Excel and Word macros are among the most popular applications. With VBA, even experienced users can quickly create tailor-made solutions for their needs. For this reason, disabling macros completely is not an option for most companies.
Harmful macros continue to be a threat
Malicious code has offset the benefit of macros for years. Although Microsoft has developed various defense mechanisms over the years, they've never completely eliminated this threat. The recent spread of Emotet, which infects computers via macros, shows that many systems and users are still vulnerable to such attacks.
One lesson learned from this epidemic is that virus scanners alone do not provide sufficient protection. Instead, admins should take several preventive measures, such as whitelisting of applications. Effective control of Office macros is a must as well.
Central policies for Office macros
In general, users can use Office's Trust Center for this purpose. Here you can define rules for the execution of active content such as ActiveX controls, add-ins, and VBA code.
However, given the importance of protecting against malware, admins should not leave this task to the end users. A central solution based on group policies is preferable. Since Office 2016, Microsoft has offered additional settings for managing macros.
Installing administrative templates
If you haven't yet installed the administrative templates for Office, you can download them from Microsoft's website.
Then unzip them to %SystemRoot%\PolicyDefinitions on the admin workstation or to the central store on a domain controller. The ADMX files are identical for Office 2016 and 2019; GPOs for 2016 also work for version 2019.
Deactivating VBA completely
A radical measure, but one that probably goes too far for most companies, is to disable VBA completely. You can configure the respective setting ("Disable VBA for Office applications") for both computers and users. It can be found under Computer or User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings.
However, if you need VBA macros and want to protect against malicious code, you can specifically restrict their execution. Here it makes sense to allow only digitally signed macros. But you have to do this per application. The respective option is VBA Macro Notification Settings. For Word, you can find it under User configuration > Policies > Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
This option offers four choices; "Enable all macros" does not make sense if you want to increase security. The same is true for "Disable all macros without notification" because it has a similar effect to disabling VBA. The two remaining options are "Disable all macros with notification" and "Disable all except digitally signed macros."
The first of the two options is Office's default setting and blocks all macros. However, in the notification bar, the user receives a message to this effect as well as the option to execute the code by clicking Enable Content.
For added security, however, you can allow only digitally signed macros. Office then simply suppresses unsigned code, while the user must explicitly start digitally signed macros. This reduces the risk of user mistakes in targeted attacks because users cannot allow code from unknown sources. However, such a restriction can be a hindrance if, for example, there are many proven good yet digitally unsigned macros available in the company.
Do not run macros from the internet
A new addition to Office 2016 is the ability to block only code in documents that originate from the internet. You can configure it separately for each application and can also find it under Security > Trust Center ("Block macros from running in Office files from the Internet").
This means you can still use digitally unsigned macros from internal sources whereas even digitally signed macros from the internet cannot run (after all, one could also digitally sign malware). However, the combination of both settings ensures that no macros from the internet and only digitally signed ones from other sources will run.
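To check on a client that both settings actually arrived for each application, you can read the resulting policy values. The following is an added example, not part of the original article; the registry key and value names are not given above and are assumed to be the ones the Office 2016/2019 ADMX templates write, so confirm them against your template version.

```powershell
# Added example: report the macro policy that applies to the current user,
# per Office application, and whether the combination described above is met.
# Assumption: these are the policy locations used by the Office 2016/2019 ADMX files.
$vbaWarnings = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    param([string[]]$Application = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Application) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        # A missing key means the GPO does not configure this application.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $warn  = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet
        [pscustomobject]@{
            Application         = $app
            NotificationSetting = if ($null -eq $warn) { 'Not configured' }
                                  else { $vbaWarnings[[int]$warn] }
            BlockInternetMacros = ($block -eq 1)
            # True only if signed-only AND internet blocking are both enforced.
            SignedOnlyAndNoWeb  = ($warn -eq 3 -and $block -eq 1)
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it in the context of the user the GPO targets, after `gpupdate`, because these are user settings.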
Office recognizes the internet origin of files from the zone information the Attachment Execution Service (AES) adds. This happens whenever a user downloads documents with Outlook, Internet Explorer, or similar applications.
By default, Office programs show such documents in the protected view. If you click on "Enable Editing," one of the measures you've taken against the uncontrolled execution of macros will take effect in the next step. This can cause digitally unsigned macros or simply those that originate from the internet to be blocked.
Trusted locations
Allowing only the execution of digitally signed code can be too restrictive. To start proven secure but unsigned macros, you can store the documents containing the code in a directory you declare trustworthy.
However, one should exercise caution with this mechanism since it overrides the malicious macro protection measures described above. This also applies to internet documents, which then execute all macros despite a GPO blocking them. If, for example, a user comes up with the idea of marking his Downloads directory in the Trust Center as trustworthy, he could run all macros in downloaded documents without any restrictions.
Therefore you should make sure only GPOs define such locations and not the user. To do this, deactivate the "Allow mix of policy and user locations" setting. Find it under User configuration > Policies > Administrative templates > Microsoft Office 2016 > Security settings > Trust Center. It applies to all applications.
There you can add the directories to consider trustworthy for all applications. However, you can also define these for each individual application under their Trust Center.
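Because a trusted location also lets documents from the internet run their macros, it is worth checking a directory for files that carry the zone information described earlier before you declare it trustworthy. The following is an added example, not part of the original article; the folder paths at the end are hypothetical, and the extension list is an assumption you should adapt.

```powershell
# Added example: list macro-capable Office files in candidate trusted locations
# that still carry an Internet (3) or Restricted Sites (4) zone mark.
function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # The zone information is stored in the NTFS alternate data stream "Zone.Identifier".
    $stream = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $stream) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null   # no stream: created locally, or the mark is no longer present
}

function Find-InternetMarkedMacroFile {
    param([Parameter(Mandatory)][string[]]$Folder)
    # Assumed list of file types that can contain VBA code.
    $macroExt = '.doc', '.docm', '.dot', '.dotm',
                '.xls', '.xlsm', '.xlsb', '.xlt', '.xltm',
                '.ppt', '.pptm'
    foreach ($dir in $Folder) {
        Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $macroExt -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $zone = Get-ZoneId -Path $_.FullName
                if ($null -ne $zone -and $zone -ge 3) {
                    [pscustomobject]@{
                        TrustedFolder = $dir
                        File          = $_.FullName
                        ZoneId        = $zone
                    }
                }
            }
    }
}

# Hypothetical folders; replace them with the directories defined in your GPO.
Find-InternetMarkedMacroFile -Folder 'D:\Shares\Macros', "$env:USERPROFILE\Downloads" |
    Format-Table -AutoSize
```

Any hit means a downloaded document sits where macros run without restriction; review such files before the folder is added as a trusted location.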
Force verification by virus scanner
Finally, there are two settings less intended for the interactive use of Office. The first setting is a protection against macros when automating Office using external programs ("Automation Security" under Trust Center of Microsoft Office 2016).
The second setting allows you to force a virus scanner to check encrypted macros before execution. If such a virus scanner is not available, you can prevent such macros from starting here.