Security

Protecting your network with digital certificates

Macros can be a real thorn in the side for net admins. From the user's perspective, macros can be great time-savers. But they can also introduce a virus threat to your network. Find out how you can use digital certificates to minimize the risk.


In the past, I have recommended that you never permit users to download any Word file with the .doc file extension from external e-mail because of the macro virus possibility. Even if they think they know who sent the file, your network could be in danger since the sender’s system may have been hijacked by a virus and manipulated into sending a corrupted file. The macro threat can be just as dangerous when you have users in larger companies who have never met the fellow employee sending them a file. Although it may be construed as extremist, requiring users to send and receive messages employing the .rtf file format is a simple solution that lets you continue to use macros. If you don’t think you can enforce a no-.doc file extension rule, another solution is to use a digital certificate to authenticate the origin of any files. Certificates perform two major functions:
  • They protect files from tampering; you know the macro you activate is identical to the one the originator intended for you to get. Nothing's been added or removed.
  • They can be used to identify the sender so your security settings will let the macro run.

Definitions of digital certificate and signature
According to Microsoft documentation:
  • A digital certificate is an attachment to a macro project, used for security purposes. A digital certificate names the macro's source, plus additional information about the identity and integrity of that source. To digitally sign macro projects, you need to obtain and install a digital certificate that you can use to sign macro projects to identify them as your work.
  • A digital signature is a digital stamp of identification on a macro that confirms that the macro originated from the developer who signed it and that the macro hasn't been altered. To digitally sign macro projects and identify them as your work, you need to obtain and install a digital certificate. When you open a file or load an add-in that contains a digitally signed macro, a digital signature appears on your computer as a certificate that names the macro's source, plus additional information about the identity and integrity of that source.


Three ways to obtain digital certificates
User digital certification: This is the easiest way to deal with the problem of obtaining a certificate. However, whether or not you can use the digital certificate method depends on the security level settings and protocols observed by your company. In many smaller organizations, self-certification is the simplest route to improving macro security dramatically without adding burdensome layers of management to the process.

MS Office includes a digital certificate program. To access it, run the Office setup program and look in Office Tools on the Selecting Features screen. Macros are really just pieces of Visual Basic code, so select Digital Signatures For VBA projects and Run From My Computer. For more help, look under Obtain A Digital Certificate in Word's help index on your system.

To determine whether the Office 2000 SelfCert tool is installed on your system, use the Find Files Or Folders tool to search for a file called selfcert.exe. As a security administrator, you could delete this program from all users' systems after you create a certificate for them.

Internal certificate authority: The second, and often better, way for users to obtain a digital certificate is for the security administrator to act as an internal certificate authority and distribute digital certificates using the Microsoft Certificate Server. Security policies must be established to determine who can issue certificates. Also, steps must be taken to control which users are authorized to sign their own macros and which ones an administrator must approve.

Commercial certification authorities: The third way to obtain a digital certificate is to use an external authority such as VeriSign. You can learn more about certification authorities at the MS Security Advisor Web site. This is a complex process because it is used to guarantee the origin of your work to everyone on the Internet, not just users within your organization. A Class 3 digital certificate is only for commercial software publishers and requires measures such as a Dun & Bradstreet credit check. The Authenticode Technology Web page has additional background on using digital certificates with Microsoft products.

Using digital certificates
You won't need to buy any new tools, but as with all security measures, there are costs involved in creating certificates and either certifying macros yourself or training users to do it. Once you have a digital certificate or have distributed certificates to authorized users, your next step is to set the security level (high, medium, or low) that specifies how your Word or Excel program will treat macros. If you open the Tools menu and select Macro | Security, you will see descriptions of the three security levels.

Now you're ready to start signing macros. If there are only a few authorized developers in your organization, it is probably easiest if the security administrator checks each macro, locks it, and affixes the certificate. This way, if the developer is using his or her individual certificate, the origin can easily be tracked.

Open a document with the macro. Next, open the VBE (Visual Basic Editor) by pressing [Alt][F11] and select the project. Now select Digital Signature from the Tools menu and choose from the available certificates. If you don't lock the macro and any changes are made, the certificate disappears. This is far from foolproof, and developers who know how this works can always "steal" the macro and put their own certificate on it. However, this is not a way of enforcing copyright; it merely provides insurance that your users have a solid layer of protection against macro viruses.

John McCormick is a security consultant and technical writer (five books and 15,500-plus articles and columns) who has been working with computers for more than 35 years.


Have a comment?
If you'd like to share your opinion, please post a comment below or send the editor an e-mail.


Editor's Picks

Free Newsletters, In your Inbox