Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system

Updated: February 12, 2009

Applies To: Office Resource Kit

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see , Resources to help you upgrade your Office 2007 servers and clients.

 

Topic Last Modified: 2016-11-14

The 2007 Microsoft Office system contains several settings that enable you to change the behavior of ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros. To plan for ActiveX controls, add-ins, and macros, use the best practices and recommended guidelines in the following sections:

  • Plan security settings for ActiveX controls

  • Plan security settings for add-ins

  • Plan security settings for macros

Plan security settings for ActiveX controls

The 2007 Office system provides several security settings that enable you to control the way ActiveX controls behave and the way users are notified about potentially unsafe ActiveX controls. These settings are typically used to:

  • Disable ActiveX controls in all documents.

  • Allow all ActiveX controls to initialize and run without notification.

  • Modify the way ActiveX controls are initialized based on the Safe for Initialization (SFI) and Unsafe for Initialization (UFI) parameters.

To plan security settings for ActiveX controls, use the best practices and recommended guidelines in the following sections. These guidelines are based on the Enterprise Client (EC) environment rather than the Specialized Security Limited Functionality (SSLF) environment. The EC environment represents an organization that has typical security needs. It is suitable for midsize and large organizations that seek to balance security and functionality. The SSLF environment represents a less typical organization, one in which security is paramount. It is suitable only for midsize and large organizations that have stringent security standards, for which security is more important than application functionality.

Disable ActiveX controls in all documents

If your security architecture is highly restrictive and you want to help minimize the potential risk from ActiveX controls, you can disable ActiveX controls. Disabling ActiveX controls prevents all ActiveX controls in a file from initializing (that is, loading) when a file is opened. In some cases, a disabled ActiveX control might appear in a file as a red x or some other symbol, but the control is disabled and no action will occur if a user clicks the symbol. Also, when you disable ActiveX controls, users are not notified that ActiveX controls are disabled.

To disable ActiveX controls, configure any one of the settings as recommended in the following table.

Setting name Recommended configuration Description

Disable all ActiveX

Not configured

By default, users are prompted to enable ActiveX controls. When you enable this setting, all ActiveX controls are disabled and are not initialized when a user opens a file containing ActiveX controls. Also, when you enable this setting, users are not notified that ActiveX controls are disabled. This setting can be configured in the Office Customization Tool (OCT) and with the 2007 Office system Administrative Templates (.adm files). This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.

Unsafe ActiveX initialization

Select this configuration: Do not prompt and disable all controls

By default, the Unsafe ActiveX initialization setting is Prompt user to use persisted data. When you select Do not prompt and disable all controls, all ActiveX controls are disabled and are not initialized when a user opens a file containing ActiveX controls. In addition, users are not notified that ActiveX controls are disabled. This setting exists only in the OCT. This setting applies only to applications in the 2007 Office system. This setting does not disable ActiveX controls in files that are opened by earlier versions of Office.

Note

ActiveX controls cannot be disabled in files that are saved in trusted locations. When a file is opened from a trusted location, all active content in the file is initialized and allowed to run without notification even if you disable ActiveX controls.

If you disable ActiveX controls, be sure that you:

  • Notify users that ActiveX controls are disabled and that no notifications will appear when they open files that contain disabled ActiveX controls.

  • Test the effect that disabling ActiveX controls might have on your organization. Because many Office solutions are built with ActiveX controls, disabling ActiveX controls can cause unexpected behavior and prevent applications from working properly.

  • Record the settings in your security planning documents and in your security operations documents.

Allow all ActiveX controls to initialize and run without notification

You can configure the 2007 Office system so that all ActiveX controls initialize and run without notification. This can be useful in some test and development environments, and in isolated environments where supplemental security mechanisms such as firewalls, virus detection programs, and intrusion detection programs help ensure that files do not contain malicious content.

Important

We do not recommend that you allow ActiveX controls to initialize and run without warning in a production environment. Allowing ActiveX controls to initialize and run without warning can substantially increase your risk of attack and potentially weaken your organization's security.

To allow ActiveX controls to initialize and run without notification, configure any one of the settings as recommended in the following table.

