Security-minded organizations, such as the military and the nuclear sector, restrict how macros can be run in Excel. The steps usually taken are:
- User Account Control (UAC) is enabled (applicable to Windows Vista or later), so users cannot modify Excel settings without administrator authorization.
- Trusted publishers are added to a list that designates the add-in publishers trusted by the organization.
- VBA add-ins or macro-enabled workbooks are signed with a digital certificate.
A publisher is any developer or software company that has created and distributed a digitally signed add-in or macro-enabled workbook.
A trusted publisher is any publisher that was added to the Trusted Publishers list. When a user opens a file, and the file contains VBA code that is created by a trusted publisher, the trusted publisher’s content is enabled and users are not warned about potential risks that might exist in the file, as the code has been reviewed and designated as secure.
Here is how to add a Trusted Publisher to the Trusted Publisher list in Office 2007 or later:
Export Certificate From Internet Explorer
When a software client wants to add my company to their Trusted Publisher list, I select the certificate of 'Esoteric Consulting Ltd' and export it, without the private keys, as a file with the .CER extension.
Import Certificate Into Office
- Run Command Prompt in elevated mode: right click it and click 'Run as Administrator'.
- Run the certutil.exe that comes with Windows as shown.
The last parameter (*.cer file) is the name of the certificate file.
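The following PowerShell script is an added example, not the author's own command: it checks the exported certificate before importing it and confirms the result afterwards. The parameter names, the out-of-band thumbprint check and the `-addstore TrustedPublisher` arguments to certutil are assumptions for illustration, since the page's screenshot of the command is not reproduced here.

```powershell
#Requires -RunAsAdministrator
# Added example: vet a publisher's exported certificate, then import it.
param(
    [Parameter(Mandatory)] [string]$CerPath,            # the exported .CER file
    [Parameter(Mandatory)] [string]$ExpectedThumbprint  # confirmed with the publisher out of band
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path -LiteralPath $CerPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# The export is meant to carry the public certificate only.
if ($cert.HasPrivateKey) { throw 'File contains a private key; do not import it.' }

# Pin the file to the thumbprint the publisher confirmed separately.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
}

# Reject certificates outside their validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid today ($($cert.NotBefore) to $($cert.NotAfter))."
}

# A Trusted Publisher entry should be a code-signing certificate.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($usages -notcontains $codeSigningOid) {
    throw 'Certificate does not list the Code Signing enhanced key usage.'
}

# Import into the machine-wide Trusted Publishers store.
& certutil.exe -addstore TrustedPublisher $path
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE." }

# Confirm the certificate is now present in the store.
$installed = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Certificate not found in TrustedPublisher after import.' }
"Trusted publisher added: $($cert.Subject) [$($cert.Thumbprint)]"
```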
Require Add-ins To Be Signed By Trusted Publisher
The final and most important step is to require that all Excel add-ins be signed by a Trusted Publisher. Please ensure that the first option is checked as shown below.
Add A Digital Signature Programmatically To Office VBA Macros
Besides Office, Excel files can be created using numerous software tools. More often than not, batches of macro-enabled Excel files are processed with scripts for productivity purposes.
If you want to sign Office macros in an automated process, you have to use the Microsoft Office Subject Interface Packages (SIPs) for digitally signing VBA projects, along with SignTool.exe.
Unviewable+ locked VBA files can be signed with a digital code certificate without issues, even if the multi-layer option is checked.
Please download and follow instructions in the bundled readme.txt file. Here are the Microsoft links:
SIPs: https://www.microsoft.com/en-us/download/details.aspx?id=56617
SignTool: https://docs.microsoft.com/en-us/windows/desktop/seccrypto/signtool