VBA Macro Security

Submitted on May 17, 2007 – 10:35 am | 47421 views | 25 Comments

Macro security is an important topic for anyone who deals with automated Microsoft Office solutions. Since Visio and other Office documents can contain Visual Basic code that can perform potentially harmful operations, you need to understand a little bit about how to secure your system.

This article will inform you about the various security settings available for Visio 2003 and Visio 2007, so that you can more confidently enjoy the downloads and code samples that you’ll find on Visio Guy.

What are Macros and VBA?

For several versions now, Visio has shipped with Visual Basic for Applications (VBA), which offers a quick (and sometimes dirty) way of creating small automated solutions. It also offers an extremely convenient way of experimenting with Visio’s automation capabilities.

VBA also provides a wonderful vehicle for delivering sample code and automated examples that help you to learn the stuff of Visio development. In one Visio document, you can have custom master shapes, pre-built template graphics, and VBA “code-behind” that very effectively demonstrate the important parts of an automated Visio solution!

But oftentimes, automated solutions require initialization code. Events such as OnDocumentCreated, OnDocumentOpened, and RunModeEntered allow code to execute when a Visio document is opened. This is where the danger presents itself. Any number of operations can take place just by opening a document! In security parlance, this VBA code-in-a-document is referred to as macros. And protecting yourself from this code is, of course, called macro security.

Macro Security

Of course, it would be all too simple to advise you as follows: Always trust software from Visio Guy! But that would be naive and irresponsible of me (and of you!), now wouldn’t it?

I could also list every line of VBA code in every single download. Then you could meticulously examine and approve each line, then copy it into your own VBA projects. Tedious at best, and rather impractical. It would also negate the convenience of all the nifty, pre-built downloads that you’ve come to know and love from Visio Guy.

Therefore, the Wizards at Microsoft have come up with a solution. And they’ve allowed you some flexibility in how you defend yourself. Using Visio’s macro security settings, you can choose what level of macro security you want. Based on the settings you choose, Visio will do one of the following when you open a macro-containing document:

  • Ignore macros and disable them
  • Inform you that macros are present
  • Allow you to enable or disable macros on a per-document basis
  • Allow all macros to run

Since there have been some changes to macro security in the newest version of Visio, we’ll look at the options for both Visio 2003 and Visio 2007.

Visio 2003 Macro Security

To configure your security in Visio 2003, look under the menus: Tools > Macros > Security. You’ll see this dialog box:

Visio 2003 Security Settings

These settings will have the following effects on the opening of a Visio document that contains VBA code:

Very High – The macros will not run, and you won’t be notified unless they are installed in trusted locations.

High – You will get a warning that macros are disabled, unless they are properly signed and certified.

Visio 2003 High Security Dialog

Medium – You get a warning that there are macros in the document, and you can choose to enable or disable them:

Visio 2003 Medium Security Dialog

Low – All VBA code will run without any warning. If you are getting documents from various sources, this is rather risky.

Medium is the setting that I use. Most of the Visio documents that I use are created by me, or by other Visio freaks whom I know and love. If I get a document from a stranger (or a rookie), I can quickly and conveniently choose to disable macros, then personally examine the VBA code before allowing it to run. Disabling the macros doesn’t make the VBA project inaccessible. It just stops it from running. So with a quick flick of the wrist, Alt + F11 will bring up the VBA editor, and I can search for something like: “Format C:\” or something equally malicious.
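The manual review described above can be partly automated once the module text has been copied out of the VBA editor. The following is an added example, not code from Visio Guy: it lists calls worth reading closely and marks those reachable from a handler that Visio fires on open. The list of flagged calls and the sample module are constructed for illustration, and the function names are hypothetical.

```python
import re

# ThisDocument handlers that Visio fires when a drawing is created or opened.
AUTO_RUN = {"document_documentopened", "document_documentcreated",
            "document_runmodeentered"}
# Calls worth reading closely in downloaded code (a review aid, not a verdict).
RISKY = {"shell", "createobject", "getobject", "kill", "rmdir"}
PROC = re.compile(r"\s*(?:(?:public|private|friend)\s+)?(?:static\s+)?"
                  r"(?:sub|function)\s+(\w+)", re.I)
END = re.compile(r"\s*end\s+(?:sub|function)\b", re.I)

def parse(vba_text):
    """Return {procedure name (lower case): [(line number, words), ...]}."""
    procs, current = {}, None
    for n, raw in enumerate(vba_text.splitlines(), 1):
        # Blank string literals, then cut a trailing ' comment.
        code = re.sub(r'"[^"]*"', '""', raw).split("'", 1)[0]
        m = PROC.match(code)
        if m:
            current = procs.setdefault(m.group(1).lower(), [])
        elif END.match(code):
            current = None
        elif current is not None:
            current.append((n, re.findall(r"\w+", code.lower())))
    return procs

def review(vba_text):
    """Return [(line, procedure, risky call, auto-run handler or None)]."""
    procs = parse(vba_text)
    reached = {}  # procedure -> auto-run handler whose call chain reaches it
    for handler in sorted(AUTO_RUN & procs.keys()):
        todo = [handler]
        while todo:
            name = todo.pop()
            if name not in reached:
                reached[name] = handler
                for _, words in procs[name]:
                    todo += [w for w in words if w in procs]
    return [(n, name, w, reached.get(name))
            for name, body in procs.items()
            for n, words in body for w in words if w in RISKY]

# Constructed sample module, not taken from any real download.
SAMPLE = '''Private Sub Document_DocumentOpened(ByVal doc As IVDocument)
    MsgBox "Kill nothing here"   ' Shell only in a comment
    Cleanup "*.tmp"
End Sub
Private Sub Cleanup(pattern As String)
    Kill pattern
End Sub
Public Sub ManualExport()
    Shell "notepad.exe", vbNormalFocus
End Sub
'''
```

A finding whose last field names a handler runs as soon as macros are enabled for the document; one with `None` runs only when something else invokes that procedure.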

One final note: in Visio 2003, you have to close down and restart Visio each time you change the level of your macro-security setting.

Visio 2007 Macro Security…er…Trust Center

In Visio 2007, there were slight changes made in the area of macro security, along with the inevitable Microsoft name changes. In the new version, you’ll find your macro-security settings a bit more accessible. They now live right under: Tools > Trust Center.

Visio 2007 Security Settings

These settings will have the following effects on the opening of a Visio document that contains VBA code:

Disable all macros without notification – This setting disables all macros that are not in a trusted location (more on trusted locations later). It’s not clear to me if digitally signed macros are still ok with this setting, though.

Disable all macros with notification – If you open a non-trusted, macro-containing Visio document, you’ll be presented with this sneaky bar that appears at the top of the Visio drawing window:

Visio 2007 With Notification Dialog

All hope is not lost at this point. If you know where the code came from, and want to allow the macros to run, just click the Options… button. You’ll then see this dialog:

Visio 2007 With Notification Dialog

A quick click of the Enable this content radio button will allow you to proceed. This is analogous to the Medium setting in Visio 2003, but it’s a lot more work — well, three more clicks for every document, anyway.

Disable all macros except digitally signed macros – This one is pretty self-explanatory. No sign, no go.

Enable all macros (not recommended; potentially dangerous code can run) – Also pretty clear. Everything goes! Open Visio document, run macro, Format C:\!!!

You’ll also see the setting for Trust access to the VBA project object model right here on this screen. This is nice and convenient. In Visio 2003, this check box was buried under Tools > Macros > Security > Trusted Publishers Tab.

Also, another improvement is that in Visio 2007, you don’t have to restart Visio for the security settings to take effect.

Let’s Play: Complain About the Changes in the New Version!

As I mentioned before, the second option, Disable all macros with notification, is about the same as the Medium security in Visio 2003, except that you have to click a button, view another dialog, click a radio button, and then (finally) click OK. If you have as many Visio files with VBA code as I do, then you will immediately file this change under HUGE PAIN IN THE ASS.

“But, Mr. Visio guy, you can easily get around this, by digitally signing your VBA projects, right?” Well yes, but this might pose a hindrance because:

  1. You have to actually have a Digital Signature certificate for signing a document’s code project
  2. You have to actually bother to sign the document
  3. If you change the code in the project, you have to re-sign the document

I think there are cost-free methods for creating and obtaining your own personal Digital Signature, so that code that you created can be run by you. I haven’t researched this yet. If you plan on deploying your documents to a wide audience, then you’ll need to get a certificate and properly sign your stuff. I have no qualms with this, but I believe that it is not cheap to obtain one.

I’ll go so far as to say that Visio Guy should probably grow up and digitally sign the downloads it offers, but, well, we aren’t generating a lot of cash with free downloads, and we’re, like, travelling around the world right now, and well, um, er, you know… :)

Fortunately, there’s another option. Back in our friendly Trust Center, you can set up trusted locations on your machine. If you highlight the Trusted Locations tab, you’ll be able to add local folders to a list of trusted locations. These files will behave as though they’ve been digitally signed, and not pester you with macro warnings:

Visio 2007 Add Trusted Locations

Note also the handy-dandy subfolders check box in the path-entry dialog box. This allows you to set up an entire Good Guy Macro-document Location on your machine, where all macros are benign and benevolent.

Summary

Visio 2007 seems to offer more features regarding macro security than Visio 2003. I’m sure that Microsoft were faced with loads of security issues that I haven’t considered or would necessarily even fully understand. It seems that the new method is more flexible, and is surely more secure.

However, I personally like the Visio 2003 flow better, because it allows lazy hackers like me to be safer. I didn’t find it difficult to click Enable or Disable every time a macro’d document was open, because MS put the dialog right in my face, when I chose the Medium setting.

With Visio 2007, it seems likely that a developer would set, say, the Desktop and all sub-folders as a trusted location, and then haphazardly drop a document from an e-mail to that location and open it. In this case, they won’t get any warning about the macros, and they could possibly get bitten. It would be nice to still have the ask me every time option.

With the new setup, users need to be disciplined enough not to defeat the system too widely — with trusted locations that are too general. They also have to be disciplined enough to place unknown documents in non-trusted locations. I imagine that opening a document from an e-mail is the same as opening from an untrusted location, but I haven’t researched this yet.
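One way to check for trusted locations that are too general, as an added example that is not part of the original article: given the paths entered in Trust Center and the state of each subfolders check box, it reports every entry that makes a typical file-landing folder trusted. The landing-folder list, the profile path and the sample entries are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Folders under a user profile where files from e-mail, browsers and archives
# tend to land. Assumed list for this example; adjust to your environment.
LANDING = ("Desktop", "Downloads", r"AppData\Local\Temp")

def audit(locations, profile):
    """locations: [(path, allow_subfolders)] as entered in Trust Center.
    Returns [(path as entered, landing folder it makes trusted)]."""
    zones = [PureWindowsPath(profile) / z for z in LANDING]
    findings = []
    for raw, subfolders in locations:
        # Expand %USERPROFILE%; a function replacement keeps backslashes literal.
        loc = PureWindowsPath(
            re.sub("%userprofile%", lambda m: profile, raw, flags=re.I))
        for zone in zones:
            # Exact match always counts; an ancestor only with subfolders on.
            if loc == zone or (subfolders and loc in zone.parents):
                findings.append((raw, str(zone)))
    return findings

# Constructed sample: (path, state of the subfolders check box)
PROFILE = r"C:\Users\alice"  # hypothetical profile path
SAMPLE = [
    (r"c:\users\alice\desktop", True),                  # the Desktop case
    (r"%USERPROFILE%\Documents\Visio Projects", True),  # narrow project folder
    ("C:\\", True),                                     # whole drive
    (r"C:\Users\alice", False),                         # profile root only
]
```

Paths are compared case-insensitively, as Windows does, so `c:\users\alice\desktop` and `C:\Users\alice\Desktop` count as the same folder.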

I do like the fact that with good habits, Visio 2007 will allow you to do less. You can easily get rid of macro-warnings for all of your trusted files.

More on Macro Security

Enable or disable macros in Office documents: Covers all the options involved in Trust Center, and highlights the differences in macro security between the various Office 2007 applications.

Todo…

Some items that might make this article more complete:

  • Discuss the other tabs under Trust Center: Trusted Publishers, Add-ins, Active-X Settings, Macro Settings, Message Bar, Privacy Options. What they are, where they were buried in older versions, if they existed at all, etc.
  • More about Digital Signatures and how to obtain a certificate. Obvious places to start: VeriSign.
  • More links to “Office Security”, links to information about Microsoft Office solution-distribution and deployment.

25 Comments »

  • This is a test of the Visio Guy commenting system. The bloggers of your area, in voluntary cooperation with Federal, State, and Local authorities, have developed this system to keep you informed in the event of a comment. If this had been an actual comment, the attention signal you just heard would have been followed by news and instructions. This system serves the http://www.visguy.com area. This concludes this test of the Visio Guy commenting system.

  • Gary Lacey says:

    In Visio 2003, I get warned of macros, but there are no macros in the document. How can I find out what is causing the warning and eliminate it?

  • Visio Guy says:

    Hi Gary,

    Is your document opening with other stencils? Some of the stencils might have some VBA code.

    Also, sometimes a project with virtually nothing in it still “counts” as a project. I just tried this in Visio 2007, maybe it’ll work in 2003:

    1. Delete everything in the ThisDocument module (use Ctrl + A to Select All, then delete)
    2. Close the ThisDocument window
    3. Save

    That should clean out your VBA project so you don’t get the macro warning any more.

    - Chris

  • Greg says:

    I have downloaded and unzipped the Circular text generator (V1) but there is no ‘File’ menu button – ????

  • Edgar says:

    Hi, I am trying to save/create a macro, but after clicking alt+F8 all options are grayed out. In the Trust center, I have added the folder where the file is located to the trusted locations, enabled all macros, and checked “trust access to the VBA project object model”, closed Visio and opened it again. I also cannot access the VBE. I’m using Visio 2007 (activated) in Developer Mode. Any ideas why I can’t create any macros? Thanks for your help!

  • Visio Guy says:

    Hi Edgar,

    I think that is how Excel and Word work, but Visio doesn’t have a “central repository” of macros or a Normal.dot-like structure.

    The macros you use have to be in the Visio drawing that is open (or one of the Visio files that is open, really)

    You could have a document called “General Code” full of all your macros, and just open that with any drawing you need to work on.

  • Edgar says:

    Thank you Visio Guy. I think my issue is that I cannot create any Macros because the option is greyed out, even if I start a brand new Visio document. I have a script in a text file that I was trying to edit in the VBE, but I can’t start the VBE or record a Macro.

  • Visio Guy says:

    What happens when you press “Alt + F11”?

    Your security settings might be on “High” or your network administrator has turned off macros for Visio. Do you work for a big company that locks down computers?

  • Edgar says:

    Nothing happens on my computer. On other computers in the office the VBE opens, just not on mine. We have system administrators but I am also an admin on my computer. Do you know how I can enable VBE on my computer? Are there other security settings to modify other than Macro settings in the Trust Center?
    Thanks again!

  • JK says:

    Thank you thank you for this tip. I have been bombarded by so many Visio macro messages each time I open my documents, and forced to click “enable” so many times that the frustration has become second nature! For the first time in over a year I just opened a vsd pain free… I’m in shock!

  • Visio Guy says:

    Hi JK,

    I know the feeling! When I work on a project for a customer, I add the project-directory to the “safe macro” list, and it is like a breath of fresh air, absolute heaven, to not have that darn warning pop up every time!

    - Chris

  • Safieh says:

    Hello everyone,

    I recently downloaded Visio 2007 to do some assignment for my class. But I do not see the “Database” tab; all I have is the following:

    File, Edit, View, Insert, Format, Tools, Data, Shape, Window and Help. And of course help does not help in this situation. Does anybody know why I am missing the “Database” tab?

    Thank you

  • Visio Guy says:

    Data is available only with Visio 2007 Professional and 2010 Pro or Premium. Perhaps you have Standard?

  • ed says:

    QUESTION:
    Is there a way to permanently brand or watermark a Visio document/template prior to distribution such that the actual information, shapes, etc on the template could be altered – but the permanent brand/watermark could not be deleted or altered??
    This would allow for the distribution of Visio templates which would be permanently marked as “different” from the original file – but allow recipients to alter the components of the Visio document/template.

  • Visio Guy says:

    Hi Ed,

    Three ways to do this:

    1. Printer settings often have a watermark option, might not be what you need though.

    2. Background pages: put a watermark on a background page, then assign the background to the foreground. User will have to do a bit of futzing to get rid of this.

    3. Use layers. Make a “watermark” shape. Assign it to a layer. Lock the layer so the shape can’t be moved or selected. Only drawback is that shapes can be “brought to front” or “sent to back” so they can appear in front of and behind the watermark. But this will work fairly well.

  • Margie says:

    Hello to every body, it’s my first pay a quick visit of this web site; this weblog consists of remarkable and really good stuff designed for readers.
