Copying the dotm file which contains macros to the trusted location of Word?

  • Question

  • The macro has to be in a trusted location to prevent macro viruses, but I found that in my C++ program I could use the ::CopyFile function to copy the dotm file to a trusted location

    C:\Users\cqh\AppData\Roaming\Microsoft\Word\Startup\

    without asking for administrator permissions. Does this mean a macro virus could be copied to the trusted location without administrator permissions?


    • Moved by Cindy Meister MVP Tuesday, July 15, 2014 4:36 PM Administrator, not developer-related question
    Tuesday, July 15, 2014 8:34 AM

Answers

  • Hi,

    Per my understanding, it doesn't mean the files are completely safe to be saved in the trusted location. As a good behavior, we should determine folder sharing and folder security settings for trusted location folders.

    All folders that you specify as Trusted Locations must be secured. Use the following guidelines to determine which sharing settings and security settings you have to apply to each trusted location:

    • If a folder is shared, configure sharing permissions so that only authorized users have access to the shared folder. Be sure to use the principle of least privilege and grant permissions that are appropriate to a user. That is, grant Read permission to those users who don’t have to change trusted files, and grant Full Control permission to those users who have to change trusted files.

    • Apply folder security permissions so that only authorized users can read or change the files in Trusted Locations. Make sure to use the principle of least privilege and to grant permissions that are appropriate to a user. That is, grant Full Control permissions to only those users who have to change files. Then, grant more-restrictive permissions to those users who need only to read files.

    We can learn from "Plan and configure Trusted Locations settings for Office 2013":

    http://technet.microsoft.com/en-us/library/cc179039(v=office.15).aspx

    Melon Chen
    TechNet Community Support

    Wednesday, July 16, 2014 2:24 AM
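
The folder-permission guidance in the answer above can be checked on a given machine. The following PowerShell is an added example, not part of the thread or of Microsoft's documentation: it lists Word's Trusted Locations from the registry and shows which principals hold write access to each folder. It assumes Office 2013 (registry version key 15.0) and per-user locations under HKCU; the function names are hypothetical.

```powershell
# Added example: list Word Trusted Locations and the principals allowed to write to them.
# Assumption: Office 2013 (version key 15.0), locations stored per user under HKCU.
$officeVersion = '15.0'
$root = "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security\Trusted Locations"

# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# plus GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) as stored in some ACEs.
$writeMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Get-WordTrustedLocation {   # hypothetical helper name
    param([string]$RegistryRoot)
    if (-not (Test-Path -Path $RegistryRoot)) { return }
    Get-ChildItem -Path $RegistryRoot | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.Path) {
            [pscustomobject]@{
                Key             = $_.PSChildName
                Path            = [Environment]::ExpandEnvironmentVariables($props.Path)
                AllowSubFolders = [bool]$props.AllowSubFolders
            }
        }
    }
}

function Get-WritePrincipal {   # hypothetical helper name
    param([string]$Folder)
    # Keep only Allow entries that grant the ability to create or change files.
    (Get-Acl -LiteralPath $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights -band $writeMask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

Get-WordTrustedLocation -RegistryRoot $root | ForEach-Object {
    $writers = if (Test-Path -LiteralPath $_.Path -PathType Container) {
        (Get-WritePrincipal -Folder $_.Path) -join '; '
    } else { '(folder not found)' }
    [pscustomobject]@{
        Key = $_.Key; Path = $_.Path; AllowSubFolders = $_.AllowSubFolders
        CanWrite = $writers
    }
} | Format-List
```

Any principal in `CanWrite` can place a macro-enabled template in that location without elevation, so the list is what to compare against the set of users who actually need to change trusted files.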

All replies

  • Hi,

    Per my understanding, it doesn't mean the files are completely safe to be saved in the trusted 

    This folder C:\Users\cqh\AppData\Roaming\Microsoft\Word\Startup\ is a default trusted location in WINWORD.exe, and the current user can write files into it. I run a C++ program without asking for Administrator permission and copy a dotm file into it.

    According to your answer, to be safe, the user has to change the permissions of this folder. But I cannot figure out who will do this.

    So is it safe for WINWORD.exe to add this folder as a trusted location as default behavior?

    Wednesday, July 23, 2014 1:05 AM
  • For a macro to write to that folder, the macro has to be running (i.e. enabled or trusted), first. I certainly would not want folder permissions restricted.

    Charles Kenyon Madison, WI


    Wednesday, July 23, 2014 5:15 PM