Setting name Recommended configuration Description

Unsafe ActiveX initialization

Select this configuration: Do not prompt

By default, the Unsafe ActiveX initialization setting is Prompt user to use persisted data. When you select Do not prompt, all ActiveX controls are enabled and are initialized with minimal restrictions (that is, persisted values) when a user opens a file containing ActiveX controls. Also, users are not notified that ActiveX controls are enabled and ActiveX controls that are SFI are not enabled in safe mode. This setting exists only in the OCT. This setting applies to the 2007 Office system and earlier versions of Office.

ActiveX Control Initialization

Select this configuration: 2

By default, this setting has a value of 6. When you change this to 2, SFI and UFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode, and users are not notified that ActiveX controls are enabled. This setting can be configured only with the 2007 Office system Administrative Templates (.adm files). This setting applies to the 2007 Office system and earlier versions of Office.

When you change the setting, SFI and UFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, the controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode, and users are not notified that ActiveX controls are enabled. This setting can be configured only with the 2007 Office system Administrative Templates (.adm files). This setting applies to the 2007 Office system and earlier versions of Office.

For a list of all configurations, see the 2007 Microsoft Office Security Guide (Threats and Countermeasures: Security Settings in the 2007 Office System) (https://go.microsoft.com/?linkId=7711534).

If you allow all ActiveX controls to initialize and run without notification, be sure that you:

  • Notify users that ActiveX controls are enabled and that no notifications will appear when they open files that contain ActiveX controls.

  • Record the settings in your security planning documents and in your security operations documents.

Modify the way ActiveX controls are initialized based on SFI and UFI parameters

The 2007 Office system provides several settings that enable you to control the way ActiveX controls are initialized based on SFI, UFI, and safe-mode parameters. SFI, UFI, and safe mode are parameters that developers can configure when they create ActiveX controls. ActiveX controls that are marked SFI use safe data sources to initialize. A safe data source is one that is trusted, known, and does not cause a security breach. Controls that are not marked SFI are considered to be UFI.

Safe mode is another security mechanism that developers can use to help ensure the safety of ActiveX controls. When a developer creates an ActiveX control that implements safe mode, the control can be initialized in two ways: in safe mode and in unsafe mode. When an ActiveX control is initialized in safe mode, certain restrictions that limit functionality are imposed on the control. Conversely, when an ActiveX control is initialized in unsafe mode, there are no restrictions on its functionality. For example, an ActiveX control that reads and writes files might only be allowed to read files if it is initialized in safe mode, and it might be able to read and write files when it is initialized in unsafe mode. Only ActiveX controls that are SFI can be initialized in safe mode. ActiveX controls that are UFI are always initialized in unsafe mode.

By default, ActiveX controls are initialized as follows in the 2007 Office system:

  • If a file contains a VBA project, users are prompted to enable or disable the ActiveX controls that are in the file. If users choose to enable the ActiveX controls, all SFI and UFI controls are initialized with minimal restrictions (that is, with persistent values). If persistent values are not available, the controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.

  • If the file does not contain a VBA project, and the file contains only SFI controls, the SFI controls are initialized with minimal restrictions (that is, with persistent values). If persistent values are not available, the controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.

  • If the file does not contain a VBA project, and the file contains both SFI and UFI controls, users are prompted to enable or disable the ActiveX controls that are in the file. If users choose to enable the ActiveX controls, SFI controls are initialized with minimal restrictions (that is, with persistent values), and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.

If this default behavior is not adequate for your organization but you do not want to disable ActiveX controls, you can strengthen the way ActiveX controls are initialized by forcing UFI controls to be initialized with default values instead of minimal restrictions when a file contains a VBA project. To do this, configure either of the following settings as recommended in the following table.

Setting name Recommended configuration Initialization behavior when a VBA project is present Initialization behavior when no VBA project is present

Unsafe ActiveX initialization

Select this configuration: Prompt user to use control defaults

Prompts users to enable or disable controls. If a user enables controls, SFI controls are initialized with minimal restrictions (that is, with persisted values), and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode. This setting exists only in the OCT. This setting applies to the 2007 Office system and earlier versions of Office.

If the file contains only SFI controls, SFI controls are initialized with minimal restrictions (that is, with persisted values). If persisted values are not available, SFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode. Users are not prompted to enable controls.

If file contains UFI controls, users are prompted to enable or disable controls. If a user enables controls, SFI controls are initialized with minimal restrictions and UFI controls are initialized with default values by using the InitNew method. SFI controls are initialized in safe mode.

