Plan and configure Trusted Publishers settings for Office 2013

 

Applies to: Office 365 ProPlus

Summary: Explains how to use the Trusted Publishers list in Office 2013 to designate content publishers that you trust.

Audience: IT Professionals

You can use the Trusted Publishers list to designate content publishers that you trust. This can be helpful if your organization uses published content, such as Microsoft ActiveX controls, add-ins, and Visual Basic for Applications (VBA) macros.

A publisher is any developer, software company, or organization that has created and distributed a digitally signed ActiveX control, add-in, or VBA macro. A trusted publisher is any publisher that was added to the Trusted Publishers list. When a user opens a file, and the file contains active content that is created by a trusted publisher, the trusted publisher’s content is enabled and users are not notified about any potential risks that might be contained in the file.

For information about how to add trusted publishers, see Add, remove, or view a trusted publisher.


This article is part of the Guide to Office 2013 security. Use the roadmap as a starting point for articles, downloads, posters, and videos that help you assess Office 2013 security.

Are you looking for security information about individual Office 2013 applications? You can find this information by searching for “2013 security” on Office.com.

In this article:

  • Plan Trusted Publishers settings in Office 2013

  • Obtain certificates from known publishers

  • Determine which certificates must be added to the Trusted Publishers list

  • Related Trusted Publishers settings for Office 2013

Plan Trusted Publishers settings in Office 2013

To designate a publisher as a trusted publisher, you have to add the publisher’s certificate to the Trusted Publishers list. In this context, the publisher’s certificate is the digital certificate (.cer file) that the publisher used to digitally sign its published content. In most cases, you can obtain the .cer file from the publisher, or you can export it from the .cab, .dll, .exe, or .ocx file that is associated with the published content. If you are unsure which published content the organization uses, you might also have to determine whether any other published content runs with the organization’s Office 2013 applications and then obtain certificates for that published content.

There are two methods that you can use to add a publisher’s certificate to the Trusted Publishers list: the Office Customization Tool (OCT) or Group Policy. The OCT provides no settings for managing certificates other than adding a trusted publisher’s certificate to the Trusted Publishers list. If you want to manage certificate trust or if you want to establish specific trust relationships to satisfy business scenarios, you must use Group Policy. For more information about how to add trusted publishers to the Trusted Publishers list and how to manage trusted root certificates, see Manage Trusted Root Certificates and Manage Trusted Publishers.

Obtain certificates from known publishers

You can usually obtain a certificate for published content by asking the publisher to send it to you. If you can’t get the certificate in this manner, and you know the name of the digitally signed .cab, .dll, .exe, or .ocx file that contains the published content, you can take the following steps to export the certificate file.

Note

You can complete tasks in all Office 2013 suites by using a mouse, keyboard shortcuts, or touch. For information about how to use keyboard shortcuts and touch with Office products and services, see Keyboard shortcuts and Office Touch Guide.

Important

To use this procedure, your computer must be running the Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 operating system.

To export a certificate from a .dll file

  1. Select the file that the publisher has signed, open its shortcut menu (right-click), and then choose Properties.

  2. Choose the Digital Signatures tab.

  3. In Signature list, choose the certificate, and then choose Details.

  4. In the Digital Signature Details dialog box, choose View Certificate.

  5. Choose the Details tab, and then choose Copy to File.

  6. On the Certificate Export Wizard welcome page, choose Next.

  7. On the Export File Format page, choose DER encoded binary X.509 (.CER), and then choose Next.

  8. On the File to Export page, type a path and name for the .cer file, choose Next, and then choose Finish.

Make sure that you save all of the .cer files on a network share that can be accessed by client computers during installation.
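The export steps above can also be scripted when many signed files are involved. The following PowerShell is an added example, not part of the original Microsoft article. The function name `Export-SignerCertificate` and the paths in the usage comment are hypothetical. It reads the Authenticode signer certificate from a signed file, refuses to export it unless the signature validates, and writes it as a DER encoded .cer file.

```powershell
# Added example (not from the original article).
# Export-SignerCertificate is a hypothetical helper name.
function Export-SignerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $SignedFile,   # .cab, .dll, .exe, or .ocx
        [Parameter(Mandatory = $true)] [string] $OutputFolder  # folder that holds the .cer files
    )

    $sig = Get-AuthenticodeSignature -FilePath $SignedFile

    # Only export from files whose signature validates on this computer.
    # Unsigned, tampered, or untrusted-chain files are rejected here.
    if ($sig.Status -ne 'Valid') {
        throw "Signature on '$SignedFile' is '$($sig.Status)': $($sig.StatusMessage)"
    }

    $cert = $sig.SignerCertificate

    # X509ContentType 'Cert' is the DER encoded binary X.509 format,
    # the same format chosen on the Export File Format page.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

    # Name the file after the thumbprint so two publishers never collide.
    $folder = (Resolve-Path -Path $OutputFolder).ProviderPath
    $target = Join-Path -Path $folder -ChildPath ($cert.Thumbprint + '.cer')
    [System.IO.File]::WriteAllBytes($target, $der)

    # Return the details an administrator should confirm with the publisher
    # before the certificate is added to the Trusted Publishers list.
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        CerFile    = $target
    }
}

# Usage (placeholder paths):
# Export-SignerCertificate -SignedFile 'C:\AddIns\Example.dll' -OutputFolder '\\server\share\certs'
```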

Determine which certificates must be added to the Trusted Publishers list

In some cases, you might not know whether an organization uses published content or you might not know which published content to add to the Trusted Publishers list. This is usually relevant only if you have a highly restrictive environment and you require that all published content be signed. You can test Office 2013 applications for digitally signed content by using the following procedure.

To identify published content and add the content publisher to the Trusted Publishers list

  1. On a test computer, or a client computer that is running the standard configuration for the organization (including any add-ins that users need), enable the Require Application Add-Ins to be signed by Trusted Publisher setting in the Trust Center by doing the following:

    1. Choose the File tab.

    2. Choose Options.

    3. Choose Trust Center.

    4. Choose Trust Center Settings.

    5. Choose Add-ins.

    6. Choose Require Application Add-ins to be signed by Trusted Publisher.

    7. Choose OK.

  2. Exit and restart the Office application. If add-ins are installed, the Message Bar displays the following message: Security Warning Some active content has been disabled. Click here for more details.

  3. On the Message Bar, choose Some active content has been disabled. Click for more details.

  4. Choose the File tab and, in the Backstage View, choose Enable Content, and then choose Advanced Options.

  5. In the Security Alerts – Multiple Issues dialog box, install each certificate to the Trusted Publishers list by following these steps for each add-in that shows a valid digital signature:

    1. Choose Show Signature Details.

    2. In the Digital Signature Details window, choose View Certificate.

    3. In the Certificate window, choose Install Certificate.

    4. In the Certificate Import Wizard, choose Next, choose Place all certificates in the following store, choose Browse, choose Trusted Publishers, choose OK, choose Next, and then choose Finish.

  6. Prepare the certificate files for distribution:

    1. Choose the File tab, choose Options, choose Trust Center, choose Trust Center Settings, and then choose Trusted Publishers.

    2. For each certificate, select the certificate, choose View, and then follow these steps:

      1. In the Certificate window, on the Details tab, choose Copy to File.

      2. In the Certificate Export Wizard, choose Next, and then choose Next again to accept the default file format, enter a file name, select a location to store the file, and then choose Finish.
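As a complement to the Trust Center procedure above, the signer of each add-in file can be compared against the certificates already in the Trusted Publishers store. The following PowerShell is an added example, not part of the original Microsoft article. The function name `Get-AddInSignerStatus` and the folder in the usage comment are hypothetical, and the script assumes the add-in binaries are under a folder that you supply.

```powershell
# Added example (not from the original article).
# Get-AddInSignerStatus is a hypothetical helper name.
function Get-AddInSignerStatus {
    param(
        [Parameter(Mandatory = $true)] [string] $AddInFolder
    )

    # Thumbprints already present in the Trusted Publishers store
    # for the current user and for the computer.
    $trusted = @(
        Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher |
            ForEach-Object { $_.Thumbprint }
    )

    Get-ChildItem -Path $AddInFolder -Recurse -Include *.dll, *.ocx, *.exe, *.cab |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        ForEach-Object {
            $cert = $_.SignerCertificate   # $null when the file is unsigned
            New-Object PSObject -Property @{
                File               = $_.Path
                SignatureStatus    = $_.Status
                Subject            = if ($cert) { $cert.Subject } else { $null }
                Thumbprint         = if ($cert) { $cert.Thumbprint } else { $null }
                InTrustedPublisher = if ($cert) { $trusted -contains $cert.Thumbprint } else { $false }
            }
        } |
        Sort-Object -Property InTrustedPublisher, SignatureStatus, File
}

# Usage (placeholder folder). Rows with SignatureStatus 'Valid' and
# InTrustedPublisher False are the publishers still to be reviewed;
# rows with any other status are unsigned or fail validation and
# would be blocked by the "require signed add-ins" setting.
# Get-AddInSignerStatus -AddInFolder 'C:\AddIns' |
#     Format-Table File, SignatureStatus, Subject, InTrustedPublisher -AutoSize
```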

Related Trusted Publishers settings for Office 2013

The following Group Policy and Trust Center settings are often used with Trusted Publishers settings:

  • Require that application add-ins are signed by Trusted Publisher

    This setting restricts add-ins to only those that are signed by a trusted publisher. This is a per application setting.

  • Disable Trust Bar notification for unsigned application add-ins and block them

    This setting prevents users from seeing Message Bar warnings about add-ins that are not signed by a trusted publisher. This is a per application setting.

  • VBA macro notification settings

    This setting restricts VBA macros to only those that are signed by a trusted publisher. This is a per application setting.

  • Disable All ActiveX

    This setting restricts ActiveX controls to only those that are signed by a trusted publisher. This is a global setting, not per application.

Note

For the latest information about policy settings, refer to the Excel 2013 workbook Office2013GroupPolicyAndOCTSettings_Reference.xlsx that is included in the Office 2013 Administrative Template files. For more information, see the Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool TechNet article.

See also

Guide to Office 2013 security
Overview of security in Office 2013
Configure security by using OCT or Group Policy for Office 2013
Understand security threats and countermeasures for Office 2013
Plan and configure Trusted Locations settings for Office 2013