Solved

Any way to stop Office creating new macro-enabled documents?

Posted on 2016-09-06
12
67 Views
Last Modified: 2016-09-12
I realise that group policy can be used to stop users from opening macro-enabled Office files such as .docm, .xlsm and .pptm - but what I need is to stop users from being able to create any new ones.  Is that possible?

When users go to Save As, I want the macro-enabled file type (and the macro-enabled template file type) to either be greyed out or removed completely from the list.

We are on Office 2010 SP2, although beginning to plan the migration over to Office 2016.

Thanks.
0
Comment
Question by:meirionwyllt
  • 5
  • 4
  • 2
  • +1
12 Comments
 
LVL 14

Expert Comment

by:DrTribos
ID: 41787195
Ok - I'll bite... Why do you want to do this?

Wouldn't it suffice to just force the following settings?
- Disable All Macros Without Notification
- Disable All Trusted Locations
0
 
LVL 17

Assisted Solution

by:Roy_Cox
Roy_Cox earned 100 total points
ID: 41787235
You would also have to prevent the use of xlsb files because they can also support macros. The only way would be to use the suggestion above, although  that can be reversed easily enough.

This new feature may help but you would need to upgrade to Office 2016

Block Macros
0
 
LVL 14

Assisted Solution

by:DrTribos
DrTribos earned 400 total points
ID: 41787249
@Roy I was at a client site last week and saw that (A) all options for Macro Security were grayed out and macros were set to "Disable All...", but (B) it was still possible for the user to set trusted locations (including on networks) so 'part-A' was kind of useless.

Anyway, the link you provided doesn't seem to address the issue of a user creating their own macros and saving...  perhaps it's just me - the article was a bit too long for my short attention span.

The other thing, I think that if a user creates a document and saves it then that document is automatically 'trusted'.  So, unless I'm mistaken, even with all the macro security settings in the world you can still run it if you are the author and on the same PC that was used to save the document (because it is known as a Trusted Document).

Also worth noting: there are tools available that can bypass ALL macro security, but require the user to open the document from an exe.

But for the OP... why bother?  What is the end goal here?
0
 

Author Comment

by:meirionwyllt
ID: 41787442
OK, some background here...

Last month we had an infection of a 'Zepto' ransomware virus, which came from a maco-enabled Word document attached to a spam email.  Of course we are looking at tightening up on all aspects of security, AV, anti-spam, firewall, user education, etc, but we are also looking at macros.

On the day that the virus broke, as somewhat of a knee-jerk reaction, we disabled macros across the board for all Office apps on 2500 machines, using Group Policy.  However the phones went red-hot, as users were no longer able to open the genuine macro-enabled documents that they open as part of their jobs.  We had to switch macros back on, because at the time we had had a shitstorm to mop up after.  Now it's time to look at this again, but one thing that's certain is that we have no idea what macro-enabled documents our users use, and what 3rd party apps might stop working as a result of this.

Last week I contacted the users who phoned on the virus day, to see what it was that stopped working in that hour or so that we disabled macros.  There was a range of stuff, from Word docs to Access .ade front-end files, and one 3rd party app which, I presume, exports its data as Word docs.  The reality is that there will be many, many more.  So the end goal is to create a 'can open Word macros' AD group, and the same for Excel and PowerPoint.

But we have a lot to learn before switching that on, to try to figure out what our users need macros for.  I thought a good place to start with this was to stop users from creating any new macros, and wait until they phone us - because most of the time a macro is overkill for what they need, and other times an access database would be more suitable, for collaboration etc.  Using this less intrusive method we could then build a list of users who use macros, so when the switch-on happens, it won't break so many things.
1
 
LVL 14

Assisted Solution

by:DrTribos
DrTribos earned 400 total points
ID: 41787629
Ouch!  Well it sounds like you'd understand my adversion to blocking everything... might as well just unplug all the PCs ;-)

Don't worry about the SaveAs aspect.  Let users create their own macros - it you feel the need to protect against that then you have bigger issues than macros.

