Plan Trusted Locations settings for Office 2010

 

Applies to: Office 2010

Topic Last Modified: 2011-08-05

Banner stating end of support date for Office 2010 with link to more info

If you want to differentiate safe files from potentially harmful files, you can use the Trusted Locations feature in Microsoft Office 2010. The Trusted Locations feature lets you designate trusted file sources on the hard disks of users' computers or on a network share. When a folder is designated as a trusted file source, any file that is saved in the folder is assumed to be a trusted file. When a trusted file is opened, all content in the file is enabled and active, and users are not notified about any potential risks that might be contained in the file, such as unsigned add-ins and Microsoft Visual Basic for Applications (VBA) macros, links to content on the Internet, or database connections.

In this article:

  • About planning Trusted Locations settings

  • Implement Trusted Locations

  • Disable Trusted Locations

About planning Trusted Locations settings

Office 2010 provides several settings that let you control the behavior of the Trusted Locations feature. By configuring these settings, you can do the following:

  • Specify trusted locations globally or on a per-application basis.

  • Allow trusted locations to exist on remote shares.

  • Prevent users from designating trusted locations.

  • Disable the Trusted Locations feature.

The Trusted Locations feature is available in the following applications: Microsoft Access 2010, Microsoft Excel 2010, Microsoft InfoPath 2010, Microsoft PowerPoint 2010, Microsoft Visio 2010, and Microsoft Word 2010.

The following list describes the default configuration for the Trusted Locations feature:

  • Trusted Locations is enabled.

  • Users cannot designate network shares as trusted locations. However, users can change this setting in the Trust Center.

  • Users can add folders to the Trusted Locations list.

  • Both user-defined and policy-defined trusted locations can be used.

In addition, several folders are designated as trusted locations in a default installation of Office 2010. The default folders for each application are listed in the following tables. (InfoPath 2010 and Visio 2010 have no default trusted locations.)

Access 2010 trusted locations

The following table lists the default trusted locations for Access 2010.

Default trusted locations Folder description Trusted subfolders

Program Files\Microsoft Office\Office14\ACCWIZ

Wizard databases

Not allowed

Excel 2010 trusted locations

The following table lists the default trusted locations for Excel 2010.

Default trusted locations Folder description Trusted subfolders

Program Files\Microsoft Office\Templates

Application templates

Allowed

Users\user_name\Appdata\Roaming\Microsoft\Templates

User templates

Not allowed

Program Files\Microsoft Office\Office14\XLSTART

Excel startup

Allowed

Users\user_name\Appdata\Roaming\Microsoft\Excel\XLSTART

User startup

Not allowed

Program Files\Microsoft Office\Office14\STARTUP

Office startup

Allowed

Program Files\Microsoft Office\Office14\Library

Add-ins

Allowed

PowerPoint 2010 trusted locations

The following table lists the default trusted locations for PowerPoint 2010.

Default trusted locations Folder description Trusted subfolders

Program Files\Microsoft Office\Templates

Application templates

Allowed

Users\user_name\Appdata\Roaming\Microsoft\Templates

User templates

Allowed

Users\user_name\Appdata\Roaming\Microsoft\Addins

Add-ins

Not allowed

Program Files\Microsoft Office\Document Themes 14

Application themes

Allowed

Word 2010 trusted locations

The following table lists the default trusted locations for Word 2010.

Default trusted locations Folder description Trusted subfolders

Program Files\Microsoft Office\Templates

Application templates

Allowed

Users\user_name\Appdata\Roaming\Microsoft\Templates

User templates

Not allowed

Users\user_name\Appdata\Roaming\Microsoft\Word\Startup

User startup

Not allowed

Note

For information about how to configure security settings in the Office Customization Tool (OCT) and the Office 2010 Administrative Templates, see Configure security for Office 2010.

Implement Trusted Locations

To implement Trusted Locations, you must determine the following:

  • The applications for which you want to configure Trusted Locations.

  • The folders that you want to designate as trusted locations.

  • The folder sharing and folder security settings that you want to apply to your trusted locations.

  • The restrictions that you want to apply to trusted locations.

Determine the applications that you want to configure

Use the following guidelines to help determine the applications for which you want to configure Trusted Locations:

  • Trusted Locations affect all content in a file, including add-ins, ActiveX controls, hyperlinks, links to data sources and media, and VBA macros. Moreover, files opened from trusted locations skip file validation checks, File Block checks, and do not open in Protected View.

