Thursday, April 28, 2016

Blocking Office Macros via Group Policy

If you're lucky enough to be in an environment where macros aren't used much for business purposes, it's a good idea to block them altogether. Using Dave Kennedy's Unicorn tool, the Social Engineer Toolkit, or other tools, it is trivial to create an Office doc containing a macro that sends a shell back to the attacker. With macros enabled, users are sitting ducks. There is also quite a media storm lately around ransomware, and some variants are delivered via Office macros.

I recently worked on a project where the client had mostly Office 2010 installed with a few Office 2007 stragglers. They wanted to block Macros altogether, but still allow a handful of employees to run trusted macro documents.

The first thing we did was create a new policy called Macros - Disable VBA for Office with the following settings:



The policy settings above seem to nullify any Trusted Locations within the Office applications. This will be a problem for the handful of users that need to use some trusted macro documents.

To work around this, you can create a new AD group (Macros - Exempt Users) and add the users that need to open trusted macro documents. Then, from the Macros - Disable VBA for Office GPO, select the Delegation tab -> Advanced -> Add the "Macros - Exempt Users" group -> Check the Deny box for the "Apply group policy" permission.



This isn't ideal, because that handful of users now has unrestricted access to open whatever malicious macro they want. To restrict this further, you can create another GPO, called "Macros - Trusted Locations for Exempt Users" in this example, with the following settings:



These settings disable all macros but add a Trusted Location on the network where macros are allowed to run for the users in the "Macros - Exempt Users" group.


There are other ways to accomplish this and this method doesn't scale very well, but it works great in small environments and could be tweaked to work better in larger environments.


Office 2016

Microsoft also recently released a new feature for Office 2016 called Block macros from running in Office files from the Internet that looks interesting.
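To confirm what the two GPOs above (and the Office 2016 Internet block) actually leave on a workstation, the following PowerShell script reads the HKCU policy keys Office consults and reports the effective macro settings per application. This is an added example, not part of the original post; the registry value names (vbaoff, VBAWarnings, AllowNetworkLocations, blockcontentexecutionfrominternet) are the ones these policies write as I know them, so confirm them against the ADMX for your Office version before relying on the output.

```powershell
# Added example: audit the effective Office macro policy for the current user.
# Run as the user being checked after a gpupdate. 14.0 = Office 2010, 16.0 = Office 2016.
param([string]$OfficeVersion = "14.0")

$base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# "Disable VBA for Office applications" (Common settings) writes vbaoff = 1
$vbaOff = Get-PolicyValue "$base\Common" "vbaoff"
"VBA disabled for all Office apps : $($vbaOff -eq 1)"

foreach ($app in "Word", "Excel", "PowerPoint") {
    $sec = "$base\$app\Security"
    # VBAWarnings: 4 = disable all macros without notification
    $warn = Get-PolicyValue $sec "VBAWarnings"
    # Trusted Locations allowed on the network (required for a UNC path)
    $net  = Get-PolicyValue "$sec\Trusted Locations" "AllowNetworkLocations"
    # Office 2016 only: block macros in files marked as from the Internet
    $inet = Get-PolicyValue $sec "blockcontentexecutionfrominternet"
    # Enumerate policy-defined Trusted Locations (Location0, Location1, ...)
    $locs = @()
    if (Test-Path "$sec\Trusted Locations") {
        Get-ChildItem "$sec\Trusted Locations" | ForEach-Object {
            $p = Get-PolicyValue $_.PSPath "Path"
            if ($p) { $locs += $p }
        }
    }
    [pscustomobject]@{
        App              = $app
        VBAWarnings      = $warn          # expect 4 under both GPOs
        NetworkTrusted   = ($net -eq 1)   # expect True only for exempt users
        InternetBlocked  = ($inet -eq 1)  # Office 2016 feature described above
        TrustedLocations = ($locs -join "; ")
    }
}
```

For a non-exempt user the expected result is VBA disabled, VBAWarnings 4 and no Trusted Locations; for a member of "Macros - Exempt Users" only the network share from the second GPO should appear.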



