This chapter discusses how to use the security tools that VBA provides for distributing and implementing macros and VBA code. VBA security falls into three parts: securing your applications against rogue VBA code; establishing that your VBA code isn't itself rogue so that it can be run; and securing your code against theft, alteration, or snooping.
In this chapter you will learn to do the following:
Understand how VBA implements security
Sign a macro project with a digital signature
Get a digital certificate
Choose the appropriate security level
Designate trusted publishers
Lock your code
Macros, dialog boxes, and user forms that you write are computer programs, albeit usually rather small ones. But because macros, like any other computer program, can access the user's hard drive and manipulate other sensitive areas of the computer, they can do damage.
Office 2010, Server 2008, and the operating systems Vista and Windows 7 include a variety of security features designed to protect the user from malicious code—macro, virus, Trojan horse, or whatever. But some security features are specific to Office documents and the macros, dialog boxes, and user forms they can contain.
Note that an evil macro can do its damage automatically. It's not necessary for the user to deliberately launch it from the Macros dialog box or from within the VBA Editor. Some specially named procedures automatically launch themselves. For example, if you name one of your procedures Document_Open Sub, all the code within that Sub executes spontaneously when the user opens its host document:
Private SubDocument_Open()
This can be handy, of course. Perhaps you'll want to write some code in this procedure that automatically sets up your preferred zoom level or completes some other housekeeping task that you always perform when opening a document. But the fact that the user doesn't need to specifically choose to run this macro means that a virus can be put into this procedure.
Malicious code can enter a user's computer in three vehicles: macros, ActiveX controls, and add-ins. Microsoft provides users with various approaches to VBA security, including the following:
Certain types of Office documents that simply cannot contain any embedded macros at all. That's the difference between, for example, saving a file using the Word .docx option, which cannot contain macros, and the .docm file type, which can.
Documents that are loaded from a trusted area on the hard drive.
Trust center settings the user can specify, such as completely preventing the execution of any ActiveX controls, macros, or add-ins without even notifying or querying the user. Alternatively, the user can be prompted for permission before potentially dangerous code is allowed to be loaded.
A list of user-modifiable "trusted publishers"—companies whose documents are considered safe.
The ability to digitally sign your own documents or templates, thereby making you a "trusted publisher."
Office 2007 introduced the concept of two types of documents. For the first time, the user can save documents that simply cannot contain any macros or other potentially malicious code. By default, any new Word document is of the .docx type, not the .docm (macro-enabled) type. In other words, a document must be deliberately created as a macro-enabled document. And because it also must have a .docm filename extension, everybody else (including Word when opening the document) knows that it contains possibly dangerous code. Administrators can use Group Policy to enforce rules concerning which file types are permitted. But the default .docx file type is free of potentially risky executables (code that can execute).
Other Office applications also have pairs of macro-disabled, macro-enabled file types. Excel has .xlsx and .xlsm files, and PowerPoint has .pptx and .pptm files.
New in Office 2010 are tools that common users, administrators, and IT professionals can employ to further secure Office applications from attack:
An Office ActiveX kill bit that allows administrators to forbid certain ActiveX controls from executing.
File blocking that can be implemented via Group Policy settings or individually via the 2010 Office Trust Center. The types of files that an application can access can be more specifically controlled.
A Trusted Documents feature that allows users to specify individual documents as reliable, thereby obviating whatever macro settings the user has enforced in the Trust Center.
A scanning feature that searches for format exploits before a file can be opened by an Office 2010 application.
A sandbox Protected View. A sandbox isolates an executing program so it can't damage other programs, introduce viruses into the operating system, or store nasty surprises on the hard drive.
Various under-the-hood improvements to password security and strengthened encryption to protect the privacy of user information.
Doubtless additional hardening tactics that Microsoft is not mentioning. After all, why tell the bad people everything that's being done to prevent their incursions?
For additional details about security improvements, see the section later in this chapter titled "New Security in Office 2010."
Real Security in an Insecure World
All the virus-detection software, firewalls, digital signatures, and other security efforts in the world won't protect you or your colleagues if somebody on your network opens email attachments, downloads dodgy executables, or otherwise invites trouble into your environment.