  • Each application provides the same settings for configuring Trusted Locations. This means that you can independently customize Trusted Locations for each application.

  • You can disable Trusted Locations for one or more applications, and implement Trusted Locations for other applications.

Determine the folders to designate as trusted locations

Use the following guidelines to help determine the folders that you want to designate as trusted locations:

  • You can specify trusted locations on a per-application basis or globally.

  • One or more applications can share a trusted location.

  • To prevent malicious users from adding files to a trusted location or from modifying files that are saved in a trusted location, you must apply operating system security settings to any folder that you designate as a trusted location.

  • By default, only trusted locations that are on users' hard disks are allowed. To enable trusted locations on network shares, you must enable the Allow Trusted Locations not on the computer setting.

  • We do not recommend that you specify root folders, such as drive C, or the whole Documents or My Documents folder as trusted locations. Instead, create a subfolder within those folders and specify only that folder as a trusted location.

In addition, you must use the guidelines in the following sections if you want to:

  • Use environment variables to specify trusted locations.

  • Specify Web folders (that is, http://paths) as trusted locations.

Use environment variables to specify trusted locations

You can use environment variables by using Group Policy and the OCT to specify trusted locations. However, when you use environment variable within the OCT, you must change the value type that is used to store trusted locations in the registry for environment variables to work correctly. If you use an environment variable to specify a trusted location, and you do not make the necessary registry modification, the trusted location appears in the Trust Center. But it is unavailable and it appears as a relative path that contains the environment variables. After you change the value type in the registry, the trusted location appears in the Trust Center as an absolute path and is available.

To use environment variables to specify trusted locations

  1. Use Registry Editor to locate the trusted location that is represented by an environment variable.

    To open Registry Editor, click Start, click Run, type regedit, and then click OK.

    Trusted locations that are configured by using the OCT are stored in the following location:

    HKEY_CURRENT_USER/Software/Microsoft/Office/14.0/application_name/Security/Trusted Locations

    Where application_name can be Microsoft Access, Microsoft Excel, Microsoft PowerPoint, Microsoft Visio, or Microsoft Word.

    Trusted locations are stored in registry entries named Path, and they are stored as String Value (REG_SZ) value types. Be sure to locate each Path entry that uses environment variables to specify a trusted location.

  2. Change the Path value type.

    Applications in the Office 2010 cannot recognize environment variables that are stored as String Value (REG_SZ) value types. For applications to recognize environment variables, you must change the value type of the Path entry so that it is an Expandable String Value (REG_EXPAND_SZ) value type. To do this, follow these steps:

    1. Write down or copy the value of the Path entry. This should be a relative path that contains one or more environment variables.

    2. Delete the Path entry.

    3. Create a new Path entry of type Expandable String Value (REG_EXPAND_SZ).

    4. Modify the new Path entry so that it has the same value that you wrote down or copied in the first step.

    Be sure to make this change for each Path entry that uses environment variables to specify a trusted location.

Specify Web folders as trusted locations

You can specify Web folders (that is, http://paths) as trusted locations. However, only those Web folders that support Web Distributed Authoring and Versioning (WebDAV) or FrontPage Server Extensions Remote Procedure Call (FPRPC) protocols are recognized as trusted locations. Use the following guidelines if you are not sure whether a Web folder supports the WebDAV or FPRPC protocols:

  • If an application is opened by Internet Explorer, check the most recently used files list. If the most recently used files list indicates that the file is located on a remote server, rather than in the Temporary Internet Files folder, it is likely that the Web folder supports WebDAV in some form. For example, if you click a document while browsing Internet Explorer, and the document opens in Word 2010, the most recently used files list should show that the document is located on the remote server and not in the local Temporary Internet Files folder.

  • Try to use the Open dialog box to browse to the Web folder. If the path supports WebDAV, you probably can browse to the Web folder or you are prompted for credentials. If the Web folder does not support WebDAV, navigation fails and the dialog box closes.

Note

Sites that are created with Windows SharePoint Services and Microsoft SharePoint Server can be designated as trusted locations.

Determine folder sharing and folder security settings

All folders that you specify as trusted locations must be secured. Use the following guidelines to determine which sharing settings and security settings that you have to apply to each trusted location:

  • If a folder is shared, configure sharing permissions so that only authorized users have access to the shared folder. Be sure to use the principle of least privilege and grant permissions that are appropriate to a user. That is, grant Read permission to those users who do not have to modify trusted files, and grant Full Control permission to those users who have to modify trusted files.

