What is the problem?
A customer was exporting Excel reports by OfficeWriter to the XLSM format and was alarmed when he opened his output and saw a security warning:
Obviously, anyone who hadn’t experienced the Excel Trust Center Security Warning before could easily have been alarmed by this.
What is going on?
The security prompts are caused by the settings in Excel’s Trust Center, which was introduced in Excel 2007. Basically, when a workbook is opened in Excel 2007 or 2010, it is automatically run through the Trust Center feature for security reasons. Excel’s behavior for handling workbooks with macros will change depending on the settings selected in the Trust Center.
|Some notes about Trust Center security warning messages
To get to the Trust Center: Office button > Excel Options > Trust Center > Trust Center Settings. And on my left, Macro settings:
For example, say the ‘Disable all macros with notification’ option is selected. This is the default macro security level for Excel 2007/2010 and this setting will prompt the user to enable macros anytime the workbook is opened. The end-user can change the security setting to ‘Enable all macros’, and then macros will run without the prompting.
For more general information about Macro security settings, please refer to this Microsoft article: http://office.microsoft.com/en-us/excel-help/change-macro-security-settings-in-excel-HP010096919.aspx
I am developing a workbook with macros. How can I avoid having the Trust Center prompt my end-users?
|A note about macro security settings
Enabling macros to run without prompts could be potentially dangerous if a workbook contains malicious macros. The security prompt is designed to prevent macros from running unless the user decides they are safe to run. Each of the following suggestions will allow macros to run without prompting, which may harm your computer if the macros are malicious
Since the Trust Center’s settings are determined on a per-user basis, depending on which security settings the user has selected, the behavior the end-user experiences may vary. Here are some ideas for avoiding the Trust Center security prompt:
One of the macro settings is to ‘Disable all macros except digitally signed macros’. This means that if the macros are signed by a Trusted Publisher, Excel will run the macros without any security prompts. All unsigned macros will still prompt the user to enable them, but they will not be prompted for workbooks that contained macros signed by the Trusted Publisher.
This Microsoft article explains how to digitally sign a macro project: http://office.microsoft.com/en-us/excel-help/digitally-sign-a-macro-project-HA001231781.aspx
After you have signed the project, the end-user will need to add you as a Trusted Publisher. This is explained below.
The first time the user opens a workbook with signed macros, they will be given the following options:
- Help protect me from unknown content (which is to leave the macro disabled)
- Enable this content (enable for one-time use)
- Trust all documents from this publisher (enable all macros from this publisher).
Instruct the end-user to select Trust all documents from this publisher, which will add the publisher who signed the macros, you, as a Trusted Publisher. All subsequent workbooks with macros signed by you will not display security prompts when opened on the end-user’s machine.
For more information about Trusted Publishers, please refer to this Microsoft article: http://office.microsoft.com/en-us/excel-help/add-remove-or-view-a-trusted-publisher-HA010034138.aspx?CTT=5&origin=HA010167227
If a workbook is opened from a trusted location, it does not go through the Trust Center. This means that regardless of the Trust Center settings, Excel will run the macros in the workbook without any security prompts. Trusted locations should always be secure and trustworthy.
If your end users are opening the workbooks directly from the browser cache (e.g. the workbook is streamed to the client from a web application), DO NOT tell them add their browser cache as a trusted location. The browser cache is an easy target for hackers who can force the browser to download potentially comprimised workbooks. This is not to say that trusted locations are never recommended. For instance, your end-users could specifically designate another location as trusted, and copy any files to that location before opening them, which is the secure way to use trusted locations to avoid the security prompts.
Here is a Microsoft article that discusses trusted locations: http://office.microsoft.com/en-us/excel-help/create-remove-or-change-a-trusted-location-for-your-files-HA010031999.aspx?CTT=5&origin=HA010167227
This option runs all macros without prompting. This is NEVER recommended because it potentially exposes the end-user to malicious macros, even if your macros are safe.
Macro Settings in Excel 2003
If you are using Excel 2003, the macro settings will be different. Excel Hints has a good overview of those settings here: http://excelhints.com/2010/08/06/adjust-the-security-level-in-excel/.