authority (CA).
Trusted locations
Trusted locations allows users to specify a location where files are stored and it does not need to be checked by the Trust Center settings. For example, if you have an Excel file with a macro that is automatically disabled by the Trust Center, you should move the file to one of the folders in the list of trusted locations.
When the file is opened from the trusted locations, the Office Trust Center will not automatically disable the macro. Keep in mind to only do this if you know the document and macro came from a trustworthy source.
Trusted documents
When an untrusted document is opened that contains macros or ActiveX content, the Office Trust Center automatically disables the content and prompts the user whether they would like to enable the content (this depends on the ActiveX Settings we’ll discuss later in the article).
However, when a trusted document that contains macros or ActiveX content is opened, the user will not be prompted and the content would be allowed to run.
Trusted app catalogs
Trusted App Catalogs is a new Trust Center setting, which was introduced in Office 2013 and is used to specify URLs from which a user is allowed to install Office Apps. The user can also specify whether they want to disallow any apps to start or only disallow apps from the Office Store to start.
Add-ins
The Add-ins Trust Center menu offer three options:
- Require Application Add-ins to be signed by Trusted Publishers;
- Disable notification for unsigned add-ins; and
- Disable all Application Add-ins.
If the “Require Application Add-ins to be signed by Trusted Publishers” option is enabled, then any add-in that has not been digitally signed by the publisher will not be allowed to run.
By enabling the “Disable notification for unsigned add-ins” option, any unsigned add-in will not automatically run and the user will also not see a notification prompting whether they would like to run the add-in.
Lastly, the “Disable all Application Add-ins” option will disable all add-ins without any further user prompts.
ActiveX settings for all Office applications
ActiveX are components that create applications that can work over the Internet inside Web browsers. These components can contain program logic that can have unrestricted access to your computer, which is a potential security risk.
Office documents can also contain ActiveX controls and therefore it is generally a good idea to disable ActiveX controls or set Office to prompt the user before enabling these controls, as these types of controls can allow malicious code to be executed.
Macro settings
Microsoft Office documents can contain macros that are essentially small programs written in VBA that run inside MS Office applications. Historically macros did fall victim to malware and other malicious types of applications and Microsoft Office disables macros by default.
However, legitimate macros can still be very powerful and useful tools to help increase your MS Office productivity. Thus, the Office Trust Center allows you to either disable all macros, enable all macros or disable macros that were not digitally signed.
Protected View
When opening MS Office files downloaded from the internet or potentially unsafe locations such as the Temporary Internet Files folder, the Office Trust Center automatically opens the file in Protected View.
Protected View allows the user to see the file’s contents while reducing the risk of any malicious content causing harm to the user’s computer.
Message Bar
When the message bar is enabled, Office will show a yellow bar just below the main Ribbon menu, informing the user of any security alerts. The user can choose whether to enable this notification or not.
External content
Office automatically blocks external content such as hyperlinks or images as well as data connections. The user can choose to either automatically enable the external content, disable it or be prompted whether to allow the content to be loaded.
File Block settings
When opening files created in earlier versions of Ms Office e.g. Excel 95 workbook, Office will automatically open the file in Protected View and the default editing functionality will be disabled. This is because previous formats of MS Office have vulnerabilities which can be exploited by devious individuals to gain access to your computer.
However, you are able to configure this setting and allow older format files to be opened and saved by specifying it in the File Block Settings of the Trust Center.
Privacy options
The final list of settings is the Privacy Options, which allow a user to set whether Office is allowed to connect to the internet, download a file to determine system problems and send Microsoft information about the performance of Office applications.
These options do not pose mayor security risks and it is up to the individual user to decide whether they would like to share more personal information with Microsoft or not.
Thank you for reading. Until next time, keep coding!
One Comment
Hi,
great post, thanks
Would really like to see some more post on excel development from you guys.
Vineeth