Template Security

[Scott]

Hi All,

Does anyone know of a way in which I can password protect
a template so that it can't be modified by an unauthorised
user?

I have looked into password protecting the document via
the "password to Modify" switch, but this can be easily
removed by a user and also presents users with a message
box whenever they open a document based on the template.

It would be preferable if no macros, styles or autotext
could be modified by an unauthorised user.

Kind Regards,

Scott

 

[Shandy]

Hi Scott

Why not make the template 'read only'? Otherwise you will need to go to the security level of the document using Windows Explorer's properties option. That's ensuring you have rights to that access level. Right Mouse click on the document, select Properties, Security and then select only allow read rights to the users.

 

[Jezebel]

Open the template itself. Switch to VBA. Select the template project in the
Project Explorer window. Go to Tools > Project Properties. Select the
Protection tab. Enter a password.

Note that this is not brilliant security: it's sufficient to prevent most
unauthorised access, but it is defeatable.

 

[Rob Schneider]

This probably would work, but I guess I would not bother since it runs
risk of this password being forgotten and then everyone is locked out of
the template file.

I would recommend you step back and figure out what risk you are
concerned with and then mitigate that risk.

If you are concerned that someone will change the template so that it it
is messed up for future users ... then consider protecting the template
file via the server permissions to ensure users can't write back to the
source template file.

If you are concerned that someone will change modify the document on
which the template is based and do something "bad" ... then this a
different risk. I can imagine where this would be very easy to do no
matter what permissions/security you put on the template. In certain
situations I can also imagine where Word would not be the appropriate
tool for controlling high-risk transactions.

Bottom line: focus on the "what", then work the "how".

Hope this is useful to you. Let us know.

rms

 

[Scott]

Thanks to Shandy and Jezebel for your assistance with
this.

Shandy, I have previously made the templates read-only but
some of my users know how to undo this function.

Jezebel, your solution works great for blocking the access
to the macros but still allows styles to be updated.

I am currently applying the macro protection as well as
the "password to modify" function, but the modify password
on the template results in the user getting a Read Only
message box everytime they view/modify their documents.

Any ideas how I could make this less obvious to the users?

 

[Jezebel]

It seems perverse to say you'd "not bother" using a password for fear that
you'll forget the password. There are downsides to password-protecting a
template, but assuming we're dealing with a serious intentions, *that* isn't
one of them. If you can't control your passwords then you can't control
*anything* in a multi-user environment.

Of course there are situations in which Word is not appropriate for
controlling "high-risk transactions" -- all of them. As already stated Word
doesn't even begin to provide security to deal with any serious risk.

Your examples omit the most common reason for protecting the template:
namely to hide the code, either to prevent someone stealing it outright, or
to prevent them duplicating it and then running it with modifications.
Write-protecting the file or folder obviously won't help with that.

 

[Suzanne S. Barnhill]

I don't understand why a "password to modify" on a template would have any
effect on documents created based on the template since users are *not*
modifying the template itself (unless they update styles in the document and
attempt to save the changes to the template). Are we talking about a .dot
template placed in the User (or Workgroup) Templates folder and accessed via
File | New?

I suspect you're using a document as a template (since you say "I have
looked into password protecting the document"), and this is the wrong
approach.

 

[Rob Schneider]

Well ... Scot didn't say what risk he is worrying about. Hence I'm not
going to assume. Nor was I prepared to elaborate on why one would
protect a template. Never even entered my mind to discuss. Sorry you
seem disappointed that I should have done that. Protecting macros is a
good thing to do. Scot didn't say that, though.

I just was thinking that before one applies security/control, one needs
to define/understand the risk they are dealing with.

I've seen so many documents where people used pw to "protect" them, and
then they "forgot" and got locked out. There are many ways to control
things (I don't know what you mean by "anything") in a multi-user
environment without proliferation of passwords. Profilferation of
passwords is thought by many (and I'm in that camp) is security risk in
itself.

You imply (maybe I'm wrong) that you know of a way to "control
passwords" ... in a "multi-user enviornment". Is this a centralized
way? How do you keep track of the pw that anyone puts on a Word
document or template?

I agree Word does not provide appropriate security to deal with any
serious risk. Frankly, I hope they never ever provide this. Word is a
word processor and writing tool. I hope it stays that way. Mitigate
serious risks using other appropriate measures.

Hope this is useful to you. Let us know.

rms