Updated: 2009-02-12
You can configure settings for ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros by using the Office Customization Tool (OCT) and the Group Policy Object Editor.
Before you begin
Before you begin configuring settings, be sure you meet the planning requirements, administrative requirements, and tool requirements that are described in this section.
-
Planning requirements You must complete the following steps in the security planning process before you can effectively configure trusted locations and trusted publishers settings:
Choose a deployment tool for security settings and privacy options in the 2007 Office system
Evaluate default security settings and privacy options for the 2007 Office system
Plan trusted locations and trusted publishers settings for the 2007 Office system
-
Administrative requirements The following table lists the administrative credentials that are required to perform settings configuration actions.
To perform these actions You must be a member of these groups Run the OCT
Administrators group on the local computer
Configure local Group Policy settings with the Group Policy Object Editor
Administrators group on the local computer
Configure domain-based Group Policy settings with the Group Policy Object Editor
Domain Admins, Enterprise Admins, or Group Policy Creator Owners
-
Tool requirements It is assumed that you:
-
Understand how to use the OCT to customize the 2007 Microsoft Office system. For more information about the OCT, see Office Customization Tool in the 2007 Office system.
-
Have created a network installation point from which you can run the OCT.
-
Understand what Administrative Templates (that is, .adm files) are.
-
Have loaded the Office 2007 Administrative Templates into the Group Policy Object Editor.
-
Use the following sections to determine how to configure settings for:
Configure settings for ActiveX controls
The following procedures show how to use the OCT and the Group Policy Object Editor to disable ActiveX controls and change the way ActiveX controls are initialized. To learn more about ActiveX control settings, see Security policies and settings in the 2007 Office system and Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system.
Disable ActiveX controls
You can use the following procedures to disable ActiveX controls. The settings described in these procedures apply only to applications in the 2007 Microsoft Office system; that is, ActiveX controls are not disabled in documents that are opened in earlier versions of Office. In addition, even though you disable ActiveX controls in a document, ActiveX controls still initialize and run without notification if a document is opened from a trusted location.
Disable ActiveX controls by using the OCT
-
In the left pane of the OCT, under Features, click Modify user settings.
-
In the tree view of the OCT, open Microsoft Office 2007 system and click Security Settings.
-
In the details pane, double-click Disable all ActiveX.
-
Click Enabled, select the Disable All ActiveX check box and click OK.
Note: |
---|
You can also disable ActiveX controls by setting the Unsafe ActiveX initialization setting in the OCT to Do not prompt and disable all controls. |
Disable ActiveX controls by using the Group Policy Object Editor
-
In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings
-
In the details pane, double-click Disable All ActiveX, click Enabled, select the Disable All ActiveX check box and click OK.
Change the way ActiveX controls are initialized
The following procedures show how to use the OCT and the Group Policy Object Editor to change the way ActiveX controls are initialized. ActiveX control initialization depends on several factors, including whether there is a VBA project present in a document and whether a control is marked safe for initialization (SFI) or unsafe for initialization (UFI).
Change the way ActiveX controls are initialized by using the OCT
-
In the left pane of the OCT, click Office security settings.
-
In the details pane, in Unsafe ActiveX initialization, click one of the following:
Prompt user to use control defaults. This setting initializes ActiveX controls with default values and might require user input before ActiveX controls are initialized.
Prompt user to use persisted data. This setting initializes ActiveX controls with persisted values and might require user input before ActiveX controls are initialized.
Do not prompt. This setting initializes all controls and does not require user input.
Change the way ActiveX controls are initialized by using the Group Policy Object Editor
-
In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings
-
In the details pane, double-click ActiveX Control Initialization and click Enabled. In ActiveX Control Initialization, click the initialization setting that you want.
There are six possible initialization settings for ActiveX controls. Some settings might require user input before ActiveX controls are initialized.
-
Click OK.
Configure settings for add-ins
The following procedures show how to use the OCT and the Group Policy Object Editor to:
-
Disable add-ins.
-
Require that add-ins are signed by a trusted publisher.
-
Disable notifications for unsigned add-ins.
To learn more about security settings for add-ins, see Security policies and settings in the 2007 Office system and Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
Disable add-ins
You can use the following procedures to disable add-ins. When you disable add-ins, users are not notified that add-ins are disabled. Also, add-ins can be disabled only on a per-application basis. There is no global setting that disables add-ins.
Disable add-ins by using the OCT
-
In the left pane of the OCT, click Office security settings.
-
In the details pane, under Default security settings, double-click Application add-ins warnings options for the application you want to configure.
-
In the Specify Security Settings dialog box, click Disable all application extensions and click OK.
Note: |
---|
You can also disable add-ins by setting the Disable all application add-ins setting to Enabled in the OCT. |
Disable add-ins by using the Group Policy Object Editor
-
Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center
-
In the details pane, double-click Disable all application add-ins, click Enabled and click OK.
Require that add-ins are signed by a trusted publisher
You can use the following procedures to require that add-ins are signed by a trusted publisher. You can configure this setting only on a per-application basis. There is no global setting that requires add-ins to be signed by a trusted publisher.
Use the OCT to require add-ins to be signed by a trusted publisher
-
In the left pane of the OCT, click Office security settings.