Even if everybody is aware of the dangers and follows the best security practices, viruses and other troubles can still get in. After all, antivirus applications are always playing catch-up. A new virus is released, and then the antivirus forces identify it and send out a new update.
On the plus side, currently it's pretty rare to find macros employed as a vehicle for spreading viruses. And, of course, if you're writing the VBA code yourself—as a reader of this book—you can certainly trust the source of your macros. It's you!
Because threats are constant, and because it's ultimately impossible to guarantee that you will never get a virus (in spite of taking great pains to prevent them), you should ensure that you are taking additional precautions to at least mitigate damage.
Malicious software falls into two broad categories:
Code that attempts to do damage to you by, for example, erasing files or slowing your computer down so much that it becomes painful to use. The goal here is to create a mess you have to clean up.
Code that attempts to find out your secrets to do damage to you by, for example, stealing your identity to ruin your credit or to drain your bank account. The issue here is violation of your privacy, a different kind of mess you have to clean up.
If you're concerned about privacy, you should encrypt any documents containing sensitive information. Fortunately, with Office 2007 the formerly weak Office encryption scheme was replaced with a highly secure one. Additionally, Office 2010 has further toughened the built-in encryption schemes as well as adding a new integrity checking technology for encrypted files. PowerPoint, Word, and Excel all permit you to encrypt files and then decrypt them by providing a password. Click the Office button, click the Prepare option in the left pane, and then click Encrypt Document.
If you're worried about a virus attack, be sure to back up your documents (you should do this anyway, in case of a drive crash, fire, theft, and so on). These days, with terabyte external drives selling for around $100, it's practical to store your entire computer system—documents, programs, inbox email, everything—as an image on an external drive. That way, you wouldn't even have to reinstall applications in the event of a serious problem. You can use third-party backup systems. Or use Windows's built-in system by choosing Start
To secure an application against rogue VBA code, you can use the Office Trust Center to choose the level of security that you want the application to use when running VBA code. Click the File tab, then choose Options. Click the Trust Center button in the left pane, and click the Trust Center Settings button.
You can also specify which sources to trust and how much to trust them. A trusted source might be someone who works for the same company as you or someone who has a digital certificate from a third party you trust, such as the VeriSign certification authority. Because you (in this example) trust VeriSign, you therefore trust the third party to whom VeriSign has issued a digital certificate. Office 2010 adds a trusted time-stamping feature to the digital signature technology.
To establish that your own code is fine for the applications to trust, you sign a document or template project that contains customizations or macro project items (code modules, class modules, or user forms) with a digital signature generated by a digital certificate that uniquely identifies you or your company. This chapter shows you this technique first because it sets the stage for specifying the level of security to use.
To secure your code, you can lock a macro project with a password so that nobody can open the code. Doing so serves both to prevent anyone from tinkering with your code and either stopping it from working or rendering it harmful and to protect your intellectual property: If nobody can see your code, they can't steal your ideas. The section "Locking Your Code" shows you how to do this.
VBA provides a security mechanism for securing macro projects with digital signatures. The digital signatures provide a means of establishing the provenance of the projects, which should help you decide whether to trust the code. If you trust the source of the code to produce benevolent code, you can open the project and run the code. If you suspect the source or the information of being malignant, you can either avoid opening the project or open the project with the code disabled.
The same goes for other people: If others are concerned about macros, you may need to sign your projects so that other people know where they come from and who created them. Once you've signed the projects, the code is available to any application that has specified you as a trusted source for macro projects. (This assumes users have chosen one of the Disable options in the Macro Settings dialog box. You'll see how to set the security level later in the section "Specifying a Suitable Security Setting.")
The following sections discuss what digital certificates are, what they mean in practical terms, how you obtain them, and how you use them to create digital signatures.
A digital certificate is a piece of code that uniquely identifies its holder. You use your digital certificate to create a digital signature for a project. This project can be a document project, a template project, or an add-in. The project doesn't have to contain macros, procedures, user forms, classes, or VBA code for you to sign it, although these contents are the usual reason for signing a project.
