Hey /g/,
My user base mostly consists of people who can't seem to grasp the concept of "If it's unsolicited, and asks you to turn on macros... It's probably bad". I'm looking for a way to straight up disable the auto run feature for word macros.
Thoughts:
-Any way (across the domain via gpo or something) I can disable the auto_open and/or workbook_open functions?
Limitations:
-Already have decent user training in place so can't touch this, they ignore it anyways.
-Can't just block word docs...
-Email filter can't detect macros
-Legit uses for macros in the company
-Application whitelisting is already in the works for 2016, looking for a temporary safety net
-Our AV seems to have issue with catching macros (Symantec)
thoughts /g/?
This sounds like actual work
/g/ just knows how to fight and masturbate about video cards.
>>51650310
If I were to phrase it:
My users are masturbating to pictures of AMD drivers. The pictures are opened by word macros, how do I stop these idiots?
>>51650258
https://technet.microsoft.com/en-us/library/ee857085.aspx
I'm guessing if there's an answer it's somewhere in here
>>51650378
That's got a much higher chance of working.
>>51650520 >>51650258
Looks like setting "VBA Macro Notification Settings" to "Disable all except digitally signed macros" might do what you want, looks like macros are unrestricted from trusted locations
>>51650537
My only concern is blocking legit uses since teaching users to sign their macros might be tricky.
If I understand you correctly, would setting my domain as a trusted location get around that?
>>51650560
No experience with this personally, but
"Impact: If you enable this setting and select the Disable all except digitally signed macros option, documents and templates that contain unsigned macros lose all functionality supplied by those macros. To prevent this loss of functionality, users can put files that contain macros in a trusted location."
seems to imply that yeah, having internal documents stored in a trusted location would let them work fine. Of course then you'd still have to worry if an untrusted document got into that trusted location, but I have no idea how trusted locations work.
>>51650606
Ya I've got 0 experience with it as well. Thanks for the info.
Also this may be helpful:
http://www.asd.gov.au/publications/protect/Hardening_MS_Office_2013.pdf
>>51650606
you literally just define the file paths that should be trusted and exclude all others. This plus digitally signing all the internal macros and change the trust center to only run signed macros should work.
>>51650258
Of course you can do it via GPO... get the Office ADMX files and play around with the trust center settings. What did you try? Nothing?
>>51652000
After installing the Office admx files; navigate to...
User Configuration > Policies > Admin Templates > Microsoft Word 2013 > Word Settings > Security > Trust Center
and set the desired option for the entry "VBA Macro Notification Settings"
(cont)
>>51652090
>This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present.
>If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros:
>- Disable all with notification: The application displays the Trust Bar for all macros, whether signed or unsigned. This option enforces the default configuration in Office.
>- Disable all except digitally signed macros: The application displays the Trust Bar for digitally signed macros, allowing users to enable them or leave them disabled. Any unsigned macros are disabled, and users are not notified.
(cont)
>>51652114
>- Disable all without notification: The application disables all macros, whether signed or unsigned, and does not notify users.
>- Enable all macros (not recommended): All macros are enabled, whether signed or unsigned. This option can significantly reduce security by allowing dangerous code to run undetected.
>If you disable this policy setting, "Disable all with notification" will be the default setting.
>If you do not configure this policy setting, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking "Enable Content" on the Trust Bar. If the user clicks "Enable Content", then the document is added as a trusted document.
>Important: If "Disable all except digitally signed macros" is selected, users will not be able to open unsigned Access databases.
>Also, note that Microsoft Office stores certificates for trusted publishers in the Internet Explorer trusted publisher store. Earlier versions of Microsoft Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. Microsoft Office still reads trusted publisher certificate information from the Office trusted publisher store, but it does not write information to this store.
>Therefore, if you created a list of trusted publishers in a previous version of Microsoft Office and you upgrade to Office, your trusted publisher list will still be recognized. However, any trusted publisher certificates that you add to the list will be stored in the Internet Explorer trusted publisher store.
Did you even fucking google "disable macros word gpo"? Come the fuck on.
>>51650560
jesus fuck no. that eliminate the warning alright but give your users free reign to run any malware ridden macro that gets emailed to them. it's all or nothing. either you have a legitimate business use for macros and train your users accordingly or shut that shit down.
>>51650560
I did this once before. Set your common drive as a trusted location, everywhere else as untrusted, then bump up your security settings. Macro-enabled stuff received via email is unable to run, stuff in your common drive is unaffected.
