XLplus and Macro Security
XLplus and all XLplus Add-Ons are delivered with a digital signature.
Digital signatures help protect against Macro Viruses. This protection is only available with MS Excel Version 2000 or higher.
The following gives a brief overview of Macro Security and digital signatures.
If you have more questions regarding macro security or its enterprise-wide implementation, please contact us: digital-ecom GmbH.
Digital Signatures and Certificates:
A digital signature signs a VBA Macro - the signature confirms authorship of the macro (the signature is valid) or alerts the user (the signature is invalid).
You can think of a digital certificate as the electronic counterpart of an identification card, such as a driver's license or passport. The process for validating a digital certificate is similar to the process used to issue a physical ID card. A certification authority validates information about software developers or data providers and then issues digital certificates to them. The digital certificate contains information about the person to whom the certificate was issued, as well as information about the certifying authority that issued it. Additionally, some certifying authorities may be certified by another hierarchy of one or more certifying authorities, and this information is also part of the certificate. When a digital certificate is used to sign programs and documents, this ID information is stored with the signed item in a verifiable form so that it can be displayed to a user to establish a trust relationship.
Digital certificates use an asymmetric cryptographic technology called public-key cryptography to sign documents or code and to verify the integrity of the certificate itself.
A user of digitally signed software can check whether the certificate used for signing the software is valid. If the signature is valid, the user can be sure that the software originates from the stated source and has not been changed since it was shipped.
A comprehensive overview of MS Office security is given by the following article: Microsoft Office 2003 Security White Paper.
Configuration of Macro Security:
In the following we will briefly show your options regarding Macro Security using MS Excel.
MS Excel 2000 - 2003:
You can find the configuration options in the menu: Tools - Macros - Security.
Note: Depending on your version of MS Excel, this Dialog might look different. The screenshot is from MS Excel 2000.
Using MS Excel 2003, you can choose from the following options:
- Very High
This option allows macros to run only if the following two criteria are met:
- The executable is stored in a specific trusted location on the local hard disk
- The "Trust all installed add-ins and templates" option in the application is set to checked.
MS Excel knows the following two trusted locations:
- \Application Data\Microsoft\Excel\XLSTART
- \Microsoft Office\Office11\XLSTART
- High
All unsigned Macros are automatically deactivated.
- Medium
The user can choose whether to run Macros or not.
- Low
All Macro protection is deactivated and all Macros will be run without warnings. This setting is not recommended.
MS Excel 2007+:
In MS Excel 2007+ similar settings are available. Within Trust Center - Macro Settings, choose one of:
- Disable all macros without notification
- Disable all macros with notification
- Disable all macros except digitally signed macros
- Enable all macros
Tip: The Trust Center can be found in: Excel Options - Trust Center.
You can additionally choose to trust only digitally signed Application Add-Ins.
You should add digital-ecom GmbH to your trusted publishers, too. This will prevent further security warnings like "The digital signature is valid, but the signature is from a publisher whom you have not yet chosen to trust." See XLplus - First Start for details.
Note: Since our certificate expires on 04.10.2011, security warnings might be shown again after that date. These warnings might be shown regardless of the time stamp that was set on the macro's certificate. See Time Stamp below for details regarding time stamping code.
MS Office 2007+ still supports Trusted Locations. Documents (or applications) started from such a location are trusted and therefore enabled by default. XLplus installs itself into a subdirectory of your personal documents folder - this directory is, of course, untrusted. However, you can add the directory XLplus is installed in to your trusted locations.
Note: Do not add your personal documents folder to the trusted locations - this will lower your security settings significantly!
A comprehensive description of all settings can be found here: Understanding Macro Security Levels in Office.
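The two settings this section warns about (running all macros without warning, and trusting the whole personal documents folder) can be checked from a registry export. The following is an added example, not part of XLplus or the original page: it assumes the per-user Office values VBAWarnings (Excel 2007+), Level (Excel 2000 - 2003) and the Trusted Locations subkeys, and the sample export, the user name and the documents_dir parameter are constructed for illustration.

```python
import re

# Constructed `reg export` text for Excel 2007 (Office 12.0); user and paths are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security]
"VBAWarnings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations\Location0]
"Path"="C:\\Users\\alice\\Documents\\XLplus\\"
"AllowSubFolders"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security\Trusted Locations\Location1]
"Path"="C:\\Users\\alice\\Documents\\"
"AllowSubFolders"=dword:00000001
'''

def parse_reg(text):
    """Parse `reg export` text into {key: {value_name: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"'):
                current[name] = raw[1:-1].replace("\\\\", "\\")  # undo .reg escaping
    return keys

def audit(text, documents_dir):
    """Return findings for the two settings this page warns about."""
    docs, findings = documents_dir.rstrip("\\").lower(), []
    for key, vals in parse_reg(text).items():
        k = key.lower()
        # VBAWarnings=1 (2007+) and Level=1 (2000 - 2003) both mean "run all macros".
        if k.endswith("\\excel\\security") and 1 in (vals.get("VBAWarnings"), vals.get("Level")):
            findings.append(("macros", "all macros enabled without warning"))
        if "\\trusted locations\\" in k and "Path" in vals:
            path = vals["Path"].rstrip("\\").lower()
            covers = docs.startswith(path + "\\") and vals.get("AllowSubFolders") == 1
            if path == docs or covers:
                findings.append(("location", vals["Path"]))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, r"C:\Users\alice\Documents"))
```

The XLplus subdirectory (Location0) passes, while the documents folder itself (Location1) and the "Enable all macros" setting are reported.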
XLplus - First Start:
When you start XLplus for the first time with security settings of type High or Medium, the following Dialog is shown:
MS Excel 2000 - 2003:
MS Excel 2007+:
You can view information about the digital certificate of XLplus. To do so, select the option Details or Show Signature Details.
You should see a Certificate similar to the one in the above picture; now you can inspect all details of the certificate. If the certificate shown differs from the given screenshot, check the following:
- Is the Certificate valid or are hints displayed, indicating that the Certificate is invalid, changed, faked or in any other way unusable?
- Does the Certificate show the warning "Windows does not have enough information, in order to verify this certificate"?
If the Certificate is unusable, please download a new, correct version of XLplus from our webpage and install it.
After you have checked the validity of our Certificate, you can start trusting our tools. In Excel 2000 - 2003 select Always trust macros from this source; in Excel 2007+ use Trust all from publisher.
Certificate Path:
Certificates are structured in a hierarchy. The Root of a Certificate is a trustworthy authority (Root Certificate Authority); in the case of our Certificate, the company TC TrustCenter Class 2 CA II is the Certificate Authority. Trust Center is one of the Certificate Publishers recommended by Microsoft. Your Browser should already contain a Root Certificate from Trust Center. Since Certificates can be issued for various needs, they are often structured hierarchically. The structure of our Certificate is:
- TC TrustCenter Class 2 CA II
- TC TrustCenter Class 2 L1 CA XII
- digital-ecom GmbH
The Hierarchy of a Certificate can be viewed:
Windows does not have enough information, in order to verify this certificate:
Sometimes, the following (or similar) warning is shown.
The Certificate, created by Trust Center and issued to digital-ecom GmbH, is a Certificate that exists within a hierarchy of Certificates.
Your Browser should already contain a Root Certificate of Trust Center and therefore generally trust all other Certificates of this Certificate Authority. You can therefore trust the Certificate of digital-ecom GmbH and use XLplus without limitations. Additionally, you can view the Details of the Certificate and check it for validity.
In order to have Windows automatically check the correctness of our Certificate, the complete chain of Certificate Authorities must be present.
Windows XP SP 2 and all newer versions of Windows will perform a check of missing root certificates automatically. Whenever an application requests checking a certificate, whose root certificate cannot be found in your certificate store, Windows will automatically look up certificates in Windows Update. If found, the required root certificate will be installed automatically for you.
If Windows fails to look up the root certificate of Trust Center, you might have disabled this automatic process.
You can find more details about this as well as Members of Windows Root Certificates in information provided by Microsoft. The current list of root certificates can be found in this PDF document.
If required, you can manually retrieve missing Certificates from Trust Center and import them into your Certificate store. Afterwards, your (Windows) Operating System knows the complete hierarchy of Certificates and is able to automatically check them for correctness. You can download missing Certificates from the Trust Center webpage.
After you saved the Certificates locally on your Computer, you can import them using your Browser.
Example: When using Internet Explorer, select: Internet Options - Content - Certificates - Import and follow the directions given. Afterwards, all Certificates stated within the Certificate Path are available and the warning will no longer appear.
Time Stamp:
Digitally signing a macro improves the security of your system, but it becomes pretty useless once the digital certificate has expired. Once the certificate has expired, your system starts showing warning messages whenever you execute the signed code.
Code can therefore be signed with a time stamp as well. The time stamp simply states that the digital certificate was valid at the date and time of signing.
Doing so allows using old software in a secure way. Since the digital signature was valid when the code was signed and since the integrity of the signed code is still intact, you can be sure it is the original and unaltered code you are going to use.
If the code was altered after the signature had expired, no certified signing has been applied to it - the code has no digital signature.
If the certificate has expired but the code has not been changed, the signature is still regarded as valid and safe to use.
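The decision described in the Certificate Path and Time Stamp sections can be written down as a short procedure. This is an added example and a simplified model, not the original page's code and not how Windows or Excel implement the check: the certificate names are the ones listed above, only the 04.10.2011 expiry is taken from this page, and all other dates and the function names are constructed.

```python
from datetime import datetime

# Constructed records for the chain named on this page. Only the 04.10.2011
# expiry of the signing certificate is from the page; other dates are made up.
STORE = {
    "digital-ecom GmbH": ("TC TrustCenter Class 2 L1 CA XII",
                          datetime(2008, 10, 4), datetime(2011, 10, 4)),
    "TC TrustCenter Class 2 L1 CA XII": ("TC TrustCenter Class 2 CA II",
                                         datetime(2006, 1, 1), datetime(2025, 12, 31)),
    "TC TrustCenter Class 2 CA II": ("TC TrustCenter Class 2 CA II",  # self-signed root
                                     datetime(2006, 1, 1), datetime(2025, 12, 31)),
}

def build_chain(subject, store):
    """Follow issuer links up to a self-signed root; None if a certificate is missing."""
    chain = []
    while subject in store and subject not in chain:
        chain.append(subject)
        issuer = store[subject][0]
        if issuer == subject:
            return chain
        subject = issuer
    return None

def check_signature(signer, store, digest_ok, now, timestamp=None):
    """Simplified model of the decision described in the text, not Windows' own logic."""
    if not digest_ok:
        return "invalid: code changed after signing"
    chain = build_chain(signer, store)
    if chain is None:
        return "unverifiable: certificate chain incomplete"
    # With a time stamp, validity is judged at signing time instead of today.
    when = timestamp or now
    for name in chain:
        _, not_before, not_after = store[name]
        if not not_before <= when <= not_after:
            return f"expired: {name} not valid on {when:%d.%m.%Y}"
    return "valid"
```

Removing the intermediate certificate from the store reproduces the "not enough information" case, and omitting the time stamp after 04.10.2011 reproduces the expiry warning.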
Note: Previous versions of XLplus (prior Ver. 2.50 or Ver. 3.X) were not time stamped.
Microsoft successfully managed hiding information about how to do that ... But thanks to Paul Irvine the miracle was revealed ... See Add Timestamped Certificate to Excel-VBA