Microsoft Visio 2002 Resource Kit

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Chapter 9 - Security Settings

On This Page

Microsoft Visio Macro Security Settings
Security Settings and Related System Policies

This chapter describes many of the tools and strategies you can use to manage security and lower the total cost of ownership for Visio, including information on how to protect documents and safeguard your systems from viruses.

Microsoft Visio Macro Security Settings


Macro security depends on a certificate being associated with the executable code attached to a document, workbook, presentation, or e-mail message. Validating that certificate means two checks: the certificate itself must chain to a Certificate Authority that vouches for the author's identity, and the digital signature the author placed on the code must verify against the certificate's public key. Attaching a signature to a file, executable, Microsoft ActiveX control, dynamic-link library (DLL) file, and so on, therefore requires obtaining a code-signing certificate from a Certificate Authority such as VeriSign. For more information about digital signatures and certificates, see Protecting Office Documents in the Office XP Resource Kit.

In this chapter the term macro also covers ActiveX controls, COM objects, OLE objects, and any other executable code that can be attached to a drawing in Microsoft Visio.

Visio features that make calls to Internet addresses inherit the security settings of Microsoft Internet Explorer.

Macro security levels in Visio

The following list summarizes how macro-virus protection reacts to the different types of signed and unsigned macros encountered under each setting. Users can change these settings on the Security Level tab in the Security dialog box (on the Tools menu, point to Macro).

In all cases, Low security presents no prompt to the user, and macros are allowed to run, whether they are signed or not. Certificates attached to macros that run under Low security are not added to the trusted source list for Visio. Only when security is set to Medium or High, and a user agrees to trust a certificate, is that certificate added to the trusted source list. Because Low security runs any attached code silently, it is not appropriate on computers that open drawings from outside the organization. The list below omits the Low option, because Low behaves the same in every case.

  • Unsigned macros

    High—Macros are disabled and the drawing is opened.

    Medium—User is prompted to enable or disable macros.

  • Signed macros from a trusted source with a valid certificate

    High and Medium—Macros are enabled, and the drawing is opened.

  • Signed macros from an unknown source with a valid certificate

    High—A dialog box appears with information about the certificate. Users must then determine whether they should enable any macros based on the content of the certificate. To enable the macros, users must accept the certificate.

    Medium—A dialog box appears with information about the certificate. Users must then determine whether they should enable any macros based on the content of the certificate. Users can enable macros without accepting the certificate.

    Note   A network administrator can lock the list of trusted sources and prevent a user from adding the certificate to the list, thereby disabling any macros associated with the drawing.

  • Signed macros from any source with an invalid certificate

    High and Medium—User is warned of a possible virus. Macros are disabled.

  • Signed macros from any source in which validation of the certificate is not possible, because the public key is missing or an incompatible encryption method was used

    High—User is warned that certificate validation is not possible. Macros are disabled.

    Medium—User is warned that certificate validation is not possible. User is given the option to enable or disable macros.

  • Signed macros from any source in which the macro was signed after the certificate had expired or was revoked by the Certificate Authority

    High—User is warned that the certificate has expired or was revoked. Macros are disabled.

    Medium—User is warned that the certificate has expired or was revoked. User is given the option to enable or disable macros.

Security and policy settings that can affect your solution's VBA code

Administrators and users can set security levels, installation options, or runtime options for VBA projects that might interfere with your solution's ability to run VBA code in Visio.

Users can set Visio security levels and whether VBA is enabled or disabled in Visio at run time in the Visio application. Administrators can set security policies using a Policy Editor or log-on scripts or by manually updating the registry.

  • Security level settings: In addition to user control over security level settings, administrators can also set policies that determine the minimum allowable security level for a user or a group. The highest security level setting (user or administrator) is enforced.

  • Disabling VBA in Visio: Visio users can temporarily disable VBA in Visio by clearing the Enable Visual Basic for Applications check box on the Advanced tab of the Options dialog box (on the Tools menu, click Options). Administrators can set a policy for this option to disable VBA for a user or a group.

    Visio users and administrators can also disable VBA in Visio by choosing not to install VBA. If another application then installs VBA, it will become available to Visio. Users and administrators then still have the option to disable VBA temporarily using the methods previously mentioned.

  • Denying access to the Visual Basic object model from Visio: An administrator can set a policy that denies access to the Visual Basic object model from Visio. When access to the Visual Basic object model is denied, the Application.VBE property and the Document.VBProject property are disabled. This setting provides security against viruses that use these properties to replicate themselves into the projects of other documents. This is an administrator setting only; users cannot set this property by using the Visio user interface.

Security Settings and Related System Policies

Security is an important subject for today's businesses. The increase in malicious hacking of corporate computers has forced businesses worldwide to develop better methods of protecting their data and systems. To help administrators enable the security features of Microsoft Visio 2002, Microsoft has created system policies that force the use of those features. These policies are defined in the Visio10.adm policy template, which is listed in the Appendix of this document.

Note   Removing registry keys in the HKEY_CURRENT_USER registry branch by using the Add/Remove Registry Entries page of the Custom Installation Wizard does not work on Windows Terminal Server. However, adding registry keys by using this page works as expected.

Security settings can be enforced in one of four registry areas within two branches of the registry—Local Machine (HKLM) and Current User (HKCU).

Local Machine (associated with the Default Computer policy profile in the System Policy Editor)

  • HKLM\Software\Policies\Microsoft\Visio

  • HKLM\Software\Microsoft\Visio

Current User (associated with the Default User policy profile in the System Policy Editor)

  • HKCU\Software\Policies\Microsoft\Visio

  • HKCU\Software\Microsoft\Visio

Most of these settings can also be set using a policy when the appropriate ADM template is added to the System Policy Editor or Group Policy snap-in with Microsoft Windows 2000.

This topic also includes operating system policy settings that help maintain a secure user environment by restricting what the user can reach through the operating system user interface.

Adding Microsoft to the trusted source list

The trusted source list is managed in four possible places within the registry. Policy settings are in the Policies node of the registry and are controlled by using the System Policy Editor. Registry key examples:

  • HKLM\Software\Microsoft\VBA\Trusted

  • HKCU\Software\Microsoft\VBA\Trusted

  • HKLM\Software\Policies\Microsoft\VBA\Trusted

  • HKCU\Software\Policies\Microsoft\VBA\Trusted

Use of the HKLM key prevents users from modifying the trusted sources list.

Adding recognized value names and data to any of these keys instructs Visio which sources to trust or not to trust. For example, adding a value named Microsoft Corporation nnnn (where nnnn is a year) instructs Visio to trust code signed with that Microsoft Corporation certificate. Use the listed value name and data to populate the registry setting.

Value name: Microsoft Corporation nnnn
Data type: REG_BINARY
Value data: (data content provided by wizards)

Adding a value named "No source will be trusted. - your Administrator" forces Visio to trust no sources at all. Setting this value also removes the option that lets users trust a source.

Value name: No source will be trusted. - your Administrator
Data type: REG_BINARY
Value data: (d3,0f,d6,00,91,21,bf,51,7e,60,48,a2,99,ba,25,00,b7,96,08,01)

When the list is defined under an HKLM key, only the sources it contains are trusted, and users cannot add entries through the Visio user interface.

Application Security key

By using the application Security key, you can instruct Visio to set macro security levels for the application. The basic keys consist of the following:

  • HKCU\Software\Microsoft\Visio\Security\Level

  • HKLM\Software\Microsoft\Visio\Security\Level

The HKCU key is used to set the security level for each user, while the HKLM key is used to set the minimum security level for all users of the computer. Because the higher of the two settings is enforced, a user can raise the level above the HKLM floor but cannot lower it below that floor.
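The following PowerShell script is an added example and is not part of the Visio 2002 Resource Kit or the Visio10.adm template. It writes the per-computer minimum security level under the HKLM Security key, locks the trusted-source list with the "No source will be trusted" marker listed above, and then reports the effective level the way the chapter describes it (the higher of the HKCU and HKLM settings wins). Two things are assumptions rather than statements from this page: that Level is a REG_DWORD value under the Security key, and that 1, 2 and 3 encode Low, Medium and High as they do for the Office XP applications. Run it from an elevated session on a test machine or account before deploying it.

```powershell
# Added example (not from the Visio 2002 Resource Kit): enforce a minimum Visio
# macro security level and lock the trusted-source list from the HKLM policy
# branch, then report the effective level.
# ASSUMPTIONS not stated on the page: "Level" is a REG_DWORD value under the
# Security key, and 1/2/3 encode Low/Medium/High as in Office XP.
# Requires an elevated (administrator) PowerShell session to write HKLM.

$LevelNames = @{ 1 = 'Low'; 2 = 'Medium'; 3 = 'High' }

# Registry locations named in this chapter.
$UserSecurityKey    = 'HKCU:\Software\Microsoft\Visio\Security'
$MachineSecurityKey = 'HKLM:\Software\Microsoft\Visio\Security'
$MachineTrustedKey  = 'HKLM:\Software\Policies\Microsoft\VBA\Trusted'

# "No source will be trusted" marker, value name and bytes exactly as the page lists them.
$NoTrustName  = 'No source will be trusted. - your Administrator'
$NoTrustBytes = [byte[]](0xd3,0x0f,0xd6,0x00,0x91,0x21,0xbf,0x51,0x7e,0x60,
                          0x48,0xa2,0x99,0xba,0x25,0x00,0xb7,0x96,0x08,0x01)

function Get-VisioSecurityLevel {
    # Returns the numeric Level value under $Key, or $null when it is not set.
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name 'Level' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Level
}

function Set-VisioMinimumSecurityLevel {
    # HKLM is the per-computer floor; only Medium (2) or High (3) make sense as a floor.
    param([ValidateSet(2, 3)][int]$Level)
    if (-not (Test-Path $MachineSecurityKey)) {
        New-Item -Path $MachineSecurityKey -Force | Out-Null
    }
    New-ItemProperty -Path $MachineSecurityKey -Name 'Level' -Value $Level `
        -PropertyType DWord -Force | Out-Null
}

function Lock-VisioTrustedSources {
    # Writing the marker under the HKLM policy key trusts no source and removes
    # the user's option to trust one through the Visio UI.
    if (-not (Test-Path $MachineTrustedKey)) {
        New-Item -Path $MachineTrustedKey -Force | Out-Null
    }
    New-ItemProperty -Path $MachineTrustedKey -Name $NoTrustName -Value $NoTrustBytes `
        -PropertyType Binary -Force | Out-Null
}

function Get-EffectiveVisioSecurityLevel {
    $user    = Get-VisioSecurityLevel $UserSecurityKey
    $machine = Get-VisioSecurityLevel $MachineSecurityKey
    # The chapter states that the highest of the user and administrator settings is enforced.
    $effective = [Math]::Max([int]$user, [int]$machine)
    $locked = (Test-Path $MachineTrustedKey) -and
        ($null -ne (Get-ItemProperty -Path $MachineTrustedKey -Name $NoTrustName -ErrorAction SilentlyContinue))
    [pscustomobject]@{
        UserLevel       = if ($user)      { $LevelNames[$user] }      else { '(not set)' }
        MachineLevel    = if ($machine)   { $LevelNames[$machine] }   else { '(not set)' }
        EffectiveLevel  = if ($effective) { $LevelNames[$effective] } else { '(application default)' }
        TrustListLocked = $locked
    }
}

Set-VisioMinimumSecurityLevel -Level 3
Lock-VisioTrustedSources
Get-EffectiveVisioSecurityLevel | Format-List
```

Get-EffectiveVisioSecurityLevel is the audit half: run it on its own from a logon script to confirm that no user has ended up below the floor and that the trusted-source list is still locked after other software has been installed.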

This section includes samples of system policies for security-related configuration options of Visio. Most of these policies do not affect security directly, nor do they directly change Visio; however, they limit the exposure of critical portions of a network, operating system, or user interface to destructive changes by users. By setting these policies, an administrator can reduce the amount of data users must consider or reduce the choices users must make while they interact with the system. As a result, you can increase productivity by not having to support some features and by streamlining the user interface of the operating system. The policies in this section are available with the listed templates.

It is highly recommended that administrators examine the policy templates for the operating systems with which their users are working. Several policies provide methods to control and enforce the configuration of the operating system and reduce the probability of a user creating a problem. These policies limit the access of users to features of the operating system they do not need to change.

Windows NT and Windows 2000

The following list of policy templates and system policies highlights some of the more important system policies you can use to limit the user environment in Microsoft Windows NT and Windows 2000 operating systems:

  • common.adm - Shell | Restrictions

  • common.adm - System | Restrictions

  • winnt.adm - Windows NT Shell | Restrictions

Windows 2000–related system policies are also found in the conf.adm and system.adm policy templates.

common.adm - Shell | Restrictions 

  • From Start Menu, remove Run command

  • Hide drives in My Computer

  • No "Entire Network" in Network Neighborhood

  • From Start menu, remove Shut Down command

common.adm - System | Restrictions 

  • Run only allowed Windows applications

winnt.adm - Windows NT Shell | Restrictions 

  • Remove the "Map Network Drive" and "Disconnect Network Drive" options

Windows 2000 only

The following list of policies highlights some of the more important system policies you can use to limit the user environment in the Windows 2000 operating system:

  • system.adm - Administrative | Start Menu & Taskbar

  • system.adm - Administrative | Windows Components | Windows Explorer | Common Open File Dialog

system.adm - Administrative | Start Menu & Taskbar 

  • Do not keep history of recently opened documents

system.adm - Administrative | Windows Components | Windows Explorer | Common Open File Dialog 

  • Hide the Common Dialog Places bar

  • Hide Common Dialog Back button

  • Hide the list of recent files

Sample system policies explained

Provided in this section is an in-depth explanation of the policies presented earlier in this topic. Each explanation provides the registry key, value name, data type, and associated data necessary to enforce the policy.

Remove Run command from Start Menu

When this policy is enabled, Windows 2000 removes Run from the Start menu and disables launching the Run dialog by pressing the Windows logo key+R.

If a feature has a run function that allows users to start a program by typing in its name and path in a dialog box, the application disables this functionality when this policy is enabled.

Template: common.adm

Path: Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: NoRun
Data type: REG_DWORD
Value data:
    0 // Display the Run option
    1 // Do not display the Run option

Hide drives in My Computer

When enabled, this policy removes the icons representing the selected disk drives from My Computer, Windows Explorer, My Network Places, and the Windows common dialog boxes.

Visio hides any of the listed drives when this policy is enabled. This includes any buttons, menu options, icons, or other visual representation of drives in Visio. This does not preclude the user from accessing drives by manually entering drive letters in dialog boxes.

Template: common.adm

Path: Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: NoDrives
Data type: REG_DWORD
Value data: a bitmask of the drive letters to hide
    0 // Display all drives
    bit n set // Hide the drive letter n positions after A (bit 0 hides A:, bit 1 hides B:, bit 2 hides C:, and so on)

Note   The value is a bitmask, not a simple on/off flag: a value of 1 hides only drive A:, and a value of 0x3FFFFFF (all 26 bits set) hides every drive letter. When the policy is set through the System Policy Editor, the template computes this mask from the drive letters selected in the dialog box.

No "Entire Network" in "My Network Places"

When enabled, this policy removes all computers outside of the user's workgroup or local domain from lists of network resources in Windows Explorer and My Network Places.

When this policy is enabled, applications that allow users to browse network resources must limit browsing functionality to a local workgroup or domain.

Template: common.adm

Path: Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network

Value name: NoEntireNetwork
Data type: REG_DWORD
Value data:
    0 // Show Entire Network
    1 // Remove Entire Network

Remove Shut Down command from Start menu

This policy prevents the user from using the Windows user interface to shut down the system.

When this policy is enabled, applications that enable the user to shut down Windows must disable this capability.

Template: common.adm

Path: Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: NoClose
Data type: REG_DWORD
Value data:
    0 // Policy disabled; the Shut Down command is available
    1 // Policy enabled; the Shut Down command is removed

Run only allowed Windows Applications

When this policy is enabled, users can run only the applications named in the allowed list for this policy. Applications that can start other applications are also restricted to the programs in that list.

The restriction is enforced by the shell, so it does not apply to applications started through OLE/COM/DCOM activation; the case most likely to affect Visio is an installation of Microsoft Internet Explorer displaying a Visio file in its native format within the browser. Applications that start other programs through ShellExecuteEx have the restriction applied automatically by Windows 2000. List each permitted executable by file name, including its extension.

Template: common.adm

Path: System | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: RestrictRun
Data type: REG_DWORD
Value data:
    0 // Policy disabled
    1 // Run only the listed applications

The allowed applications are stored in the subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun, one REG_SZ value per program, with the values named "1", "2", "3", and so on and the data holding the executable name (including its extension), for example Visio.exe. This is how the common.adm template writes the policy on Windows NT and Windows 2000; if RestrictRun is set to 1 with an empty list, the user cannot start any application.

Remove "Map Network Drive" and "Disconnect Network Drive"

When this policy is enabled, users are prevented from using Windows Explorer and My Network Places to connect to other computers or to close existing connections.

When this policy is enabled, applications do not provide buttons, menu options, icons, or any other visual representation that enable a user to map to or disconnect from network drives.

Template: winnt.adm

Path: Windows NT Shell | Restrictions

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

Value name: NoNetConnectDisconnect
Data type: REG_DWORD
Value data:
    0 // Display the Map Network Drive and Disconnect Network Drive options
    1 // Remove the Map Network Drive and Disconnect Network Drive options

Do not keep history of recently opened documents

When this policy is enabled, the system does not save shortcuts to most recently used (MRU) documents in the Start menu.

When this policy is enabled, applications must not keep any MRU lists.

Template: system.adm

Path: Administrative | Start Menu & Taskbar

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value name: NoRecentDocsHistory
Data type: REG_DWORD
Value data:
    0 // Display shortcuts in the MRU list
    1 // Do not display shortcuts in the MRU list

This policy affects Visio features in the following ways:

  • Do not show MRU lists while the policy is enabled.

  • Do not save new entries into MRU lists (freeze the list) while the policy is enabled, which means that after the policy is turned off, the MRU list will not contain any files used while the policy was on, but will contain files used before the policy was enabled.

  • If there is an MRU option in the Options dialog box, it is unavailable while the policy is enabled.

  • After the policy is turned off, the user MRU settings and the application policy MRU settings are restored to the state before the policy was enabled.

    For example, if the number of MRU files was five before the policy was enabled, it becomes zero when the policy is turned on, and it becomes five again when the policy is turned off.

  • If both the application MRU policy and the system MRU policy are enabled, the system policy setting is used.

Hide Common Dialog Places Bar

The places bar allows users to navigate via the common file open/file close dialog box directly to the following locations:

  • History folder

  • Desktop

  • My Documents

  • My Computer

  • My Network Places

When this policy is enabled, Windows 2000 removes the Places Bar from the Windows common dialog box.

When this policy is set, applications that provide their own file open/file close dialog boxes must remove any equivalent functionality from the Places Bar. Applications using the Windows common dialog box API automatically comply with this policy.

Template: system.adm

Path: Administrative | Windows Components | Windows Explorer | Common Open File Dialog

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Value name: NoPlacesBar
Data type: REG_DWORD
Value data:
    0 // Display the Places bar
    1 // Do not display the Places bar

Hide Common Dialog Back button

When this policy is enabled, Windows 2000 removes the Back button from the common dialog box, preventing the user from browsing to the previous folder accessed from the dialog box.

When this policy is set, applications with their own file open/file close dialog boxes must remove any Back button functionality from these dialog boxes. Applications using the Windows common dialog API automatically comply with this policy.

Template: system.adm

Path: Administrative | Windows Components | Windows Explorer | Common Open File Dialog

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Value name: NoBackButton
Data type: REG_DWORD
Value data:
    0 // Display the Back button
    1 // Do not display the Back button

Hide the dropdown list of recent files

When this policy is enabled, Windows 2000 removes the MRU list from the common dialog.

When this policy is set, applications with their own file/open dialog boxes must not display an MRU list in these dialog boxes. Applications using the Windows common dialog API will automatically comply with this policy.

Template: system.adm

Path: Administrative | Windows Components | Windows Explorer | Common Open File Dialog

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

Value name: NoFileMru
Data type: REG_DWORD
Value data:
    0 // Display the MRU list
    1 // Do not display the MRU list
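The following PowerShell script is an added example, not part of the Visio 2002 Resource Kit or of any Microsoft policy template. It applies the Explorer, Network and Comdlg32 restriction policies explained in this section to the current user and then audits them, so the same script can serve as a logon-time enforcement step and as a compliance check. The key paths and value names are the ones this section lists (with NoPlacesBar as the Comdlg32 value name). Two details go beyond the page and are stated here as facts about Windows NT and Windows 2000 policy processing: NoDrives is a bitmask in which bit 0 hides A:, bit 1 hides B:, and so on up to bit 25 for Z:, and the "Run only allowed Windows applications" policy is stored as RestrictRun=1 plus a RestrictRun subkey whose string values "1", "2", ... name the permitted executables. The choice of which drives to hide and which executables to allow is a constructed sample; adjust it before using the script on a real account.

```powershell
# Added example (not from the Visio 2002 Resource Kit): apply the user-interface
# restriction policies listed in this section to the current user, then audit them.
# Requires PowerShell 3.0 or later (for -shl). Writes to HKCU only, so it does not
# need elevation, but run it on a test account first.

$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Network  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Network'
$Comdlg32 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32'

function Get-NoDrivesMask {
    # NoDrives is a bitmask: bit 0 hides A:, bit 1 hides B:, ... bit 25 hides Z:.
    # Building it here avoids the common mistake of writing 1 and hiding only A:.
    param([string[]]$DriveLetters)
    $mask = 0
    foreach ($letter in $DriveLetters) {
        $bit = [int][char]$letter.ToUpper() - [int][char]'A'
        if ($bit -lt 0 -or $bit -gt 25) { throw "Not a drive letter: $letter" }
        $mask = $mask -bor (1 -shl $bit)
    }
    return $mask
}

function Set-PolicyDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# The policies from this section, as the templates write them. Sample choice:
# hide the floppy drives A: and B: (constructed example, mask = 3).
$Baseline = @(
    @{ Key = $Explorer; Name = 'NoRun';                  Value = 1 },
    @{ Key = $Explorer; Name = 'NoClose';                Value = 1 },
    @{ Key = $Explorer; Name = 'NoNetConnectDisconnect'; Value = 1 },
    @{ Key = $Explorer; Name = 'NoRecentDocsHistory';    Value = 1 },
    @{ Key = $Explorer; Name = 'NoDrives';               Value = (Get-NoDrivesMask 'A','B') },
    @{ Key = $Network;  Name = 'NoEntireNetwork';        Value = 1 },
    @{ Key = $Comdlg32; Name = 'NoPlacesBar';            Value = 1 },
    @{ Key = $Comdlg32; Name = 'NoBackButton';           Value = 1 },
    @{ Key = $Comdlg32; Name = 'NoFileMru';              Value = 1 }
)

function Set-RestrictRun {
    # common.adm writes RestrictRun=1 plus a RestrictRun subkey whose string values
    # "1", "2", ... name the permitted executables (extension included). An empty
    # list with RestrictRun=1 locks the user out of every application, so the list
    # is rewritten completely each time rather than appended to.
    param([Parameter(Mandatory)][string[]]$AllowedExecutables)
    Set-PolicyDword -Key $Explorer -Name 'RestrictRun' -Value 1
    $listKey = Join-Path $Explorer 'RestrictRun'
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $i = 1
    foreach ($exe in $AllowedExecutables) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -Value $exe -PropertyType String -Force | Out-Null
        $i++
    }
}

function Test-PolicyBaseline {
    # Reads each policy value back and reports whether it matches the baseline.
    foreach ($p in $Baseline) {
        $actual = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Policy    = $p.Name
            Expected  = $p.Value
            Actual    = $actual
            Compliant = ($actual -eq $p.Value)
        }
    }
}

foreach ($p in $Baseline) { Set-PolicyDword @p }
Set-RestrictRun -AllowedExecutables 'Visio.exe'   # sample allowed list, as on the page
Test-PolicyBaseline | Format-Table -AutoSize
```

Test-PolicyBaseline can be run on its own, without the two Set- calls, to audit an account that received these policies from the System Policy Editor or Group Policy; any row whose Compliant column is False points at a value the user or another setup program has changed.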