The destructive potential of macros has forced IT professionals to extend their security focus to commonly distributed documents. To protect against this threat without curtailing distribution and use of macros, many organizations implement digital signatures, which allow verification that macros and other electronic content come from a trusted source.
Digital signatures on macros tell users who placed the signature in the document. The signature can be verified with a certificate root authority or using an internal mechanism within your organization. You can implement digital signatures with your macros by:
- Using SelfCert.exe, the native Microsoft signing tool.
- Using a PKI implementation.
- Purchasing a package to give you a digital signature that is verified by a root certificate authority.
In this article, we will focus on Microsoft Excel, but other macro-enabled Office applications behave in a similar manner.
Microsoft Office distributions include the SelfCert.exe tool as part of the default installation. This tool is distributed as a personal-use mechanism for creating digital signatures. It does not actually verify the identity of the author of the signature; instead, it writes a signature that it explicitly notes as not authentic. It is important to discuss this tool first, as fraudulent digital signatures may use it.
By default, the SelfCert tool is installed in C:\Program Files\Microsoft Office\Office\Selfcert.exe. Running the tool is fairly straightforward, and some basic safeguards are in place to ensure that certificate authorities are not spoofed. For example, you can't use Verisign, Inc., in the Name field of the SelfCert tool, although you can use similar variants of that name. (In other words, Verisign is rejected; Veri Sign is not.) SelfCert-created signatures don't have an actual certificate, but only a header. When you look at a certificate created with SelfCert, you'll see that it's "empty." Figure A shows an example.
If a macro project contains a digital signature, users need to be able to distinguish a SelfCert-created certificate from a certificate authority-issued one. With Office installations using High or Medium security settings, running a macro will bring up the familiar security message to enable or disable macros. But as Figure B shows, SelfCert-created signatures appear with a warning.
It's important to click the Details tab to get more information, because looking at the name of the macro issuer is not enough to determine whether a signature is valid. The Details tab will give the official information on any digital signature.
What about a PKI infrastructure?
If your organization uses PKI, and you have an imported certificate, this certificate can function as a mechanism to sign macros. However, having a PKI infrastructure and a key installed will not automatically assign a digital signature to all authored content (macros). Further, if the PKI implementation did not issue the signatures through one of the root certificate authority organizations, the digital signature may not transport well out of your organization.
Digital signature example
Let's look at a macro that has a validdigital signature and see how Microsoft Excel recognizes it. When you first open a signed Excel document, it may not to appear any different from an unsigned document. Therefore, as a matter of practice, users should always view the details of a signature and check the Digital Signature Information field for the signature. In our sample digitally signed document, this signature was issued by SSNS (Sample Security Name Systems—a fictitious organization). Clicking on the Details tab of the macro security prompt (which, again, appears only with High or Medium security settings) shows the information in Figure C.
Notice that unlike the SelfCert example, where the status was marked as Not Trusted, this signature is marked as OK. When the status is marked as OK or as Verified with a root certificate authority, you can be sure that the macros are from the organization or individual(s) listed on the macro startup screen. This does not mean that the contents of the electronic material are safe; digital signatures ensure only that the material was indeed digitally signed by the person specified as the signer.
Issuing certificates should be done by certificate authority for the most widespread acceptance of an authentic digital signature. Microsoft publishes a list of trusted commercial organizations that provide digital certificates. Approximately 15 of these companies can provide digital certificates for macros and other types of code. Among the other offerings are PKI, VPN, e-commerce, and SSL products. Costs for these products vary. Some packages start at $200 for digital signatures, and the prices go up from there. Microsoft's list of trusted companies includes some of the most popular and well-known names in this space, including VeriSign, eSign, and RSA Security.
Microsoft offers additional details on macro signing in "Using SelfCert to Create a Digital Certificate for VBA Projects" and "Add a Digital Signature to a Custom Macro Project in an Office Program." The ZDNet white paper "Microsoft Office 2000 and Digital Macro Signatures" provides a look at both the strengths and shortcomings of Office 2000's digital signature mechanism.
Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.