Hi everyone, and welcome to this week’s episode of Eight Weeks of the Essential Eight. In this episode we’re going to discuss the Essential Eight mitigation strategy ‘configure Microsoft Office macros’, why it’s considered essential, and how to implement the maturity level one requirements. Let’s begin!
The ACSC defines this strategy as:
Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
What are Macros?
Macros are microprograms designed to make repetitive tasks easier in programs such as Word or Excel. By recording input sequences like mouse clicks and key presses, it is possible to create an automated set of instructions for a program to follow. Users can then run the macro instead of repeating the same list of instructions by hand.
However, it is just as easy for malicious macros to run in the same way. These malicious macros automatically run instructions a cyber attacker has developed, which can embed the malicious macros into the files on your computer, send emails with malicious code to your contacts, or run ransomware or other malware.
Macros, whether trusted or malicious, can only run if they are opened in associated programs (e.g., Excel or Word). Thus, it is vital that you secure macros in order to reduce the risk of running malicious macros.
Macro configuration best practices
Most productivity suites like Microsoft Office have improved their security surrounding macros by asking users if they are sure they want to run macros when opening a document. However, this simply isn’t enough to protect your business against macro viruses, as the safety of the document or its macros is left up to your users to decide, and generally speaking, they are more concerned with getting a task done than checking if the document or macros they’re running are secure.
How tightly you secure macros depends on your business. For businesses that rarely use Excel or Word, or have no use for macros, it may be best to simply disable all macros and block new macros from starting. This however may not be a viable option for businesses that utilise macros to enable efficient daily processes. If this is the case for your business, you must configure Office macro settings to manage appropriate macros. This means that only approved users should be allowed to execute macros from a trusted location via a secure network path. It is possible to set these controls in the Office Trust Centre interface or in Group Policy settings.
Maturity Level One Requirements:
Requirement 1:
Microsoft Office macros are disabled for users that do not have a demonstrated business requirement
Which basically translates to ‘if you don’t need it, don’t use it’. Operating by the principle of least privilege, use Group Policy Objects in your Active Directory to define macro privileges and only assign those privileges to users who absolutely need macros to complete their jobs.
Requirement 2:
Microsoft Office macros in files originating from the internet are blocked
By default, macros in Word, Excel and PowerPoint files are enabled according to the macro warning setting. Files are identified as coming from the Internet based on the zone information added to the file by the Attachment Execution Service (AES). AES adds zone information to files that are downloaded by Outlook, Internet Explorer, and some other applications. Office provides a Group Policy setting that enables you to block macros from running in Word, Excel and PowerPoint files from the Internet, so make use of that when implementing this requirement.
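To see which files carry this zone information, the following added example (not part of the original post) lists macro-capable Office files in a folder and reads each file's `Zone.Identifier` stream. The function name, the extension list and the folder you pass in are assumptions for illustration.

```powershell
# Added example: report the zone information attached to Office files.
# Function name and extension list are illustrative assumptions.
function Get-OfficeFileZone {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # Standard Windows URL security zone identifiers
    $zoneNames = @{
        0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
        3 = 'Internet';      4 = 'Restricted sites'
    }
    $macroExt = '.doc', '.docm', '.dotm', '.xls', '.xlsm', '.xlsb',
                '.xltm', '.ppt', '.pptm', '.potm', '.ppsm'

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $macroExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file   = $_
            $zoneId = $null

            # Zone.Identifier is an NTFS alternate data stream. It is absent
            # on files that were created locally or copied in a way that
            # dropped the stream, so a missing stream is not an error.
            $stream = Get-Content -LiteralPath $file.FullName `
                        -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            $hit = $stream | Select-String -Pattern '^ZoneId=(\d+)' |
                        Select-Object -First 1
            if ($hit) { $zoneId = [int]$hit.Matches[0].Groups[1].Value }

            [pscustomobject]@{
                File             = $file.FullName
                ZoneId           = $zoneId
                Zone             = if ($null -ne $zoneId) { $zoneNames[$zoneId] }
                                   else { 'No zone information' }
                FromInternetZone = ($zoneId -eq 3)
            }
        }
}

# Usage (path is a placeholder):
# Get-OfficeFileZone -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

Files reported with no zone information are not covered by the Internet-blocking policy, which is why the other three requirements still matter.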
Requirement 3:
Microsoft Office macro antivirus scanning is enabled
Most antivirus vendors are capable of scanning for script-based threats (such as macro viruses), so you should be using your endpoint protection/antivirus vendor or software to scan for these malicious macros, along with most applications and files on your network.
Requirement 4:
Microsoft Office macro security settings cannot be changed by users
There’s no point in setting up solid macro security settings if your users can easily disable or get around them. Be 100% sure that your controls for macros are placed in the hands of trusted admins, and that these admins are the only ones capable of making changes.
How do I set up macro security settings?
As I mentioned earlier, you can apply macro security settings with Group Policy Objects in Active Directory. I’ve included a link in this blog post so you can find out more, or you can just type into Google ‘configure ms macro settings in group policies’ for a number of tutorials.
Restrict or block macros: https://4sysops.com/archives/restricting-or-blocking-office-2016-2019-macros-with-group-policy/
Or you can get your Managed Service Provider to assist you, if you have one!
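Once the Group Policy Objects are applied, you can check what a signed-in user actually received. This added example (not from the original post or the linked tutorial) reads the per-user Office policy registry values behind the macro settings; it assumes Office 2016/2019/365, which uses registry version `16.0`, and the function name is illustrative.

```powershell
# Added example: read the Office macro policy values written by Group Policy.
# Assumes registry version 16.0 (Office 2016/2019/365); function name is illustrative.
function Get-MacroPolicyState {
    param([string] $OfficeVersion = '16.0')

    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"

    # Meaning of the VBAWarnings policy value
    $vbaMeaning = @{
        1 = 'Enable all macros'
        2 = 'Disable all with notification'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all without notification'
    }
    # Meaning of MacroRuntimeScanScope (runtime antivirus scanning of macros)
    $scanMeaning = @{
        0 = 'Disabled for all documents'
        1 = 'Enabled for low trust documents'
        2 = 'Enabled for all documents'
    }

    function Read-PolicyValue([string] $Key, [string] $Name) {
        # Returns $null when the key or value has not been set by policy
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    $scan = Read-PolicyValue "$base\Common\Security" 'MacroRuntimeScanScope'

    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key   = "$base\$app\Security"
        $vba   = Read-PolicyValue $key 'VBAWarnings'
        $block = Read-PolicyValue $key 'blockcontentexecutionfrominternet'

        [pscustomobject]@{
            Application           = $app
            # Values under the Policies key are enforced by Group Policy and
            # take precedence over what the user picks in the Trust Centre.
            MacroSetting          = if ($null -ne $vba) { $vbaMeaning[[int]$vba] }
                                    else { 'Not set by policy' }
            InternetMacrosBlocked = ($block -eq 1)
            RuntimeAvScan         = if ($null -ne $scan) { $scanMeaning[[int]$scan] }
                                    else { 'Not set by policy' }
        }
    }
}

Get-MacroPolicyState | Format-Table -AutoSize
```

Run it in the context of the user you are checking, since these are per-user (HKCU) policies; a row showing 'Not set by policy' means the GPO has not reached that user.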
And that’s it for MS Office Macros. As usual, if you have any questions please don’t hesitate to send through an email.