A digital signature applies to a whole macro project, typically a document project or a template project. You can't apply a digital signature to just part of a project—say, just to one module of code or to one user form. Each macro project item in that macro project—each module, user form, class, and reference—is covered by the digital certificate.
There are several types of digital certificates: those you create yourself as described earlier, those you get from your company or organization, and those you get from a commercial certification authority, or certificate authority (CA).
A digital certificate you create yourself is of little use to people beyond you and those who trust you, whereas a certificate from a commercial certification authority should be good enough for general use in the world. A certificate issued by your company falls in the middle range of trustworthiness: In many cases, the company will have obtained the certificate from the commercial certification authority, which means the commercial certification authority has established to its satisfaction that the company is trustworthy. Whom the company chooses to trust with the certificate is another matter and introduces another complicating link into the chain of trust. However, server software such as Windows 2003 Server include independent certification-authority services that do not require a certificate from a commercial certification authority, so you should be careful which certificates you trust. See the section "Whose Certificate Is It, and What Does It Mean?" later in this chapter for a discussion of how to discern a certificate's provenance and meaning.
The quickest and easiest way of getting a digital certificate is to create one yourself. This kind of certification only works on the computer on which the certificate was created.
To understand how digital certificates work, you'll probably want to create several of your own and practice with them on sample files. By designating some of your digital certificates as trusted publishers and leaving others untrusted, you can get a clear idea of how digital certificates work without having to use suspect code on your system.
To open the Create Digital Certificate dialog box (see Figure 19.1), choose Start
Type the name for the certificate in the text box, and then click the OK button. The SelfCert application creates the certificate and installs it automatically.
Your second option is to get a digital certificate from a digital certificate server that your company has. The details of this procedure vary from company to company. The certificates the company provides via its digital certificate server are generated in the same fashion as the digital certificates distributed by the commercial certification authorities discussed in the next section. However, a company distributes the certificates from a pool that it has allocated, without needing to apply to the certification authority for each certificate as it's needed, or creates the certificates of its own accord without getting them from a certification authority.
Your third choice is to get a digital certificate from a commercial certification authority such as these:
VeriSign (
www.verisign.com)Thawte, Inc. (
www.thawte.com, a VeriSign company)GeoTrust (
www.geotrust.com, another VeriSign company)DigiCert (
www.digicert.com)Comodo (
www.comodo.com)
VeriSign's computers handle four trillion lookups per day, but the company plans to spend $300 million over the next decade to increase that capacity to four quadrillion.
Several types of certificate are available, depending on what you want to do. If you're creating and distributing software, you'll probably want to consider one of the certificates targeted at developers.
The procedure for proving your identity varies depending on the CA and the type of certificate you want. Generally speaking, the greater the degree of trust that the certificate is intended to inspire, the more proof you'll need to supply. For example, you can get a basic certificate on the strength of nothing more than a verifiable email address, but this type of certificate is unlikely to make people trust you. Other certificate types require you to appear in person before a registration authority with full documentation (such as a passport, driver's license, or other identity documents). Such certificates inspire more trust.
Once you have a digital certificate, you need to install it so that Windows and the applications that will use it know where it's located.
To install a digital certificate, follow these steps (you must be logged on as Administrator to view the Certificates dialog box):
Click the Start button. A Search programs and files (Start Search in Vista) field opens just above the Start button.
In the Search Programs and Files field, type
certmgr.msc.When
certmgr.mscappears in the Programs list, click it. You'll likely be asked if you want to give yourself permission to take this step. Go ahead and grant the permission by clicking the Continue button.You now see the Certificates dialog box shown in Figure 19.2.
As you can see in Figure 19.2, I, Richard, granted code signing certification to myself, also Richard, as described earlier in this chapter in the section "Creating a Digital Certificate of Your Own."
Click the Trusted Publishers folder in the left pane of the Certificates dialog box.
Choose Action
Click the Next button in the wizard to locate the file you want to import.
Click Next to display the Certificate Store page of the wizard, shown in Figure 19.4.
