(0) exportieren Drucken
Alle erweitern

Plan security settings for add-ins for Office 2013

 

Gilt für: Office 365 ProPlus, Office

Letztes Änderungsdatum des Themas: 2014-06-05

Summary: Explains how to control the way that add-ins behave in Office 2013, and how to prevent users from running add-ins.

Audience: IT Professionals

Modify Office 2013 add-in settings to reduce the potential security risks that are posed by unknown or untrusted add-ins to Office 2013 applications.

 

b06aedee-d614-48a5-a654-62f178dee36f

This article is part of the Inhaltsübersicht für die Office 2013-Sicherheit. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 security.

Are you looking for security information about individual Office 2013 applications? You can find this information by searching for “2013 security” on Office.com.

In this article:

Office 2013 provides several settings that enable you to control the behavior of add-ins. By configuring these settings, you can do the following:

  • Disable add-ins on a per-application basis.

  • Require that add-ins are signed by a trusted publisher.

  • Disable notifications for unsigned add-ins.

You can configure add-in settings only on a per-application basis. There are no global add-in settings.

For detailed information about the settings that are discussed in this article, see Sicherheitsrichtlinien und -einstellungen in 2007 Office System. For information about how to configure security settings in the Office Customization Tool (OCT) and the Office 2013 Administrative Templates, see Konfigurieren der Sicherheit mithilfe des OAT oder Gruppenrichtlinien für Office 2013.

By default, any add-in that is installed and registered can run without requiring user intervention or warning. Installed and registered add-ins can include the following:

  • Component Object Model (COM) add-ins

  • Visual Studio Tools for Office (VSTO) add-ins

  • Automation add-ins

  • RealTimeData (RTD) servers

  • Application add-ins (for example, .wll, .xll, and .xlam files)

  • XML expansion packs

  • XML style sheets

This default behavior is the same as selecting the Trust all installed add-ins and templates setting in Office 2003 or an earlier Office system.

Office 2013 provides a setting that enables you to disable add-ins. Use the following guidelines to determine whether to use this setting.

Group Policy setting name: Disable all application add-ins

Description: This setting disables all add-ins. By default, all installed and registered add-ins can run.

Impact: If you enable this setting, add-ins are disabled and users are not notified that add-ins are disabled. Enabling this setting could cause significant disruptions for users who work with add-ins. If users have business-critical add-ins installed, you might be unable to enable this setting.

Guidelines: Most organizations use the default configuration for this setting and do not change it.

Office 2013 provides a setting that enables you to require that all add-ins be signed by a trusted publisher. Use the following guidelines to determine whether to use this setting.

Group Policy setting name: Require that application add-ins are signed by trusted publisher

Description: This setting controls whether add-ins must be digitally signed by a trusted publisher. By default, the publisher of an add-in does not have to be on the Trusted Publishers list for an add-in to run.

Impact: When you enable this setting, add-ins that are signed by a publisher that is on the Trusted Publishers list will run without notification. Unsigned add-ins and add-ins that are signed by a publisher that is not on the Trusted Publishers list will be disabled, but users are prompted to enable the add-ins, even though they won’t be able to enable unsigned and untrusted add-ins. Enabling the Require that application add-ins are signed by trusted publisher setting could cause disruptions for users who rely on add-ins that are not signed by trusted publishers. These users will either have to obtain signed versions of such add-ins or stop using them.

Guidelines: Organizations that have a highly restrictive security environment typically enable this setting.

Office 2013 provides a setting that enables you to prevent users from seeing Message Bar warnings when unsigned add-ins can’t run. Use the following guidelines to determine whether to use this setting.

Group Policy setting name: Disable Trust Bar Notification for unsigned application add-ins

Description: This setting controls whether to notify users when unsigned application add-ins are loaded or silently disable such add-ins without notification. By default, a warning appears in the Message Bar when an unsigned add-in attempts to run.

Impact: If you enable this setting, users won’t see a warning in the Message Bar when an unsigned add-in attempts to run. Users won’t be able to enable the unsigned add-in. Enabling this setting could cause disruptions for users who rely on add-ins that are not signed by trusted publishers. These users will either have to obtain signed versions of such add-ins or stop using them.

Guidelines: Organizations that have a highly restrictive security environment typically enable this setting if they require that all add-ins be signed by a trusted publisher.

HinweisHinweis:
For the latest information about policy settings, refer to the Office 2013 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool TechNet article.

Fanden Sie dies hilfreich?
(1500 verbleibende Zeichen)
Vielen Dank für Ihr Feedback.
Microsoft führt eine Onlineumfrage durch, um Ihre Meinung zur MSDN-Website zu erfahren. Wenn Sie sich zur Teilnahme entscheiden, wird Ihnen die Onlineumfrage angezeigt, sobald Sie die MSDN-Website verlassen.

Möchten Sie an der Umfrage teilnehmen?
Anzeigen:
© 2014 Microsoft