Disable Macros in Microsoft Office using Group Policy

Disable Macros in Microsoft Office using Group Policy

Macro viruses… if you’ve been in IT for a few years, that term may have you thinking back to the 90’s.  That's when malicious code embedded in Office documents would do annoying, if not destructive, things -- like sending itself to the first 50 people in your address book.

Believe it or not, Microsoft Office macros are still a serious security threat. Several of the recent Cryptolocker-type viruses, such as Locky, spread themselves through malicious Word macros. In those cases, the macro itself isn’t the virus. Once it’s activated, it executes a bit of Javascript that connects to a web server and downloads the virus payload.

By default, MS Word does not run macros automatically, but prompts the user to enable them if the document contains them. But virus writers have developed some sneaky social engineering tricks to get users to disable Protected Mode and run macros. For example, the malicious Word documents that spread the Locky virus appeared to have garbled formatting, strange characters, and gibberish, with a “helpful” note that said “If document is not formatted correctly, enable macros”.

So, unless macros are an important part of your company’s workflow, the safest option is to disable them completely using Group Policy. Disabling Microsoft Office macros is a quick and easy way to beef up your network security against new and emerging threats.

To disable macros in group policy, do the following:

  1. Set Up Group Policy

If you are already managing Office settings using Group Policy, you can skip this step. If not, you’ll need to import the MS Office administrative templates (ADMX files) for the version of Office that you’re using, and then create a new Group Policy Object to hold the macro settings.

Download the Administrative Templates for your version of Office from the Microsoft downloads site (for example, the files for Office 2013 can be found here.) Follow the instructions for importing ADMX templates into your central store here.

Then, open up Group Policy Management. Create a new group policy object in root of your domain. Name it something like “MS Office - Disable Macros”.

  1. Disable Macros

Right-click and edit the GPO you just created (or your existing Office GPO). Navigate to User Configuration > Administrative Templates > Microsoft Word 20xx (where xx is your MS Office version) > Word Options > Security > Trust Center

Double click on VBA Macro Notification Settings. Select “Enabled”, and change the dropdown to the setting you would like -- “Disable All With Notification” is a good choice. Click OK.

Repeat this step for each of the other Microsoft Office products (Excel, PowerPoint, and Outlook).

  1. Test

Once you make these changes, run a gpupdate on a client workstation. Then, open Word, go to File > Options > Trust Center > Trust Center Settings > Macro Settings. You should see the macro setting that you set in the GPO selected, and the other options grayed out:

Macros in Office

If that’s what you see, then you’re all set! You can rest easy knowing that your network is secure from one more potential security threat.