How to Secure the Excel AddIn

Question

I have got a question to Excel Community here :

I have prepared an AddIn and it is ready to install for all the users on the machine. I fear that a malicious user can disable the addin through Excel Office Button =>AddIn.

what I need is that no one should be able to disable my addin? My Questions are :

1.Is it possible? 2. If so, how can this be achieved? 3. Would signing code digitally or creating a root certificate for the addin before deploying, helps Excel to load it successfully and stopping a malicious user from disable the addin ?

any type of inputs are highly appreciated??

Thanks.

Answer 1

The enabled/disabled behavior of an add-in is controlled by a registry key. Excel deactivates your addin by updating the "LoadBehavior" value in this key:

Software\Microsoft\Office\Excel\Addins\[youraddin] .

Although it might be not a good idea (you need to consider carefully), you could "secure" the add-in by setting permissions on it's registry key (allow write access to this key only for a specific user, or disable write access for everybody).

You can modify permissions for a registry key by hand (i.e. by registry editor), by installer, or by group policies.

Note that normally if a user disables some add-in, it is disabled for that user only, and not for all users (value in user's HKCU key is updated) - assuming that user is not admin or UAC is activated. To disable an add-in for all users, the "malicious" user must have admin rights and must start office application as admin.

If don't want allow users to disable the add-in even for themselves only, you might need to do some extra job of securing their user's registry.