ISM-1489 – Technical Resolution Guidance

What is ISM-1489?

Microsoft Office macro security settings cannot be changed by users.

Background

This control restricts regular users from modifying macro security settings in Microsoft Office, allowing only Privileged Users or administrators to make changes, thereby ensuring consistent protection against macro-based threats.

Applicability

This control is relevant to the following:

  • Maturity Level 1, 2, and 3 Controls

Evaluation Results

Status        Description
Effective     Policies are enforced to prevent users from altering the settings.
Ineffective   Policies are applied in a way that allows users to alter the settings.

Testing Parameters

SecurE8 checks whether the organization's deployed macro security configuration is set by policy, and therefore whether it can be modified by a user. The policy value (VBAWarnings) can be set to the following values:
 Not configured (the policy value is absent, so the user controls the setting in the Trust Center)
 1 = Enable all macros
 2 = Disable all macros with notification
 3 = Disable all macros except digitally signed macros
 4 = Disable all macros without notification

The check covers the following Microsoft Office products:

  • Microsoft Access 2016 or greater
  • Microsoft Excel 2016 or greater
  • Microsoft PowerPoint 2016 or greater
  • Microsoft Visio 2016 or greater
  • Microsoft Word 2016 or greater
All Office versions from 2016 onwards (2016, 2019, 2021 and Microsoft 365 Apps) share the same policy path, so [OfficeVersion] is 16.0 for all of them.

Technology                           Registry Key                                                                                   Value
All Office products except Outlook   HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[OfficeVersion]\[Product]\security        VBAWarnings is set
Outlook                              HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[OfficeVersion]\outlook\security          Level is set

Remediation Steps

Using Group Policy, set the policies as determined by your requirements:

For Access 2016:
 User Configuration\Policies\Administrative Templates\Microsoft Access 2016\Application Settings\Security\Trust Center\VBA Macro Notification Settings
For Outlook 2016 (Outlook has no VBA Macro Notification Settings policy; its equivalent writes the Security\Level value):
 User Configuration\Policies\Administrative Templates\Microsoft Outlook 2016\Security\Trust Center\Security Setting for Macros
All other Office products:
 User Configuration\Policies\Administrative Templates\[Application Name] 2016\[Application Name] Options\Security\Trust Center\VBA Macro Notification Settings
 (for example, Microsoft Excel 2016\Excel Options\Security\Trust Center\VBA Macro Notification Settings)
The recommended minimum setting is: 3 = Disable all macros except digitally signed macros. The stricter 4 = Disable all macros without notification also satisfies this control.
Because these are User Configuration policies, Group Policy writes them under HKEY_CURRENT_USER\SOFTWARE\Policies, which standard users cannot modify, and Office greys out the corresponding Trust Center option. That is what makes the setting unchangeable by the user; a value written only to the non-policy HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office hive is a user preference and does not satisfy this control.

Validation Process

Validate on an end device, in the context of a standard (non-privileged) user:

  • Run gpresult /r (or gpresult /h report.html) and confirm the GPO that carries the macro policy is applied to the user.
  • Confirm the VBAWarnings value (Level for Outlook) exists under HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\[Product]\security and holds the intended value.
  • Open Trust Center > Macro Settings in each product and confirm the option is greyed out; if the user can still change it, the policy is not being enforced.
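The following PowerShell script is an added audit example for the checks described in the Testing Parameters and Validation sections; it is not SecurE8's code and not part of this page. It assumes the 16.0 policy path, the product list from the table above, and that the VBAWarnings values 1 to 4 carry the meanings listed under Testing Parameters. It reads each product's policy value, tries to open the policy key for writing as the current user, and reports Effective or Ineffective using the same rule as the Evaluation Results table (policy present and not alterable by the user). Outlook's Level value is reported raw rather than mapped to a description.

```powershell
# Added audit script for ISM-1489 (not part of this page or of SecurE8).
# Run it as a STANDARD user on the managed device: an administrator can always
# write under HKCU\SOFTWARE\Policies, so an elevated run says nothing about
# whether a regular user can change the macro setting.

$OfficeVersion = '16.0'   # Office 2016, 2019, 2021 and Microsoft 365 Apps all use 16.0
$PolicyRoot    = "SOFTWARE\Policies\Microsoft\office\$OfficeVersion"

# VBAWarnings values and their Trust Center meaning.
$VbaMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}
# Values that meet the recommended minimum on this page (3, or the stricter 4).
$VbaAcceptable = @(3, 4)

function Get-PolicyDword {
    # Returns the value at HKCU\$SubKey\$Name, or $null when the policy is not configured.
    param([string]$SubKey, [string]$Name)
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $false)
    if ($null -eq $key) { return $null }
    try { return $key.GetValue($Name, $null) } finally { $key.Close() }
}

function Test-UserCanWriteKey {
    # True if the current user can open the key for writing, which would let them
    # override the deployed setting. A correctly ACL'd policy key refuses this.
    param([string]$SubKey)
    try {
        $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }   # key absent: nothing to overwrite yet
        $key.Close()
        return $true
    } catch [System.Security.SecurityException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $false
    }
}

function Get-MacroPolicyStatus {
    $results = @(foreach ($product in 'access', 'excel', 'powerpoint', 'visio', 'word') {
        $subKey   = "$PolicyRoot\$product\security"
        $value    = Get-PolicyDword -SubKey $subKey -Name 'VBAWarnings'
        $writable = Test-UserCanWriteKey -SubKey $subKey

        if ($null -eq $value) { $status = 'Ineffective' }          # user decides in Trust Center
        elseif ($writable)    { $status = 'Ineffective' }          # policy present but user can overwrite it
        elseif ($VbaAcceptable -contains [int]$value) { $status = 'Effective' }
        else { $status = 'Effective (enforced, but weaker than the recommended minimum of 3)' }

        [pscustomobject]@{
            Product      = $product
            Value        = if ($null -eq $value) { 'Not configured' } else { "$value = $($VbaMeaning[[int]$value])" }
            UserCanWrite = $writable
            Status       = $status
        }
    })

    # Outlook uses a different policy value: Security\Level rather than VBAWarnings.
    $outlookKey = "$PolicyRoot\outlook\security"
    $level      = Get-PolicyDword -SubKey $outlookKey -Name 'Level'
    $writable   = Test-UserCanWriteKey -SubKey $outlookKey
    $results   += [pscustomobject]@{
        Product      = 'outlook'
        Value        = if ($null -eq $level) { 'Not configured' } else { "Level = $level" }
        UserCanWrite = $writable
        Status       = if ($null -eq $level -or $writable) { 'Ineffective' } else { 'Effective' }
    }
    return $results
}

Get-MacroPolicyStatus | Format-Table -AutoSize
```

Any row showing Not configured, or UserCanWrite = True, is a finding for ISM-1489 even if the Trust Center currently shows a safe setting, because the user (or malware running as the user) can change it. Run the script under the same account a phishing payload would execute as, not from an elevated administrative shell.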

Risk Consideration

This control mitigates risks tied to unauthorized changes or misconfigurations that could weaken an organization's security posture, particularly by restricting user access to macro security settings. By centralizing control with Privileged Users, it ensures consistent protection against macro-based threats, aligns with security policies, reduces the attack surface, and strengthens defenses against insider threats, while also supporting a more secure Microsoft Office environment.