How to implement digitally signed macros

By Rick Vanover, Special to ZDNet Asia
Wednesday, July 21, 2004 11:30 AM

The destructive potential of macros has forced IT professionals to extend their security focus to commonly distributed documents. To protect against this threat without curtailing distribution and use of macros, many organizations implement digital signatures, which allow verification that macros and other electronic content come from a trusted source.

Digital signatures on macros tell users who placed the signature in the document. The signature can be verified against a root certificate authority or through an internal mechanism within your organization. You can implement digital signatures with your macros by:

  • Using SelfCert.exe, the native Microsoft signing tool.
  • Using a PKI implementation.
  • Purchasing a package to give you a digital signature that is verified by a root certificate authority.

In this article, we will focus on Microsoft Excel, but other macro-enabled Office applications behave in a similar manner.

SelfCert.exe tool

Microsoft Office distributions include the SelfCert.exe tool as part of the default installation. This tool is distributed as a personal-use mechanism for creating digital signatures. It does not actually verify the identity of the author of the signature; instead, it writes a signature that it explicitly notes as not authentic. It is important to discuss this tool first, as fraudulent digital signatures may use it.

By default, the SelfCert tool is installed in C:\Program Files\Microsoft Office\Office\Selfcert.exe. Running the tool is fairly straightforward, and some basic safeguards are in place to ensure that certificate authorities are not spoofed. For example, you can't use Verisign, Inc., in the Name field of the SelfCert tool, although you can use similar variants of that name. (In other words, Verisign is rejected; Veri Sign is not.) SelfCert-created signatures don't have an actual certificate, but only a header. When you look at a certificate created with SelfCert, you'll see that it's "empty." Figure A shows an example.

Figure A

If a macro project contains a digital signature, users need to be able to distinguish a SelfCert-created certificate from a certificate authority-issued one. With Office installations using High or Medium security settings, running a macro will bring up the familiar security message to enable or disable macros. But as Figure B shows, SelfCert-created signatures appear with a warning.

Figure B

It's important to click the Details tab to get more information, because looking at the name of the macro issuer is not enough to determine whether a signature is valid. The Details tab will give the official information on any digital signature.
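The same distinction can be checked in bulk. The following is an added example, not part of the original article: a PowerShell audit that lists code-signing certificates and flags the self-signed ones, where subject equals issuer and the chain does not end in a trusted root. It assumes the certificates to review are in the current user's personal store (`Cert:\CurrentUser\My`); the function name `Get-CodeSigningCertTrust` is hypothetical.

```powershell
# Added example: classify code-signing certificates as self-signed or CA-issued.
# Assumption: the certificates to review are in the current user's personal store.
function Get-CodeSigningCertTrust {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath -CodeSigningCert | ForEach-Object {
        $cert = $_

        # A self-signed certificate names itself as its own issuer.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        # Build the chain to see whether it ends in a root this machine trusts.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation lookups so the check also works offline.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            SelfSigned   = $selfSigned
            ChainTrusted = $trusted
            ChainStatus  = if ($status) { $status } else { 'NoError' }
        }
    }
}

# Untrusted entries sort first; the display name alone proves nothing.
Get-CodeSigningCertTrust |
    Sort-Object ChainTrusted |
    Format-Table Subject, Issuer, SelfSigned, ChainTrusted, ChainStatus -AutoSize
```

An entry with `SelfSigned` true and `ChainTrusted` true means a self-signed certificate has been added to a trusted root store on that machine and deserves a closer look.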

