2.6.6.6.2.9 Ensure 'VBA Macro Notification Settings' is set to 'Require macros to be signed by a trusted publisher'

Information

This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present.

If the 'Require macros to be signed by a trusted publisher' check box is selected, users opening files with digitally signed macros but not by a Trusted Publisher will receive a notification that macros are blocked from running.

The recommended state for this setting is: Require macros to be signed by a trusted publisher.

Rationale:

By default, when a user opens a file that contains VBA macros, the macros are disabled, and a warning is displayed on the Trust Bar that the macro has been disabled. Users may then enable these macros by clicking options on the Trust Bar and selecting to enable the macro which could execute malicious code and cause a virus to load undetected.

Note: Microsoft Office stores certificates for trusted publishers in the trusted publisher store. Earlier versions of Microsoft Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. Microsoft Office still reads trusted publisher certificate information from the Office trusted publisher store, but it does not write information to this store.

Therefore, if a list of trusted publishers is created in a previous version of Microsoft Office and is upgraded, the trusted publisher list will still be recognized. However, any trusted publisher certificates that are added to the list will be stored in the trusted publisher store.

Impact:

This configuration causes documents and templates that contain unsigned macros to lose all functionality supplied by the macro. To prevent this loss of functionality, users can install the macro in a trusted location, unless the Disable all trusted locations setting is configured to Enabled, which will not allow the user to add to the trusted location.

Solution

To establish the recommended configuration via GP, set the following UI path to 'Require macros to be signed by a trusted publisher'.

User Configuration\Administrative Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center\VBA Macro Notification Settings

Default Value:

Unchecked (Macros are not required to be signed by a trusted publisher.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-10(1)

Plugin: Windows

Control ID: 8f65aa7b8c63187adf7a499c560f19cbcc74f3337154f6039fd1cb969cbe982c