Plan security settings for VBA macros for Office 2010
Applies to: Office 2010
Topic Last Modified: 2011-08-05
If you want to control the way Visual Basic for Applications (VBA) and VBA macros behave, you can modify Microsoft Office 2010 VBA and VBA macros settings for the following applications: Microsoft Access 2010, Microsoft Excel 2010, Microsoft PowerPoint 2010, Microsoft Publisher 2010, Microsoft Visio 2010, and Microsoft Word 2010.
In this article:
About planning VBA macro settings
Change the security warning settings for VBA macros
Disable VBA
Change how VBA macros behave in applications that are started programmatically
Change how encrypted VBA macros are scanned for viruses
Related VBA macro settings
About planning VBA and VBA macro settings
Office 2010 provides several settings that enable you to control the behavior of VBA and VBA macros. By configuring these settings, you can do the following:
Change the security warning settings for VBA macros. This includes disabling VBA macros, enabling all VBA macros, and changing the way that users are notified about VBA macros.
Disable VBA.
Change how VBA macros behave in applications that are started programmatically through Automation.
Change how antivirus software scans encrypted VBA macros.
For information about how to configure security settings in the Office Customization Tool (OCT) and the Office 2010 Administrative Templates, see Configure security for Office 2010.
By default, VBA is enabled and trusted VBA macros are allowed to run. This includes VBA macros in documents that are saved in a trusted location, VBA macros in trusted documents, and VBA macros that meet the following criteria:
The macro is signed by the developer with a digital signature.
The digital signature is valid.
This digital signature is current (not expired).
The certificate associated with the digital signature was issued by a reputable certification authority (CA).
The developer who signed the macro is a trusted publisher.
Note
The default security setting for macros is different in Microsoft Outlook 2010. For more information, see the Outlook 2010 security documentation.
VBA macros that are not trusted are not allowed to run until a user clicks the Message Bar and selects to enable the VBA macro.
Change the security warning settings for VBA macros
Office 2010 provides a setting that enables you to change the security warning settings and the behavior of VBA macros. Use the following guidelines to determine how to configure this setting if you want to change how users are notified about untrusted VBA macros or change the default behavior of VBA macros.
Setting name: VBA Macro Notification Settings
Description: This setting controls how applications warn users about Visual Basic for Applications (VBA) macros. You configure this setting on a per-application basis for Access 2010, Excel 2010, PowerPoint 2010, Publisher 2010, Visio 2010, and Word 2010. You can select one of four possible options for this setting:
Disable all with notification The application displays the Trust Bar for all macros, whether signed or unsigned. This is the default setting.
Disable all except digitally signed macros The application displays the Trust Bar for digitally signed macros. This allows users to enable them or leave them disabled. Any unsigned macros are disabled, and users are not notified or given the ability to enable the unsigned macros.
Disable all without notification The application disables all macros, whether signed or unsigned, and does not notify users.
Enable all macros (not recommended) All macros are enabled, whether signed or unsigned. This option can significantly reduce security by letting dangerous code to run undetected.
Impact: If you enable this setting and select the Disable all except digitally signed macros option, documents and templates that contain unsigned macros lose all functionality supplied by those macros. To prevent this loss of functionality, users can put files that contain macros in a trusted location.Important
If Disable all except digitally signed macros is selected, users cannot open unsigned Access 2010 databases.
If you select Disable all without notification, documents and templates that contain unsigned and signed macros lose all functionality supplied by those macros. This is true even if a macro is signed and the publisher is listed in the Trusted Publisher list.
Guidelines: Organizations that have a highly restrictive security environment typically enable this setting and select the Disable all except digitally signed macros option. Organizations that do not let users run macros typically enable this setting and select Disable all without notification.
Disable VBA
Office 2010 provides a setting that enables you to disable VBA. By default, VBA is enabled. Use the following guidelines to determine how to configure this setting if you want to disable VBA.
Setting name: Disable VBA for Office applications
Description: This setting disables VBA in Excel 2010, Microsoft Outlook 2010, PowerPoint 2010, Publisher 2010, Microsoft SharePoint Designer 2010, and Word 2010, and prevents any VBA code from running in these applications. You cannot configure this setting on a per-application basis. It is a global setting. Enabling this setting does not install or remove any VBA-related code from a user’s computer.
