Office Customization Tool

Office security settings

Customizes security settings for Office applications.

 Note   Security settings specified in a Setup customization (.msp) file become the default settings on users' computers; however, users can change them after installation. To help lock down and to enforce security settings, you must use Group Policy. For more information, refer to the recommendations in the "2007 Microsoft Office Security Compliance Management Toolkit" (http://r.office.microsoft.com/r/rlidOCTCHMOfficeSecurityGuide?clid=en-us).

The Trusted Publishers list identifies trusted sources for digitally signed macros, add-ins, Microsoft ActiveX controls, and other executable code used by Office applications. Click Add next to the Add the following digital certificates to the Trusted Publishers list box to add a digital certificate (CER file) to the Trusted Publishers list.

Office applications share a certificate-based trusted sources list with Microsoft Internet Explorer. For more information, see "Plan Trusted Publishers settings for Office 2010" in the Office 2010 Resource Kit.

The Trusted Locations list identifies locations from which any file can be opened without being checked by the Trust Center security feature. To add a new location, click Add next to Add the following paths to the Trusted Locations list, type the following information, and then click OK:

1. Expand the Application menu, and then select the Office application that uses this location.
2. In the Path box, type the path of the trusted location. Enter a fully qualified path with drive letter or UNC path. The path can include environment variables.
3. Select Subfolders of this location are also trusted to include subfolders as trusted locations.
4. In the Description box, type text that describes the purpose of the location.

To remove a trusted location from this list, select it, and then click Remove.

 Note   When you specify one or more trusted locations here, the Trusted Locations list previously defined on the user’s computer is cleared and replaced by this list.

Select Remove all Trusted Locations written by OCT during installation to clear the Trusted Locations list on the users' computers. You can select this check box even if there are no trusted locations defined in this dialog box, if you want to clear the Trusted Locations list on the users' computers.

In the Default Security Settings list, set default security levels for add-ins, templates, and Office applications. For each Office application, you can set some of the following options:

• Allowed trusted locations options
  1. Allow trusted locations that are NOT on user's computer
  2. Allow Trusted Locations on the Users machine only (application default)
  3. Disable all trusted locations, only files signed by trusted publishers will be trusted
• Application add-ins warnings options
  1. Disable all Application Extensions
  2. Require that Application Extensions are signed by a trusted publisher
  3. Require that Extensions are signed, and silently disable unsigned Extensions
  4. Enable all installed Application Add-ins (application default)
• VBA macro warnings options
  1. Disable all VBA macros
  2. Disable Trust Bar warning for unsigned VBA macros (unsigned code will be disabled)
  3. Disable all VBA macros with notification (application default)
  4. No security checks for VBA macros (not recommended, code in all documents can run)
• Microsoft Office Project – Add-ins and Templates
  1. Trust all installed add-ins and templates
  2. Do not trust installed add-ins and templates
• Microsoft Office Project – Security level
  1. Very High - Only macros installed in trusted sources will be allowed to run. All other signed and unsigned macros are disabled.
  2. High - Only signed macros from trusted sources are allowed to run; unsigned macros are disabled.
  3. Medium - The user can choose whether or not to run potentially unsafe macros.
  4. Low (not recommended) - Users are not protected from potentially unsafe macros.

Unsafe ActiveX Initialization - Determine whether unsigned, and therefore potentially unsafe, ActiveX controls can initialize by using persisted data, that is, data that is saved from one instance of the control to the next. The possible values are:

<do not configure> - Setup does not modify the setting specified on the user's computer. New applications are installed with the default setting, which is Prompt user to use persisted data.

Prompt user to use control defaults - The user is warned before an application initiates ActiveX controls that might be unsafe. If the user trusts the source of the document, the control is initialized using its default settings.

Prompt user to use persisted data - The user is warned before an application initiates ActiveX controls that might be unsafe. If the user trusts the source of the document, the control is initialized using persisted data.

Do not prompt - All unsigned ActiveX controls run without prompting the user. This setting provides the least protection and is not recommended.

Do not prompt and disable all controls - All unsigned ActiveX controls are not run and the user is not warned.