Important: This document may not represent best practices for current development, and links to downloads and other resources may no longer be valid. Current recommended version can be found here.
Security in Office Solutions (2007 System)
The information in this topic applies only to the specified Visual Studio Tools for Office projects and versions of Microsoft Office.
For more information, see Features Available by Application and Project Type.
The Visual Studio Tools for Office security model involves several technologies: the Visual Studio Tools for Office runtime, ClickOnce, the Trust Center in Microsoft Office, and the Internet Explorer restricted sites zone. The following sections describe how the different security features work.
Granting trust to Office solutions means modifying the security policy of each end user to trust the Office solution based on the following evidence:
The certificate used to sign the deployment manifest.
The URL of the deployment manifest.
For more information, see Granting Trust to Office Solutions (2007 System).
A Visual Studio Tools for Office document-level customization requires that the document be in a directory that is designated as a trusted location. For more information, see Granting Trust to Documents (2007 System).
The security features provided by the Microsoft .NET Framework 3.5 and the 2007 Microsoft Office system can help to protect against a variety of possible security threats in Visual Studio Tools for Office solutions. For more information, see Specific Security Considerations for Office Solutions.
To make your development process easier, Visual Studio Tools for Office sets the security policy that is required to run and debug your solution on your computer every time that you build a project. In some scenarios, you might need to take additional security steps to develop the project.
The fully qualified path of a document must be added to the list of trusted locations in the Microsoft Office application if you are developing the following types of projects:
Document-level solutions that are on a network file share such as \\servername\sharename.
Document-level solutions for Word that use .doc or .docm files.
Include the subdirectories when you add the document location to the trusted locations list, or specifically include the debug and build folders. For more information, see the Microsoft Office Online Help article Create, remove, or change a trusted location for your files.
Visual Studio Tools for Office creates a temporary certificate if a signing certificate does not already exist. You should use this temporary certificate only during development, and purchase an official certificate for deployment.
The temporary certificate is generated after a Visual Studio Tools for Office project is first built. The next time you press F5, the project is rebuilt because the project is marked as changed when the certificate is added.
Temporary certificates can accumulate over time, so you should clear them occasionally.
The Visual Studio Tools for Office runtime has features to verify the identity of the publisher and the permissions that are granted to a customization. It verifies these permissions through a sequence of security checks.
Security During Customization Loading
When a document-level customization is loaded, the Microsoft Visual Studio Tools for the Microsoft Office system (version 3.0 Runtime) always checks whether the document is in the trusted locations list. In addition, the runtime checks whether the solution requests FullTrust in the application manifest. It performs no additional security checks while the customization is loading.
Sequence of Security Checks During Installation
When an Office solution is installed or updated, the Visual Studio Tools for Office runtime performs a set of security checks in a specific sequence to make a trust decision. A solution is installed or updated only if the runtime determines that the solution is trusted.
You can start the installation process in one of four ways: by running the Setup program, by opening the deployment manifest, by opening the Microsoft Office application host, or by running VSTOInstaller.exe.
The first security check applies only to document-level solutions. The document of a document-level solution must be in a trusted location. If the document is on a remote network file share or has a .doc or .docm file name extension, the document's location must be added to the trusted locations list. For more information, see Granting Trust to Documents (2007 System).
The next set of security checks comes from the Visual Studio Tools for Office runtime and ClickOnce. To pass these checks, Office solutions must request FullTrust permissions, be signed with a certificate that is not listed in the Untrusted Publisher list, and be in a location that is not in the Internet Explorer restricted zone. If the certificate is in the Trusted Publisher list, then the solution is installed immediately. Otherwise, if it did not fail any of the checks, the solution continues to the final set of checks.
If the ClickOnce trust prompt is allowed and the solution has not yet been granted trust, the runtime will allow the trust decision to be made by the end user. If the user grants trust to the solution, an entry is added to the user inclusion list. All solutions in the user inclusion list have full trust and can be installed and run.
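The installation sequence described above can be modeled as a small decision function, which is useful for predicting which check will block a deployment. This is an added example, not code from Visual Studio Tools for Office: all class, field, and function names are hypothetical. It assumes that the Trusted Publisher shortcut applies only after the FullTrust, Untrusted Publisher, and restricted zone checks pass, and that a solution with no prompt and no inclusion list entry is not installed.

```python
# Added example: models the install-time trust sequence described in this topic.
# All names are hypothetical; none of this is a VSTO runtime API.
from dataclasses import dataclass
from pathlib import PureWindowsPath


def needs_explicit_trusted_location(document_path: str) -> bool:
    """True for documents on a network share or with a .doc/.docm extension."""
    path = PureWindowsPath(document_path)
    on_share = path.drive.startswith("\\\\")  # UNC drive, e.g. \\servername\sharename
    return on_share or path.suffix.lower() in {".doc", ".docm"}


@dataclass
class Solution:
    document_level: bool = False
    document_in_trusted_location: bool = False
    requests_full_trust: bool = True
    cert_untrusted_publisher: bool = False
    in_ie_restricted_zone: bool = False
    cert_trusted_publisher: bool = False
    in_user_inclusion_list: bool = False


def install_decision(s, prompt_allowed=True, user_grants=False):
    """Return (installed, reason), applying the checks in the documented order."""
    # 1. Document-level solutions only: the document must be in a trusted location.
    if s.document_level and not s.document_in_trusted_location:
        return False, "document not in a trusted location"
    # 2. Runtime and ClickOnce checks: any failure stops the installation.
    if not s.requests_full_trust:
        return False, "FullTrust not requested"
    if s.cert_untrusted_publisher:
        return False, "certificate in Untrusted Publisher list"
    if s.in_ie_restricted_zone:
        return False, "location in Internet Explorer restricted zone"
    # Assumption: the Trusted Publisher shortcut is reached only after the checks above pass.
    if s.cert_trusted_publisher:
        return True, "certificate in Trusted Publisher list"
    # 3. Final checks: the user inclusion list, then the ClickOnce trust prompt.
    if s.in_user_inclusion_list:
        return True, "already in user inclusion list"
    if prompt_allowed and user_grants:
        s.in_user_inclusion_list = True  # granting trust adds an inclusion list entry
        return True, "user granted trust at prompt"
    # Assumption: with no prompt or no grant, the solution stays untrusted.
    return False, "not trusted"
```
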