Calibre 1 Essential 8 Series: Microsoft Office Macro Settings
This blog is part of a series of blogs on the Essential 8 and how you can implement each control in a cost-effective way.
Introduction
Office macros are both a fantastic tool and a terrible curse. For those that do develop or use them, they are a major time saver, giving scaling returns that repay the time invested in short order. For a lot of people, however, the way macros work is something arcane, best left to the Excel gods, lest we be struck down by a vengeful Bill. It’s no secret that I’m a lover of the Office Suite, with a firm belief that Excel is the greatest software ever written. With that said, a continuing vector of attack and misuse is the ultra-powerful macro language that’s buried just beneath the surface of all your favourite Office apps. Today’s blog will focus on the humble Office macro, and what configuration changes need to be made to meet the Essential 8 requirements.
Who’s that macro-mon (Maturity 1)?
A lot of these elements of the Essential 8, when said out loud, seem like common sense, and even the implementation of the controls is relatively straightforward. First up, users that don’t need macros have their ability to use macros disabled and their ability to change the security settings removed. This can be implemented via policy using Group Policy or Microsoft Endpoint Manager (MEM).
Office macros in files originating from the internet are blocked – it’s like eating off the floor, you don’t want to put that in your mouth, so don’t put internet macros in your mouth either! This can be achieved via policy, but an added step would be using Airlock Digital, an application control product, to capture and prevent these from running. The power of that system is in being able to use hash-identified or named files as an allow list.
Office macro antivirus scanning is enabled – traditional antivirus does this by default, including the built-in Microsoft Defender, which is even better on Windows 11. That doesn’t mean there haven’t been exceptions added to allow macros to run unhindered on a system, and as such, systems that run macros need antivirus or, better, Endpoint Detection and Response (Microsoft Defender P2), and you should verify that it is actually scanning the macro-enabled Office files (docm, xlsm, etc.).
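Here is how I’d verify that state on an endpoint, as an added example that is not from the original post: it reads the per-user Office policy values that Group Policy or MEM write and checks Defender for exclusions that would skip macro-enabled files. It assumes the Office 16.0 policy root (Office 2016 and later) and Microsoft Defender as the antivirus.

```powershell
# Added example (not from the original post): audit the per-user Office policy values
# that implement Maturity Level 1. Values under HKCU\Software\Policies are what Group
# Policy / MEM write; they override the Trust Center UI, which is also what stops the
# user from changing the setting. Run as the user whose state you want to check.
$PolicyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Expected state for a user who does not need macros:
#   vbawarnings 4                        = disable all macros without notification
#   blockcontentexecutionfrominternet 1  = block macros in files carrying Mark-of-the-Web
#   macroruntimescanscope 2              = AMSI runtime scan of macros in all documents
$Checks = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    [pscustomobject]@{ App = $app; Key = "$PolicyRoot\$app\Security"; Name = 'vbawarnings'; Expected = 4 }
    [pscustomobject]@{ App = $app; Key = "$PolicyRoot\$app\Security"; Name = 'blockcontentexecutionfrominternet'; Expected = 1 }
}
$Checks += [pscustomobject]@{ App = 'Common'; Key = "$PolicyRoot\Common\Security"; Name = 'macroruntimescanscope'; Expected = 2 }

function Test-OfficeMacroPolicy {
    param([Parameter(Mandatory)][object[]]$Checks)
    foreach ($c in $Checks) {
        # A missing value means the setting is simply not enforced, which is a finding too.
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            App      = $c.App
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'NON-COMPLIANT' }
        }
    }
}

# Maturity 1 also wants AV actually scanning macro-enabled files: a Defender extension
# exclusion for any of these would let a .docm/.xlsm sail past the scanner.
function Get-MacroScanExclusions {
    $macroExt = 'docm', 'dotm', 'xlsm', 'xltm', 'xlam', 'pptm', 'potm', 'ppam'
    $excluded = (Get-MpPreference).ExclusionExtension
    @($excluded | Where-Object { $macroExt -contains $_.TrimStart('.').ToLower() })
}

Test-OfficeMacroPolicy -Checks $Checks | Format-Table -AutoSize
$bad = Get-MacroScanExclusions
if ($bad.Count) { Write-Warning "Defender excludes macro-enabled extensions: $($bad -join ', ')" }
else            { 'No Defender exclusions for macro-enabled Office file types.' }
```

Users who legitimately need macros would be expected to show vbawarnings 3 (signed only) rather than 4, so run the audit against both groups with the matching expectation.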
Oh me, oh my, let’s block and log (blog?) that Win32 API! (Maturity 2)
An API (Application Programming Interface) is how programs interact with each other and with other systems. This legacy macro option allows Office documents to call Windows system functions, letting them write files to disk and start other processes – the insidious calc.exe (calculator) lurking just around the corner, waiting to pounce on your number-crunching needs. Understandably, this is to be disabled; it can be rolled out via Group Policy or MEM, or manually adjusted in the registry by a local administrator. Any allowed or blocked Office macro executions are logged. Going beyond the Essential 8 (Maturity 2), the logging should be stored in a bastion host or service – I would recommend an Azure Log Analytics Workspace (ALAW) – so that in the event of a security incident you can quickly ingest it into Sentinel as your SIEM monitoring solution, which can help pinpoint issues.
Everybody puts Macros in the corner (Maturity 3)
The final maturity level for macros, and we have a requirement to create a Trusted Location that only privileged users can access, which is used to store, and allow execution of, those macro files. Failing that, those macros that are allowed to run are digitally signed, and failing that, they are run within a dedicated virtual machine or sandbox environment to avoid crossing the streams between production and macrotown. Any macro signed by an untrusted publisher is blocked from being enabled via Backstage or the Message Bar, and finally those logs that we have going to our ALAW are ingested into a SIEM solution like Azure Sentinel and monitored by your friendly neighbourhood security team.
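As an added example that is not from the original post, here is a local stand-in for what the Group Policy or MEM profile pushes for the Maturity 2 and 3 macro-user group: the Defender ASR rule that blocks Win32 API calls from macros, signed-only macros, and a single policy-defined Trusted Location whose folder ACL is what makes it "privileged users only". The folder path, the publisher group name and the ASR rule GUID are assumptions to verify for your environment; run it elevated on a test machine first.

```powershell
# Added example (not from the original post): apply the Maturity 2/3 macro controls for
# the current user. Writing HKCU\Software\Policies directly mirrors what GPO / MEM do;
# in production let the policy engine own these keys rather than a script.
$PolicyRoot  = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$TrustedPath = 'C:\ApprovedMacros'            # assumed location; pick your own
$MacroGroup  = 'CONTOSO\Macro-Publishers'     # assumed AD group allowed to publish macros

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Maturity 2: block Win32 API calls from Office macros with the Defender ASR rule.
# Rule GUID is assumed here; confirm it against Microsoft's ASR rule reference first.
$Win32ApiRule = '92E97FB1-2F4A-4E49-B4BE-D1F29E5D36D7'
Add-MpPreference -AttackSurfaceReductionRules_Ids $Win32ApiRule -AttackSurfaceReductionRules_Actions Enabled

# Maturity 3: the only place unsigned macros may run from is a Trusted Location that
# ordinary users can read but not write to. Strip inherited ACEs so a stray
# "Users: Modify" entry cannot turn the folder into a drop zone for anyone's macro.
New-Item -ItemType Directory -Path $TrustedPath -Force | Out-Null
icacls $TrustedPath /inheritance:r /grant "BUILTIN\Administrators:(OI)(CI)F" `
    "${MacroGroup}:(OI)(CI)M" "BUILTIN\Users:(OI)(CI)RX" | Out-Null

foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "$PolicyRoot\$app\Security"
    # 3 = disable all macros except digitally signed ones
    Set-PolicyValue -Key $sec -Name 'vbawarnings' -Value 3
    # 0 = users cannot add their own Trusted Locations in the Trust Center
    Set-PolicyValue -Key "$sec\Trusted Locations" -Name 'allowuserlocations' -Value 0
    $loc = "$sec\Trusted Locations\Location1"
    Set-PolicyValue -Key $loc -Name 'Path'            -Value "$TrustedPath\" -Type String
    Set-PolicyValue -Key $loc -Name 'AllowSubfolders' -Value 1
    Set-PolicyValue -Key $loc -Name 'Description'     -Value 'Essential 8 approved macro store' -Type String
}
```

The ACL step is the one most often skipped: a Trusted Location that everyone can write to is just a macro-enabling folder with extra steps, so audit the folder permissions alongside the registry values.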
Conclusion
The crazy part of this is that Microsoft Office, a critical productivity suite in today’s business, warrants an entire section of the Essential 8. Microsoft is starting to wise up and is disabling this function moving forwards. Perhaps this illustrates why a security-first mindset is the best approach to modern IT, as getting the toothpaste back in the tube is such a monumentally hard task. In any case, this function of the Essential 8 leans heavily on deployment of Group Policy or MEM, and on an implementation of application control software like Airlock Digital and Windows Defender Application Control. A smattering of EDR via tools like Defender P2, CrowdStrike or FortiEDR will also help ensure the nasty macros are kept at bay, with a lesser shout-out to traditional antivirus platforms.
With all of that said – hoping you all stay safe out there, until we meet again!
Previous Blogs in the Series
Backups
MultiFactor Authentication (MFA) Maturity 1
MultiFactor Authentication (MFA) Maturity 2
MultiFactor Authentication (MFA) Maturity 3
Patch Operating Systems
Restrict Administrative Privileges
User Application Hardening