Choose how to store the certificate:
To have Windows store each certificate automatically in the default certificate store for the certificate's type, select the Automatically Select the Certificate Store Based on the Type of Certificate option button.
To control where Windows stores the certificates, select the Place All Certificates in the Following Store option button. To specify the store, click the Browse button to display the Select Certificate Store dialog box, shown in Figure 19.5. Choose the certificate store (for example, Personal) and click the OK button. To specify a particular location within a certificate store, select the Show Physical Stores check box, and then click the plus (+) sign next to the store in question to display its subfolders. Select the folder you want, and then click the OK button.
Click the Next button to finish setting up the import procedure. The Completing the Certificate Import Wizard dialog box is displayed to confirm the choices you've made.
Review your choices, and then click the Finish button. The Certificate Import Wizard imports the certificate and then confirms that the operation was successful.
If you decide to import the certificate into the root certificate store rather than one of the other stores, Windows displays a Security Warning dialog box (see Figure 19.6) to make sure you understand that placing the certificate in the root store will make Windows automatically trust any certificate issued by the CA. Double-check the certificate, as it probably belongs in another store.
Now that you've imported the certificate, it appears in the Certificates dialog box on the appropriate page.
You may need to export a certificate for backup so that you can keep it safely on removable media away from your computer or so that you can install it on another computer. For security, you should not store the digital certificate on your hard drive after you install it, because storing it there is a security risk.
Figure 19.6. Windows displays a Security Warning dialog box when you're about to import a certificate into the root certificate store.
To export a certificate, select it in the Certificates dialog box and click the Export button. Windows starts the Certificate Export Wizard, which walks you through the process of exporting the certificate. If you choose to export the private key with the certificate, be sure to protect it with a password.
To remove a digital certificate from Windows's digital certificate store, follow these steps:
Display the Certificates dialog box (follow steps 1, 2, and 3 in the section earlier in this chapter on installing a certificate).
Click the folder in the left pane that contains the digital certificate in question, and then select the certificate you want to remove.
Click the red X icon, or choose Action
Once you've completed a macro project and have it ready for distribution, you sign it with a digital signature so that applications that use a high level of security can use it.
Figure 19.7. Two of the warnings the Certificate Manager displays when you're about to remove a digital certificate.
To sign a macro project digitally, follow these steps:
In the VBA Editor, navigate to the document or template project that contains the macro project.
Select the project in the Project Explorer.
Choose Tools
Figure 19.8. Use the Digital Signature dialog box to specify the digital signature for a macro project.
If the Digital Signature dialog box lists the certificate you want in the Sign As area, simply click the OK button to use that certificate.
Click the Choose button. If you have more than one certificate, you'll see a Select Certificate dialog box. (If you have only one certificate, you'll see the Windows Security dialog box where you can confirm your choice, as shown in Figure 19.9. You should then skip to step 7.)
Click the certificate you want to use for the macro project.
Click the OK button to apply the selected certificate and close the Select Certificate dialog box.
Click the OK button to close the Digital Signature dialog box.
Click the Save button on the Standard toolbar, press Ctrl+S, or choose File
To remove a digital signature from a macro project, follow these steps:
In the VBA Editor, navigate to the document or template project that contains the macro project.
Select the project in the Project Explorer.
Choose Tools
Click the Remove button. Both the Certificate Name readout in the area labeled The VBA Project Is Currently Signed As and the Certificate Name in the Sign As area of the Digital Signature dialog box will display [No Certificate] to indicate that the project currently has no digital certificate assigned to it.
Click the OK button to close the Digital Signature dialog box.
You can always reapply the digital signature to the project whenever you wish, as described earlier in this chapter.
When you receive a digitally signed project, you'll want to find out who has signed it and what type of digital certificate they used. To view the details of a digital certificate, follow these steps:
In the VBA Editor, navigate to the document or template project that contains the macro project.
Select the project in the Project Explorer.
Choose Tools
Click the Details button to display the Certificate dialog box (see Figure 19.10).
If you want to view the details of one of your own certificates, click the Choose button in the Digital Signature dialog box, choose the certificate in the Select Certificate dialog box, and then click the View Certificate button to display the Certificate dialog box.