ActiveX Controls Initialization

Select this configuration: 4

Same as behavior for Unsafe ActiveX initialization setting.

Same as behavior for Unsafe ActiveX initialization setting.

You can configure ActiveX control settings to accommodate many more security scenarios. For more information about ActiveX control settings in the 2007 Office system, including descriptions of all settings and a comparison of OCT, Group Policy, and Trust Center settings, see Security policies and settings in the 2007 Office system. For more information about configuring ActiveX control settings, see Configure security settings for ActiveX controls, add-ins, and macros in the 2007 Office system.

Plan security settings for add-ins

The 2007 Office system provides several settings that enable you to change the way add-ins behave. Add-ins, also known as application extensions, are supplemental programs or components that extend the functionality of applications. Add-ins must be installed and registered, and can include:

  • Component Object Model (COM) add-ins.

  • Smart tags.

  • Automation add-ins.

  • RealTimeData (RTD) servers.

  • Application add-ins (for example, .wll, .xll, and .xlam files).

  • XML expansion packs.

  • XML style sheets.

By default, installed and registered add-ins are allowed to run without notification. However, you can use the security settings for add-ins to change this behavior. Specifically, you can:

  • Disable add-ins on a per-application basis.

  • Require that add-ins are signed by a trusted publisher.

  • Disable notifications for unsigned add-ins.

Disable add-ins on a per-application basis

If your security architecture is highly restrictive and you want to help minimize the potential risk from add-ins, you can disable add-ins. When you disable add-ins, you prevent add-ins from running, and users are not notified that add-ins are disabled.

You cannot globally disable add-ins. You can disable add-ins only on a per-application basis for the following applications:

  • Microsoft Office Access 2007

  • Microsoft Office Excel 2007

  • Microsoft Office PowerPoint 2007

  • Microsoft Office Publisher 2007

  • Microsoft Office Visio 2007

  • Microsoft Office Word 2007

To disable add-ins, configure either of the settings as recommended in the following table.

Setting name Recommended configuration Description

Disable all application add-ins

Not configured

By default, add-ins are enabled. When you select this option, add-ins are disabled and users are not notified that add-ins are disabled. This setting can be configured in the OCT and with the 2007 Office system Administrative Templates (.adm files). You must configure this setting on a per-application basis.

Application add-ins warnings options

Select this configuration: Disable all application extensions

By default, the Application add-ins warnings options setting is Enable all installed application add-ins. When you select Disable all application extensions, all add-ins are disabled and users are not notified that add-ins are disabled. This setting exists only in the OCT. You must configure this setting on a per-application basis.

If you disable add-ins, be sure that you:

  • Notify users that add-ins are disabled.

  • Record the settings in your security planning documents and in your security operations documents.

Require that add-ins are signed by a trusted publisher

If you do not want to disable add-ins, but you still want to increase the security of add-ins, you can require that add-ins are signed by a trusted publisher. When you do this, the following behavior occurs:

  • Trusted add-ins run without notification. A trusted add-in is an add-in that is saved in a trusted location or an add-in that is signed by a publisher that is on the Trusted Publishers list.

  • Unsigned add-ins are disabled, but users are prompted to enable or disable the add-ins.

  • Add-ins that are signed by a publisher that is not on the Trusted Publishers list are disabled, but users are prompted to enable or disable the add-ins.

You cannot globally configure a setting that requires add-ins to be signed by a trusted publisher. You must configure this setting on a per-application basis, and you can configure it for only the following applications:

  • Office Access 2007

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

To require that add-ins are signed by a trusted publisher, configure either of the settings as recommended in the following table.

Setting name Recommended configuration Description

Require that application add-ins are signed by trusted publisher

Not configured

By default, add-ins are enabled. When you select this option, add-ins that are signed by a publisher that is on the Trusted Publishers list will run without notification. Unsigned add-ins, and add-ins that are signed by a publisher that is not on the Trusted Publishers list will be disabled, but users will be prompted to enable or disable the add-ins. This setting can be configured in the OCT and with the 2007 Office system Administrative Templates (.adm files). You must configure this setting on a per-application basis.

