1.4.7.2.7 Ensure 'VBA Macro Notification Settings' is set to Enabled (Disable all Except Digitally Signed Macros)

Information

This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. The recommended state for this setting is: Enabled. (Disable all Except Digitally Signed Macros) By default, when users open files in Excel that contain VBA macros, Excel opens the files with the macros disabled, and displays the Trust Bar with a warning that macros are present and have been disabled. Users may then enable these macros by clicking Options on the Trust Bar and selecting the option to enable them. Disabling or not configuring this setting may allow dangerous macros to become active on user computers or the network.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled. User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\VBA Macro Notification Settings Impact: This configuration causes documents and templates that contain unsigned macros to lose any functionality supplied by those macros. To prevent this loss of functionality, users can install the macros in a trusted location, unless the Disable all trusted locations setting is configured to Enabled, which will block them from doing so. If your organization does not use any officially sanctioned macros, consider choosing No Warnings for all macros but disable all macros for even stronger security.

See Also

https://workbench.cisecurity.org/files/569

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4)

Plugin: Windows

Control ID: d0e78b37f27ce505132f38b760e328c5dedcfde4ff0456c404e23baaabb64b4a