Prevent a user from blocking macros signed with a trusted certificate

Guest

Hi,

I developed a solution with Word and VBA and I want to force all my network
users to use the macros contained in the documents.
I signed the macros using a Verisign certificate, so absolutely trusted
source. Also the certificate is in the personal certificate store of the
computer. Anyway, the first time a user opens a document, he still has the
option to disable macros. He must manually click "always trust...." and then
enable macros. After this, any document with macros signed with the same
certificate will be macro enabled without any further inquiry.
My problem is that I absolutely need to be sure that a user cannot work on
any document without the control of the macros. So I need to mark my
certificate as always trustable, without user intervention. Does anyone know
how to do this, considering that I'm in an Active Directory environment, so I
eventually have group policies, logon scripts, etc.?
Another problem is that, if the macro protection in Word is set to Very
High, the macro is never activated, without any notification to the user.
Documents are all on a network share. Maybe I also need to make that share
trustable for Office, but I don't know how. I tried adding it to trusted sites
in IE, but that seems not to be related.

Any help is very welcome.
 
Tony Jollans

You cannot, by any technical means, force people to run your code.
Ultimately it is the user's decision whether or not to run anything. By
signing your code you are giving them confidence that it comes from you;
that is all; it is still their decision whether or not to trust you.

If their job requires that they run your code, it is a personnel management
issue, not a technical one, to ensure that they do so.
 
Guest

Hi Tony,

sorry, but I don't agree with you.

"You cannot, by any technical means, force people to run your code."
Technically it is possible, the problem is how. When you trust a publisher, Word
MUST write this information somewhere (registry, configuration file,...). If
you write the same info by code (i.e. in logon script) you achieve the same
result.

"Ultimately it is the user's decision whether or not to run anything."
This is true for a user who downloads your document, not for a Corporate
User. In this case the final decision is up to the CIO (me). If I can force
users to run any kind of code at logon, logoff, IE opening, etc. why can't I
force them to run a Word macro?

Anyway, my only solution by now is to password lock the document and unlock
with Document_Open procedure. If user refuses macros, the document remains
locked. End of the story. I was just looking for something more elegant.

Thanks.

Massimo.


--
Massimo
 
Tony Jollans

I guess we'll have to agree to differ then.

"Anyway, my only solution by now is to password lock the document and
unlock with Document_Open procedure. If user refuses macros, the document
remains locked. End of the story."

I'd be interested to see how you propose to do that.

--
Enjoy,
Tony

 
Guest

It's trivial:

1) In the document, create the following macro in VBA:

Private Sub Document_Open()
    ' Runs only when the user has enabled macros: lift the protection.
    If ActiveDocument.ProtectionType <> wdNoProtection Then
        ActiveDocument.Unprotect Password:="mypassword"
    End If
End Sub

2) Protect the document using the password: mypassword

If a user enables macros, the document is unprotected; if he disables macros,
the document remains protected and read only (unless he knows the password
of course). This is not a total protection because the document can in any
case be consulted and printed, but it is good for fillable forms. If you don't
enable macros you'll not be able to fill the form. You also have no means to
tell the user why the document is read only. You have to train the users
first.
Anyway, I'm still looking for something more elegant and flexible.

--
Massimo

 
Tony Jollans

Apart from being ludicrously simple to bypass, that does not address your
original request:

"My problem is that I absolutely need to be sure that a user cannot work on
*any* document without the control of the macros."

(my emphasis)

As I said to begin with, you just have to tell your people they have to do a
one-time operation or they will be unable to do their jobs properly. I do
sympathise with you a little but there is no way you can force this: such a
facility would be an open invitation for malicious software to make its
author trusted, and that would destroy the whole trust mechanism.
 
Jean-Guy Marcil

I will have to second Tony on this. This is no protection as it is very easy
to bypass.
Since you have decided (and seem to have the authority to do so) that users
must accept the macros and work with them, a minimum of training will be
necessary.

If you are looking for alternate tricks, you can have a totally blank
document that can only be properly laid out with code (by using an Autotext
entry from a separate template located in a "secret" location on the
network...)

Also, you can set a document variable to a certain value in the document.
Then, when macros are used, this document variable's value can be changed by
the macro. This way, later on, if you suspect some people are not using the
macros, you have an easy way of checking (especially since document variables
can only be altered by VBA and are totally invisible to users...)

But I do believe that some basic training is necessary.
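
The document-variable check described in the post above, sketched as an added example (not code from any poster in this thread). The variable name MacrosRan, its values and the share path are assumptions; the audit opens each file with macros forced off so the check itself never runs document code.

```vba
' --- ThisDocument module of each managed document ---
' The author ships the document with variable "MacrosRan" set to "no".
Private Sub Document_Open()
    ' Only reached when the user allowed macros: stamp the flag.
    ActiveDocument.Variables("MacrosRan").Value = _
        "yes " & Format(Now, "yyyy-mm-dd hh:nn")
    ActiveDocument.Saved = False   ' make sure the stamp is kept on next save
End Sub

' --- Standard module in the auditor's own template ---
Sub AuditMacroFlag()
    Const SHARE_PATH As String = "\\server\share\forms\"  ' placeholder path
    Dim oldSec As MsoAutomationSecurity
    Dim fileName As String, state As String
    Dim doc As Document, v As Variable

    ' Open documents without executing their macros.
    oldSec = Application.AutomationSecurity
    Application.AutomationSecurity = msoAutomationSecurityForceDisable
    On Error GoTo Cleanup

    fileName = Dir(SHARE_PATH & "*.doc")
    Do While Len(fileName) > 0
        Set doc = Documents.Open(FileName:=SHARE_PATH & fileName, _
            ReadOnly:=True, AddToRecentFiles:=False, Visible:=False)

        ' Reading a missing variable raises an error, so scan the collection.
        state = "flag missing"
        For Each v In doc.Variables
            If v.Name = "MacrosRan" Then state = v.Value
        Next v

        ' "no" or "flag missing" means the document was last saved
        ' without its Document_Open macro having run.
        Debug.Print fileName & vbTab & state

        doc.Close SaveChanges:=wdDoNotSaveChanges
        fileName = Dir
    Loop

Cleanup:
    Application.AutomationSecurity = oldSec
End Sub
```

The results appear in the VBA Immediate window. The flag is an audit hint for follow-up, not an enforcement control.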
 