Application add-ins warnings options

Select this configuration: Require that application extensions are signed by a trusted publisher

By default, the Application add-ins warnings options setting is Enable all installed application add-ins. When you select Require that application extensions are signed by a trusted publisher, add-ins that are signed by a publisher that is on the Trusted Publishers list will run without notification. Unsigned add-ins, and add-ins that are signed by a publisher that is not on the Trusted Publishers list will be disabled, but users will be prompted to enable or disable the add-ins. This setting exists only in the OCT. You must configure this setting on a per-application basis.

Be sure to record these settings in your security planning documents and in your security operations documents.

Disable notifications for unsigned add-ins

Even if you require that add-ins be signed by a trusted publisher, users can still enable unsigned add-ins through the Message Bar. If you do not want users to enable unsigned add-ins, you can disable notifications for unsigned add-ins. You can do this only on a per-application basis, and you can configure it for only the following applications:

  • Office Access 2007

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

To do this, configure either of the settings as recommended in the following table.

Setting name Recommended configuration Description

Disable trust bar notification for unsigned application add-ins

Not configured

By default, add-ins are enabled. When you select this option, signed add-ins that are not trusted are disabled, but users are prompted to enable or disable the add-ins. Unsigned add-ins are also disabled, but users are not notified and they are not prompted to enable or disable the unsigned add-ins. This setting must be used in conjunction with the Require that application add-ins are signed by trusted publisher setting. This setting can be configured in the OCT and with the 2007 Office system Administrative Templates (.adm files). You must configure this setting on a per-application basis.

Application add-ins warnings options

Require that extensions are signed, and silently disable unsigned extensions

By default, the Application add-ins warnings options setting is Enable all installed application add-ins. When you select Require that extensions are signed, and silently disable unsigned extensions, signed add-ins that are not trusted are disabled, but users are prompted to enable or disable the add-ins. Unsigned add-ins are also disabled, but users are not notified and they are not prompted to enable or disable the unsigned add-ins. This setting exists only in the OCT. You must configure this setting on a per-application basis.

If you disable notifications for unsigned add-ins, be sure that you:

  • Notify users that unsigned add-ins are silently disabled.

  • Record the settings in your security planning documents and in your security operations documents.

For more information about add-in settings in the 2007 Office system, including descriptions of settings and a comparison of OCT, Group Policy, and Trust Center settings, see Security policies and settings in the 2007 Office system. For more information about configuring add-in settings, see Configure security settings for ActiveX controls, add-ins, and macros in the 2007 Office system.

Plan security settings for macros

The 2007 Office system provides several security settings that enable you to control the way macros and VBA behave. You can us these settings to:

  • Change the default security settings for macros. This includes disabling macros, enabling all macros, and changing the way that users are notified about macros.

  • Change the way that VBA behaves. This includes disabling VBA and allowing Automation clients to have programmatic access to VBA projects.

  • Change the way that macros behave in applications that are started programmatically through Automation.

  • Prevent encrypted macros from being scanned for viruses.

To plan security settings for macros, use the best practices and recommended guidelines in the following sections.

Change the default security settings for macros

The 2007 Office system provides several settings that enable you to change the default behavior of macros. By default, trusted macros are allowed to run without notification. This includes macros in documents that are saved in a trusted location, and macros that meet the following criteria:

  • The macro is signed by the developer with a digital signature.

  • The digital signature is valid.

  • This digital signature is current (not expired).

  • The certificate associated with the digital signature was issued by a reputable certification authority (CA).

  • The developer who signed the macro is a trusted publisher.

Macros that are not trusted are not allowed to run until a user clicks the Message Bar and chooses to enable the macro. (Some applications do not have a Message Bar; in these cases, notifications appear in dialog boxes.)

Note

The default security setting for macros is different in Microsoft Office Outlook 2007. For more information, see the Office Outlook 2007 security documentation.

If the default security settings for macros do not meet the needs of your organization, you can do either of the following:

  • Disable untrusted macros without notification.

  • Disable notifications for unsigned macros, but allow notifications for signed macros.

Disable untrusted macros without notification

When you disable untrusted macros without notification, untrusted macros are not loaded and users are not notified that untrusted macros are disabled. Trusted macros are allowed to run without notification. This setting is useful if your organization has a restricted security model and you do not want users to run untrusted macros.

