Why use digital signatures on macros

TechRepublic
The destructive potential of macros has forced IT professionals to extend their security focus to commonly distributed documents.

To protect against this threat without curtailing distribution and use of macros, many organisations implement digital signatures, which allow verification that macros and other electronic content come from a trusted source.

Digital signatures on macros tell users who placed the signature in the document. The signature can be verified with a certificate root authority or using an internal mechanism within your organisation. You can implement digital signatures with your macros by:

  • Using SelfCert.exe, the native Microsoft signing tool.
  • Using a PKI implementation.
  • Purchasing a package to give you a digital signature that is verified by a root certificate authority.

In this article, we will focus on Microsoft Excel, but other macro-enabled Office applications behave in a similar manner.

SelfCert.exe tool
Microsoft Office distributions include the SelfCert.exe tool as part of the default installation. This tool is distributed as a personal-use mechanism for creating digital signatures. It does not actually verify the identity of the author of the signature; instead, it writes a signature that it explicitly notes as not authentic. It is important to discuss this tool first, as fraudulent digital signatures may use it.

By default, the SelfCert tool is installed in C:\Program Files\Microsoft Office\Office\Selfcert.exe. Running the tool is fairly straightforward, and some basic safeguards are in place to ensure that certificate authorities are not spoofed. For example, you can't use Verisign, Inc., in the Name field of the SelfCert tool, although you can use similar variants of that name. (In other words, Verisign is rejected; Veri Sign is not.) SelfCert-created signatures don't have an actual certificate, but only a header. When you look at a certificate created with SelfCert, you'll see that it's "empty". Figure A shows an example.

Figure A

If a macro project contains a digital signature, users need to be able to distinguish a SelfCert-created certificate from a certificate authority-issued one. With Office installations using High or Medium security settings, running a macro will bring up the familiar security message to enable or disable macros. But as Figure B shows, SelfCert-created signatures appear with a warning.

Figure B

It's important to click the Details tab to get more information, because looking at the name of the macro issuer is not enough to determine whether a signature is valid. The Details tab will give the official information on any digital signature.

What about a PKI infrastructure?
If your organisation uses PKI, and you have an imported certificate, this certificate can function as a mechanism to sign macros. However, having a PKI infrastructure and a key installed will not automatically assign a digital signature to all authored content (macros). Further, if the PKI implementation did not issue the signatures through one of the root certificate authority organisations, the digital signature may not transport well out of your organisation.

Digital signature example
Let's look at a macro that has a valid digital signature and see how Microsoft Excel recognises it. When you first open a signed Excel document, it may not appear any different from an unsigned document. Therefore, as a matter of practice, users should always view the details of a signature and check the Digital Signature Information field for the signature. In our sample digitally signed document, this signature was issued by SSNS (Sample Security Name Systems, a fictitious organisation). Clicking on the Details tab of the macro security prompt (which, again, appears only with High or Medium security settings) shows the information in Figure C.

Figure C

Notice that unlike the SelfCert example, where the status was marked as Not Trusted, this signature is marked as OK. When the status is marked as OK or as Verified with a root certificate authority, you can be sure that the macros are from the organisation or individual(s) listed on the macro startup screen. This does not mean that the contents of the electronic material are safe; digital signatures ensure only that the material was indeed digitally signed by the person specified as the signer.
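The two warning signs described above (a SelfCert-style self-signed certificate, and a signer name that merely resembles a well-known authority such as "Veri Sign") can be checked on a workstation from the certificate stores Office consults. The script below is an added example, not code from the article; it assumes Windows PowerShell with the Cert: drive, that publishers the user has chosen to trust live in CurrentUser\TrustedPublisher, and uses the authority names the article lists as its lookalike reference.

```powershell
# Added example (not from the article): audit certificates a user has accepted
# as macro publishers, plus the personal store where SelfCert places its output.
# Assumptions: Windows PowerShell, Cert: drive available, stores named below.

# Authority names from the article; the lookalike test collapses spacing,
# case and punctuation so that "Veri Sign" is treated as a variant of "VeriSign".
$WellKnownCAs = @('VeriSign', 'eSign', 'RSA Security')

function Get-NormalizedName {
    param([string]$Name)
    return ($Name -replace '[^A-Za-z0-9]', '').ToLowerInvariant()
}

function Test-MacroPublisherCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = @()

    # SelfCert writes a self-signed certificate: issuer DN equals subject DN.
    if ($Cert.Subject -eq $Cert.Issuer) {
        $findings += 'self-signed (SelfCert-style, not vouched for by any authority)'
    }

    # Does the certificate chain to a root this machine trusts? (Revocation is
    # skipped here so the check works offline; enable it for a production audit.)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings += "chain does not build to a trusted root: $status"
    }

    # Subject CN that matches a well-known authority only after normalisation.
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    foreach ($ca in $WellKnownCAs) {
        if ((Get-NormalizedName $cn) -eq (Get-NormalizedName $ca) -and $cn -ne $ca) {
            $findings += "subject '$cn' resembles well-known authority '$ca'"
        }
    }
    return $findings
}

'Cert:\CurrentUser\TrustedPublisher', 'Cert:\CurrentUser\My' | ForEach-Object {
    $store = $_
    Get-ChildItem $store | ForEach-Object {
        [PSCustomObject]@{
            Store    = $store
            Subject  = $_.Subject
            NotAfter = $_.NotAfter
            Findings = ((Test-MacroPublisherCert $_) -join '; ')
        }
    }
} | Format-Table -AutoSize
```

A row whose Findings column is empty is a CA-issued certificate that chains correctly; as the article notes, that still says nothing about whether the signed macro itself is safe.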

Certification authority
Issuing certificates should be done by a certificate authority for the most widespread acceptance of an authentic digital signature. Microsoft publishes a list of trusted commercial organisations that provide digital certificates. Approximately 15 of these companies can provide digital certificates for macros and other types of code. Among the other offerings are PKI, VPN, e-commerce, and SSL products. Costs for these products vary. Some packages start at $200 for digital signatures, and the prices go up from there. Microsoft's list of trusted companies includes some of the most popular and well-known names in this space, including VeriSign, eSign, and RSA Security.

Web resources
Microsoft offers additional details on macro signing in "Using SelfCert to Create a Digital Certificate for VBA Projects" and "Add a Digital Signature to a Custom Macro Project in an Office Program." The ZDNet white paper "Microsoft Office 2000 and Digital Macro Signatures" provides a look at both the strengths and shortcomings of Office 2000's digital signature mechanism.

©2004 TechRepublic, Inc.