Trust Center Part 4: Trusted Locations

Today we have the fourth guest post from Sam Radakovitz, Excel Program Manager. Sam is writing about the Trust Center, a new feature for Office 2007.

While we have talked at length about reducing the impact of security decisions on end customers, and about having Office 2007 make secure default decisions, it’s important to note that the implication of those decisions is usually to disable code or some part of a solution because we don’t have sufficient information to trust it.

In the past, one way to enable a solution was to digitally sign the code; once the user trusted the publisher’s certificate, the code was always enabled. This is still the premier and preferred ‘evidence’ on which a customer can make a trust decision, and customers should insist that ISVs publishing code to extend Office sign that code. Even individual end customers have the option of self-signed certificates for use with code on their own machine, which one can create using the “Digital Certificates for VBA Projects” tool that ships with the Microsoft Office Tools.

However, for ad-hoc team and department level solutions, getting code signed with a certificate that is valid on all customers’ machines can be a challenge. This challenge has led some customers to lower the default setting, which allows only signed code from Trusted Publishers to run without notification, to Medium or even Low security. Low security allows all macros to run, including those from email attachments, and puts the user at significant risk.

Office 2007 addresses this risk by providing additional flexibility for the ad-hoc sharing scenario through the notion of Trusted Locations. A trusted location is a folder or document location from which Excel will trust documents and allow them to open and run code without notifying the user. Excel has always had a limited set of folders from which it would trust a document and allow it to load and run code; Office 2007 allows the user or administrator to add new locations. The following screenshot shows the management UI for Trusted Locations in the Office 2007 Trust Center.


It’s important to note that creating a trusted location is a significant trust decision and should not be made lightly. Particular care should be taken when remote locations are added to the Trusted Locations list, as code from any document in such a location will be trusted and run without challenge by the Office application. (IT administrators can, through custom installation and policy, restrict which locations are trusted on customers’ machines and what types of locations customers can add.) Any location trusted by the user must be well managed, with access restricted to those who are authorized to publish documents and code to the user’s machine.

This flexibility, allowing all documents in an arbitrary folder to be trusted, may at first glance seem a risk. But the ability for an ad-hoc set of customers to create a specific trusted location for a solution they use regularly should actually result in an improved security posture because, as mentioned above, the common alternative is to lower their settings so that all such code (including email attachments) can run, which is much more dangerous.

To further mitigate the risk of ‘rogue’ Trusted Locations, Office 2007 does not allow remote (off the user’s machine) locations by default, and all trusted locations can be revoked at once. Additionally, Office 2007 explicitly blocks certain risky folders, such as the Outlook attachment cache and the Temp folder, where documents are sometimes stored temporarily; these will never be trusted.
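As an added illustration (not Office’s own code), the following Python models the trust decision the post describes: blocked folders always win, remote (UNC) locations are ignored unless explicitly allowed, a global switch revokes everything, and matching is done per path component with subfolder handling. The blocked-folder paths, user profile layout and sample locations are constructed for the example.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
# Folders that are never trusted, whatever the user configures (the post names the
# Outlook attachment cache and the Temp folder). Paths are constructed for this example.
BLOCKED_FOLDERS = [
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook",
]

@dataclass(frozen=True)
class TrustedLocation:
    path: str
    allow_subfolders: bool = False  # Office's "Subfolders of this location are also trusted"

def _normalize(path: str) -> PureWindowsPath:
    """Collapse '.' and '..' so a path cannot escape the folder it appears to be in."""
    parts: list[str] = []  # PureWindowsPath compares case-insensitively, so no lower-casing
    for seg in PureWindowsPath(path).parts:
        if seg == "..":
            if len(parts) > 1:  # never pop the drive or UNC anchor
                parts.pop()
        elif seg != ".":
            parts.append(seg)
    return PureWindowsPath(*parts)

def _folder_within(folder: PureWindowsPath, root: PureWindowsPath, subfolders: bool) -> bool:
    """Component-wise containment: C:\\Budget must not match C:\\BudgetEvil."""
    return folder == root or (subfolders and root in folder.parents)

def _is_remote(root: PureWindowsPath) -> bool:
    """UNC paths count as remote; mapped drive letters would need a system call (known gap)."""
    return root.drive.startswith("\\\\")

def is_trusted(doc_path: str, locations: list[TrustedLocation],
               allow_network: bool = False, all_disabled: bool = False) -> tuple[bool, str]:
    """Return (trusted?, reason): blocked folders first, then 'disable all', then the list."""
    folder = _normalize(doc_path).parent
    for blocked in BLOCKED_FOLDERS:
        if _folder_within(folder, _normalize(blocked), subfolders=True):
            return False, f"inside blocked folder {blocked}"
    if all_disabled:
        return False, "all trusted locations disabled"
    for loc in locations:
        root = _normalize(loc.path)
        if _is_remote(root) and not allow_network:
            continue  # remote locations are ignored unless explicitly allowed
        if _folder_within(folder, root, loc.allow_subfolders):
            return True, f"matches trusted location {loc.path}"
    return False, "no matching trusted location"
```

The `..` collapsing and component-wise comparison are the two checks most often missed when path-based trust is reimplemented; a plain string prefix test would accept both `C:\Projects\BudgetEvil` and a traversal out of the trusted folder.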

Finally, Office 2007 allows such solution-focused documents to be trusted for more than just VBA macro code. Once trusted, these documents can update data from remote sources automatically, initialize ActiveX controls and so on, and truly run as a solution without blocking the user with prompts.