To disable untrusted macros without notification, configure either of the settings that are described in the following table. These settings must be configured on a per-application basis, and can be configured for only the following applications:

  • Office Access 2007

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

Setting name Recommended configuration Description

VBA macro warning settings

Select this option: Enabled

Select this configuration: No warnings for all macros but disable all macros

By default, users are notified about the presence of untrusted macros in a file, and users can enable or disable the untrusted macros. When you select Disable all VBA macros and No warnings for all macros but disable all macros, untrusted macros are disabled, users are not notified that untrusted macros are disabled, and users cannot enable untrusted macros. Trusted macros are allowed to run without notification. This setting can be configured only with the 2007 Office system Administrative Templates (.adm files).

Disable notifications for unsigned macros

When you disable notifications for unsigned macros, unsigned macros are silently disabled, but users are notified about signed macros and they can enable or disable signed macros. Trusted macros are allowed to run without notification. This setting is useful if your environment requires protection from unsigned macros.

To disable notifications for unsigned macros, configure either of the settings that are described in the following table. These settings must be configured on a per-application basis, and can be configured for only the following applications:

  • Office Access 2007

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Office Visio 2007

  • Office Word 2007

Setting name Recommended configuration Description

VBA macro warning settings

Select this option: Enabled

Select this configuration: Trust Bar warning for digitally signed macros only (unsigned macros will be disabled)

By default, users are notified about untrusted macros in a file and users can enable or disable the untrusted macros. When you select Trust Bar warning for digitally signed macros only (unsigned macros will be disabled), the following occurs:

  • Unsigned macros are silently disabled.

  • Users are notified about the presence of signed macros.

  • Users can enable or disable signed macros.

  • Trusted macros are allowed to run without notification.

This setting can be configured only with the 2007 Office system Administrative Templates (.adm files).

When you select Disable Trust Bar warning for unsigned VBA macros (unsigned code will be disabled), the following occurs:

  • Unsigned macros are silently disabled.

  • Users are notified about the presence of signed macros.

  • Users can enable or disable signed macros.

  • Trusted macros are allowed to run without notification.

This setting can be configured only in the OCT.

Control the way VBA behaves

The 2007 Office system provides two settings that enable you to control the way VBA behaves. By default, VBA is enabled, if it is installed, and Automation clients do not have programmatic access to VBA projects. You can change this behavior in the following ways:

  • You can provide Automation clients programmatic access to VBA projects.

  • You can disable VBA.

In addition to these security settings in the 2007 Office system, Office Visio 2007 provides several settings that enable you to control the way VBA behaves in Office Visio 2007. For more information, see Security policies and settings in the 2007 Office system.

Provide Automation clients programmatic access to VBA projects

When you provide Automation clients programmatic access to VBA projects, Automation clients have the ability to use the VBA object model.

To provide Automation clients programmatic access to VBA projects, configure the setting that is described in the following table. This setting must be configured on a per-application basis, and can be configured for the following applications:

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Word 2007

Setting name Recommended configuration Description

Trust access to Visual Basic project

Select this option: Disabled

By default, Automation clients do not have programmatic access to VBA projects. When you select this option, Automation clients can programmatically access the VBA object model. This setting can be configured in the OCT and with the 2007 Office system Administrative Templates (.adm files).

Important

If you provide Automation clients programmatic access to VBA projects, you can increase your risk of attack from unauthorized programs that build self-replicating code.

Disable VBA

When you disable VBA, macros and other programmatic content will not run. This is useful if you have a restricted security model and you do not want users to run macros, or if your organization is under a security attack and you want to temporarily prevent macros from running.

To disable VBA, configure the setting that is described in the following table. This is a global setting that applies to the following applications:

  • Office Excel 2007

  • Office Outlook 2007

  • Office PowerPoint 2007

  • Office Publisher 2007

  • Microsoft Office SharePoint Designer 2007

  • Office Word 2007

Setting name Recommended configuration Description

Disable VBA for Office applications

Not configured

By default, VBA is enabled if it is installed. When you select this option, VBA will not function and users will not be able to run macros and other programmatic content. This setting can be configured in the OCT and with the 2007 Office system Administrative Templates (.adm files).

Disabling VBA prevents macros and other content from running. For more information about the consequences of disabling VBA, see the following article in the Microsoft Knowledge Base: Considerations for disabling VBA in Office (https://go.microsoft.com/fwlink/?LinkId=85867\&clcid=0x409).

If you disable VBA, be sure that you:

  • Notify users that VBA is disabled.

  • Record the settings in your security planning documents and in your security operations documents.

