Configure security settings for ActiveX controls, add-ins, and macros in the 2007 Office system

Updated: February 12, 2009

Applies To: Office Resource Kit

This Office product will reach end of support on October 10, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

 

Topic Last Modified: 2016-11-14

You can configure settings for ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros by using the Office Customization Tool (OCT) and the Group Policy Object Editor.

Before you begin

Before you begin configuring settings, be sure you meet the planning requirements, administrative requirements, and tool requirements that are described in this section.

Use the following sections to determine how to configure settings for:

  • ActiveX controls

  • Add-ins

  • Macros

Configure settings for ActiveX controls

The following procedures show how to use the OCT and the Group Policy Object Editor to disable ActiveX controls and change the way ActiveX controls are initialized. To learn more about ActiveX control settings, see Security policies and settings in the 2007 Office system and Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system.

Disable ActiveX controls

You can use the following procedures to disable ActiveX controls. The settings described in these procedures apply only to applications in the 2007 Microsoft Office system; that is, ActiveX controls are not disabled in documents that are opened in earlier versions of Office. In addition, even though you disable ActiveX controls in a document, ActiveX controls still initialize and run without notification if a document is opened from a trusted location.

Disable ActiveX controls by using the OCT

  1. In the left pane of the OCT, under Features, click Modify user settings.

  2. In the tree view of the OCT, open Microsoft Office 2007 system and click Security Settings.

  3. In the details pane, double-click Disable all ActiveX.

  4. Click Enabled, select the Disable All ActiveX check box and click OK.

Note

You can also disable ActiveX controls by setting the Unsafe ActiveX initialization setting in the OCT to Do not prompt and disable all controls.

Disable ActiveX controls by using the Group Policy Object Editor

  1. In the Group Policy Object Editor tree, navigate to the following location:

    User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings

  2. In the details pane, double-click Disable All ActiveX, click Enabled, select the Disable All ActiveX check box and click OK.

Change the way ActiveX controls are initialized

The following procedures show how to use the OCT and the Group Policy Object Editor to change the way ActiveX controls are initialized. ActiveX control initialization depends on several factors, including whether there is a VBA project present in a document and whether a control is marked safe for initialization (SFI) or unsafe for initialization (UFI).

Change the way ActiveX controls are initialized by using the OCT

  1. In the left pane of the OCT, click Office security settings.

  2. In the details pane, in Unsafe ActiveX initialization, click one of the following:

    Prompt user to use control defaults. This setting initializes ActiveX controls with default values and might require user input before ActiveX controls are initialized.

    Prompt user to use persisted data. This setting initializes ActiveX controls with persisted values and might require user input before ActiveX controls are initialized.

    Do not prompt. This setting initializes all controls and does not require user input.

Change the way ActiveX controls are initialized by using the Group Policy Object Editor

  1. In the Group Policy Object Editor tree, navigate to the following location:

    User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings

  2. In the details pane, double-click ActiveX Control Initialization and click Enabled. In ActiveX Control Initialization, click the initialization setting that you want.

    There are six possible initialization settings for ActiveX controls. Some settings might require user input before ActiveX controls are initialized.

  3. Click OK.

Configure settings for add-ins

The following procedures show how to use the OCT and the Group Policy Object Editor to:

  • Disable add-ins.

  • Require that add-ins are signed by a trusted publisher.

  • Disable notifications for unsigned add-ins.

To learn more about security settings for add-ins, see Security policies and settings in the 2007 Office system and Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system.

Disable add-ins

You can use the following procedures to disable add-ins. When you disable add-ins, users are not notified that add-ins are disabled. Also, add-ins can be disabled only on a per-application basis. There is no global setting that disables add-ins.

Disable add-ins by using the OCT

  1. In the left pane of the OCT, click Office security settings.

  2. In the details pane, under Default security settings, double-click Application add-ins warnings options for the application you want to configure.

  3. In the Specify Security Settings dialog box, click Disable all application extensions and click OK.

Note

You can also disable add-ins by setting the Disable all application add-ins setting to Enabled in the OCT.

Disable add-ins by using the Group Policy Object Editor

  1. Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:

    User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center

  2. In the details pane, double-click Disable all application add-ins, click Enabled and click OK.

Require that add-ins are signed by a trusted publisher

You can use the following procedures to require that add-ins are signed by a trusted publisher. You can configure this setting only on a per-application basis. There is no global setting that requires add-ins to be signed by a trusted publisher.

Use the OCT to require add-ins to be signed by a trusted publisher

  1. In the left pane of the OCT, click Office security settings.

  2. In the details pane, under Default security settings, double-click Application add-ins warnings options for the application you want to configure.

  3. In the Specify Security Settings dialog box, click Require that application extensions are signed by trusted publisher and click OK.

Use the Group Policy Object Editor to require add-ins to be signed by a trusted publisher

  1. Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:

    User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center

  2. In the details pane, double-click Require that application add-ins are signed by trusted publisher, click Enabled and click OK.

Disable notifications for unsigned add-ins

You can use the following procedures to disable notifications for unsigned add-ins. You can configure this setting only on a per-application basis. There is no global setting that disables unsigned add-ins and disables notifications for unsigned add-ins.

Disable notifications for unsigned add-ins by using the OCT

  1. In the left pane of the OCT, click Office security settings.

  2. In the details pane, under Default security settings, double-click Application add-ins warnings options for the application you want to configure.

  3. In the Specify Security Settings dialog box, click Require that extensions are signed, and silently disable unsigned extensions and click OK.

Disable notifications for unsigned add-ins by using the Group Policy Object Editor

  1. Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:

    User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center

  2. In the details pane, double-click Disable trust bar notifications for unsigned application add-ins, click Enabled and click OK.

Note

You must use the Disable trust bar notifications for unsigned application add-ins setting in conjunction with the Require that application add-ins are signed by trusted publisher setting.

Configure settings for macros

The following procedures show how to use the OCT and the Group Policy Object Editor to:

  • Configure default security settings for macros.

  • Disable VBA.

  • Provide Automation clients programmatic access to VBA projects.

  • Configure Automation security for macros.

  • Prevent encrypted macros from being scanned for viruses.

To learn more about security settings for macros, see Security policies and settings in the 2007 Office system and Plan security settings for ActiveX controls, add-ins, and macros in the 2007 Office system.

Configure default security settings for macros

You can use the following procedures to configure default security settings for macros. You can configure this setting only on a per-application basis.

Configure default security settings for macros by using the OCT

  1. In the left pane of the OCT, click Office security settings.

  2. In the details pane, under Default security settings, double-click VBA macro warnings options for the application you want to configure.

  3. In the Specify Security Settings dialog box, click the default security setting that you want and click OK.

Configure default security settings for macros by using the Group Policy Object Editor

  1. Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:

    User Configuration/Administrative Templates/Microsoft Office Access 2007/Application Settings/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Publisher 2007/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Visio 2007/Tools|Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center

  2. In the details pane, double-click VBA macro warning settings, click Enabled, and choose the default security setting that you want.

  3. Click OK.

Note

You can also change the default security setting for macros in Microsoft Office Outlook 2007. For more information, see the security documentation for Office Outlook 2007.

Disable VBA

You can use the following procedures to disable VBA. You can configure this setting only on a global basis.

Disable VBA by using the OCT

  1. In the left pane of the OCT, under Features, click Modify user settings.

  2. In the tree view of the OCT, open Microsoft Office 2007 system and click Security Settings.

  3. In the details pane, double-click Disable VBA for Office applications.

  4. Click Enabled and click OK.

Disable VBA by using the Group Policy Object Editor

  1. In the Group Policy Object Editor tree, navigate to the following location:

    User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings

  2. In the details pane, double-click Disable VBA in Office applications, click Enabled, and click OK.

Provide Automation clients programmatic access to VBA projects

You can use the following procedures to provide Automation clients programmatic access to VBA projects. You can configure this setting only on a per-application basis.

Provide Automation clients programmatic access to VBA projects by using the OCT

  1. In the left pane of the OCT, under Features, click Modify user settings.

  2. In the tree view of the OCT, navigate to one of the following locations:

    Microsoft Office Excel 2007/Excel Options/Security/Trust Center

    Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

    Microsoft Office Word 2007/Word Options/Security/Trust Center

  3. In the details pane, double-click Trust access to Visual Basic project.

  4. Click Enabled and click OK.

Provide Automation clients programmatic access to VBA projects by using the Group Policy Object Editor

  1. Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:

    User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center

  2. In the details pane, double-click Trust access to Visual Basic project.

  3. Click Enabled and click OK.

Configure Automation security for macros

You can use the following procedures to configure Automation security for macros. You can configure this setting only on a global basis.

Configure Automation security for macros by using the OCT

  1. In the left pane of the OCT, under Features, click Modify user settings.

  2. In the tree view of the OCT, open Microsoft Office 2007 system and click Security Settings.

  3. In the details pane, double-click Automation security and click Enabled.

  4. In Set the Automation security level, click the setting that you want and click OK.

Configure Automation security for macros by using the Group Policy Object Editor

  1. In the Group Policy Object Editor tree, navigate to the following location:

    User Configuration/Administrative Templates/Microsoft Office 2007 system/Security Settings

  2. In the details pane, double-click Automation security and click Enabled.

  3. In Set the Automation security level, click the setting that you want and click OK.

Prevent encrypted macros from being scanned for viruses

You can use the following procedures to prevent encrypted macros from being scanned for viruses. You can configure this setting only on a per-application basis.

Prevent encrypted macros from being scanned for viruses by using the OCT

  1. In the left pane of the OCT, under Features, click Modify user settings.

  2. In the tree view of the OCT, navigate to one of the following locations:

    Microsoft Office Excel 2007/Excel Options/Security/Trust Center

    Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

    Microsoft Office Word 2007/Word Options/Security/Trust Center

  3. In the details pane, double-click one of the following based on the application that you are configuring:

    Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks

    Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations

    Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents

  4. Click Enabled and click OK.

Prevent encrypted macros from being scanned for viruses by using the Group Policy Object Editor

  1. Depending on which application you want to configure, navigate to one of the following in the Group Policy Object Editor tree:

    User Configuration/Administrative Templates/Microsoft Office Excel 2007/Excel Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office PowerPoint 2007/PowerPoint Options/Security/Trust Center

    User Configuration/Administrative Templates/Microsoft Office Word 2007/Word Options/Security/Trust Center

  2. In the details pane, double-click one of the following based on the application that you are configuring:

    Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks

    Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations

    Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents

  3. Click Enabled and click OK.
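
The scope and dependency rules in this topic (global versus per-application settings, and the note that the notification setting must be paired with the signing requirement) can be checked against a planned baseline before it is entered in the OCT or Group Policy. The following Python script is an added example, not part of the original topic or a Microsoft tool; the plan layout ({scope: {policy: enabled}}), the lint_plan function and the sample plan are assumptions, and the per-application encrypted macro scan policies are left out.

```python
# Added example: lint a planned Office 2007 policy baseline against the scope
# and dependency rules stated in this topic. The plan layout is an assumption.
GLOBAL = "Microsoft Office 2007 system"
ALL_APPS = {"Access", "Excel", "PowerPoint", "Publisher", "Visio", "Word"}
VBA_APPS = {"Excel", "PowerPoint", "Word"}

DISABLE_ADDINS = "Disable all application add-ins"
REQUIRE_SIGNED = "Require that application add-ins are signed by trusted publisher"
NO_NOTIFY = "Disable trust bar notifications for unsigned application add-ins"

# Where each policy can be set, per the Group Policy paths in this topic.
SCOPES = {
    "Disable All ActiveX": {GLOBAL},
    "ActiveX Control Initialization": {GLOBAL},
    "Disable VBA for Office applications": {GLOBAL},
    "Automation security": {GLOBAL},
    DISABLE_ADDINS: ALL_APPS,
    REQUIRE_SIGNED: ALL_APPS,
    NO_NOTIFY: ALL_APPS,
    "VBA macro warning settings": ALL_APPS,
    "Trust access to Visual Basic project": VBA_APPS,
}

def lint_plan(plan):
    """Return a list of findings for a {scope: {policy: enabled}} plan."""
    findings = []
    for scope, policies in plan.items():
        for name in policies:
            if name not in SCOPES:
                findings.append(f"{scope}: unknown policy '{name}'")
            elif scope not in SCOPES[name]:
                findings.append(f"{scope}: '{name}' has no policy path in this scope")
        # The notification policy must be paired with the signing requirement.
        if policies.get(NO_NOTIFY) and not policies.get(REQUIRE_SIGNED):
            findings.append(f"{scope}: '{NO_NOTIFY}' set without '{REQUIRE_SIGNED}'")
    # Add-in policies are per-application only; list applications left uncovered.
    for app in sorted(ALL_APPS):
        p = plan.get(app, {})
        if not (p.get(DISABLE_ADDINS) or p.get(REQUIRE_SIGNED)):
            findings.append(f"{app}: no add-in restriction planned")
    return findings

# Constructed sample plan (not from the original page).
SAMPLE_PLAN = {
    GLOBAL: {"Disable All ActiveX": True, DISABLE_ADDINS: True},
    "Word": {REQUIRE_SIGNED: True, NO_NOTIFY: True},
    "Excel": {NO_NOTIFY: True},
    "Publisher": {"Trust access to Visual Basic project": True},
    "Access": {DISABLE_ADDINS: True},
}

if __name__ == "__main__":
    for finding in lint_plan(SAMPLE_PLAN):
        print(finding)
```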
