Thursday, April 28, 2016

Blocking Office Macros via Group Policy

If you're lucky enough to be in an environment where macros aren't used much for business purposes, it's a good idea to block them altogether. Using Dave Kennedy's Unicorn tool, the Social-Engineer Toolkit, or similar tooling, it is trivial to create an Office document containing a macro that sends a shell back to the attacker. With macros enabled, users are sitting ducks. There has also been quite a media storm lately around ransomware, and some variants are delivered via Office macros.

I recently worked on a project where the client had mostly Office 2010 installed with a few Office 2007 stragglers. They wanted to block Macros altogether, but still allow a handful of employees to run trusted macro documents.

The first thing we did was create a new policy called Macros - Disable VBA for Office with the following settings:



The policy settings above appear to override any Trusted Locations configured in the Office applications. That makes sense: a Trusted Location only exempts a document from the macro notification setting, and if VBA itself is disabled for the application nothing runs from anywhere. This will be a problem for the handful of users who need to use some trusted macro documents.

To work around this, create a new AD group (Macros - Exempt Users) and add the users who need to open trusted macro documents. Then, from the "Macros - Disable VBA for Office" GPO, select the Delegation tab -> Advanced -> add the "Macros - Exempt Users" group -> check the Deny box for the "Apply group policy" permission.



Now this isn't ideal, because those exempt users are now completely unrestricted and can open whatever malicious macro document lands in their inbox. To tighten this, create another GPO, called "Macros - Trusted Locations for Exempt Users" in this example, with the following settings:



These settings disable all macros but add a Trusted Location on the network where macros are allowed to run for the users in the "Macros - Exempt Users" group (security-filter this GPO so it applies only to that group). Two things to check: "Allow Trusted Locations on the network" must be enabled or the UNC path is silently ignored, and the share must be writable only by whoever curates the trusted documents, because anyone who can drop a file there can run macros as every exempt user.


There are other ways to accomplish this and this method doesn't scale very well, but it works great in small environments and could be tweaked to work better in larger environments.


Office 2016

Microsoft also recently released a new Group Policy setting for Office 2016 called "Block macros from running in Office files from the Internet" that looks interesting. It keys off the Mark of the Web (the Zone.Identifier stream browsers and mail clients attach to downloaded files), so macros in documents that arrived from the Internet zone are blocked outright, taking precedence over the user's Trust Center macro setting, while documents created internally are unaffected.
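As an added example (not part of the original post, and not Microsoft's or any vendor's tooling), the PowerShell script below reads the registry values that the Office 2007/2010 policies above and the Office 2016 setting just mentioned actually write, so you can confirm on a workstation what a normal user and an exempt user end up with. It assumes the policies are applied as User Configuration (so they land under HKCU\Software\Policies) and uses the value names from the Office ADMX templates: Common\vbaoff for "Disable VBA for Office applications", <App>\Security\VBAWarnings for "VBA Macro Notification Settings", <App>\Security\Trusted Locations\LocationN plus AllowNetworkLocations and AllLocationsDisabled for Trusted Locations, and <App>\Security\blockcontentexecutionfrominternet for the Office 2016 Internet block.

```powershell
# Added example, not from the original post: report the effective macro posture
# for the current user from the registry values behind the GPO settings above.
# Assumptions: policies are User Configuration (HKCU\Software\Policies) and the
# value names match the Office ADMX templates; 12.0/14.0/15.0/16.0 are the
# registry version numbers for Office 2007/2010/2013/2016.
$versions = @{ '12.0' = 'Office 2007'; '14.0' = 'Office 2010'; '15.0' = 'Office 2013'; '16.0' = 'Office 2016' }
$apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings value written by "VBA Macro Notification Settings"
$vbaWarningText = @{
    1 = 'Enable all macros (dangerous)'
    2 = 'Disable all with notification (default; one click enables them)'
    3 = 'Disable all except digitally signed'
    4 = 'Disable all without notification'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-TrustedLocations {
    param([string]$SecurityKey)
    $tlKey = Join-Path $SecurityKey 'Trusted Locations'
    if (-not (Test-Path $tlKey)) { return }
    foreach ($k in Get-ChildItem $tlKey) {
        [pscustomobject]@{
            Path        = Get-RegValue $k.PSPath 'Path'
            Subfolders  = [bool](Get-RegValue $k.PSPath 'AllowSubfolders')
            Description = Get-RegValue $k.PSPath 'Description'
        }
    }
}

foreach ($ver in ($versions.Keys | Sort-Object)) {
    $policyRoot = "HKCU:\Software\Policies\Microsoft\Office\$ver"
    if (-not (Test-Path $policyRoot)) { continue }

    # vbaoff = 1 disables the VBA engine itself; Trusted Locations no longer matter then.
    $vbaOff = [bool](Get-RegValue "$policyRoot\Common" 'vbaoff')
    Write-Host "== $($versions[$ver]) : VBA disabled for all applications = $vbaOff"

    foreach ($app in $apps) {
        $sec  = "$policyRoot\$app\Security"
        $warn = Get-RegValue $sec 'VBAWarnings'
        $warnText = if ($null -ne $warn -and $vbaWarningText.ContainsKey([int]$warn)) {
            $vbaWarningText[[int]$warn]
        } else {
            'not set by policy; user preference applies'
        }
        $netOk  = [bool](Get-RegValue "$sec\Trusted Locations" 'AllowNetworkLocations')
        $allOff = [bool](Get-RegValue "$sec\Trusted Locations" 'AllLocationsDisabled')
        Write-Host "  $app : VBAWarnings=$warn ($warnText); network Trusted Locations allowed=$netOk; all Trusted Locations disabled=$allOff"

        foreach ($loc in Get-TrustedLocations $sec) {
            # A UNC trusted location is ignored unless AllowNetworkLocations is set
            $note = if ($loc.Path -like '\\*' -and -not $netOk) { ' [UNC path but AllowNetworkLocations not set: ignored]' } else { '' }
            Write-Host "    Trusted Location: $($loc.Path) (subfolders=$($loc.Subfolders)) $($loc.Description)$note"
        }

        if ($ver -eq '16.0') {
            # "Block macros from running in Office files from the Internet" (Mark of the Web check)
            $block = [bool](Get-RegValue $sec 'blockcontentexecutionfrominternet')
            Write-Host "    Block macros in files from the Internet = $block"
        }
    }
}
```

Run it once as a regular user and once as a member of "Macros - Exempt Users" after a gpupdate; the first should show vbaoff set and no usable Trusted Locations, the second should show VBAWarnings=4 with the network share listed and AllowNetworkLocations set. If the exempt user still sees vbaoff, check gpresult /r to confirm the Deny "Apply group policy" ACE is taking effect.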




Thursday, January 14, 2016

KB2871997 - Overview and Resources


KB2871997 was released almost two years ago. I'm a bit ashamed it took me so long to realize all the awesomeness packed inside. Microsoft has really gone above and beyond to backport some of these security features into Windows 7. I talked about one of the features enabled by this update in my previous post.

Below is a quick overview of the features enabled by the update. Below that is a resources section with all the nitty-gritty details.

Update - for an even better overview check out Sean Metcalf's post at adsecurity.org.


KB2871997 Quick Overview
  • Protected Users group
    • Works well with "Authentication Policies and Silos"
    • Members can only authenticate with Kerberos (no NTLM, no cached credentials), Kerberos pre-authentication must use AES (RC4 and DES are refused), delegation is disallowed, and the TGT lifetime is cut to 4 hours by default
  • Restricted Admin RDP mode
    • Can only make Restricted Admin connections to a Win8.1+/2012R2 system
    • Seems to be a debate regarding the efficacy of this control
      • Some argue it opens RDP up to pass-the-hash attacks: because the client no longer sends the password to the target, an attacker holding only the NT hash can launch mstsc /restrictedadmin from a pass-the-hash session and get an interactive desktop
      • I'd love to hear people's thoughts on this in the comments
  • New well-known SIDs
    • LOCAL_ACCOUNT (S-1-5-113) and LOCAL_ACCOUNT_AND_MEMBER_OF_ADMINISTRATORS_GROUP (S-1-5-114)
    • Lets you deny network and remote interactive (RDP) logon to every local account with a single user-rights assignment, which blocks lateral movement with a shared local administrator password
    • If you haven't heard about this yet, drop everything and see the previous post on implementing it
  • Features to help mitigate Mimikatz / WCE type tools
    • Cached LSASS credentials are removed from memory when the user logs off (Mimikatz mitigation): the clear-text password, the user's NT/LM password hash, and the user's Kerberos TGT/session key
    • Removal of clear-text credentials from LSASS
      • Prevents every Microsoft SSP in LSASS, besides WDigest, from storing the user's clear-text password
        • WDigest can be disabled in the registry: set HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential (DWORD) to 0
      • The NT hash and Kerberos TGT/session key are still stored in memory for logged-on users
        • Without these, SSO would be impossible
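To turn the overview above into something you can check on a host, here is an added example (my own script, not Microsoft's and not from the original post) that reports which of the KB2871997 protections are present and switched on. It assumes an elevated PowerShell session (the secedit export at the end needs admin rights), that the machine is domain-joined for the Protected Users check (RID 525 in the domain SID), and the registry locations given in the list above: WDigest\UseLogonCredential and Lsa\DisableRestrictedAdmin.

```powershell
# Added example, not from the original post: audit KB2871997 protections on this host.
# Assumptions: run elevated; Protected Users is looked up as <domain SID>-525;
# registry value names as listed in the overview above.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Resolve-Sid {
    # Translate a SID to an account name; $null if the OS cannot map it, which for
    # S-1-5-113/114 means the new well-known SIDs are not available on this build.
    param([string]$Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier $Sid).Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}

# 1. Is the update installed? (Windows 8.1 / 2012 R2 and later ship these features built in.)
$os = [Environment]::OSVersion.Version
$kb = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue
Write-Host "OS $os; KB2871997 installed: $([bool]$kb)"

# 2. New well-known SIDs for local accounts
foreach ($sid in 'S-1-5-113', 'S-1-5-114') {
    $name = Resolve-Sid $sid
    Write-Host "$sid -> $(if ($name) { $name } else { 'NOT RESOLVABLE (update missing?)' })"
}

# 3. WDigest: UseLogonCredential must be 0 so LSASS stops holding clear-text passwords
$wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
Write-Host "WDigest UseLogonCredential = $(if ($null -eq $wd) { '<absent>' } else { $wd }) (want 0)"

# 4. Restricted Admin RDP: DisableRestrictedAdmin = 0 enables accepting such connections
$ra = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'DisableRestrictedAdmin'
Write-Host "DisableRestrictedAdmin = $(if ($null -eq $ra) { '<absent>' } else { $ra }) (0 = Restricted Admin target enabled)"

# 5. Protected Users (domain RID 525): does the group exist, and is the current user in it?
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    $puSid  = "$($me.User.AccountDomainSid.Value)-525"
    $puName = Resolve-Sid $puSid
    $inPu   = $me.Groups.Value -contains $puSid
    Write-Host "Protected Users ($puSid): $(if ($puName) { $puName } else { 'not found (DC or schema too old?)' }); current user is a member: $inPu"
}

# 6. Are the local-account SIDs denied network / RDP logon? Parse the exported user-rights policy.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (Test-Path $cfg) {
    foreach ($right in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = Select-String -Path $cfg -Pattern "^$right" | Select-Object -First 1
        $assigned = if ($line) { $line.Line.Split('=')[1].Trim() } else { '<not set>' }
        # secedit writes SIDs with a leading '*', e.g. *S-1-5-113
        Write-Host "$right = $assigned  (local-account SIDs present: $($assigned -match 'S-1-5-11[34]'))"
    }
    Remove-Item $cfg -Force
}
```

On a Windows 7 box without the update, step 2 is the giveaway: the two SIDs will not translate and the deny rights in step 6 cannot reference them. On a patched host, a clean result is both SIDs resolving, UseLogonCredential = 0, and S-1-5-113 (or S-1-5-114 if you only want to block local admins) in both deny rights.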

Resources

Restricted Admin - https://www.petri.com/should-i-use-rdp-restricted-admin-mode

How to Enable Restricted Admin - http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx

Good video from Microsoft with demos of Mimikatz, Windows Credential Editor (WCE), Authentication Policies and Silos - https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B359

Excellent Overview and Explanation of KB2871997 - https://adsecurity.org/?p=559