What is Restrict Microsoft Office Macros?
Restricting Microsoft Office macros is a critical component of organisational cybersecurity strategies. Macros, written in Visual Basic for Applications (VBA), are embedded scripts within Office documents that automate tasks. While they enhance productivity, they also pose significant security risks when misused. This discussion explores the benefits and challenges of restricting Microsoft Office macros, drawing on guidance from the Australian Cyber Security Centre (ACSC) and other authoritative sources.
Assessment Guidelines
ISM Control | Essential Eight Requirement | Assessment Guidelines |
---|---|---|
ISM-1671 | Microsoft Office macros are disabled for users that do not have a demonstrated business requirement. | The ‘gpresult’ command can be run on workstations to generate an RSoP report in order to identify Microsoft Office macro settings applied via group policy settings. Within the RSoP report, look for the ‘VBA Macro Notification Settings’ setting at ‘User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\’. It should be enabled. Furthermore, the ‘VBA Macro Notification Settings’ setting should be configured to ‘Disable all macros without notification’ for most users. If this setting is not configured, all Microsoft Office macros will be disabled but users will receive a prompt via the Message Bar asking whether they would like to enable them. For users with a demonstrated business requirement for Microsoft Office macro use, this group policy setting may either not be configured, disabled or enabled and set to any other setting – as long as antivirus scanning is enabled and Microsoft Office macros in files originating from the internet are being blocked. Within each Microsoft Office application, check or request a demonstration showing Trust Center macro settings (File – Options – Trust Center – Trust Center Settings – Macro Settings) for both users that are not allowed to run Microsoft Office macros and for users with a demonstrated business requirement to do so. For users that are allowed to run Microsoft Office macros, request documentation that outlines their business requirement. Consider determining the percentage of the organisation’s user base that have been granted approval to run Microsoft Office macros (to ensure approval for Microsoft Office macro use is not overly permissive). For the assessment of Microsoft Office macro security, identify what setting is selected for ‘macro settings’. For most users, the setting should be ‘Disable all macros without notification’. However, for users with a demonstrated business requirement for Microsoft Office macro use, any other setting is acceptable at this maturity level. In these instances, identify any compensating controls, such as antivirus scanning, and if Microsoft Office macros in files originating from the internet are being blocked. |
ISM-1488 | Microsoft Office macros in files originating from the internet are blocked. | Within the RSoP report, look for the ‘Block macros from running in Office files from the Internet’ setting at ‘User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\’. It should be enabled. If this setting is not configured, all Microsoft Office macros from the internet will be able to run. In addition, if users have the ability to access a file’s properties, they can remove the Mark of the Web. To prevent this, the ‘Hide mechanisms to remove zone information’ setting at ‘User Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\’ should also be enabled. Users can also remove the Mark of the Web by copying files from NTFS formatted storage media to external FAT/FAT32/exFAT formatted storage media and back again. Unless external storage media (which is typically FAT32/exFAT formatted) is disabled for a system, it will be difficult to prevent users bypassing this control if they know how to – or malicious actors tell them how to (which is more likely at higher maturity levels). |
ISM-1672 | Microsoft Office macro antivirus scanning is enabled. | Check if the following group policy setting is enabled for each Microsoft Office application. Within the RSoP report, look for the ‘Macro Runtime Scan Scope’ setting at ‘User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings\Macro Runtime Scan Scope’. It should be enabled with a value of either: 0 – No macro scanning; 1 – Macros in files with the MoTW (Default); 2 – Macros in all files (Ideal). Alternatively, a pseudo-malicious Microsoft Office macro that contains an EICAR antivirus test string can be used for testing purposes. ASD’s E8MVT has a benign sample file that can be used for testing without running the tool. If an Antimalware Scan Interface compatible antivirus product is not being used, ask for a screenshot of any Microsoft Office macro scanning configuration settings that might be present. |
ISM-1489 | Microsoft Office macro security settings cannot be changed by users. | Within the RSoP report, look for the ‘VBA Macro Notification Settings’ setting at ‘User Configuration\Policies\Administrative Templates\<Microsoft Office Application>\Application Settings\Security\Trust Center\’. If it is either enabled or disabled, then users will not be able to change their Microsoft Office macro security settings. Using a user account, open each Microsoft Office application and attempt to change Microsoft Office macro security settings in the Trust Center. If Microsoft Office macro security settings have been configured via group policy settings, they should appear greyed out. |
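
The assessment rules in the table above, expressed as a check over settings read from one Microsoft Office application's section of an RSoP report. This is an added example, not part of the ACSC guidance or of any tool named on this page; the `Setting` record, the `assess` function and both sample users are hypothetical, and a scan scope of 0 is treated here as not meeting ISM-1672 because it means no macro scanning.

```python
from dataclasses import dataclass
from typing import Optional

# Setting names exactly as the guidance above gives them for the RSoP report.
VBA = "VBA Macro Notification Settings"
BLOCK = "Block macros from running in Office files from the Internet"
HIDE = "Hide mechanisms to remove zone information"
SCAN = "Macro Runtime Scan Scope"
DISABLE_ALL = "Disable all macros without notification"

@dataclass
class Setting:  # hypothetical record for one policy setting of one Office application
    state: str = "Not Configured"  # "Enabled", "Disabled" or "Not Configured"
    value: Optional[object] = None

def assess(rsop: dict, business_requirement: bool) -> dict:
    """Return {control: [findings]}; an empty list means nothing to report."""
    vba, block, hide, scan = (rsop.get(n, Setting()) for n in (VBA, BLOCK, HIDE, SCAN))
    # Assumption: scope 0 means no macro scanning, so only 1 or 2 counts as scanning on.
    av_on = scan.state == "Enabled" and scan.value in (1, 2)
    blocked = block.state == "Enabled"
    out = {c: [] for c in ("ISM-1671", "ISM-1488", "ISM-1672", "ISM-1489")}
    if business_requirement:
        # Any notification setting is acceptable, but only with both compensating controls.
        if not (av_on and blocked):
            out["ISM-1671"].append("approved macro user lacks a compensating control")
    elif not (vba.state == "Enabled" and vba.value == DISABLE_ALL):
        out["ISM-1671"].append(f"'{VBA}' is not set to '{DISABLE_ALL}'")
    if not blocked:
        out["ISM-1488"].append("macros in files from the internet can run")
    if hide.state != "Enabled":
        out["ISM-1488"].append("users can remove the Mark of the Web via file properties")
    if not av_on:
        out["ISM-1672"].append("macro antivirus scanning is not enabled")
    if vba.state == "Not Configured":
        out["ISM-1489"].append("users can change macro settings in the Trust Center")
    return out

# Constructed sample data: settings read off two hypothetical users' RSoP reports.
STANDARD_USER = {VBA: Setting("Enabled", DISABLE_ALL), BLOCK: Setting("Enabled"),
                 HIDE: Setting("Enabled"), SCAN: Setting("Enabled", 2)}
MACRO_USER = {BLOCK: Setting("Enabled"), SCAN: Setting("Enabled", 0)}

if __name__ == "__main__":
    for name, rsop, approved in (("standard", STANDARD_USER, False), ("macro", MACRO_USER, True)):
        for control, findings in assess(rsop, approved).items():
            print(name, control, findings or "no finding")
```

Run it once per Microsoft Office application, since the notification and blocking settings are applied per application.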
Understanding Microsoft Office Macros
Macros are sequences of commands that automate repetitive tasks in Microsoft Office applications like Word, Excel, and PowerPoint. They are written in VBA, enabling users to create custom functions, manipulate data, and control various aspects of the Office environment. However, this capability can be exploited by malicious actors to execute harmful code, leading to data breaches, malware infections, and other security incidents.
Benefits of Restricting Microsoft Office Macros
Restricting Microsoft Office macros significantly enhances organisational security by mitigating one of the most exploited attack vectors. Macros, written in Visual Basic for Applications (VBA), automate repetitive tasks, streamlining workflows. However, they also present severe security risks when maliciously used. Cybercriminals often exploit macros embedded in documents to deliver malware or execute harmful code. By restricting macro use to only those with a legitimate business need, organisations can reduce their exposure to such risks. This approach aligns with guidelines from security authorities like the Australian Cyber Security Centre (ACSC), ensuring proactive risk management while safeguarding organisational data and systems.
Challenges and Considerations in Restricting Macros
Balancing security with functionality is a key challenge when implementing macro restrictions. Organisations must ensure that essential business processes relying on macros are not disrupted while mitigating security threats. This involves conducting detailed assessments of user roles to identify those who genuinely require macro access and configuring appropriate exceptions. Additionally, implementing restrictions requires robust technical measures, such as using Group Policy to disable macros for most users without notification. Monitoring these configurations and addressing evolving organisational needs adds to the complexity, requiring ongoing vigilance and updates to security policies.
Strategies for Effectively Restricting Macros
Adopting a comprehensive strategy is essential for effectively restricting macros without hindering productivity. Regular audits, such as using tools like ‘gpresult’ to verify Group Policy configurations, help ensure compliance. Organisations should configure ‘VBA Macro Notification Settings’ to disable all macros without notification for most users while documenting and justifying exceptions for those requiring access. Implementing additional security measures, such as enabling antivirus scanning for macros and blocking macros in files originating from the internet, further reduces risks. Preventing the removal of the ‘Mark of the Web’ ensures files downloaded from the internet remain flagged as potentially unsafe. These steps, combined with continuous reviews and updates, form a robust defence against macro-related threats.
Conclusion
Restricting Microsoft Office macros is a vital aspect of an organisation’s cybersecurity posture. While macros offer significant benefits in automating tasks and enhancing productivity, they also present substantial security risks when misused. By implementing appropriate restrictions and controls, organisations can mitigate these risks, protect their data, and maintain the integrity of their systems. However, it is essential to balance security measures with operational needs, ensuring that restrictions do not unduly hinder business processes. Through careful planning, user education, and adherence to best practices, organisations can effectively manage the challenges associated with macro security.