Home page logo

educause logo Educause Security Discussion mailing list archives

Office 2007 security using signed add-ins
From: "Fowler, Steve" <steve.fowler () OREGONSTATE EDU>
Date: Thu, 9 Oct 2008 16:44:12 -0700


We've begun wide scale deployment of Office 2007 in our computing
environment.  Since beginning the process we've run into an issue
surrounding setting macro level security for add-ins.  In Microsoft's
trust security model only add-ins signed by a trusted publisher are
allowed to function.  We have at least three products that are used that
come with unsigned add-ins.  To attempt to get this corrected we've
addressed the security concern with the vendor and asked whether they
intend on providing a signed add-in.  I don't think we've gained much
traction so far.

I am curious how others are addressing this issue.

As a backup plan we have discovered that we can sign the add-ins with a
locally trusted cert and when the signed add-in and cert are deployed we
are able to have the product work.  This, of course, raises EULA issues
and requires processes that would have to be followed when updating the
application to a new version.

Thanks in advance
Steve Fowler
Systems Manager
Technology Support Services
Oregon State University

  By Date           By Thread  

Current thread:
  • Office 2007 security using signed add-ins Fowler, Steve (Oct 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]