Applications based on Office can be developed quickly and easily using VBA macros. However, malware programmers often misuse such macros. With the help of Group Policy Objects (GPOs), you can protect yourself against this. There are multiple settings for all applications or individual ones.

Macros in Excel and Word are among the most popular uses of VBA. With it, even moderately experienced users can quickly create tailor-made solutions for their needs. For this reason, disabling macros completely is not an option for most companies.

Harmful macros continue to be a threat

For years, malicious code has undermined the benefits of macros. Although Microsoft has developed various defense mechanisms over the years, they have never completely eliminated this threat. The recent spread of Emotet, which infects computers via macros, shows that many systems and users are still vulnerable to such attacks.

One lesson learned from this epidemic is that virus scanners alone do not provide sufficient protection. Instead, admins should take several preventive measures, such as application whitelisting. Effective control of Office macros is a must as well.

Central policies for Office macros

Users can control this themselves via Office's Trust Center. Here you can define rules for the execution of active content such as ActiveX controls, add-ins, and VBA code.

In the Trust Center, users can change the settings for macros themselves


However, given the importance of protecting against malware, admins should not leave this task to the end users. A central solution based on group policies is preferable. Since Office 2016, Microsoft has offered additional settings for managing macros.

Installing administrative templates

If you haven't yet installed the administrative templates for Office, you can download them from Microsoft's website.

The administrative templates (ADMX) are available separately for the 32 and 64 bit versions of Office


Then unzip them to %SystemRoot%\PolicyDefinitions on the admin workstation or to the central store on a domain controller. The ADMX files are identical for Office 2016 and 2019; GPOs for 2016 also work for version 2019.

Deactivating VBA completely

A radical measure, but one that probably goes too far for most companies, is to disable VBA completely. You can configure the respective setting ("Disable VBA for Office applications") for both computers and users. It can be found under Computer or User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings.

GPO setting to disable VBA on each computer


However, if you need VBA macros and want to protect against malicious code, you can specifically restrict their execution. Here it makes sense to allow only digitally signed macros. But you have to do this per application. The respective option is VBA Macro Notification Settings. For Word, you can find it under User configuration > Policies > Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.

The macro notification setting offers four options; one of them allows only digitally signed macros


This option offers four choices; "Enable all macros" does not make sense if you want to increase security. The same is true for "Disable all macros without notification" because it will have a similar effect as disabling VBA. The two remaining options are "Disable all macros with notification" and "Disable all except digitally signed macros."

The first of the two options is Office's default setting and blocks all macros. However, in the notification bar, the user receives a message to this effect as well as the option to execute the code by clicking Enable Content.

The default setting allows users to release all macros for execution


For added security, allow only digitally signed macros. Office then silently suppresses unsigned code, while the user must still explicitly start digitally signed macros. This reduces the risk of user mistakes in targeted attacks, because users cannot allow code from unknown sources. However, such a restriction can be a hindrance if, for example, the company relies on many proven good but digitally unsigned macros.

Do not run macros from the internet

A new addition to Office 2016 is the ability to block only code in documents that originate from the internet. You can configure it separately for each application and can also find it under Security > Trust Center ("Block macros from running in Office files from the Internet").

The Trust Center section also contains a setting for blocking macros from the internet


This means you can still use digitally unsigned macros from internal sources, whereas even digitally signed macros from the internet cannot run (after all, malware can also be digitally signed). Combining both settings ensures that no macros from the internet run at all and that only digitally signed macros run from other sources.
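To verify that this combination is actually in effect on a workstation, you can read the registry values the two GPOs write. The following PowerShell audit is an added example and not part of the original article; it assumes Office 2016/2019/365 (registry version 16.0) and the policy value names VBAWarnings (1 = enable all, 2 = disable with notification, 3 = disable all except digitally signed, 4 = disable without notification) and blockcontentexecutionfrominternet under the per-application Security key.

```powershell
# Added example (not from the article): report the per-application macro policy
# state that the GPOs "VBA Macro Notification Settings" and "Block macros from
# running in Office files from the Internet" write to the user policy hive.
# Assumptions: Office key version 16.0; value names as documented in the lead-in.
$vbaWarningsText = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    param([string[]]$Applications = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Applications) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $warn  = $props.VBAWarnings
        $block = $props.blockcontentexecutionfrominternet

        $warnText = if ($null -eq $warn) { 'not set (user can choose in Trust Center)' }
                    else { $vbaWarningsText[[int]$warn] }

        [pscustomobject]@{
            Application       = $app
            VBAWarnings       = $warnText
            BlockFromInternet = ($block -eq 1)
            # "Hardened" = the combination the article recommends: signed-only
            # macros from local sources AND no macros at all from the internet.
            Hardened          = (($warn -eq 3) -and ($block -eq 1))
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it in the context of the user whose GPOs you want to check; an empty VBAWarnings column means the setting is not enforced by policy and the user's own Trust Center choice applies.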

Office recognizes the internet origin of files from the zone information that the Attachment Execution Service (AES) adds. This happens whenever documents are downloaded via Outlook, Internet Explorer, or similar applications.
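The zone information AES adds is stored in an NTFS alternate data stream named Zone.Identifier (the "mark of the web"). The following PowerShell function, an added example not taken from the article, reads and parses that stream so you can check why Office treats a given document as coming from the internet; it assumes an NTFS volume and constructs its own sample file.

```powershell
# Added example (not from the article): read the Zone.Identifier alternate data
# stream that the Attachment Execution Service writes, and decode the zone ID
# Office uses to decide whether a document "comes from the internet".
# Assumption: NTFS volume (alternate data streams are not available on FAT/exFAT).
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                    3 = 'Internet';      4 = 'Restricted sites' }

    # Missing stream => no mark of the web, Office treats the file as local
    $ads = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) {
        return [pscustomobject]@{ Path = $Path; ZoneId = $null; Zone = 'none (no MOTW)'; HostUrl = $null }
    }

    $zoneId = $null; $hostUrl = $null
    foreach ($line in $ads) {
        if     ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
    }
    $zone = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'unknown' }
    [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; Zone = $zone; HostUrl = $hostUrl }
}

# Constructed sample: a document stamped as if it had been downloaded (ZoneId=3).
$sample = Join-Path $env:TEMP 'motw-sample.docm'
Set-Content -Path $sample -Value 'constructed placeholder content'
Set-Content -Path $sample -Stream Zone.Identifier -Value @('[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://example.invalid/report.docm')

Get-MarkOfTheWeb -Path $sample   # Zone = Internet, so the internet macro block applies
Remove-Item -Path $sample
```

Note that Unblock-File (or the "Unblock" checkbox in file properties) removes this stream, which is why a user can defeat the internet-based block if nothing else restricts macros.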

By default, documents from the internet open in the protected view that does not run macros


By default, Office programs show such documents in the protected view. If you click on "Enable Editing," one of the measures you've taken against the uncontrolled execution of macros will take effect in the next step. This can cause digitally unsigned macros or simply those that originate from the internet to be blocked.

You can block macros in documents that originate from the internet


Trusted locations

Allowing only the execution of digitally signed code can be too restrictive. To run proven but unsigned macros, you can store the documents containing the code in a directory you declare trustworthy.

However, one should exercise caution with this mechanism since it overrides the malicious macro protection measures described above. This also applies to internet documents, which then execute all macros despite a GPO blocking them. If, for example, a user comes up with the idea of marking his Downloads directory in the Trust Center as trustworthy, he could run all macros in downloaded documents without any restrictions.

Users can enter their own trusted locations in the Trust Center without group policies restricting them


Therefore, you should ensure that only GPOs define such locations, not the user. To do this, deactivate the "Allow mix of policy and user locations" setting. Find it under User configuration > Policies > Administrative templates > Microsoft Office 2016 > Security settings > Trust Center. It applies to all applications.

Use GPOs to prevent users from defining their own trusted directories


There you can add the directories to consider trustworthy for all applications. However, you can also define these for each individual application under their Trust Center.
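Because a trusted location overrides every other macro control, it is worth auditing which ones exist on a workstation. The PowerShell script below is an added example, not code from the article; it assumes Office registry version 16.0, that user-defined locations live under HKCU\Software\Microsoft\Office\16.0\<App>\Security\Trusted Locations and policy-defined ones under the corresponding HKCU\Software\Policies key, and that the "Allow mix of policy and user locations" GPO writes the value Allow User Locations under Common\Security\Trusted Locations.

```powershell
# Added example (not from the article): list trusted locations defined by the user
# and by policy for Word/Excel/PowerPoint and flag the Downloads folder case the
# article warns about. Assumptions: Office key version 16.0 and the registry layout
# described in the lead-in (LocationN subkeys with Path and AllowSubfolders values).
function Get-OfficeTrustedLocations {
    param([string[]]$Applications = @('Word', 'Excel', 'PowerPoint'))
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    foreach ($app in $Applications) {
        $roots = @{
            User   = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\Trusted Locations"
            Policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\Trusted Locations"
        }
        foreach ($source in @($roots.Keys)) {
            Get-ChildItem -Path $roots[$source] -ErrorAction SilentlyContinue | ForEach-Object {
                $p    = Get-ItemProperty -Path $_.PSPath
                $path = [string]$p.Path
                # Risky: the location sits inside (or is) the user's Downloads folder,
                # so every downloaded document would run its macros unrestricted.
                $risky = ($path -ne '') -and ($path.TrimEnd('\') -like "$downloads*")
                [pscustomobject]@{
                    Application     = $app
                    Source          = $source          # User = set in Trust Center, Policy = set by GPO
                    Path            = $path
                    AllowSubfolders = ($p.AllowSubfolders -eq 1)
                    Risky           = $risky
                }
            }
        }
    }
}

function Test-UserLocationsAllowed {
    # $true when users may still add their own trusted locations (GPO not enforced).
    $key = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Locations'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Allow User Locations'
    return (($null -eq $v) -or ($v -ne 0))
}

"Users may add their own trusted locations: $(Test-UserLocationsAllowed)"
Get-OfficeTrustedLocations | Sort-Object Application, Source | Format-Table -AutoSize
```

Any entry with Source = User that does not also appear under Policy is one the GPO will not control until the "Allow mix" setting is disabled.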

Force verification by virus scanner

Finally, there are two settings that concern the non-interactive use of Office rather than everyday editing. The first setting protects against macros when external programs automate Office ("Automation Security" under Trust Center of Microsoft Office 2016).


The Automation Security setting applies to all Office applications


The second setting allows you to force a virus scanner to check encrypted macros before execution. If no such virus scanner is available, you can use this setting to prevent such macros from starting at all.

13 Comments
  1. Christopher Bailiss 4 years ago

    I think two screenshots are the wrong way around in this post.

    For the following two captions, the images need to be swapped:

    1) The Trust Center section also contains a setting for blocking macros from the internet

    2) Use GPOs to prevent users from defining their own trusted directories

  2. zigune 4 years ago

    Hello,

    What is the point with Office 365? Are macros coming from OneDrive or the MS Project Global Template (server side) considered as "from Internet"?

    Thank you for your help.

    zigune

  3. Andrew 4 years ago

    We provide an unsigned, macro-enabled Excel template to our customers via an internet download, but they have recently run into this issue. Is it possible for their IT department to 'whitelist' our website?
    Any guidance would be appreciated.

  4. Chander 4 years ago

    Can a group policy implement the following:
    – if macro is digitally signed by our certificate (issued from internal CA), the macros are enabled automatically
    – all others it asks users if they want to enable instead of block

  5. Tom Menezes 4 years ago

    Hi Wolfgang,

    Which version of office have you used?

    It seems it should only work for O365 Proplus or volume license, can you confirm it.

    I am trying to configure the GPO to disable Macros for Microsoft Office 365 Business premium.

    I followed your guide but I could not make it work.

    Regards,
    Tom


  6. Bemar 4 years ago

    Same question here

    Is there any way to disable or block the Macro settings without GPO?

    Business Premium does not support GPO.

  7. zeeshan 3 years ago

    Hi. I have configured the setting to Disable all macros except digitally signed macros, and it is reflecting in the GP report, but the user is still able to change it. Any idea what is causing this?

    • Wolfgang Sommergut 3 years ago

      zeeshan, which version of Office do you use?

  8. Zeeshan chogle 3 years ago

    Hi, Zeeshan here. We use O365 and Office 2016.

  9. Frank Grogan 2 years ago

    So there is a way to unblock this by setting permissions on the file from outside of the application. Are you aware of a way to restrict this option from appearing to the end user unless they have a certain local permission level / are in a particular AD Security Group?

  10. Oz 2 years ago

    I didn't see a response to this question above:
    if macro is digitally signed by our certificate (issued from internal CA), the macros are enabled automatically.
    Also if the above is possible can all the rest macros be disabled except digitally signed (issued from internal CA)?
