Microsoft has updated the Office 2016 Administrative Templates for Group Policy configuration. The updated ADMX files include new settings to block macros from running in Word documents, Excel spreadsheets, or PowerPoint presentations that originated from the Internet. Microsoft has provided this mitigation to give administrators control over a popular vector that malware, particularly ransomware, is taking advantage of. If you do not use macros, you can disable them completely through the ‘VBA Macro Notification Settings’ setting. If you use macros, you can use the new setting to selectively block their execution in documents that were downloaded from file-sharing sites or storage providers, or received by email.
To find the settings, download the latest Administrative Templates for Office 2016 and extract them to your central store. Once copied to your central store, you will find the ‘Block macros from running in Office files from the Internet’ setting in the following paths:
- User Configuration, Administrative Templates, Microsoft Excel 2016, Excel Options, Security, Trust Center
- User Configuration, Administrative Templates, Microsoft PowerPoint 2016, PowerPoint Options, Security, Trust Center
- User Configuration, Administrative Templates, Microsoft Word 2016, Word Options, Security, Trust Center
The setting can be enabled or disabled. If a document contains a legitimate macro that needs to run, users will need to move the document to a trusted location in order to allow the macro.
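Office decides that a file came from the Internet from the zone information Windows attaches to downloaded files and mail attachments (the `Zone.Identifier` alternate data stream, where `ZoneId=3` is the Internet zone). The PowerShell below is an added example, not part of the original article or of Microsoft's guidance; it lists macro-capable Office files under a folder that carry that mark, so you can see which documents the setting would affect before enabling it. The function names and the default path are assumptions made for this example.

```powershell
# Added example: report macro-capable Office files that carry the Internet zone mark.
# Get-ZoneId, Find-InternetMarkedOfficeFile and the default path are hypothetical
# names chosen for this example.

# Word, Excel and PowerPoint extensions that can carry VBA macros.
$MacroExtensions = '.doc', '.docm', '.dot', '.dotm',
                   '.xls', '.xlsm', '.xlsb', '.xlt', '.xltm', '.xlam',
                   '.ppt', '.pptm', '.pot', '.potm', '.pps', '.ppsm', '.ppam'

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$File)
    # Zone.Identifier is an NTFS alternate data stream. It is absent on files
    # created locally, so a missing stream is treated as "no zone recorded".
    $stream = Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $stream) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Find-InternetMarkedOfficeFile {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $MacroExtensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $zone = Get-ZoneId -File $_.FullName
            if ($zone -eq 3) {   # 3 = Internet zone
                [pscustomobject]@{
                    File      = $_.FullName
                    ZoneId    = $zone
                    LastWrite = $_.LastWriteTime
                }
            }
        }
}

# Newest files first; pass -Path to scan a different folder or share.
Find-InternetMarkedOfficeFile | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Files that appear in the output and contain macros the business depends on are the candidates for a trusted location.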
Microsoft’s previous level of protection was Protected View. It warned the user and required them to click ‘enable editing’ to access the restricted content in external files.
Microsoft has put the power in the hands of the enterprise, because it was too easy for an end user to click ‘enable editing’ and run a suspicious file just to make the notice disappear. The user will now receive an alert saying:
“Blocked Content – Macros in this document have been disabled by your enterprise administrator for security reasons.”
With ransomware the latest and most profitable route for malicious actors to take, it is recommended to shut the door to macro-based malware by enabling this setting.
For more information, see the article from the Microsoft Malware Protection Center and the TechNet article ‘Plan security settings for VBA macros in Office 2016’.