Discover how to successfully implement the Australian Government’s Essential Eight Framework with simple articles and guides that you can work through to achieve level 3 maturity in your organisation.


This article will cover Maturity 1 Control 3: Configure Microsoft Office macro settings.

View the full series here

What does “Configure Microsoft Office macro settings” seek to achieve?

“Configure Microsoft Office macro settings to block macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.

Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.”

Maturity level 1 of this control aims for the following level of security:

  1. Microsoft Office macros are allowed to execute, but only after prompting users for approval.
  2. Microsoft Office macro security settings cannot be changed by users.


How to Configure Microsoft Office Macro Settings

Firstly, we’d normally recommend doing this using tools like Group Policy, Intune or PowerShell to block macros completely and to disable user access to the macro settings in Microsoft Office.

But since this series is all about DIY, we’re going to show you the manual way of doing it. This is a way for you to apply the controls to your own machines, or test the settings out.

You will need to disable macros for each Microsoft Office program you use (Excel, PowerPoint, Word, Outlook). This is because when you change macro settings, they are only changed for the Office program you are using.

Macro settings are located in the Office Trust Center, and as long as your account has access to these settings, you can follow the steps below.

Open the respective Office program then follow these instructions for each:

  1. Click the File tab.
  2. Click Options.
  3. Click Trust Center, and then click Trust Center Settings.
  4. In the Trust Center, click Macro Settings.
  5. Select Disable all macros with notification (this is the setting that reaches maturity level 1 of this control). Macros are disabled, but a security alert appears when a file contains macros, so you can enable them on a case-by-case basis.
  6. Click OK.

The following image is the Macro Settings area of the Trust Center.

This takes care of the first part of the control.

The next part of the control says to make it so “Microsoft Office macro security settings cannot be changed by users.” Unfortunately, this is a bit of a contradiction.

If you were already able to do the previous step, then you likely have no restrictions applied to your Office settings, and it’s likely your account has administrator privileges anyway. Any block on the Office macro settings could easily be overridden.
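A read-only PowerShell check for both parts of the control, added here as an example and not taken from the original article: it reports the effective macro setting per application and whether it is enforced by policy, in which case it cannot be changed in the Trust Center. It assumes Office 2016/2019/365 (registry version key `16.0`) and the `VBAWarnings` registry value used by Word, Excel and PowerPoint; Outlook is left out because its macro policy uses a different registry value. The function names are hypothetical.

```powershell
# Added example: read-only audit of the per-user Office macro setting.
# Assumptions: Office 2016/2019/365 (registry version key 16.0) and the
# VBAWarnings DWORD used by Word, Excel and PowerPoint.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of each VBAWarnings value, using the Trust Center option names.
$Meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-VbaWarnings {
    param([string]$KeyPath)
    # Returns the DWORD, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name 'VBAWarnings' -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.VBAWarnings } else { $null }
}

function Test-OfficeMacroSetting {
    foreach ($app in $Apps) {
        # Policy hive: set by Group Policy or Intune, greys out the Trust Center option.
        $policy = Get-VbaWarnings "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        # Preference hive: written when the user changes the Trust Center option.
        $user   = Get-VbaWarnings "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"

        # A policy value overrides the user's choice. With neither present,
        # Office uses its default, assumed here to be 2 (disable with notification).
        $effective = if ($null -ne $policy) { $policy } elseif ($null -ne $user) { $user } else { 2 }

        [pscustomobject]@{
            App             = $app
            Effective       = $Meaning[$effective]
            PromptsOrBlocks = $effective -ne 1        # first part of the control
            LockedByPolicy  = $null -ne $policy       # second part of the control
        }
    }
}

Test-OfficeMacroSetting | Format-Table -AutoSize
```

A row with `LockedByPolicy` set to `False` means the setting is only a user preference and can still be changed in the Trust Center.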

In fact, Control 5 of the Essential Eight framework titled “Restrict admin privileges” covers this whole point. To keep things simple, we will cover this point in that article. You can find that article by navigating back to our guide page here:

https://elasticit.com.au/2020/10/07/the-ultimate-guide-to-implementing-the-australian-governments-essential-eight-cybersecurity-framework/

Up next in our Essential Eight series will be Maturity 1 Control 4: User application hardening.

In the meantime, if you’ve reached the point where you want to call in the pros, we’re right here 😉