Applications built on Office can be developed quickly and easily with VBA macros. Malware authors, however, abuse the same macros on a large scale. Group Policy Objects (GPOs) let you protect yourself against this, with settings that apply either to all Office applications or to individual ones.

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Excel and Word macros are among the most widely used ways of customizing Office. With VBA, even experienced non-developers can quickly build tailor-made solutions for their needs. For this reason, disabling macros completely is not an option for most companies.

Harmful macros continue to be a threat

Malicious code has overshadowed the benefits of macros for years. Although Microsoft has added various defense mechanisms over time, it has never completely eliminated the threat. The recent spread of Emotet, which infects computers through macros in email attachments, shows that many systems and users are still vulnerable to such attacks.

One lesson from this epidemic is that virus scanners alone do not provide sufficient protection. Instead, admins should take several preventive measures, such as application whitelisting. Effective, centrally enforced control of Office macros is a must as well.

Central policies for Office macros

In principle, users can configure this themselves in Office's Trust Center, where rules for executing active content such as ActiveX controls, add-ins, and VBA code are defined.

In the Trust Center, users can change the settings for macros themselves


However, given how important protection against malware is, admins should not leave this task to end users. A central solution based on group policies is preferable. Since Office 2016, Microsoft has offered additional group policy settings for managing macros.

Installing administrative templates

If you haven't yet installed the administrative templates for Office, you can download them from Microsoft's website.

The administrative templates (ADMX) are available separately for the 32 and 64 bit versions of Office


Then copy the extracted ADMX/ADML files to %SystemRoot%\PolicyDefinitions on the admin workstation or, preferably, to the Central Store on a domain controller (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions). The ADMX files are identical for Office 2016 and 2019; GPOs created for 2016 also apply to version 2019, because both use the 16.0 registry path.

Deactivating VBA completely

A radical measure, but one that probably goes too far for most companies, is to disable VBA completely. You can configure the respective setting ("Disable VBA for Office applications") for both computers and users. It can be found under Computer or User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings.

GPO setting to disable VBA on each computer


However, if you need VBA macros and want to protect against malicious code, you can specifically restrict their execution. Here it makes sense to allow only digitally signed macros. But you have to do this per application. The respective option is VBA Macro Notification Settings. For Word, you can find it under User configuration > Policies > Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.

The macro notification setting offers four options; one of them allows only digitally signed macros


The setting offers four choices. "Enable all macros" makes no sense if you want to increase security, and "Disable all macros without notification" has nearly the same effect as disabling VBA altogether. The two remaining options are "Disable all macros with notification" and "Disable all except digitally signed macros."

The first of the two is Office's default setting. It blocks all macros, but the user sees a message to this effect in the notification bar together with an Enable Content button that runs the code.

The default setting allows users to release all macros for execution


For added security, allow only digitally signed macros. Unsigned code is then simply suppressed, with no button to enable it, while the user must still explicitly allow digitally signed macros unless the signing publisher has already been added to the Trusted Publishers. This reduces the risk of user error in targeted attacks, because users cannot enable code from unknown sources. However, such a restriction can be a hindrance if, for example, the company relies on many proven but unsigned macros.
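The following PowerShell is an added example and not part of the original article: it writes the "VBA Macro Notification Settings" policy for Word, Excel and PowerPoint into a GPO and then reads the resulting policy values back on a client. It assumes the GroupPolicy module from RSAT is installed, that a GPO with the hypothetical name "Office Macro Hardening" already exists and is linked, and that Office 2016/2019 (registry version 16.0) is in use.

```powershell
# Added example, not the article's own code. Assumes RSAT GroupPolicy module,
# an existing GPO named "Office Macro Hardening" (hypothetical) and Office 16.0.
$GpoName = 'Office Macro Hardening'

# Registry value behind the "VBA Macro Notification Settings" policy (Office 2016 ADMX):
#   1 = Enable all macros
#   2 = Disable all macros with notification (Office default)
#   3 = Disable all macros except digitally signed macros
#   4 = Disable all macros without notification
$VbaWarningsMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

# The policy is per application, so write it once for each one you use.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'VBAWarnings' `
        -Type DWord -Value 3 | Out-Null
}

# Client-side audit (run after gpupdate /force): the Policies hive is what the
# application honours and what the user cannot change in the Trust Center.
function Get-MacroPolicyState {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $path  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $value = (Get-ItemProperty -Path $path -Name VBAWarnings `
                      -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            Application = $app
            VBAWarnings = $value
            Meaning     = if ($null -eq $value) { 'not set by policy (user setting applies)' }
                          else { $VbaWarningsMeaning[[int]$value] }
        }
    }
}

Get-MacroPolicyState | Format-Table -AutoSize
```

A missing VBAWarnings value in the Policies hive means the user's own Trust Center choice applies, which is exactly the state the article argues against; treat it as a finding, not as "default".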

Do not run macros from the internet

A new addition to Office 2016 is the ability to block only code in documents that originate from the internet. You can configure it separately for each application and can also find it under Security > Trust Center ("Block macros from running in Office files from the Internet").

The Trust Center section also contains a setting for blocking macros from the internet


With this setting alone, you can still use digitally unsigned macros from internal sources, whereas even digitally signed macros from the internet cannot run (after all, malware can be signed, too). Combining it with the signed-only notification setting ensures that no macros from the internet run at all and that only digitally signed ones from other sources do.

Office recognizes the internet origin of a file from the zone information that the Attachment Execution Service (AES) attaches to it: the Zone.Identifier alternate data stream, also known as the Mark of the Web, whose ZoneId is 3 for the Internet zone and 4 for Restricted Sites. Outlook, Internet Explorer, Edge, and similar applications write this stream whenever they save a downloaded document. Note that the stream exists only on NTFS volumes; it is lost when a file is copied to FAT or exFAT media, may be missing from files extracted from archives or container formats depending on the tool used, and is removed when the user unblocks the file.
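As an added example (not code from the article), the script below reads the zone information of a document the way Office does, builds a constructed sample file marked as downloaded from the internet, and writes the per-application "Block macros from running in Office files from the Internet" policy into a GPO. It assumes an NTFS volume, Office 16.0, the RSAT GroupPolicy module, and a hypothetical GPO named "Office Macro Hardening".

```powershell
# Added example, not the article's own code. Assumes NTFS, Office 16.0,
# RSAT GroupPolicy module and a hypothetical GPO "Office Macro Hardening".

function Get-FileZone {
    param([Parameter(Mandatory)][string]$Path)
    # ZoneId values used by the Attachment Execution Service
    $zones = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'TrustedSites'
                3 = 'Internet';     4 = 'RestrictedSites' }
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $Path; ZoneId = $null
                                  Zone = 'no Mark of the Web'; ReferrerUrl = $null }
    }
    $id  = [int](($stream | Where-Object { $_ -like 'ZoneId=*' }) -replace 'ZoneId=', '')
    $ref =        ($stream | Where-Object { $_ -like 'ReferrerUrl=*' }) -replace 'ReferrerUrl=', ''
    [pscustomobject]@{ File = $Path; ZoneId = $id; Zone = $zones[$id]; ReferrerUrl = $ref }
}

# Constructed sample: a dummy document carrying the same stream a browser writes
# for a download (ZoneId=3). The file content is not a real Word document.
$sample = Join-Path $env:TEMP 'invoice.docm'
Set-Content -Path $sample -Value 'constructed sample, not a real document'
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
Get-FileZone -Path $sample          # Zone = Internet, so the policy below blocks its macros

# Unblock-File (or "Unblock" in the file's properties) deletes the stream again,
# which is why users must not be able to whitelist their Downloads folder.
Unblock-File -Path $sample
Get-FileZone -Path $sample          # Zone = no Mark of the Web

# The GPO setting is per application: ZoneId 3 and 4 files get their macros blocked.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    Set-GPRegistryValue -Name 'Office Macro Hardening' `
        -Key "HKCU\Software\Policies\Microsoft\Office\16.0\$app\Security" `
        -ValueName 'blockcontentexecutionfrominternet' -Type DWord -Value 1 | Out-Null
}
```

In an incident, Get-FileZone on an attachment a user opened tells you immediately whether the internet block could have applied at all, or whether the Mark of the Web had already been stripped before the file reached Office.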

By default, documents from the internet open in the protected view that does not run macros


By default, Office programs open such documents in Protected View. If the user clicks "Enable Editing," the measures you have taken against uncontrolled macro execution take effect in the next step: unsigned macros, or simply macros in documents that originate from the internet, are blocked.

You can block macros in documents that originate from the internet


Trusted locations

Allowing only digitally signed code can be too restrictive. To run proven but unsigned macros, you can store the documents containing the code in a directory that you declare trustworthy.

However, you should use this mechanism with caution, since it overrides all of the macro protection measures described above. This also applies to documents from the internet: once they sit in a trusted location, all their macros execute despite a GPO blocking them. If, for example, a user has the idea of marking his Downloads folder as a trusted location in the Trust Center, he can run every macro in every downloaded document without any restriction.

Users can enter their own trusted locations in the Trust Center without group policies restricting them


Therefore, you should make sure that only GPOs define such locations, not users. To do this, disable the setting "Allow mix of policy and user locations," found under User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center. It applies to all applications.

Use GPOs to prevent users from defining their own trusted directories


In the same node you can add the directories to be trusted by all applications. Alternatively, you can define them per application under that application's Trust Center node, which keeps the trusted set as small as possible.
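The script below is an added example, not part of the article: it disables "Allow mix of policy and user locations," defines one policy-managed trusted location for Word only, and then audits a client for trusted locations that users have created themselves in risky places such as the Downloads folder. It assumes the RSAT GroupPolicy module, Office 16.0, a hypothetical GPO named "Office Macro Hardening" and a hypothetical file share; the registry value names are the ones the Office 2016 ADMX writes, which you should verify against your own copy of the templates.

```powershell
# Added example, not the article's own code. GPO name and share path are
# hypothetical; registry names follow the Office 2016 ADMX (verify locally).
$GpoName = 'Office Macro Hardening'
$Common  = 'HKCU\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Locations'

# "Allow mix of policy and user locations" = Disabled: user-defined locations are ignored
Set-GPRegistryValue -Name $GpoName -Key $Common -ValueName 'Allow User Locations' `
    -Type DWord -Value 0 | Out-Null

# One policy-defined trusted location ("Trusted Location #1"), scoped to Word only
$Loc = 'HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\Trusted Locations\Location1'
Set-GPRegistryValue -Name $GpoName -Key $Loc -ValueName 'Path' `
    -Type String -Value '\\fileserver\templates\approved\' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Loc -ValueName 'AllowSubfolders' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Loc -ValueName 'Description' `
    -Type String -Value 'Reviewed macro templates (read-only share)' | Out-Null

# Client-side audit: list locations users added themselves (non-policy hive) and
# flag those under folders where downloaded or temporary files land.
function Get-UserTrustedLocations {
    $risky = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP,
               "$env:LOCALAPPDATA\Microsoft\Windows\INetCache")
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $base = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\Trusted Locations"
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if (-not $props.Path) { return }
            $full = [Environment]::ExpandEnvironmentVariables($props.Path)
            [pscustomobject]@{
                Application = $app
                Location    = $_.PSChildName
                Path        = $full
                Subfolders  = [bool]$props.AllowSubfolders
                Risky       = [bool]($risky | Where-Object { $full -like "$_*" })
            }
        }
    }
}

Get-UserTrustedLocations | Sort-Object Risky -Descending | Format-Table -AutoSize
```

Even with "Allow mix of policy and user locations" disabled, the audit is still useful: a user-created entry pointing at Downloads tells you someone has been trained to work around the macro block, which is worth a conversation regardless of whether the entry is currently honoured.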

Force verification by virus scanner

Finally, there are two settings that are less about the interactive use of Office. The first, "Automation Security" under the Trust Center node of Microsoft Office 2016, governs macros when another program opens Office documents through automation (COM), for example a conversion or indexing script. Its options are "Use application macro security level," "Disable macros by default," and "Macros enabled," the last being the default behavior of automated sessions regardless of the Trust Center setting. Any script that processes untrusted documents should therefore be covered by this policy.

The Automation Security setting applies to all Office applications


The second setting ("Scan encrypted macros in Word Open XML documents," with equivalents for Excel workbooks and PowerPoint presentations) forces the virus scanner to inspect macros inside encrypted, i.e. password-protected, Open XML files before they run. Its default, "Scan encrypted macros," prevents such macros from starting at all if no compatible scanner is available, which is the behavior you want; the alternatives only scan when a scanner happens to be present or skip scanning entirely.
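The following PowerShell is an added example and not code from the article. It first writes the "Automation Security" policy into a GPO, then shows the client side of the same problem: a script that drives Word via COM to convert untrusted documents, and which sets the corresponding Application.AutomationSecurity property itself so that macros stay disabled even on a machine where the policy has not yet arrived. It assumes the RSAT GroupPolicy module, a hypothetical GPO named "Office Macro Hardening", Office 16.0, and Word installed where the conversion function runs; the file paths in the usage line are constructed.

```powershell
# Added example, not the article's own code. Assumes RSAT GroupPolicy module,
# hypothetical GPO "Office Macro Hardening", Office 16.0 and a local Word install.

# Part 1: registry value behind the "Automation Security" policy (Office 2016 ADMX)
#   1 = Macros enabled (default for automated sessions)
#   2 = Use application macro security level (the Trust Center setting)
#   3 = Disable macros by default
Set-GPRegistryValue -Name 'Office Macro Hardening' `
    -Key 'HKCU\Software\Policies\Microsoft\Office\16.0\Common\Security' `
    -ValueName 'AutomationSecurity' -Type DWord -Value 3 | Out-Null

# Part 2: a conversion script that opens untrusted documents through COM.
# Application.AutomationSecurity takes the same three values (MsoAutomationSecurity),
# and setting it before Documents.Open prevents AutoOpen/Document_Open code from running.
function Convert-DocToPdf {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$OutFile
    )
    $word = New-Object -ComObject Word.Application
    try {
        $word.Visible            = $false
        $word.DisplayAlerts      = 0      # wdAlertsNone: no interactive prompts in a batch job
        $word.AutomationSecurity = 3      # msoAutomationSecurityForceDisable: never run macros
        # Open read-only (FileName, ConfirmConversions, ReadOnly); macros are already off
        $doc = $word.Documents.Open($Path, $false, $true)
        try {
            $doc.SaveAs([ref]$OutFile, [ref]17)   # 17 = wdFormatPDF
        } finally {
            $doc.Close([ref]0)                    # 0 = wdDoNotSaveChanges
        }
    } finally {
        $word.Quit()
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
    }
    return $OutFile
}

# Usage with constructed paths:
# Convert-DocToPdf -Path 'C:\inbox\untrusted.docm' -OutFile 'C:\out\untrusted.pdf'
```

Setting the property in the script and enforcing the policy are complementary: the policy protects against scripts you did not write, and the explicit property protects the script when it runs under a service account or on a host outside the GPO's scope.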

3 Comments
  1. Christopher Bailiss 1 month ago

    I think two screenshots are the wrong way around in this post.

    For the following two captions, the images need to be swapped:

    1) The Trust Center section also contains a setting for blocking macros from the internet

    2) Use GPOs to prevent users from defining their own trusted directories


  2. zigune 1 month ago

    Hello,

    What is the point with Office 365? Are the macros coming from OneDrive or MS Project Global Template (server side) considered as "from Internet"?

    Thank you for your help.

    zigune