In addition to these security settings in the 2007 Office system, Office Visio 2007 provides several settings that enable you to change the way VBA behaves Office Visio 2007. For more information, see Security policies and settings in the 2007 Office system.

Change the way macros behave in applications that are started programmatically through Automation

The 2007 Office system provides a single setting that enables you to control the way macros behave when they are run in an application that is started programmatically through Automation. Automation is a programming tool that allows developers to access the functionality of one application from another application. For example, a developer could create a project management application that uses the e-mail features and scheduling features of Office Outlook 2007. By default, when an application uses Automation to start an application in the 2007 Office system, macros are enabled and allowed to run without any security checks. You can change this behavior in two ways:

  • You can disable macros in the application that is started programmatically. When you do this, users are not notified that macros are disabled and users are not prompted to enable or disable macros. This setting is useful if your organization has a restricted security model and you do not allow users to run macros.

  • You can run macros according to the security settings that are configured in the application that is started programmatically. When you do this, macro behavior is dictated by the security settings that are configured in the application that is started programmatically. For example, if you require that all macros be digitally signed in Office Excel 2007, and an application uses Automation to start Office Excel 2007, macros will not run unless they are digitally signed. This setting is useful if you want your organization's security settings for macros to extend to applications that are started through Automation.

To change the default behavior of macros in applications that are started programmatically through Automation, use either of the settings that are recommended in the following table. You can configure these settings in the OCT and with the 2007 Office system Administrative Templates (.adm files). These settings are global and apply to the following applications:

  • Office Excel 2007

  • Office PowerPoint 2007

  • Office Word 2007

Setting name Recommended configuration Description

Automation security

Select this option: Enabled

Select this configuration: Use application macro security level

By default, the Automation security setting is Macros enabled. When you select Use application macro security level, macros run according to the security settings of the application that is started programmatically through Automation.

When you select Disable macros by default, macros are disabled in 2007 Office system applications that are started through Automation. Users are not notified that macros are disabled and users are not prompted to enable macros.

If you change Automation security settings, be sure that you:

  • Thoroughly test all of your applications to be sure that your change does not cause unpredictable behavior or limit functionality in an application. Some applications use Automation to silently start applications in the 2007 Office system.

  • Record the configuration settings in your security planning documents and in your security operations documents.

In addition to these security settings in the 2007 Office system, Office Publisher 2007 provides a setting that enables you to configure Automation security for macros in Office Publisher 2007. For more information, see Security policies and settings in the 2007 Office system.

Prevent encrypted macros from being scanned for viruses

The 2007 Office system provides several settings that enable you to prevent encrypted macros from being scanned for viruses. This is useful if your virus-scanning program does not support the Microsoft Antivirus application programming interface (API).

By default, macros are encrypted when you encrypt and save a file in the Office Open XML Formats file format. If your virus-scanning program does not support the Microsoft Antivirus API, your virus-scanning program cannot scan encrypted macros. As a result, encrypted macros will be disabled. To prevent your antivirus program from scanning encrypted macros, configure the settings as recommended in the following table.

Setting name Recommended configuration Description

Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks

Select this option: Disabled

By default, encrypted macros are scanned by your virus-scanning program when you open an encrypted workbook that contains macros. When you enable this option, encrypted macros are not scanned by your virus-scanning program, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office Excel 2007. You can configure this setting in the OCT and with the 2007 Office system Administrative Templates (.adm files).

Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations

Select this option: Enabled

By default, encrypted macros are scanned by your virus-scanning program when you open an encrypted presentation that contains macros. When you select this option, encrypted macros are not scanned by your virus-scanning program, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office PowerPoint 2007. You can configure this setting in the OCT and with the 2007 Office system Administrative Templates (.adm files).

Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents

Select this option: Enabled

By default, encrypted macros are scanned by your virus-scanning program when you open an encrypted document that contains macros. When you select this option, encrypted macros are not scanned by your virus-scanning program, which means that encrypted macros will run according to the macro security settings that you have configured. This setting applies only to Office Word 2007. You can configure this setting in the OCT and with the 2007 Office system Administrative Templates (.adm files).

If you change the default settings for scanning encrypted macros, be sure that you:

  • Record the settings in your security planning documents.

  • Record the settings in your security operations documents.

Download this book

This topic is included in the following downloadable book for easier reading and printing:

See the full list of available books at Downloadable content for the 2007 Office Resource Kit.