ISM-1488 – Technical Resolution Guidance

What is ISM-1488?

Microsoft Office macros in files originating from the internet are blocked.

Background

Blocking macros in files from the internet prevents potentially harmful macros from running automatically in untrusted documents sources. Instead, users are prompted to enable or disable these macros, reducing the risk of malware.

Applicability

This control is relevant to the following:

  • Maturity Level 1, 2, and 3 Controls

Evaluation Results

StatusDescription
EffectiveMicrosoft Office Product is installed and policy is present and set correctly.
IneffectiveMicrosoft Office Product is installed and the policy is not enabled.
Not ApplicableMicrosoft Office is not installed or not applicable to this device.

Testing Parameters

The following is a list of Microsoft Office products:

  • Microsoft Access 2016 or greater
  • Microsoft Excel 2016 or greater
  • Microsoft PowerPoint 2016 or greater
  • Microsoft Visio 2016 or greater
  • Microsoft Word 2016 or greater
All office versions including 2016, 2019 and 365 are considered 2016. Outlook does not utilise macros and is except.
Technology Registry Key Value
Group Policy or IntuneHKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[OfficeVersion]\[Product]\securityblockcontentexecutionfrominternet = 1
Group Policy Preferences or ScriptsHKEY_CURRENT_USER\SOFTWARE \microsoft\office\[OfficeVersion]\[ Product]\securityblockcontentexecutionfrominternet = 1

Remediation Steps

Using group policy and set the following policies to Enabled:

For Access 2016:
 User Configuration\Policies\Administration Templates\Microsoft Access 2016\Application Settings\Security\Trust Center\Block macros from running in Office files from the Internet
All other Office products:
 User Configuration\Policies\Administration Templates\[Application Name]\ Options\Security\Trust Center\Block macros from running in Office files from the Internet

Validation Process

Validation that the policy is correctly being applied on the end device.

Risk Consideration

Blocking macros in files downloaded from the internet significantly reduces the risk of executing malicious code, helping to prevent malware distribution, macro-based attacks, and phishing attempts. This control aligns with security best practices, strengthens defense against zero-day exploits, reduces reliance on user discretion, and enhances overall security for an organization's Microsoft Office environment.