SOLVED: GPO To Block Macros On Local PC But Not File Shares

Macros in Word, Excel and PowerPoint used to be one of the most common attack vectors, but they largely died out around 2010.  In 2016 they are being used aggressively in crypto/ransomware attacks, and you may want to disable them.  Specifically, they are often delivered as email attachments.

Word / Excel / PowerPoint 2013 and 2016 block macros from untrusted locations but allow users to override this by clicking an ENABLE MACROS button… which they will always do, thereby defeating the security.

The problem is how to allow legitimate macros while blocking malware-ridden macros.  Macros in Word / Excel / PowerPoint documents received through email (i.e. running from a temporary files location on the local PC) should almost certainly be blocked, but many documents internal to your company will also be blocked if you simply disable all macros.  The solution is to ‘trust’ macros only in files that reside on your corporate network shares.  If the files are on your file server, they are much less likely to be infected with malware, as they were likely created by your own staff.

To make this happen you need to change several Group Policies, which boil down to disabling macros and exempting files on your network shares.  The GPOs are as follows:

Set Your Servers As Trusted Locations:

Policies/Administrative Templates/Microsoft Office 2016/Security Settings/Trust Center: Trusted Location #1:
Path: \\fileserver\
Note that this DOES work with DFS roots.

.

Policies/Administrative Templates/Microsoft Office 2016/Security Settings/Trust Center: Trusted Location #2:
Path: \\different-fileserver\
Note: you can add as many or as few locations as you need.  This LOCATION 2 is not required; it is just to demonstrate that you can add more.

Set Trust Center to Accept Your Trusted Locations:

If you skip this step, the notes on Allow Trusted Locations on the network state that Office will ignore all of your Trusted Locations.

Policies/Administrative Templates/Microsoft Word 2016/Application Settings/Security/Trust Center/Trusted Locations/Allow Trusted Locations on the network
Enabled

.

Policies/Administrative Templates/Microsoft Excel 2016/Application Settings/Security/Trust Center/Trusted Locations/Allow Trusted Locations on the network
Enabled

.

Policies/Administrative Templates/Microsoft PowerPoint 2016/Application Settings/Security/Trust Center/Trusted Locations/Allow Trusted Locations on the network
Enabled

Set Macro Notifications To Disabled:

Policies/Administrative Templates/Microsoft Excel 2016/Excel Options/Security/Trust Center/VBA Macro notification Settings:
Enabled: Disable all except digitally signed macros

.

Policies/Administrative Templates/Microsoft Word 2016/Word Options/Security/Trust Center/VBA Macro notification Settings:
Enabled: Disable all except digitally signed macros

.

Policies/Administrative Templates/Microsoft PowerPoint 2016/PowerPoint Options/Security/Trust Center/VBA Macro notification Settings:
Enabled: Disable all except digitally signed macros

I have tested this with Office 2013 as well and found that documents with macros in them will NOT run from the local PC but will run if a user launches the file from a network share.
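To verify the result of the policies above on a workstation, here is an added PowerShell audit script (not from the original post and not a Microsoft tool). It assumes the Office 2016 per-application policy keys under HKCU\Software\Policies\Microsoft\Office\16.0\<app>\Security, where the ADMX templates write VBAWarnings, AllowNetworkLocations and the Location<n> subkeys with Path and AllowSubfolders; the two sample document paths are constructed.

```powershell
# Added audit script (assumption: per-app policy keys as written by the Office 2016 ADMX).
$Apps = 'Word', 'Excel', 'PowerPoint'
$SamplePaths = @(                                   # constructed sample paths
    'C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABCD1234\invoice.docm',
    '\\fileserver\finance\budget.xlsm'
)

function Get-MacroPolicy([string]$App) {
    $base = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $sec  = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $tl   = Get-ItemProperty -Path "$base\Trusted Locations" -ErrorAction SilentlyContinue
    # Each Location<n> subkey carries the trusted Path and an AllowSubfolders flag.
    $locs = Get-ChildItem -Path "$base\Trusted Locations" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.Path } |
        ForEach-Object { [pscustomobject]@{ Path = $_.Path; Subfolders = ([int]$_.AllowSubfolders -eq 1) } }
    [pscustomobject]@{
        App               = $App
        VBAWarnings       = $sec.VBAWarnings                  # 3 = disable all except digitally signed
        AllowNetworkTrust = ([int]$tl.AllowNetworkLocations -eq 1)
        TrustedLocations  = @($locs)
    }
}

function Test-MacroDecision($Policy, [string]$DocPath) {
    $isUnc   = $DocPath.StartsWith('\\')
    $trusted = $Policy.TrustedLocations | Where-Object {
        $root   = $_.Path.TrimEnd('\')
        $inRoot = $DocPath -like "$root\*"
        $inRoot -and ($_.Subfolders -or ((Split-Path $DocPath -Parent).TrimEnd('\') -eq $root))
    }
    # Network trusted locations only count when AllowNetworkLocations is enabled.
    if ($trusted -and (-not $isUnc -or $Policy.AllowNetworkTrust)) { return 'RUN (trusted location)' }
    switch ($Policy.VBAWarnings) {
        1       { 'RUN (all macros enabled - weak)' }
        2       { 'PROMPT (user can click Enable Content)' }
        3       { 'BLOCK unless digitally signed' }
        4       { 'BLOCK (all macros, no notification)' }
        default { 'PROMPT (no policy set; Office default)' }
    }
}

foreach ($app in $Apps) {
    $p = Get-MacroPolicy $app
    foreach ($doc in $SamplePaths) {
        '{0,-10} {1,-14} {2}' -f $app, (Split-Path $doc -Leaf), (Test-MacroDecision $p $doc)
    }
}
```

With the policies from this post applied, the attachment in the Outlook temp folder should report "BLOCK unless digitally signed" and the file on \\fileserver should report "RUN (trusted location)"; a "PROMPT" result for any app means that app's policy did not reach the PC.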

In addition to other sources, I found the following two posts to be useful and you might too:

http://winintro.com/?Category=Office2016&Policy=access16.Office.Microsoft.Policies.Windows%3A%3AL_AllowTrustedLocationsOnTheNetwork

https://www.experts-exchange.com/questions/28936612/Using-GPO-to-disable-Macros-on-Office-files-except-from-File-Servers.html