You can also view a certificate by double-clicking its entry in the Certificates dialog box.
The Certificate dialog box has three pages:
The General page displays basic information about the certificate: for what purpose the certificate is intended, to whom it's issued, by whom it's issued, and the period for which it's valid.
The Details page of the Certificate dialog box, shown in Figure 19.11, contains specifics on the certificate. Click one of the fields in the list box to display its value in the text box below.
The Certification Path page of the Certificate dialog box shows the path by which the certificate has been issued from the issuing authority to the current holder. To check one of the links in the chain, select it in the Certification Path list box and click the View Certificate button (if it's available). You'll see the Certificate dialog box for the certificate in question. You can then follow the certification path for that certificate if you choose or click the OK button to dismiss the second (or subsequent) Certificate dialog box and return to the previous one.
Figure 19.11. The Details page of the Certificate dialog box contains a host of details about the certificate.
When you finish exploring the certificate, click the OK button to close the Certificate dialog box.
To use VBA macros safely, you or a user of your code must use the Office Trust Center to choose a suitable level of security—high enough to avoid the threats posed by malicious or incompetent code but low enough that it doesn't prevent you from running useful, safe code.
As macro languages have grown in power and sophistication over the years, so has the threat they pose when misused. Using relatively simple VBA commands, you can create files, delete files, manipulate existing data, and control other applications.
Even code developed with the best of intentions can damage a computer when run under unsuitable circumstances—for example, a procedure might delete valuable data or delete critical files, making the computer crash. Such unintentional damage happens frequently enough, but what tends to make the headlines is damage caused intentionally by malicious code in macro viruses and other malicious software (or malware).
A macro virus is simply a computer virus written in a macro language such as VBA.
Protecting your computer (and computers connected to it) against macro viruses requires three main steps:
Install and run antivirus software, such as Avira AntiVir (
www.avira.com) or Spyware Doctor (www.pctools.com), on your computer. Update the antivirus software frequently and regularly with the latest virus definitions. (Most antivirus software offers automatic updating.)Configure suitable security settings in the applications you use, especially in those applications that host VBA or other programming languages or scripting languages. For example, configure VBA security settings as described in the next section.
Be careful when opening any file that might contain code or an email attachment. Most modern applications warn you when there might be a problem with a file. Many macro viruses attempt to outwit such warnings by social engineering—conning the user—rather than by sophisticated programming. For example, a macro virus may transmit itself as an email attachment to all the addresses in a friend's email application. The message and attachment suggest that the contents of the attachment are interesting or amusing—for example, jokes or compromising pictures. Because the file comes from a friend, someone known and trusted, and because the contents seem compelling, many users will open the file and ignore any security warnings. The action of simply opening the file can cause the code within the file to execute. Similarly, simply opening a Word
.docmfile can execute a macro.
First, set a suitable level of security for your purposes. To open the Options dialog box in Access, Word, Excel, or PowerPoint, click the File tab, then choose Options. Click the Trust Center button in the left pane. Then Click the Trust Center Settings button, and click Macro Settings (see Figure 19.12). The various settings are self-explanatory. However, if you are working in documents that you've created yourself and saved as the .docm type, having written your own macros, you can temporarily choose the Enable All Macros option. At least while you're practicing with the examples in this book, you can trust your own documents. However, if you are opening macro-enabled document files (.docm or the other files from PowerPoint or Excel with an m appended to the filename extension), you should specify a less risky setting in your Trust Center macro settings.
However, there's an easier way that some will prefer. You can alternatively (and more safely) employ one of the disable options shown in Figure 19.12, but while doing development work with VBA (such as experimenting with the code in this book), just ensure that you save your .docm documents in one of the trusted locations. You can see the list of trusted locations by clicking the Trusted Locations button shown in the left pane in Figure 19.12.
Notice three security features listed in the left pane in Figure 19.12 that are new in Office 2010:
Trusted Documents
Protected View
File Block Settings
Open the Trusted Documents page in the Trust Center dialog box and you'll see the options illustrated in Figure 19.13:
Figure 19.13. On this page of the Trust Center dialog box, choose whether you want to trust individual documents on a case-by-case basis.
