Monday, July 18, 2016

A Discussion About Office Macros

Hey everyone - With the last few posts, we have talked about various host-based defense measures you might want to consider implementing.  Today, I want to talk about something else on the host that is a common vector for malware: Office macros.

You might be thinking that we have covered some things over the past few weeks that seem really basic and that Office macros is just another basic topic.  However, since Office macros are still a viable means for malware authors to spread their work, I feel that it is important to talk about.

What are Macros?

Macros are like miniature programs that automate inputs.  Macros are not specific to Office.  Text editors (like emacs and vi / vim), graphic design programs such as Photoshop, and even games support macros.  Macros allow a user to record a sequence of inputs then play them back to automate various actions.  For example, you could write a macro to format a document a certain way or apply effects to a set of photos.

How Do Macros Enable Malware?

Macros by themselves do not enable malware.  They are simply a means of automating input.  Macros are typically defined in a language.  The specific language depends on the environment that the macro will be used in.  Visual Basic for Applications (VBA) is used to define macros for Office applications.  VBA is surprisingly powerful because it allows a macro author to interact with the Windows Application Programming Interface (API).  That includes API functions like GetComputerName that might sound benign, but could allow a malicious person to get details about your computer or execute arbitrary code.  We have talked about how malware authors can use legitimate software for malicious purposes in the past, and this is another example.  VBA provides a good target for malware authors because:

  1. Macros work on Office versions from 2003 to 2016 with little or no modification to the macro for all of those versions.
  2. Office is installed in a lot of places, especially businesses that have information that others want.
  3. The content of Office documents is usually important to the users that write them.  If a malware author infects a box with an Office macro, then that means the user probably uses Office and might be more inclined to pay in the case of ransomware.

What Can We Do To Stop Macros as a Vector (At Least For Office)?

By default, Office 2007 and onwards disable macros and give you a warning when you open a document containing macros.  Starting with Office 2010, macros are disabled when opening a document in "Protected View."   Protected View is a sandbox that disables and/or confines executable code (like macros) and other features in a document.  Unfortunately, all of this means nothing if the user is tricked into disabling these security features by allowing macros to execute.  Therefore, it is vitally important that users understand the dangers of macros and why they should not enable them.  At a higher level, it is important for users to know when not to click on an e-mail attachment or document, especially if it is from someone they do not know or they were not expecting it.

To verify your macro settings, hit the File or Office button in any Office program such as Outlook or Word.  I used Word for this example.  Then click Options.  On the left side, you should see Trust Center:

Then, click Trust Center Settings:

On the left side, you will see macro settings.  This screenshot was from a default installation of Office 2013.  You can see that all macros are disabled by default.  There is also the idea of Trusted Locations where a document in one of those locations is trusted and most security features are disabled:

Personally, I would be careful modifying any of these settings.  If you do, please understand the possible ramifications of doing so.

Across the Domain

Office 2016 features new settings that try to stop a user from enabling macros and exiting Protected View.  What if you are not using Office 2016?  Macros can still be disabled using Group Policy and Administrative Templates.  We will walk through using these templates to disable macros in Office 2013.  The procedure is similar for Office 2007 and 2010.

To begin, download the Administrative Templates for the version of Office you are using.  I have included a link to the Office 2013 Administrative Templates in the Links section below.  When you install them, make sure to put them in \\<your domain>\SYSVOL\<your domain>\Policies\PolicyDefinitions\.  In our sample domain, this path would be \\windows.local\SYSVOL\windows.local\Policies\PolicyDefinitions:

Now that the templates are installed, we can make a new Group Policy Object (GPO) for workstations in our domain.  If you recall, we made a workstations organizational unit (OU) that we put our workstations in.  To make a new GPO, open the Group Policy Management Console (gpmc.msc) by choosing Start > Run > gpmc.msc or by searching for Group Policy Management in the Start Menu.  Then, right click the OU you want to make a new GPO for, and click "Create a GPO in this domain, and Link it here":

You will be prompted for a name.  You can choose whatever you like.  I chose "Disable Office Macros."

The options you need to choose depend on what you are trying to accomplish.  There will be policies for Office in general and each Office application.  For Office in general, you will find the relevant Group Policy options under User Configuration > Policies > Administrative Templates > Office 2013 (or whatever version you are using) > Security Settings.  For each application, you will find the relevant security settings under User Configuration > Policies > Administrative Templates > Name of the specific Office application > Options > Security.  Macro settings are usually under Trust Center under Security.  The complete list of locations is available here.

If you want to disable all macros (and VBA in general), you can look under the Microsoft Office folder.  There, you will find the "Disable VBA for Office Applications" policy:

If you double click it, you will see the options you have:

If you want to disable VBA, click Enabled, then click OK.  If you or your organization relies on macros or VBA, then disabling VBA might not be feasible.  There are two ways you could deal with this:

  • Since the settings we are configuring can be applied per user, you could allow macros for users in a given OU with one GPO and disable macros for everyone else with another GPO.
  • You could only allow signed macros and disable all others.

If the macro is signed by a trusted publisher (we will talk about how to define a trusted publisher in a minute), then the macro will be allowed to run; otherwise it will be disabled.  The user will not have the option of enabling an unsigned macro.  To define a trusted publisher, edit your Default Domain Policy by right clicking it in the Group Policy Management Console and choosing Edit.  Under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers, you can import a trusted publisher's public certificate.  To import a certificate, right click on the right pane and choose Import:

We will not walk through the entire process in this post.  Any macro signed by that publisher will be allowed to run.

To force Office to only allow signed macros, the option will have to be configured per application.  We will look at Word in this post, but the process is similar for the other applications.

Under User Configuration > Policies > Administrative Templates > Microsoft Word 2013 (or whatever version you are using) > Word Options > Security > Trust Center, you will see VBA Macro Notification Settings.  If you double click that and then click Enabled, you will have four options explained on the right side:

We will choose Disable all except digitally signed macros.  You could also choose Disable all without notification if you want to disable all macros, but this will cause a problem if you need to use macros for some reason.

Once you click OK and you force a Group Policy update, either by running gpupdate or by rebooting the computers / having the users affected by the GPO log off and back on, your new settings will be in effect.
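As an added example (not code from the post), here is a PowerShell check an administrator can run on a workstation after gpupdate to confirm what the GPO actually applied.  It reads the policy values the Office Administrative Templates write under HKCU\Software\Policies (VBAWarnings for "VBA Macro Notification Settings", VBAOff for "Disable VBA for Office Applications", and the Trusted Locations subkeys); the version number "15.0" for Office 2013 and the other registry names are assumptions from the templates, not something the post states.

```powershell
# Added example: audit the Office macro policy applied to the current user.
# Assumes Office 2013 ("15.0"); use "14.0" for 2010 or "16.0" for 2016.
function Get-OfficeMacroPolicy {
    param([string]$OfficeVersion = "15.0")

    # Values the "VBA Macro Notification Settings" policy stores in VBAWarnings.
    $meaning = @{
        1 = "Enable all macros"
        2 = "Disable all with notification"
        3 = "Disable all except digitally signed macros"
        4 = "Disable all without notification"
    }
    $root = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"

    # "Disable VBA for Office Applications" sets VBAOff = 1 under the Common key.
    $vbaOff = (Get-ItemProperty "$root\Common" -Name VBAOff -ErrorAction SilentlyContinue).VBAOff

    foreach ($app in "Word", "Excel", "PowerPoint", "Outlook") {
        $sec  = "$root\$app\Security"
        $warn = (Get-ItemProperty $sec -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings

        # Documents in a Trusted Location bypass the macro setting, so list the
        # locations and check whether policy has switched them off entirely.
        $tl     = "$sec\Trusted Locations"
        $allOff = (Get-ItemProperty $tl -Name AllLocationsDisabled -ErrorAction SilentlyContinue).AllLocationsDisabled
        $paths  = @(Get-ChildItem $tl -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty $_.PSPath -Name Path -ErrorAction SilentlyContinue).Path })

        if ($vbaOff -eq 1)       { $state = "OK: VBA disabled entirely by policy" }
        elseif ($null -eq $warn) { $state = "NOT ENFORCED: user can enable macros in Trust Center" }
        elseif ($warn -ge 3)     { $state = "OK: $($meaning[[int]$warn])" }
        else                     { $state = "WEAK: $($meaning[[int]$warn])" }

        [pscustomobject]@{
            Application              = $app
            VBAWarnings              = $warn
            State                    = $state
            TrustedLocations         = $paths
            TrustedLocationsDisabled = ($allOff -eq 1)
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

An application that reports NOT ENFORCED has no policy value at all, which means the user's own Trust Center choice still applies and the user can re-enable macros; a non-empty TrustedLocations list is worth reviewing because files placed there run macros regardless of the setting.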

Conclusions and Final Thoughts
