The destructive potential of macros has forced IT professionals to extend their security focus to commonly distributed documents.

To protect against this threat without curtailing distribution and use of macros, many organisations implement digital signatures, which allow verification that macros and other electronic content come from a trusted source.

Digital signatures on macros tell users who placed the signature in the document. The signature can be verified with a certificate root authority or using an internal mechanism within your organisation. You can implement digital signatures with your macros by:

• Using SelfCert.exe, the native Microsoft signing tool.
• Using a PKI implementation.
• Purchasing a package to give you a digital signature that is verified by a root certificate authority.

In this article, we will focus on Microsoft Excel, but other macro-enabled Office applications behave in a similar manner.

SelfCert.exe tool
Microsoft Office distributions include the SelfCert.exe tool as part of the default installation. This tool is distributed as a personal-use mechanism for creating digital signatures. It does not actually verify the identity of the author of the signature; instead, it writes a signature that it explicitly notes as not authentic. It is important to discuss this tool first, as fraudulent digital signatures may use it.

By default, the SelfCert tool is installed in C:\Program Files\Microsoft Office\Office\Selfcert.exe. Running the tool is fairly straightforward, and some basic safeguards are in place to ensure that certificate authorities are not spoofed. For example, you can't use Verisign, Inc., in the Name field of the SelfCert tool, although you can use similar variants of that name. (In other words, Verisign is rejected; Veri Sign is not.) SelfCert-created signatures don't have an actual certificate, but only a header. When you look at a certificate created with SelfCert, you'll see that it's "empty". Figure A shows an example.

Figure A

If a macro project contains a digital signature, users need to be able to distinguish a SelfCert-created certificate from a certificate authority-issued one. With Office installations using High or Medium security settings, running a macro will bring up the familiar security message to enable or disable macros. But as Figure B shows, SelfCert-created signatures appear with a warning.

Figure B

It's important to click the Details tab to get more information, because looking at the name of the macro issuer is not enough to determine whether a signature is valid. The Details tab will give the official information on any digital signature.

What about a PKI infrastructure?
If your organisation uses PKI, and you have an imported certificate, this certificate can function as a mechanism to sign macros. However, having a PKI infrastructure and a key installed will not automatically assign a digital signature to all authored content (macros). Further, if the PKI implementation did not issue the signatures through one of the root certificate authority organisations, the digital signature may not transport well out of your organisation.

Figure C

Notice that unlike the SelfCert example, where the status was marked as Not Trusted, this signature is marked as OK. When the status is marked as OK or as Verified with a root certificate authority, you can be sure that the macros are from the organisation or individual(s) listed on the macro startup screen. This does not mean that the contents of the electronic material are safe; digital signatures ensure only that the material was indeed digitally signed by the person specified as the signer.

Certification authority
Issuing certificates should be done by certificate authority for the most widespread acceptance of an authentic digital signature. Microsoft publishes a list of trusted commercial organisations that provide digital certificates. Approximately 15 of these companies can provide digital certificates for macros and other types of code. Among the other offerings are PKI, VPN, e-commerce, and SSL products. Costs for these products vary. Some packages start at $200 for digital signatures, and the prices go up from there. Microsoft's list of trusted companies includes some of the most popular and well-known names in this space, including VeriSign, eSign, and RSA Security.

Web resources
Microsoft offers additional details on macro signing in "Using SelfCert to Create a Digital Certificate for VBA Projects" and "Add a Digital Signature to a Custom Macro Project in an Office Program." The ZDNet white paper "Microsoft Office 2000 and Digital Macro Signatures" provides a look at both the strengths and shortcomings of Office 2000's digital signature mechanism.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2004 TechRepublic, Inc.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.