Updated: 2009-02-12
You can configure trusted locations and trusted publishers settings by using the Office Customization Tool (OCT) and the Group Policy Object Editor.
Before you begin
Before you begin configuring settings, be sure you meet the planning requirements, administrative requirements, and tool requirements that are described in this section.
- Planning requirements: You must complete the following steps in the security planning process before you can effectively configure trusted locations and trusted publishers settings:
  - Choose a deployment tool for security settings and privacy options in the 2007 Office system
  - Evaluate default security settings and privacy options for the 2007 Office system
  - Plan trusted locations and trusted publishers settings for the 2007 Office system
- Administrative requirements: The following table lists the administrative credentials that are required to perform settings configuration actions.

  | To perform these actions | You must be a member of these groups |
  | --- | --- |
  | Run the OCT | Administrators group on the local computer |
  | Configure local Group Policy settings with the Group Policy Object Editor | Administrators group on the local computer |
  | Configure domain-based Group Policy settings with the Group Policy Object Editor | Domain Admins, Enterprise Admins, or Group Policy Creator Owners |
- Tool requirements: It is assumed that you:
  - Understand how to use the OCT to customize the 2007 Microsoft Office system. For more information about the OCT, see Office Customization Tool in the 2007 Office system.
  - Have created a network installation point from which you can run the OCT.
  - Understand what Administrative Templates (that is, .adm files) are.
  - Have loaded the Office 2007 Administrative Templates into the Group Policy Object Editor.
Configure trusted locations by using the OCT
The following procedures show how to use the OCT to disable trusted locations, specify shared folders as trusted locations, restrict trusted locations, and delete all trusted locations that have been created by using the OCT. To learn the location of other trusted locations settings in the OCT, see Security policies and settings in the 2007 Office system.
Disable trusted locations by using the OCT
You can disable trusted locations only on a per-application basis; there is no single setting that enables you to globally disable trusted locations. To globally disable trusted locations, you must disable trusted locations for each of the following applications: Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and Microsoft Office Word 2007.
Disable trusted locations settings by using the OCT
- In the left pane of the OCT, click Office security settings.
- In the details pane, under Default security settings, double-click Allowed trusted locations options for the application you want to configure.
- In the Specify Security Settings dialog box, click Disable all trusted locations, only files signed by trusted publishers will be trusted and click OK.
Specify trusted locations by using the OCT
You can specify trusted locations only on a per-application basis by using the OCT. There is no single OCT setting that enables you to specify a global trusted location that applies to all applications. To specify a global trusted location that applies to all applications, you must specify the trusted location separately for each application or use Group Policy settings.
Specify trusted locations on a per-application basis by using the OCT
- In the left pane of the OCT, click Office security settings.
- In the details pane, under Add the following paths to the Trusted Locations list, click Add.
- In the Specify Security Settings dialog box, do the following:
  - In Application, click the application to which you want the trusted location to apply.
  - In Path, type the path to the folder that you want to trust.
  - Select the Subfolders of this location are also trusted check box if you want all subfolders within the trusted folder to also be trusted.
  - In Description, type a description of the trusted location.
- Click OK.
If you specify a network share as a trusted location, you must enable the Allow Trusted Locations not on the computer setting. In addition, you can use environment variables to represent trusted locations; however, you must modify the registry so that the environment variables are recognized. Also, you can specify Web folders (that is, http:// paths) as trusted locations, but not all Web folders are recognized as trusted locations. For more information about using environment variables to specify trusted locations and specifying Web folders as trusted locations, see Plan trusted locations and trusted publishers settings for the 2007 Office system.
Restrict trusted locations by using the OCT
You can restrict trusted locations by using the OCT to configure the following settings.
Allow only policy-based trusted locations
- In the left pane of the OCT, under Features, click Modify user settings.
- In the tree view of the OCT, open Microsoft Office 2007 system, open Security Settings and click Trust Center.
- In the details pane, double-click Allow mix of policy and user locations.
- Click Disabled and click OK.
Do not allow network shares to be trusted locations
- In the left pane of the OCT, click Office security settings.
- In the details pane, under Default security settings, double-click Allowed trusted locations options for the application you want to configure.
- In the Specify Security Settings dialog box, click Allow Trusted Locations on the users machine only (application default) and click OK.
Delete all trusted locations created by using the OCT
Use the following procedure to delete all trusted locations that have been created by using the OCT.
Delete all trusted locations created by using the OCT
- In the left pane of the OCT, click Office security settings.
- In the details pane, under Add the following paths to the Trusted Locations list, select the Remove all trusted locations written by the OCT during installation check box.
You can deploy trusted locations by using the Setup program or by using the Windows Installer program. For more information, see Run Setup for the 2007 Office system on users' computers and Change users' configurations after installing the 2007 Office system.
Configure trusted locations by using Group Policy
The following procedures show how to use the Group Policy Object Editor to disable trusted locations, specify shared folders as trusted locations, and restrict trusted locations. To learn the location of other trusted locations settings in the Group Policy Object Editor, see Security policies and settings in the 2007 Office system.
Disable trusted locations by using Group Policy
You can disable trusted locations only on a per-application basis. There is no single setting that enables you to globally disable trusted locations. To globally disable trusted locations, you must disable trusted locations for each of the following applications: Microsoft Office Access 2007, Microsoft Office Excel 2007, Microsoft Office PowerPoint 2007, Microsoft Office Visio 2007, and Microsoft Office Word 2007.
Disable trusted locations settings by using Group Policy
- Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:
  - User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
  - User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations
- In the details pane, double-click Disable all trusted locations, click Enabled and click OK.
Specify trusted locations by using Group Policy
You can specify trusted locations globally or on a per-application basis by using Group Policy. Use the following procedure to specify a global trusted location.
Specify global trusted locations by using Group Policy
- In the Group Policy Object Editor tree, navigate to the following location:
  - User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings/Trust Center
- In the details pane, double-click a trusted location that has not been configured, such as Trusted Location #1, Trusted Location #2, and so on.
- In the Trusted Location Properties dialog box, click Enabled and do the following:
  - In Path, type the path to the folder that you want to trust.
  - In Date, type today's date.
  - In Description, type a description of the trusted location.
  - Select the Allow subfolders check box if you want all subfolders within the trusted folder to also be trusted.
- Click OK.
Use the following procedure to specify trusted locations on a per-application basis.
Specify trusted locations on a per-application basis by using Group Policy
- Depending on which application you want to configure, navigate to one of the following locations in the Group Policy Object Editor tree:
  - User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
  - User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations
- In the details pane, double-click a trusted location that has not been configured, such as Trusted Location #1, Trusted Location #2, and so on.
- In the Trusted Location Properties dialog box, click Enabled and do the following:
  - In Path, type the path to the folder that you want to trust.
  - In Date, type today's date.
  - In Description, type a description of the trusted location.
  - Select the Allow subfolders check box if you want all subfolders within the trusted folder to also be trusted.
- Click OK.
If you specify a network share as a trusted location, you must enable the Allow Trusted Locations not on the computer setting. In addition, you cannot use environment variables to represent trusted locations in Group Policy. You can specify Web folders (that is, http:// paths) as trusted locations, but not all Web folders are recognized as trusted locations. For more information about using environment variables to specify trusted locations and specifying Web folders as trusted locations, see Plan trusted locations and trusted publishers settings for the 2007 Office system.
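The constraints in this note, and in the matching note in the OCT section, can be checked against a planned list of locations before any of them is typed into the OCT or the Group Policy Object Editor. The following PowerShell function is an added example, not part of the original documentation or of any Microsoft tool; the function, parameter and property names and the sample paths are assumptions made for illustration.

```powershell
# Added example. Function, parameter and property names and the sample paths
# are hypothetical; the rules are the ones stated in the notes above.
function Test-TrustedLocationPlan {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Location,
        [ValidateSet('OCT', 'GroupPolicy')] [string] $Tool = 'GroupPolicy',
        # Planned state of "Allow Trusted Locations not on the computer"
        [bool] $AllowNetworkLocations = $false
    )
    foreach ($loc in $Location) {
        $path = [string] $loc.Path
        $findings = New-Object 'System.Collections.Generic.List[string]'
        $isWeb = $path -match '^https?://'
        $isUnc = $path.StartsWith('\\')   # mapped drive letters cannot be detected from the path
        if ([string]::IsNullOrWhiteSpace($path)) { $findings.Add('Path is empty') }
        # Skip Web paths so URL escapes such as %20 are not mistaken for variables.
        if (-not $isWeb -and $path -match '%[^%\\/]+%') {
            if ($Tool -eq 'GroupPolicy') {
                $findings.Add('Environment variables cannot be used in Group Policy')
            } else {
                $findings.Add('Environment variable needs the registry modification to be recognized')
            }
        }
        if ($isUnc -and -not $AllowNetworkLocations) {
            $findings.Add('Network share needs "Allow Trusted Locations not on the computer"')
        }
        if ($isWeb) { $findings.Add('Web folder may not be recognized as a trusted location') }
        [pscustomobject]@{
            Application     = $loc.Application
            Path            = $path
            AllowSubfolders = [bool] $loc.AllowSubfolders
            Findings        = $findings -join '; '
        }
    }
}

# Constructed sample plan (not real hosts or folders).
$plan = @(
    [pscustomobject]@{ Application = 'Excel';  Path = 'C:\Finance\Templates';         AllowSubfolders = $false }
    [pscustomobject]@{ Application = 'Word';   Path = '\\fileserver.example\macros';  AllowSubfolders = $true }
    [pscustomobject]@{ Application = 'Access'; Path = '%USERPROFILE%\Databases';      AllowSubfolders = $false }
    [pscustomobject]@{ Application = 'Word';   Path = 'http://intranet.example/docs'; AllowSubfolders = $false }
)
Test-TrustedLocationPlan -Location $plan -Tool GroupPolicy | Format-List
```

An empty Findings value means the entry conflicts with none of the stated constraints; rerun with -Tool OCT or -AllowNetworkLocations $true to match the deployment method and the network setting you plan to use.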
Restrict trusted locations by using Group Policy
You can restrict trusted locations by using the Group Policy Object Editor to configure the following settings.
Allow only policy-based trusted locations
- In the Group Policy Object Editor tree, navigate to the following location:
  - User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings/Trust Center
- In the details pane, double-click Allow mix of policy and user locations, click Disabled and click OK.
Do not allow network shares to be trusted locations
- In the Group Policy Object Editor tree, navigate to one of the following locations, depending on which application you want to configure:
  - User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center/Trusted Locations
  - User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
  - User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center/Trusted Locations
- In the details pane, double-click Allow Trusted Locations not on the computer, click Disabled and click OK.
Configure trusted publishers settings by using the OCT
The following procedure shows how to use the OCT to add trusted publishers to the trusted publishers list. You cannot use the Office 2007 Administrative Templates to add trusted publishers to the trusted publishers list. To add a trusted publisher to the trusted publishers list, you must have the digital certificate (.cer file) that the publisher used to sign their ActiveX control, add-in, or macro. For more information about how you can obtain a publisher's digital certificate, see Plan trusted locations and trusted publishers settings for the 2007 Office system.
Add digital certificates to the trusted publishers list by using the OCT
- In the left pane of the OCT, click Office security settings.
- In the details pane, under Add the following digital certificates to the Trusted Publishers list, click Add.
- In the Add Digital Certificates dialog box, click the digital certificate that you want to add and click Add.