O365-EX-000002 - VBA Macros not digitally signed must be blocked in Excel.

Information

This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present.

If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros:

- Disable all with notification: The application displays the Trust Bar for all macros, whether signed or unsigned. This option enforces the default configuration in Office. This option also allows users to potentially enable unsigned/untrusted macros. If a site requires the use of macros, they must be signed /approved and added to appropriate locations listed in the Trust Center Settings.
- Disable all except digitally signed macros: The application displays the Trust Bar for digitally signed macros, allowing users to enable them or leave them disabled. Any unsigned macros are disabled, and users are not notified.
- Disable all without notification: The application disables all macros, whether signed or unsigned, and does not notify users.
- Enable all macros (not recommended): All macros are enabled, whether signed or unsigned. This option can significantly reduce security by allowing dangerous code to run undetected.

Solution

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> 'Macro Notification Settings' is set to 'Enabled' and select 'Disable VBA macros except digitally signed macros' from the Options.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Office_365_ProPlus_V3R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-223311r960963_rule, STIG-ID|O365-EX-000002, STIG-Legacy|SV-108801, STIG-Legacy|V-99697, Vuln-ID|V-223311

Plugin: Windows

Control ID: 141957acf7bdfc8a04b252f161c743f27c5a343f23663028837f79b26fdc06a3