Trust Center Part 4: Trusted Locations

re: Trust Center Part 4: Trusted Locations

Harlan Grove — Tue, 01 Aug 2006 19:44:22 GMT

As long as %APPDATA%\Microsoft\Excel\XLSTART is a trusted location by default, who wouldn't target it? And it's the same for most users across companies and countries. It's a great big bullseye for maliciously constructed XLS files.

While signing and certificates may be a royal pain to handle in a distributed environment, keying on particular document properties, such as the original creator's name, would nicely complement trusted locations. Any file can have only one creator, so only one creator's name. And most companies and individuals across the globe are highly unlikely all to trust the same person(s).

Trusted locations without either signing and certificates or checking file creator's name is a bad joke. It makes these locations inherently insecure. MAYBE if trusted locations were restricted to network shares in which users can't save files, either new ones or modified existing ones, they'd be OK. That way IT departments or other central authorities could distribute files to trusted locations, but users couldn't. That'd handle XLA[M] add-ins and XLT[M] templates.

XLS[M] files with macros in which users would be expected to make changes would be trickier. Maybe the best that could be done would be putting all the VBA/macros/udfs into XLA[M] add-ins and none into the XLS[X] files. Have users load such models by loading the add-in, and put Open event handlers in the add-ins to prompt for the XLS[X] file to open.

Trust Centre and Office Development

Kevin Boske - Office Development — Tue, 01 Aug 2006 22:30:09 GMT

As developers writing code for Office, we all need to be aware of security.&nbsp;Let's face it, we've...

re: Trust Center Part 4: Trusted Locations

sam — Wed, 02 Aug 2006 07:27:42 GMT

"Any file can have only one creator, so only one creator's name. "

Harlan....some years ago... I lost a challange

The challange was to try and create a xls file which if you copy and open the copy will pop up a message..."You have a copy of the orginial"

I tried several approaches...one of them was to get the file creation date, time (minute, hour, sec)of the orginal and compare it with the copy....

Unfortunately if a user simply set the date of his computer to that of the original file and the time a few seconds(say 10) before the original file creation time... and started making copies....one of them will have a date and time of the original....trial and error...but will work...

It is sad that a file's creator doesnt change when copied.....In my opinion it should...It could be used as a one of the parameter to test if the file is an original or a copy

A problem with the the windows os..that we have to live with...

Sam

re: Trust Center Part 4: Trusted Locations

A User — Wed, 02 Aug 2006 23:00:55 GMT

Given that a certain amount of paranoia seems justified these days, this seems a reasonable approach even though it is somewhat inconvenient and is still susceptible to some attacks. Thanks to Dan, Sam, & Sam for workaround suggestions in the Part 2 thread.

I do have an issue with the "disable without notice" option. I realize this is only an option, and probably not a default one, but when a file is opened in a mode other than its intended mode of operation there really should be a warning. If someone has good reason to do this regularly they should be able to deal with a click through, and would probably benefit from visibility of the mode. If not, they should be warned away!

re: Trust Center Part 4: Trusted Locations

samrad — Mon, 07 Aug 2006 14:05:03 GMT

Hey again! Thanks for the comments, replies below:

Harlan:
we wanted to ensure xlstart is trusted mainly for backwards compat. since the locations are customizable and admin controllable, they can remove xlstart if they don't need it, and trust only particular locations, like only network shares as you suggest. also note, there are other layers of security that will help against putting malicous files in there (os/ie wise). just to state it again, particular care should be taken when designating a path as a trusted location.

A User:
You're right, the disable w/o notification is not the default :) We wanted to make the settings flexable, and allow admins to configure when their users would see security issues and alerts.

Trusted Location in Office 2007

Marco Scheel aka GeekDotNet — Sat, 06 Jun 2009 23:13:44 GMT

Wer mit SharePoint arbeitet und darin die üblichen verdächtigen Dateitypen der Office Familie verwendet, kennt vielleicht die Securityhinweise, wenn zum Beispiel Excel aus einer SharePoint Lib geladen wird. SharePoint gilt in solchen Situationen eigentlich

Microsoft Excel Trust Center Part 4 Trusted Locations | alternative dating

Microsoft Excel Trust Center Part 4 Trusted Locations | alternative dating — Wed, 17 Jun 2009 10:51:43 GMT

PingBack from http://topalternativedating.info/story.php?id=15417