Impact: If you enable this setting, VBA code does not run. If your organization has business-critical requirements for using documents that have VBA code, do not enable this setting.
Guidelines: Organizations that have a highly restrictive security environment typically enable this setting.
Change how VBA macros behave in applications that are started programmatically
Office 2010 provides a setting that enables you to change the way VBA macros behave in applications that have been started programmatically through Automation. By default, when a separate program is used to programmatically start Excel 2010, PowerPoint 2010, or Word 2010, any macros can run in the application that was programmatically started. Use these guidelines to determine how to configure this setting if you want to do the following:
Prevent macros from running in applications that are programmatically started through Automation.
Allow VBA macros to run according to the VBA macro security settings that are configured for the applications that are programmatically started through Automation.
Setting name: Automation security
Description: This setting controls whether macros can run in an application that is opened programmatically by another application. This setting is a global setting and applies to Excel 2010, PowerPoint 2010, and Word 2010. You cannot configure this setting on a per-application basis. You can choose one of three possible options for this setting:
Disable macros by default All macros are disabled in the programmatically opened application.
Macros enabled (default) Macros are allowed to run in the programmatically opened application. This option enforces the default configuration.
Use application macro security level Macro functionality is determined according to how you configure the VBA macro warning settings setting for each application.
Impact: If you enable this setting and select the Disable macros by default option, macros will not run in applications that are programmatically started. This can be a problem if an application is started programmatically and then opens a document or a template that contains macros. In this case, the functionality that is provided by the macros is not available. The same situation might occur if you select the Use application macro security level option and you disable macros using the VBA macro warning settings setting.
Guidelines: Most organizations enable this setting and select the Use application macro security level option. However, organizations that have a highly restrictive security environment typically enable this setting and select the Disable macros by default option.
Change how encrypted VBA macros are scanned for viruses
Office 2010 provides a setting that enables you to modify the way encrypted VBA macros are scanned by antivirus software in Excel 2010, PowerPoint 2010, and Word 2010. By default, if a document, presentation, or workbook is encrypted and contains VBA macros, the VBA macros are disabled unless an antivirus program is installed on the client computer. In addition, encrypted VBA macros are scanned by the client computer’s antivirus program when a user opens a document that contains encrypted macros. Use these guidelines to determine how to configure this setting if you want to do the following:
Allow all encrypted VBA macros to run without being scanned by an antivirus program.
Scan encrypted VBA macros if an antivirus program is installed, but enable encrypted VBA macros if no antivirus program is installed.
Setting name: Scan encrypted macros in Excel Open XML documents, Scan encrypted macros in PowerPoint Open XML documents, Scan encrypted macros in Word Open XML documents
Description: This setting controls the way encrypted VBA macros undergo virus scanning. This setting is a per-application setting and can be configured for Excel 2010, PowerPoint 2010, and Word 2010. You can choose one of three possible options for this setting:
Scan encrypted macros (default). All encrypted VBA macros are disabled unless they are scanned by an antivirus program. This option enforces the default configuration.
Scan if antivirus software available. Encrypted VBA macros are disabled unless they are scanned by an antivirus program. However, if no antivirus program is installed on the client computer, all encrypted VBA macros are enabled.
Load macros without scanning. Encrypted VBA macros are enabled and are not scanned, regardless of whether an antivirus program is installed on the client computer.
Impact: If you enable this setting and select the Load macros without scanning option, security could be significantly reduced by encrypted macros that have not been scanned for viruses. The same is true if the client computer does not have an antivirus program installed and you enable this setting and select the Scan if antivirus software available option.
Guidelines: Most organizations use the default configuration for this setting and do not change this setting.
Related VBA macro settings
Several other settings affect how VBA macros behave in Office 2010 applications. If you are modifying VBA macro settings because you have a special security environment, you might want to evaluate the following settings:
Trust access to VBA projectThis setting determines whether automation clients can access the VBA project.
Disable all Trust Bar notifications for security issuesThis setting prevents users from seeing Message Bar warnings, including warnings about unsafe VBA macros.
Note
For the latest information about policy settings, refer to theMicrosoft Excel 2010 workbook Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkID=189316&clcid=0x409) download page.