-
In the details pane, under Default security settings, double-click Application add-ins warnings options for the application you want to configure.
-
In the Specify Security Settings dialog box, click Require that application extensions are signed by trusted publisher and click OK.
Use the Group Policy Object Editor to require add-ins to be signed by a trusted publisher
-
Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center
-
In the details pane, double-click Require that application add-ins are signed by trusted publisher, click Enabled and click OK.
Disable notifications for unsigned add-ins
You can use the following procedures to disable notifications for unsigned add-ins. You can configure this setting only on a per-application basis. There is no global setting that disables unsigned add-ins and disables notifications for unsigned add-ins.
Disable notifications for unsigned add-ins by using the OCT
-
In the left pane of the OCT, click Office security settings.
-
In the details pane, under Default security settings, double-click Application add-ins warnings options for the application you want to configure.
-
In the Specify Security Settings dialog box, click Require that extensions are signed, and silently disable unsigned extensions and click OK.
Disable notifications for unsigned add-ins by using the Group Policy Object Editor
-
Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center
-
In the details pane, double-click Disable trust bar notifications for unsigned application add-ins, click Enabled and click OK.
Note: |
---|
You must use the Disable trust bar notifications for unsigned application add-ins setting in conjunction with the Require that application add-ins are signed by trusted publisher setting. |
Configure settings for macros
The following procedures show how to use the OCT and the Group Policy Object Editor to configure:
-
Default security settings for macros.
-
Disable VBA.
-
Provide Automation clients programmatic access to VBA projects.
-
Automation security for macros.
-
Prevent encrypted macros from being scanned for viruses.
To learn more about security settings for macros, see Security policies and settings in the 2007 Office system and Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system
Configure default security settings for macros
You can use the following procedures to configure default security settings for macros. You can configure this setting only on a per-application basis.
Configure default security settings for macros by using the OCT
-
In the left pane of the OCT, click Office security settings.
-
In the details pane, under Default security settings, double-click VBA macro warnings options for the application you want to configure.
-
In the Specify Security Settings dialog box, click the default security setting that you want and click OK.
Configure default security settings for macros by using the Group Policy Object Editor
-
Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center
-
In the details pane, double-click VBA macro warning settings, click Enabled, and choose the default security setting that you want.
-
Click OK.
Note: |
---|
You can also change the default security setting for macros in Microsoft Office Outlook 2007. For more information, see the security documentation for Office Outlook 2007. |
Disable VBA
You can use the following procedures to disable VBA. You can configure this setting only on a global basis.
Disable VBA by using the OCT
-
In the left pane of the OCT, under Features, click Modify user settings.
-
In the tree view of the OCT, open Microsoft Office 2007 system and click Security Settings.
-
In the details pane, double-click Disable VBA for Office applications.
-
Click Enabled and click OK.
Disable VBA by using the Group Policy Object Editor
-
In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings
-
In the details pane, double-click Disable VBA in Office applications, click Enabled, and click OK.
Provide Automation clients programmatic access to VBA projects
You can use the following procedures to provide Automation clients programmatic access to VBA projects. You can configure this setting only on a per-application basis.
Provide Automation clients programmatic access to VBA projects by using the OCT
-
In the left pane of the OCT, under Features, click Modify user settings.
-
In the tree view of the OCT, navigate to one of the following locations:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
-
In the details pane, double-click Trust access to Visual Basic project.
-
Click Enabled and click OK.
Provide Automation clients programmatic access to VBA projects by using the Group Policy Object Editor
-
Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center
-
In the details pane, double-click Trust access to Visual Basic project.
-
Click Enabled and click OK.
Configure Automation security for macros
You can use the following procedures to configure Automation security for macros. You can configure this setting only on a global basis.
Configure Automation security for macros by using the OCT
-
In the left pane of the OCT, under Features, click Modify user settings.
-
In the tree view of the OCT, open Microsoft Office 2007 system and click Security Settings.
-
In the details pane, double-click Automation security and click Enabled.
-
In Set the Automation security level, click the setting that you want and click OK.
Configure Automation security for macros by using the Group Policy Object Editor
-
In the Group Policy Object Editor tree, navigate to the following location:
User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings
-
In the details pane, double-click Automation security and click Enabled.
-
In Set the Automation security level, click the setting that you want and click OK.
Prevent encrypted macros from being scanned for viruses
You can use the following procedures to prevent encrypted macros from being scanned for viruses. You can configure this setting only on a per-application basis.
Prevent encrypted macros from being scanned for viruses by using the OCT
-
In the left pane of the OCT, under Features, click Modify user settings.
-
In the tree view of the OCT, navigate to one of the following locations:
Microsoft Office Excel 2007/Excel Options/Security/Trust Center
Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
Microsoft Office Word 2007/Word Options/Security/Trust Center
-
In the details pane, double-click one of the following based on the application that you are configuring:
Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks
Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations
Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents
-
Click Enabled and click OK.
Prevent encrypted macros from being scanned for viruses by using the Group Policy Object Editor
-
Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:
User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center
User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center
-
In the details pane, double-click one of the following based on the application that you are configuring:
Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks
Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations
Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents
-
Click Enabled and click OK.
Download this book
This topic is included in the following downloadable book for easier reading and printing:
See the full list of available books at Downloadable content for the 2007 Office Resource Kit .