2.8.4.2 Ensure 'Publisher Automation Security Level' is set to 'Enabled: By UI (prompted)'

Information

This policy setting controls whether macros opened programmatically by another application can run in Publisher and how those macros will run.

The recommended state for this setting is: By UI (prompted).

Note: With the above macro functionality configuration selected, macro behavior will be determined by the setting VBA Macro Notification Settings in the Trust Center.

Rationale:

Users may enable macros, which could execute malicious code and cause a virus to load undetected.

Impact:

This configuration causes documents and templates that contain unsigned macros to lose all functionality supplied by those macros. To prevent this loss of functionality, users can install the macro in a trusted location, unless the Disable all trusted locations setting is configured to Enabled, in which case users cannot add to the trusted locations.

Warning: With the Disable all except digitally signed macros option selected, users will not be able to open unsigned Access databases.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: By UI (prompted):

User Configuration\Administrative Templates\Microsoft Publisher 2016\Security\Publisher Automation Security Level

Default Value:

Disabled. (Publisher will use the default Macro setting in Trust Center.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4)

Plugin: Windows

Control ID: 0cd91e7d8624507489fab2b1bad26cd987ef8e03bc98ea029a936ba370fe84f1