2.2.4.7.2.9 Ensure 'Macro Notification Settings' is set to 'Require macros to be signed by a trusted publisher'

Information

This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros or Excel 4.0 (XLM) macros are present. Multiple Office apps support VBA macros, but XLM macros are only supported by Excel.

Disable VBA macros except digitally signed macros: The application displays the Trust Bar for digitally signed macros, allowing users to enable them or leave them disabled. Any unsigned macros are disabled, and users are not notified. Requiring macros to be signed by a trusted publisher blocks any macro whose signature is not from a publisher on the trusted publisher list.

The recommended state for this setting is: Require macros to be signed by a trusted publisher (checked).

Rationale:

When users open files in Excel that contain VBA macros, Excel opens the files with the macros disabled, and displays the Trust Bar with a warning that macros are present and have been disabled. Users may then enable these macros by clicking Options on the Trust Bar and selecting the option to enable them.

This can allow dangerous macros to become active on users' computers or the network.

Impact:

This configuration causes documents and templates that contain unsigned macros to lose any functionality supplied by those macros. To prevent this loss of functionality, users can install the macros in a trusted location, unless the Disable all trusted locations setting is configured to Enabled, which will block them from doing so. If your organization does not use any officially sanctioned macros, consider choosing No Warnings for all macros but disable all macros for even stronger security.

Solution

To establish the recommended configuration via GP, set the following UI path to Require macros to be signed by a trusted publisher.

User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\Macro Notification Settings

Default Value:

Disable VBA macros with notification. Enable Excel 4.0 macros when VBA macros are enabled.

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1)

Plugin: Windows

Control ID: a1c0ef73a27382ea76fd52b84e2439c7d500307b7c7895d7514bd57f1549fd20