When you trust an individual document, you're telling Office that it can stop notifying you or otherwise blocking executable content (such as macros or ActiveX controls) in this document. Thus you can override on a case-by-case basis the macro settings (see Figure 19.12) that you've specified.
Figure 19.14 shows the new Protected View option. This is similar to starting Windows in Safe Mode. In Protected View, executables are disabled. This sort of protection is sometimes referred to as a sandbox. The protected document is in effect quarantined, so it theoretically can't do any harm to your computer or its contents. Theoretically because as we all know, no security is perfect. Note that in its description of Protected View in Figure 19.14, Microsoft carefully states that this mode will "help minimize harm": no claim of invulnerability. All the Protected View options are turned on by default, so files you get from the Internet and Outlook attachments, for example, are automatically tossed into the sandbox when opened.
The File Block Settings page, shown in Figure 19.15, gives you the ability to block individual file types from opening or open them in Protected View. Here you can also specify which types of files can be saved. Notice at the bottom of this page that you specify what choosing the Open option means:
Do not open selected file types means documents are totally blocked.
Open selected file types in Protected View means you can open documents in the sandbox for reading only.
Open selected file types in Protected View and allow editing means you can open documents in the sandbox for editing.
If you want to delve more deeply into Office 2010 security features, take a look at this web page and the links therein:
http://technet.microsoft.com/en-us/library/cc179050(office.14).aspx
VBA provides two ways of designating trusted publishers: by trusting publishers identified in templates and add-ins already installed on the computer and by permitting you to add new trusted publishers that are embedded in documents you open.
To find out whom the computer trusts already, open the Trust Center by clicking the File tab; then choose Options. Click the Trust Center button in the left pane, and click the Trust Center Settings button. Click the Trusted Publishers option in the left pane. Figure 19.16 shows the Trusted Publishers page of the Security dialog box for Excel 2003.
To add a trusted publisher, open a document or template that contains VBA code from the source you want to add. The application will detect the untrusted code and will display a Security Alert dialog box (see Figure 19.17 and Figure 19.18).
Figure 19.17. When you open a file (or load an add-in) that contains code from a source that isn't currently specified as trusted, the application displays the Microsoft Word Security Notice dialog box.
If the file contains a valid digital signature but it's not in your list of trusted publishers, you see the dialog box displayed in Figure 19.18.
If you want to add a publisher to your list of trusted publishers, click the option button at the bottom of Figure 19.18. To temporarily permit this particular document's risky contents, click the Enable This Content option button.
Figure 19.18. When you open a file (or load an add-in) that contains code from a source with a valid digital signature, you have the option of adding this publisher to your list of trusted publishers.
The Security Alert dialog box shown in Figure 19.18 tells you several things:
The name and location of the file containing the untrusted code.
The name of the person or company that signed the code.
Whether the digital signature on the certificate is trustworthy. (In the figure, it isn't.)
From the Security Alert dialog box, you have several options:
You can click the Show Signature Details link to display the Certificate dialog box and then inspect the certificate as discussed earlier in the chapter. You'll probably want to take this step first with a file you're not sure about. Examining the certificate may help you decide on one of the next two choices.
If the Enable This Content option button is available, you can click it to open the file with the procedures and customizations enabled.
You can click the close button on the Security Alert dialog box to close the dialog box without opening the file. Doing so is useful both when you don't want to deal with the question and when you want to set a different level of security before opening the file. For example, if you have the high level of macro security set and you encounter the Security Alert dialog box, you might want to duck the decision so that you can set a lower level of security in the Trust Center (enable macros, for example) instead. That setting will allow you to enable the procedures in the document or template temporarily without adding their creator to your list of trusted publishers.
Once you've specified a publisher as trusted, any of the VBA-enabled applications will open files containing procedures from that source.
To remove a previously trusted source from your list of trusted publishers, follow these steps:
Click the Start button. A Search Programs And Files (Start Search in Vista) field opens just above the Start button.
