ISM-1489 – Technical Resolution Guidance
What is ISM-1489?
Microsoft Office macro security settings cannot be changed by users.
Background
This control restricts regular users from modifying macro security settings in Microsoft Office, allowing only Privileged Users or administrators to make changes, thereby ensuring consistent protection against macro-based threats.
Applicability
This control is relevant to the following:
- Maturity Level 1, 2, and 3 Controls
Evaluation Results
| Status | Description |
|---|---|
| Effective | Policies are enforced to prevent users from altering the settings. |
| Ineffective | Policies are applied in a way that allows users to alter the settings. |
Testing Parameters
SecurE8 checks if the organization's deployed configuration can be modified by a user.
It can be set to the following values:
- Not configured
- 1 = Disable all macros without notification
- 2 = Disable all macros with notification
- 3 = Disable all macros except digitally signed macros
- 4 = Enable all macros
The following is a list of Microsoft Office products:
- Microsoft Access 2016 or greater
- Microsoft Excel 2016 or greater
- Microsoft PowerPoint 2016 or greater
- Microsoft Visio 2016 or greater
- Microsoft Word 2016 or greater
| Technology | Registry Key | Value |
|---|---|---|
| All Office products except Outlook | HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[OfficeVersion]\[Product]\security | vbawarnings is set |
| Outlook | HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\[OfficeVersion]\outlook\security | Level is set |
Remediation Steps
Using Group Policy, set the policies as determined by your requirements.
For Access 2016:
User Configuration\Policies\Administrative Templates\Microsoft Access 2016\Application Settings\Security\Trust Center\VBA Macro Notification Settings
All other Office products:
User Configuration\Policies\Administrative Templates\[Application Name]\ Options\Security\Trust Center\VBA Macro Notification Settings
The recommended minimum setting is: 3 = Disable all macros except digitally signed macros
Validation Process
Validate that the policy is being applied correctly on the end device.
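The following PowerShell script is an added example, not part of the SecurE8 guidance: it reads the policy-enforced macro setting for each Office product listed above and reports whether the control is in effect on the device. It assumes Office version 16.0 (Office 2016 and later) and the product names used in the registry paths; treating value 1 as at least as restrictive as the recommended minimum of 3 is also this example's assumption.

```powershell
# Added example (not SecurE8's own code). A value under HKCU\SOFTWARE\Policies is
# written by Group Policy and cannot be edited by a standard user; when it is absent,
# the user-editable preference key decides and ISM-1489 is ineffective.
# Assumptions: Office version 16.0 (Office 2016 or later) and the product list below.

$officeVersion = '16.0'
$products = 'access', 'excel', 'powerpoint', 'visio', 'word'
$labels = @{
    1 = 'Disable all macros without notification'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Enable all macros'
}
# Values at least as restrictive as the recommended minimum (3). Ranking 1 above 3
# is this example's assumption, not a statement from the guidance.
$acceptable = 1, 3

function Get-MacroPolicyValue {
    param([string]$Product, [string]$ValueName)
    $path = "HKCU:\SOFTWARE\Policies\Microsoft\office\$officeVersion\$Product\security"
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: nothing is enforced
    return [int]$item.$ValueName
}

$report = @(foreach ($p in $products) {
    $v = Get-MacroPolicyValue -Product $p -ValueName 'vbawarnings'
    [pscustomobject]@{
        Product      = $p
        Value        = $v
        Setting      = if ($null -eq $v) { 'Not configured' }
                       elseif ($labels.ContainsKey($v)) { $labels[$v] }
                       else { "Unknown ($v)" }
        Enforced     = ($null -ne $v)
        MeetsMinimum = ($null -ne $v -and $acceptable -contains $v)
    }
})

# Outlook uses a different value name ('Level') whose numeric meanings are not the
# vbawarnings ones, so only enforcement is reported for it.
$outlookLevel = Get-MacroPolicyValue -Product 'outlook' -ValueName 'Level'
$report += [pscustomobject]@{
    Product = 'outlook'; Value = $outlookLevel; Setting = 'Outlook macro level'
    Enforced = ($null -ne $outlookLevel); MeetsMinimum = $null
}

$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Enforced }) {
    Write-Warning 'ISM-1489 ineffective: at least one product has no policy-enforced macro setting.'
}
```

Run it in the context of the user whose profile is being validated, since the keys live under HKEY_CURRENT_USER.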
Risk Consideration
This control mitigates risks tied to unauthorized changes or misconfigurations that could weaken an organization's security posture, particularly by restricting user access to macro security settings. By centralizing control with Privileged Users, it ensures consistent protection against macro-based threats, aligns with security policies, reduces the attack surface, and strengthens defenses against insider threats, while also supporting a more secure Microsoft Office environment.