Configuring secure defaults for macros
Disabling macros by default and allowing access on an as-need basis will help your organisation prevent malicious macros from running.
Below are steps you can follow to configure secure defaults for macros within your organisation.
Understand if macros are used
Before you make configuration changes, you need to understand how your organisation uses macros. They can have a valid business use and you want to reduce the impact to the organisation while also keeping the security high. This includes:
- Understand who uses macro-supported files. This could involve asking people in the organisation or reviewing logs. You can enable logs so you can find out each time a macro-supported file type is executed.
- Understand if those files are necessary. Sometimes a user might accidently save a file as a macro-supported file type, or they might be using macros to solve a problem that can be solved using other software. You need to investigate each use case to make sure macros are the only solution. Your goal should be to reduce the amount of macros so disabling them does not impact that part of the organisation.
- Understand how the files are shared and stored. If macro-supported files must be used, you need to understand how they are used. There are additional configurations you can set to protect your organisation even if macros are enabled. This includes restricting macros from executing from specific locations or signed by trusted publishers. Your goal should be to modify the use of macros so you can avoid giving the user the ability to run any unsigned macro they come across.
Set central configurations to disable macos
Once you understand how macros are used and who uses them, you can start setting configurations. You will want to set these configurations from a central point, such as at a group level policy or central management system for your domain. This will prevent you from making the change across multiple computers and will prevent users from reverting the configurations.
You need to set the default configuration across the domain to ‘disable macros’ in any office productivity software your organisation has. The users should not have the ability to enable macros themselves and bypass any warnings. Most office productivity and central domain management software will have guides online to help you with these configurations.
If you are using Windows Active Directory and Microsoft Office, you can check out ACSC’s guide for configuring your group policy.
Set secure limitations for macro users
If there are users within your organisation that need to use macros, they will need to be added to a domain group that allows them to bypass the default ‘disable’ configuration. This group should not have access to run any macro, and instead there should be central configurations set to make sure they use macros safely.
The configurations you set will depend on how your users use macros. Appropriate configurations and use cases include:
- Macro-enabled documents that are used internally by a small team - Users use a macro-enabled document for internal use only. This document might be shared with others on the team. In this case, you can set configurations that only allow macros to run from locations they use. These trusted locations should have access restricted so only the users who need access to the macro-supported document have access. This limits the likelihood that an attacker tricks a user into downloading a malicious macro file to this location.
- Macro-enabled documents that are used across the organisation - Users internally to an organisation use macro-enabled documents across the business. This means the document may not be stored in one central location. In this case, you can set configurations that only digitally signed macros that are signed by your organisation to run. This requires your organisation to have the systems to sign these documents, such as public key infrastructure, and configuring that system as a trusted publisher within your organisation.
- Macro-enabled documents that are shared with known external parties - Users use a macro-enabled document and share the file with people outside the organisation. This means the document may be edited by others before being returned and re-run within your organisation’s domain. In this case, you can set configurations that only digitally signed macros from trusted publishers can be run. This does require work to test and configure the trusted publishers, however this will keep your organisation protected.
When enabling macros for this group, be sure to only enable it for the office productivity software needed. For example, if your users need the ability to run macros in spreadsheet software, it should be still disabled for all other software like word processing and slides.
Access to this domain group should follow the principle of least privilege - meaning only users who need to run macros have access. Access to this group should be reviewed periodically to make sure they still require the access.
All users in this domain group should be trained on using macro-supported documents safely. They should understand that malicious programs can be hidden in these type of files and if they get an unexpected macro file, they should report it. Aside from training, application whitelisting can help prevent users from further damage if they manage to run a malicious macro. Application whitelists will prevent the malware from downloading additional files and stop the infection from getting worse.
Logs should be configured to record each time a user executes a macro-supported file type (such as .docx or xlsm). These logs should be sent to a central place so they can be analysed. You can check to make sure that the macros being run are the ones that are expected and your controls have not been bypassed.