2.6.6.6.2.8 Ensure 'VBA Macro Notification Settings' is set to 'Enabled: Disable all except digitally signed macros'

Information

This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present.

The recommended state for this setting is: Enabled: Disable all except digitally signed macros.

Rationale:

By default, when a user opens a file that contains VBA macros, the macros are disabled and the Trust Bar displays a warning that they have been disabled. Users may then enable these macros by clicking options on the Trust Bar and choosing to enable them, which could execute malicious code and cause a virus to load undetected.

Note: Microsoft Office stores certificates for trusted publishers in the trusted publisher store. Earlier versions of Microsoft Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. Microsoft Office still reads trusted publisher certificate information from the Office trusted publisher store, but it does not write information to this store.

Therefore, if a list of trusted publishers was created in a previous version of Microsoft Office and Office is then upgraded, the trusted publisher list will still be recognized. However, any trusted publisher certificates that are added to the list will be stored in the trusted publisher store.

Impact:

This configuration causes documents and templates that contain unsigned macros to lose all functionality supplied by the macro. To prevent this loss of functionality, users can install the macro in a trusted location, unless the Disable all trusted locations setting is configured to Enabled, which will not allow the user to add to the trusted location.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Disable all except digitally signed macros.

User Configuration\Administrative Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center\VBA Macro Notification Settings

Default Value:

Enabled: Disable all with notification (Trust Bar displays warning but users can Enable Content regardless of macro signatures.)
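
One way to audit this setting for the signed-in user, as an added example that is not part of the benchmark text. The registry path, the value name and the value meanings (3 = Disable all except digitally signed macros) are assumptions taken from the Office 2016 policy template rather than from this page, and the function names are hypothetical.

```powershell
# Added audit example (not from the benchmark). Assumed policy location:
# HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security, DWORD VBAWarnings.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security'
$ValueName = 'VBAWarnings'
$Required  = 3

# Assumed meaning of each VBAWarnings value in the Office policy template.
$Meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all with notification'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-VbaMacroPolicyState {
    param([string]$Key = $PolicyKey, [string]$Name = $ValueName)

    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No policy value written: Office uses the default listed under Default Value.
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Setting    = 'Not configured (default: Disable all with notification)'
            Compliant  = $false
        }
    }
    $value   = [int]$item.$Name
    $setting = if ($Meaning.ContainsKey($value)) { $Meaning[$value] } else { "Unknown value $value" }
    [pscustomobject]@{
        Configured = $true
        Value      = $value
        Setting    = $setting
        Compliant  = ($value -eq $Required)
    }
}

function Get-TrustedPublisherSummary {
    # Once the policy is enforced, these certificates decide whose signed macros run.
    Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
}

$state = Get-VbaMacroPolicyState
$state | Format-List
if ($state.Compliant) { Get-TrustedPublisherSummary | Format-Table -AutoSize }
```

Because this is a User Configuration policy, run the check in the context of the user being audited. Review the trusted publisher list alongside the result, since an overly broad or stale list weakens the control.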

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4)

Plugin: Windows

Control ID: 03eb7b59e400b8ff31f6c5821681ca05e339d229f85649353a6b9ee52d9813e8