Today I noticed that an Application recently added to the Citrix Test environment had added a Macro to the Office Startup directory.
When a user launches Word he will get a popup because the Template (.dot file) was not signed:
It would have been a lot easier if Application Vendors signed their stuff, because in that case I could have just added the certificate using Group Policy (yesterday’s post describes how to do this).
Application Vendors usually tell you that you should lower the Macro security in Office (or Word in this case) to Low to get rid of this message. But I think there’s a better solution: we will sign the .dot file ourselves!
If you have a CA server or a publicly trusted certificate that you can use, the procedure is very simple. But today I will describe a solution using a Self Signed certificate.
First we will create the certificate: go to the Office Tools folder in your Start Menu and choose Digital Certificate for VBA Projects.
Give the certificate a name such as the name of your company and press OK:
Now Open the .dot file in Word and go to the Visual Basic Editor (Alt-F11), locate the .dot file in the Project Explorer and select it.
Select Digital Signature from the Tools menu and click Choose:
Now select the Certificate you created earlier:
Press OK on the Next Dialog:
And of course don’t forget to SAVE the .dot file.
Now we are going to Export the certificate to a file using the MMC Certificates snap-in. Start mmc.exe and add the Certificates snap-in for the Current User.
Right Click the Certificate and choose All Tasks | Export and save the Certificate to a file.
The last step is to deploy the certificate using a Group Policy to both the Trusted Root Certification Authorities and the Trusted Publishers Store:
And now the user is no longer bugged with a popup while you can still maintain the Medium or even High Macro Security Level in Office. So I think this is a better solution, even if you don’t have your own CA server or (expensive) Public Certificate.
For a more detailed explanation of deploying Certificates using a Group Policy read yesterday’s post.
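To confirm on a target machine that the policy delivered the certificate to both stores, a check like the following can be run against the exported file. This is an added example, not part of the original post; the function name and the file path are hypothetical, and it assumes the certificate was deployed through a computer policy.

```powershell
# Added example, not from the original post. Checks that the exported VBA
# signing certificate has reached both stores the Group Policy targets.
# Assumption: the policy is a computer policy, so the default location is
# LocalMachine; pass -Location CurrentUser for a user-scoped check.
function Test-MacroCertDeployment {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$Location = 'LocalMachine'
    )

    $path = (Resolve-Path -LiteralPath $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

    # Only the public certificate should be distributed. The private key stays
    # in the signer's Personal store; anyone holding it can sign macros that
    # every machine receiving this policy will trust.
    if ($cert.HasPrivateKey) {
        throw "$CerPath contains a private key; export the certificate without it."
    }

    # Trusted Root lets the self-signed certificate validate as its own root;
    # Trusted Publishers lists it as an accepted macro signer (the two stores
    # the post deploys to).
    $stores = foreach ($name in 'Root', 'TrustedPublisher') {
        $match = Get-ChildItem -Path "Cert:\$Location\$name" |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
        [pscustomobject]@{ Store = $name; Present = [bool]$match }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Expires    = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Deployed   = -not ($stores | Where-Object { -not $_.Present })
        Stores     = $stores
    }
}

# Usage (hypothetical path):
# Test-MacroCertDeployment -CerPath 'C:\Temp\vba-signing.cer' | Format-List
```

If `Deployed` is false, the `Stores` property shows which of the two stores is still missing the certificate.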
3 Responses for "Self Signing Word Macro’s"
Good post. However maybe the “self-signing” part in the title is a little confusing, since it made me think of the macros signing themselves (instead of the organization itself signing the macros) and wanted to scream “security hole!” 🙂
@cdman: I had a little trouble choosing a good title 😀
[…] really put pressure on your vendors and have them sign their macro’s. Or as an alternative, self sign them. Secondly: Implement A Virus Scanner that uses the Office AntiVirus API to scan documents and […]