In Vestige, we used a fairly simple macro-enabled Word document that downloaded multiple other files from the malicious web server. Yes, Microsoft Word did ask for confirmation before enabling macros; however, you cannot rely on your users not to enable macros, accidentally or purposefully, when the consequences are unknown to them. Further, protection from compromise should not rely solely on the “Enable Macros” button. There are multiple options available to mitigate this portion of the kill chain, and this particular stage shows how true the common refrain is: “cyber security is only as strong as the weakest link.” In many cases, and in the demonstration of this research project, the weakest link is the users. In fact, the end users are really the new DMZ.
What to do:
At first glance, the solution may seem simple: do not allow macros to run on any machine in the organization, enforced through group policy, done. However, this will likely impede your employees’ ability to do their jobs, and it highlights what one must be cognizant of when implementing security solutions at an organization: you cannot have both full convenience and full security. It is a sliding scale, and you must find the point on that scale that provides ample security without hindering your users in their work, school, or tasks.
To implement the following settings you will need the Office 16 Administrative Templates installed (this only works for Office 2016). For information on that process, see Office 16 Administrative Templates.
First, confirm that Protected View is enabled in your environment. It is enabled by default in the 2016 versions of Excel, PowerPoint, and Word, and is only bypassed in specific situations. For this specific scenario, we want to implement File Block settings so that all Word files first open in Protected View, while still allowing them to be edited.
To do that, in the Group Policy Management Console, go to User Configuration > Policies > Administrative Templates > Microsoft Word 2016 (or the application of your choice) > Word Options > Security > Trust Center > File Block Settings.
Then, in “Set default file block behavior”, switch it to “Enabled” with the option “Blocked Files open in Protected View and can be edited”.
Next, macros can be disabled if they come from the Internet, including through an email as in our example. To do this, back in the Trust Center settings, select “Block macros from running in Office Files from the Internet” and switch it to “Enabled”.
This prevents the user from enabling macros and also removes the “Enable Content” option that Protected View provides. Instead, the user is met with a message about blocked content.
Last, the users still need the ability to write and use trusted macros, because again, stopping all macros, while secure, is not convenient and will inhibit your users from doing what they need to do. Trusted Locations need to be created that allow your users to utilize their macros; the only additional action needed is to inform users that all macros must be run from the created shared folders. Back in the Trust Center settings, select “Trusted Locations” and add a trusted location by setting a path for it, the date, whether it can have subfolders, and a description.
Now there are multiple layers of protection against macro-enabled documents from unknown sources, but, just as important, the users are not prevented from using macros or from accomplishing the task they are trying to do.
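Once the three settings above are deployed, it is worth verifying on an endpoint that the policy actually landed and that the Trusted Locations are not so broad that they undo the macro block. The following PowerShell audit is an added example and not part of the original write-up; it assumes the HKCU policy paths and value names that the Word 2016 administrative templates write (shown in comments), which you should confirm against your own ADMX before relying on it.

```powershell
# Added example: audit the Word 2016 macro-hardening policy values on the current user.
# Assumption: these are the HKCU policy key paths/value names written by the
# Word 2016 ADMX settings discussed above; verify against your templates.
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy was not applied.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$findings = @()

# "Block macros from running in Office Files from the Internet" -> DWORD 1
$v = Get-PolicyValue $base 'blockcontentexecutionfrominternet'
if ($v -ne 1) { $findings += "Internet macro block not enforced (value: '$v')" }

# "Set default file block behavior" -> FileBlock\OpenInProtectedView:
#   2 = open in Protected View and allow editing (the setting chosen above)
$v = Get-PolicyValue "$base\FileBlock" 'OpenInProtectedView'
if ($v -ne 2) { $findings += "File Block default is not 'Protected View, editable' (value: '$v')" }

# Trusted Locations: each LocationN subkey carries Path, AllowSubFolders, Description, Date.
$locations = Get-ChildItem -Path "$base\Trusted Locations" -ErrorAction SilentlyContinue
if (-not $locations) {
    $findings += 'No trusted locations defined; users have no sanctioned place to run macros'
}
foreach ($loc in $locations) {
    $p = Get-ItemProperty -Path $loc.PSPath
    "$($loc.PSChildName): $($p.Path) (subfolders: $($p.AllowSubFolders)) - $($p.Description)"
    # A drive root or a user-writable folder as a trusted location lets any downloaded
    # document bypass the Internet macro block, so flag those for review.
    if ($p.Path -match '^[A-Za-z]:\\?$' -or $p.Path -match '\\(Downloads|Temp|AppData)(\\|$)') {
        $findings += "Trusted location is too broad or user-writable: $($p.Path)"
    }
}

if ($findings.Count -eq 0) { 'Macro hardening policy: compliant' } else { $findings }
```

Run it in the context of a standard user after a `gpupdate /force`; an empty findings list means all three controls are present and the Trusted Locations point at dedicated shared folders rather than locations a downloaded attachment could land in.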
For more information on a plethora of additional settings and configurations for securing Microsoft Office products: