To enhance security by preventing malicious add-ins from automatically activating, Visual Studio 2005 provides settings in a Tools Options page named Add-in/Macros Security.
In addition, this options page allows you to specify the folders in which Visual Studio searches for .Addin registration files. This enhances security by allowing you to limit the locations where .Addin registration files can be read, helping prevent malicious .Addin files from inadvertently being used.
The settings in the Add-in/Macros Security, Environment, Options Dialog Box that relate to add-in security are:
Allow add-in components to load. Checked by default. When checked, add-ins are allowed to load in Visual Studio. When unchecked, add-ins are prohibited from loading in Visual Studio.
Allow add-in components to load from a URL. Unchecked by default. When checked, add-ins are allowed to be loaded from external Web sites. When unchecked, remote add-ins are prohibited from loading in Visual Studio. If an add-in cannot load for some reason, then it cannot be loaded from the web. This setting controls only the loading the add-in DLL. The .Addin registration files must always be located on the local system.
In addition to the security settings, the options page has a list containing folders in which to search for .Addin registration files. By default, the following tokens are included:
When Visual Studio begins searching for .AddIn files, it replaces these tokens with the following path strings:
%ALLUSERSPROFILE% (defined by OS)
<My Documents>\Visual Studio 2008
Some of the default paths may resolve to targets that do not exist on your system.
You can remove these predefined tokens from the list by highlighting the token and clicking Remove. To add other folders to the search list, click Add and specify a folder in the Browse for Folder dialog box. For more information, see Add-in Registration.
To prevent users from modifying the settings in the Add-in/Macros Security options page, an administrator can set a value in the system registry. This value is named AllowUserToModifySecuritySettings and is stored under the HKLM\Software\Microsoft\VisualStudio\8.0\AutomationProperties key. If the key value is not present or is set to 0, then all options in the Add-in/Macros Security page are disabled. (That is, the settings on the page cannot be changed.) The same setting applies to the Macros integrated development environment (Macros IDE), but the registry key location is: HKLM\Software\Microsoft\VSA\8.0\AutomationProperties.
The settings for the Add-in/Macros Security page are stored in the registry under the HKLM\Software\Microsoft\VisualStudio\8.0\AutomationProperties and HKCU\Software\Microsoft\VisualStudio\8.0\AutomationProperties keys. The security buttons receive their values by first looking at the key under HKEY_LOCAL_MACHINE. If that key does not exist, then the HKEY_CURRENT_USER value is used. This allows an administrator to, for example, enable the loading of add-ins and macros, but it allows a user to disable loading these components if they choose. If an administrator has disabled loading add-ins or macros, however, then a user without administrative permissions cannot enable them. If the setting to load add-ins is checked, then the folders specified under the HKLM\SOFTWARE\Microsoft\VisualStudio\8.0\AutomationOptions\LookInFolders and HKCU\SOFTWARE\Microsoft\VisualStudio\8.0\AutomationOptions\LookInFolders keys are searched for possible .Addin files.
An administrator who changes the options on this page can write values to any key under the HKEY_LOCAL_MACHINE registry hive, which modifies those settings for all users of that computer.