In the Start Search field, type
certmgr.msc.When
certmgr.mscappears in the Programs list, click it. You'll likely be asked if you want to give yourself permission to take this step. Go ahead and grant the permission by clicking the Continue button.Click the Trusted Publishers folder in the left pane of the Certificates dialog box.
Click the Certificates folder to display the trusted publishers.
In the list box, click the trusted source that you want to remove to select it.
Click the red X button (or choose Action
To prevent anyone from viewing the contents of a macro project, you can lock it with a password. You'll usually want to do this before distributing a project to your colleagues. If your workplace is particularly volatile, you might even want to lock projects under development on your own desktop as well. The argument against locking a project on which you're still actively working is that the lock adds a step to accessing the modules and forms in the project—but if you need the security, it's well worth the small amount of effort involved.
Follow these steps to lock a document or template project:
Press Alt+F11 to display the VBA Editor.
In the Project Explorer, right-click the project that you want to lock, and choose Project Properties from the context menu to display the Project Properties dialog box. Alternatively, select the project in the Project Explorer and choose Tools
Click the Protection tab to display the Protection page (see Figure 19.19).
Select the Lock project for viewing check box in the Lock Project group box.
In the Password to view project properties group box, type a password in the Password text box and the same password in the Confirm Password text box. Setting a password is compulsory: You can't lock a project without specifying a password. Without a password, how could you unlock it?
Click the OK button to apply the locking to the project. The VBA Editor closes the Project Properties dialog box but leaves the contents of the project open for you to view and work with.
Switch back to the application, save your work, and close the application.
Once you've done that, the project is locked and can't be viewed or edited without the password. When you choose to edit a procedure in the project from the application or try to expand the project in the Project Explorer in the VBA Editor, the Project Password dialog box appears, as shown in Figure 19.20 (unless you have macros disabled in the Trust Center settings).
Figure 19.20. When you open a locked project, you need to enter the password for the project in this Project Password dialog box.
Type the password in the Password text box and click the OK button to display the contents of the project. (If you enter the wrong password, the application or the VBA Editor displays the Project Locked message box followed by the Project Password dialog box for you to try again.)
To unlock a project, open it in the VBA Editor (supplying the password), display the VBA Project Properties dialog box (by right-clicking the project's name in the Project Explorer, then choosing the Project Properties option from the context menu), clear the Lock Project For Viewing check box on the Protection page, and click the OK button. Save the file that contains the project.
- Understand how VBA implements security
Microsoft takes a multipronged approach to protecting users from malicious VBA code embedded in documents and capable of launching itself when the user simply opens the document.
- Master It
Name two ways that users are protected from malicious VBA code.
- Sign a macro project with a digital signature
You can add a digital signature to your projects by creating your own certification, getting it from your company, or getting it from certification authorities such as VeriSign.
- Master It
Describe the limitations of certifying a VBA macro project for yourself without obtaining a certificate from your company or a commercial certification authority.
- Get a digital certificate
Commercial certification authorities provide the greatest level of security, but their certification is also more difficult to achieve than self-certification or obtaining certification from your company.
- Master It
Name some of the ways you may be required to prove your identity when obtaining a digital signature from a commercial certification authority.
- Choose the appropriate security level
Choosing the right security level to use VBA macros safely, you or a user of your code must achieve a balance. The security level must be set high enough to avoid malicious or incompetent code but low enough that it doesn't prevent the execution of useful, safe code.
- Master It
To set a suitable level of security for your purposes, open the Trust Center in Access, Word, Excel, or PowerPoint. You'll see four settings. Which one of the following five settings is not available?
Disable All Macros Without Notification
Disable All Macros With Notification
Disable All Macros Except Digitally Signed Macros
Enable All Macros With Notification
Enable All Macros
- Designate trusted publishers
You can add publishers to the list of trusted publishers.
- Master It
How do you add a publisher to the list of trusted publishers?
- Lock your code
You can protect your source code in the VBA Editor from others. You add a password to a project (the items in boldface in the Project Explorer) and others can't open your VBA procedures for reading or modifying.
- Master It
What is the one drawback to locking your code?