Do ramp up the macro security (at least require a digital Cert) and perhaps disable all trusted locations.  

BUT Beware... this little utility called WordFree will actually bypass every single macro security setting you have.  You might call it a shitstormbrewing....

Anyway, there are a ton of legitimate uses of Macros and if you take a sensible approach they can still be used.

There are tools available for scanning Macros, the best I've found: https://bitbucket.org/decalage/oletools/wiki/olevba and this will look for signs that something bad is happening... but at the same time it could (most likely would generate a few false positives).

Basically I'd suggest:
- prevent downloading of macro enabled files
- block them in emails

But beware, they can be renamed zip and often pass through file blockers... but this requires a somewhat more deliberate action on the part of your users....
0
 

Author Comment

by:meirionwyllt
ID: 41788049
OK I guess the answer to my original question is a No.

I think I'll just have to deploy the locked down settings to a few teams at a time and see what happens.

As for digitally signing, this is an area that I've been scared away from for some time now, but I think this is the time to tackle it.  All guides I've seen on how to do this are really long-winded.

Do you know of any guides that are simplified?  We have an SSL certification server (Microsoft) on our domain, if that helps at all.

Thanks.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 34

Expert Comment

by:PatHartman
ID: 41788401
I understand your pain but preventing users from creating macros to make your work easier and theirs harder is rather draconian.   Better to concentrate on education first, then malicious software prevention tools and registry settings that prevent software installation.

One thing that comes to mind is to run the email and internet programs in a virtual partition to add yet another fence between the bad guys and your hard drive and server.  It is a little inconvenient to move files but if that isn't a big part of their job then it won't get in the way.  Then if they trash their virtual computer, you can delete the image and give them a clean one.
0
 
LVL 14

Expert Comment

by:DrTribos
ID: 41788666
Digital certificate is something that you insist on from software products. DigiCert have a click and go Cert that just works if you want to sign your own macros
0
 

Author Comment

by:meirionwyllt
ID: 41789197
PatHartman - the idea wasn't to blanket block all macros permanently, it was only to do so initially, find out who needs it, then give those people permissions to open/save macros.  95% of our staff don't even know what a macro is, let alone know how to create one, so who why would you want to give everyone permission to something that can be so damaging when they don't need it for their work?
Also, I'd say that our system is pretty well locked down already, but this got through.  We are looking at all aspects of security, but I still need to do something about macros now, as leaving macros as they are is not an option.

DrTribos - could you please elaborate on that?  If an user has created a genuine macro, how do I digitally sign it?

Thanks.
0
 
LVL 14

Accepted Solution

by:
DrTribos earned 400 total points
ID: 41789212
If a user created a macro they would be able to use it, I think, because it would be trusted.... but, you can purchase a digital signature from the likes of digiCert and when you download it you will be able to add it to the Cert Store (using a tool they provide) and from there you can sign it from the VBA IDE thusly: Tools > Digital Signature > Select the Signature and sign away > Save.  

Or if you want a headache you can create your own Cert.  Or use one of the Community provided Certs.  

NOTE: These are code signing certs and are entirely different from SSL certs for websites.
https://www.experts-exchange.com/questions/28951575
0
 

Author Comment

by:meirionwyllt
ID: 41794347
OK, I've done a bit of research into code signing digital certs.  Paying for one is not an option for us, especially not a revenues-based expenditure, and especially since we have a Microsoft certification server here that can be used for this.  So, I've created a test cert, which appear on PCs via auto-enrollment, but not on our Citrix published desktop.  But this is going beyond the scope of the original question, so I will open another question about that.  Thanks for your help.  Will close this question shortly.
0
 
LVL 17

Expert Comment

by:Roy_Cox
ID: 41794573
Pleased to help.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

This article will show you how to use shortcut menus in the Access run-time environment.
Resolve DNS query failed errors for Exchange
The viewer will learn how to use a discrete random variable to simulate the return on an investment over a period of years, create a Monte Carlo simulation using the discrete random variable, and create a graph to represent the possible returns over…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now