Macros have several advantages, including their power, their flexibility, and their ability to run automatically, even without your knowledge. These advantages have a dark side, however, and poorly written or malicious macros can do significant damage to an Outlook 2007 message store. Because of the potential danger that macros pose, the Outlook 2007 Tools menu offers four security levels for Outlook 2007 macros:
No Warnings and Disable All Macros. Macros are totally disabled, and Outlook 2007 does not display any warning that a macro is attempting to run.
Warnings For Signed Macros; All Unsigned Macros Are Disabled. Your system can run only macros that are digitally signed. This means that some macros—even benign and potentially useful ones—are not available.
Warnings For All Macros. You will be prompted as to whether you want to run any macros.
No Security Check For Macros (Not Recommended). Macros run automatically, regardless of their signature. This is the most dangerous setting.
For information about digital signatures, see "Protecting Messages with Digital Signatures" in Chapter 14.
To view or change the security level, choose Tools, Macro, Security to open the Trust Center, and then click Macro Security, as shown in Figure 29-8. (You can also access the Trust Center by opening an Outlook 2007 item and, on the Developer tab, in the Code group, clicking Macro Security.) The default setting is Warnings For Signed Macros; All Unsigned Macros Are Disabled, which is probably the best choice for most users.
Inside Out: Security and user-created macros
When you create your own macros, they are not controlled by the security settings. User-created macros do not need to be signed and will run regardless of the security setting you have selected—even if you choose no warnings and disable all macros! This is nice for purposes of design and editing, but it assumes that you realize exactly what a macro will do. Moreover, it means that when you want to test macro security settings, you must run Outlook 2007 under a different user account.
To reduce the number of times you’re prompted about whether to run a macro (if you’ve set the security level to Warnings For Signed Macros; All Unsigned Macros Are Disabled) or to be able to run macros at all (if you’ve set the security level to Warnings For All Macros), you can specify a trusted source.
When a digitally signed macro runs, Outlook 2007 displays the certificate attached to the macro. In addition to choosing whether to run the macro, you’re also given the choice of adding the certificate holder (the organization or individual who created the macro) to your list of trusted sources. Once the holder of the certificate is trusted, any macros signed with that certificate run without prompting at the Warnings For Signed Macros; All Unsigned Macros Are Disabled security setting. To view the list of trusted certificates or to remove a trusted source, choose Tools, Trust Center. Click Trusted Publishers to view the sources. To remove a trusted source, select the source, and then click Remove.