  • Apply folder security permissions so that only authorized users can read or modify the files in trusted locations. Make sure to use the principle of least privilege and to grant permissions that are appropriate to a user. That is, grant Full Control permissions to only those users who have to modify files; and grant more-restrictive permissions to those users who need only to read files.

Determine restrictions for trusted locations

Office 2010 provides several settings that enable you to restrict or control the behavior of trusted locations. Use the following guidelines to determine how to configure these settings.

Setting name: Allow mix of policy and user locations


  • Description: This setting controls whether trusted locations can be defined by users, the OCT, and Group Policy, or if they must be defined by Group Policy alone. By default, users can designate any location as a trusted location and a computer can have any combination of user-created, OCT-created, and Group Policy-created trusted locations.


  • Impact: If this setting is disabled, all trusted locations that are not created by Group Policy are disabled and users cannot create new trusted locations in the Trust Center. Disabling this setting will cause some disruption for users who have defined their own trusted locations in the Trust Center. Applications treat such locations as they treat any other untrusted locations, which means that users see Message Bar warnings about content such as ActiveX controls and VBA macros when they open files, and they have to choose whether to enable controls and macros or leave them disabled This is a global setting that applies to all applications for which you configure trusted locations.


  • Guidelines: Organizations that have a highly restrictive security environment typically disable this setting. Organizations that manage their desktop configurations through Group Policy typically disable this setting.

Setting name: Allow Trusted Locations not on the computer


  • Description: This setting controls whether trusted locations on the network can be used. By default, trusted locations that are network shares are disabled. But users can still select the Allow Trusted Locations on my network check box in the Trust Center, which will enable users to designate network shares as trusted locations. This is not a global setting. You must configure this setting on a per-application basis for Access 2010, Excel 2010, PowerPoint 2010, Visio 2010, and Word 2010.


  • Impact: Disabling this setting disables all trusted locations that are network shares and prevents users from selecting the Allow Trusted Locations on my network check box in the Trust Center. Disabling this setting will cause some disruption for users who have defined their own trusted locations in the Trust Center. If you disable this setting, and a user attempts to designate a network share as a trusted location, a warning informs the user that the current security settings do not allow the creation of Trusted Locations that are remote paths or network paths. If an administrator designates a network share as a trusted location through Group Policy or by using the OCT, and this setting is disabled, the trusted location is disabled. Applications treat such locations like any other untrusted locations, which means that users see Message Bar warnings about content such as ActiveX controls and VBA macros when they open files, and they have to choose whether to enable controls and macros or leave them disabled.


  • Guidelines: Organizations that have a highly restrictive security environment typically disable this setting.

Note

You can also use the Remove all Trusted Locations written by the OCT during installation setting to delete all trusted locations that have been created by configuring the OCT.

Disable Trusted Locations

Office 2010 provides a setting that enables you to disable the Trusted Locations feature. This setting must be configured on a per-application basis for Access 2010, Excel 2010, PowerPoint 2010, Visio 2010, and Word 2010. Use the following guidelines to determine whether you should use this setting.

Setting name: Disable all Trusted Locations


  • Description: This setting lets administrators disable the Trusted Locations feature on a per-application basis. By default, the Trusted Locations feature is enabled and users can create trusted locations.


  • Impact: Enabling this setting disables all trusted locations, including trusted locations that are:

    • Created by default during setup.

    • Created by using the OCT.

    • Created by users through the Trust Center.

    • Created by using Group Policy.

    Enabling this setting also prevents users from configuring Trusted Locations settings in the Trust Center. If you enable this setting, make sure that you notify users that they cannot use the Trusted Locations feature. If users have been opening files from trusted locations, and you enable this setting, users might start seeing warnings in the Message Bar and they might be required to respond to Message Bar warnings to enable content, such as ActiveX controls, add-ins, and VBA macros.


  • Guidelines: Organizations that have a highly restrictive security environment typically enable this setting.

Note

For the latest information about policy settings, refer to the Microsoft Excel 2010 workbook Office2010GroupPolicyAndOCTSettings_Reference.xls, which is available in the Files in this Download section on the Office 2010 Administrative Template files (ADM, ADMX, ADML) and Office Customization Tool (https://go.microsoft.com/fwlink/p/?LinkID=189316&clcid=0x409) download page.