Macro Security Level Changes

  • Question

    1. I don't appreciate the update with no prior notice!
    2. I did not request that my macro security level be automatically changed to what Microsoft thinks it should be!
    3. I would appreciate a more accessible support system for functions which don't work - like disabling computers in "circle".
    4. This entire 'change' has added a great deal of work, and research, to be able to understand and address changes.
    5. How do I get some information on enabling and disabling OneCare functions?
    Thursday, January 17, 2008 5:58 PM

Answers

  •  cadwan wrote:
    1. I don't appreciate the update with no prior notice!
    2. I did not request that my macro security level be automatically changed to what Microsoft thinks it should be!
    3. I would appreciate a more accessible support system for functions which don't work - like disabling computers in "circle".
    4. This entire 'change' has added a great deal of work, and research, to be able to understand and address changes.
    5. How do I get some information on enabling and disabling OneCare functions?

     

    Regarding Macro Settings

     

    here's some info for you...

     

    What you are seeing is the “Super Tune Up” (also known as Tune Up Settings Check); it automatically makes this change on the machine. The Macro security setting is one of 24 settings that OneCare checks on a daily/weekly/monthly basis depending on the setting and will change it if found to be set to an insecure setting.
    There is no way to turn this off.
     
    The workaround for this is to make a Digital Certificate for you to be able to use your documents with macros.
     
     
    Digitally signing a macro

    You can use the program Selfcert.exe to sign macros or templates you create for your own personal use. Certificates created for use on your own computer are accepted only for the computer the certificate was created on.

    Selfcert.exe calls Makecert.exe; both programs are available with Office in the Office 2003 folder and are not available with the Microsoft Office 2003 Editions Resource Kit. However, signing a macro, template, or file with Selfcert.exe does not provide a high enough level of authentication to provide reliable tracking of the source of the file back to its developer. Therefore, if a file you sign with a signature created from Selfcert is distributed to other users, they will not be able to accept your certificate if they are running High security, because the certificate does not have a high enough security level to authenticate who you are. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.

    There are limitations to the deployment of Selfcert.exe certificates applied to a macro when macro security is set to High:

    • Setting security to Low and then running the macro does not register the certificate in the trusted sources list.

      Security must be set to Medium or High before any certificates are posted to the trusted Trust Publishers list. In cases where security is set to High on all computers, a Selfcert.exe-signed macro can be deployed, but it does not have a secure enough certificate for use by other users who are running with the High security level. Only a certificate issued by a certificate authority can be used to provide a distributable certificate and signature to others and still pass through Medium and High security levels in Office.

    • Selfcert.exe-issued certificates are not managed by a certificate authority and do not provide for certificate revocation checking.
    • Selfcert.exe does not provide a certificate of trust with a traceable signature.
    Wednesday, February 13, 2008 3:46 PM
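
Added example (not part of the original answer and not Microsoft's code): a PowerShell audit of the Trusted Publishers store that flags certificates with the properties the answer attributes to Selfcert.exe output, namely self-issued and without a revocation source. It assumes the trusted publishers list the answer mentions corresponds to `Cert:\CurrentUser\TrustedPublisher`; `Get-PublisherAudit` is a hypothetical helper name, and treating Subject equal to Issuer as "self-issued" is a heuristic.

```powershell
# Added example: audit the current user's Trusted Publishers store.
# Assumption: trusted macro publishers live in Cert:\CurrentUser\TrustedPublisher.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage
$CrlDpOid       = '2.5.29.31'           # CRL Distribution Points extension

function Get-PublisherAudit {
    param([string]$StorePath = 'Cert:\CurrentUser\TrustedPublisher')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Heuristic: a self-signed certificate names itself as its issuer.
        $selfIssued = ($cert.Subject -eq $cert.Issuer)

        # Without a CRL distribution point there is nothing to check revocation against.
        $hasCrl = [bool]($cert.Extensions |
            Where-Object { $_.Oid.Value -eq $CrlDpOid })

        # Collect the enhanced key usage OIDs, if the extension is present.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        [pscustomobject]@{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            SelfIssued  = $selfIssued
            HasCrlDp    = $hasCrl
            CodeSigning = ($ekuOids -contains $CodeSigningOid)
            Expired     = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Show the entries worth reviewing first: self-issued, or no revocation source.
Get-PublisherAudit |
    Where-Object { $_.SelfIssued -or -not $_.HasCrlDp } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

An empty result means no trusted publisher in the store matches either condition; it does not say anything about the macro security level itself.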

All replies

  • Actually, there was prior notice in the form of an email in late November to all subscribers indicating that OneCare 2.0 had been released and would be deployed to all users. As a subscription service, OneCare will automatically update. I do wish that they would change the actual update process, as I don't like the fact that it installs immediately upon download, but that's another story, I think.

    On point 2, there have been a few other posts on this topic. I have yet to find out the complete list of things that OneCare 2.0 monitors and changes to enhance security and agree that this should be configurable by us, with some limitations, when the action is not inherently a security risk.

     

    What problems are you having with disabling a computer in a Circle? On the Hub, click Manage OneCare Circle. Expand the entry for the PC you wish to remove and click the link to remove the PC. It will immediately be removed from the list and the copy of OneCare, if active, on the PC being removed will go to unsubscribed status and will need to be uninstalled.

     

    Thanks for the comment in point 4. Perhaps the OneCare team needs to look at providing more information on what the new features are.

     

    What functions in OneCare do you wish to enable or disable?

     

    -steve

     

    Thursday, January 17, 2008 7:47 PM
    Moderator
  • danzig,

     

    Just a brief review of the above clearly indicates how useless this setting is in most SOHO environments. I have a background in programming and even I find the work required to SelfCert a certificate confusing and nearly useless with all the limitations. Expecting a small SOHO business to have this expertise and/or take the time to perform these operations is simply ridiculous.

     

    When a developer creates a macro commercially it's reasonable to expect this level of security for a macro that will be widely dispersed within either a medium to large or group of small companies. Especially since they'd have the expertise and economy of scale to produce such a certificate cost effectively.

     

    However, in a SOHO environment, it's just not going to happen and the perfectly reasonable reaction will simply be to dump OneCare and move to another security suite that doesn't create this issue. Since SOHO is really the only business environment that OneCare is truly suited to serve, this leaves the entire decision to force this level of macro security in question.

     

    I fully backed the decision to require digital signing of executable code provided by commercial software vendors to improve application identification. However, unless the method of performing a self certification of a macro is simplified to allow the average person to perform it easily, I can't realistically believe this move has done anything but cause another large segment of users to move away from OneCare as a viable protection for their PC.

     

    OneCareBear

    Wednesday, February 13, 2008 7:24 PM
    Moderator
  •  

    Definitely sad but true, I just hope there could be something that the development team could do about this in future versions.

     

    Security | Increase Microsoft Word Macros Security | Daily | Silent | MS word security settings have been restored to recommended levels | Optimize Word Security Settings | Your current Microsoft Word security settings for macros are below the default setting. The macros security level is set to less than Medium in your Word application
    Security | Increase Microsoft Excel Macros Security | Daily | Silent | MS Excel security settings have been restored to recommended levels | Optimize Word Security Settings | Your current Microsoft Excel security settings for macros are below the default setting. The macros security level is set to less than Medium in your Excel application
    Security | Increase Microsoft PowerPoint Macros Security | Daily | Silent | MS PowerPoint security settings have been restored to recommended levels | Optimize Word Security Settings | Your current Microsoft PowerPoint security settings for macros are below the default setting. The macros security level is set to less than Medium in your PowerPoint application

     

    Wednesday, February 13, 2008 8:01 PM