microsoft.com Home | |||
http://www.microsoft.com/office/ork |
Protecting Against Macro VirusesSigning Macros Digitally to Verify the SourceMacro viruses are programs written in the macro languages of applications. These viruses can do serious harm to programs and data. Without proper precautions, macro viruses can be transmitted to a computer and stored in the Normal template or a global template when an infected document is opened in an Office application. In Office 97, Microsoft Word, Excel, and PowerPoint can protect against macro viruses by warning that the document being opened contains macros. You can then choose to disable the macros or keep them enabled when you open the document. Office 2000 expands on macro virus protection by allowing macros in documents to be digitally signed. A digital signature is binary data that is calculated by applying an algorithm to the original data (in this case, the macro code) and a numeric private key. The private key has a corresponding public key. When a second algorithm is applied to the digital signature and the public key, the algorithm determines whether the data was signed by a user with access to the private key. Therefore, the digital signature can be used to prove that the data is really from the user or source that the digital signature claims to be from. Using certificates to sign macrosA certificate is a set of data that completely identifies an entity and is issued by a certificate authority only after that authority has verified the entity’s identity. The data set includes the public key tendered to the entity. The entity obtains a certificate that also includes the private key, so the certificate can be used to sign data. A certificate that contains only a public key is called a public certificate. A certificate that contains public and private keys is called a private certificate or personal certificate. Certificates are automatically installed as needed and stored in the registry by the operating system. VeriSign is an example of a certificate authority. You can also produce your own certificates by using Windows NT® Certificate Services or by using the Selfcert.exe program. This program is installed with the Office Tools/Digital Signatures feature in Office Setup. Note Certificates created with Selfcert.exe are not verified by any authority, and any user with access to Selfcert.exe can create them. Therefore, it is recommended that users not trust self-signed certificates unless they know for sure that the certificate is valid. (You can determine who signed a certificate by viewing its properties.) Not all certificates can be used for all security needs. Types of certificates include the following: Identity Proves user identity when the user is authenticated on a server computer. E-mail Digitally signs e-mail content to prove that it was produced by a specific user; encrypts the content so that it cannot be read or tampered with on a network. Code-signing Digitally signs code to prove that it was produced by a specific publisher; prevents code tampering. When you sign Office macros, you must use a code-signing certificate. A public version of the certificate is stored with the digital signature in signed files. Personal certificates, which can be used to sign and encrypt the macros because they contain private keys, are also stored on the client computer. Managing certificates with Internet ExplorerYou can manage the certificates installed on a computer by using Microsoft Internet Explorer. To manage certificates by using Internet Explorer 4.x
To manage certificates by using Internet Explorer 5
Using certificate timestampsCertificates are given expiration dates after which the certificates are no longer valid. Expiration dates are chosen so that the amount of time between the issue date and expiration date of a certificate is too small for anyone to make the required computations to produce a private key from a public key and thereby falsify digital signatures. If a macro is signed with a certificate after the certificate has expired, the signature is not considered valid. Certificate authorities provide a certified timestamp that can be applied as part of a digital signature when a document is signed. The timestamp proves when the document was signed and can be compared to the expiration date of the certificate to verify that the document was signed before the certificate expired. You can specify the URL of a timestamp authority for Office to use in the following registry key: HKEY_CURRENT_USER\Software\Microsoft\VBA\Security Within this subkey, you specify values for the following entries:
Signing macros by using the Visual Basic EditorYou sign Office 2000 macros in the Visual Basic Editor before saving the macro. To sign a macro in the Visual Basic Editor
|
|
Topic Contents | Previous | Next | Top Friday, March 5, 1999 © 1999 Microsoft Corporation. All rights reserved. Terms of use. | ||
License
|