ASD Office hardening - macros enabled for trusted publishers
This section describes the configuration of device configuration profiles within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
Instruction
The tables below outline the as-built configuration for ASD’s Blueprint for Secure Cloud (the Blueprint) in the Microsoft Intune portal at the following URL:
https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/configuration
The settings described on these pages provide a baseline implementation for a system configured using the Blueprint. Any implementation implied by these pages should not be considered as prescriptive as to how an organisation must scope, build, document, or assess a system.
Implementation of the guidance provided by the Blueprint will differ depending on an organisation’s operating context and organisational culture. Organisations should implement the Blueprint in alignment with their existing change management, business processes and frameworks.
Placeholders such as <ORGANISATION.GOV.AU>, <BLUEPRINT.GOV.AU> and <TENANT-NAME> should be replaced with the relevant details as required.
Policy import
This configuration policy can be imported.
Download the Macros Enabled for Trusted Publishers .txt file and change the extension to .json, then select Create > Import Policy.
Basics
| Item | Value |
|---|---|
| Name | ASD Office hardening - macros enabled for trusted publishers |
| Description | |
| Platform | Windows 10 and later |
Assignments
Included groups
| Item | Value |
|---|---|
| Groups | All devices |
Excluded groups
| Item | Value |
|---|---|
| Groups | No groups selected |
Scope tags
| Item | Value |
|---|---|
| Scope tags | Default |
Configuration settings
Administrative Templates
| Item | Value |
|---|---|
| Windows Components > Microsoft Management Console | |
| Restrict users to the explicitly permitted list of snap-ins (User) | Enabled |
Microsoft Access 2016
| Item | Value |
|---|---|
| Disable Items in User Interface > Custom | |
| Enter a command bar ID to disable (User) | 19092 |
| Disable commands (User) | Enabled |
| Application Settings > Security > Trust Center | Disable all except digitally signed macros |
| Block macros from running in Office files from the Internet (User) | Enabled |
| Turn off trusted documents (User) | Enabled |
| Turn off Trusted Documents on the network (User) | Enabled |
| VBA Macro Notification Settings (User) | Enabled |
| Application Settings > Security > Trust Center > Trusted Locations | |
| Allow Trusted Locations on the network (User) | Disabled |
| Disable all trusted locations (User) | Enabled |
Microsoft Excel 2016
| Item | Value |
|---|---|
| Excel Options > Security | |
| Scan encrypted macros in Excel Open XML workbooks (User) | Enabled Scan encrypted macros (disabled) |
| Excel Options > Security > Trust Center | Disable all except digitally signed macros |
| Block macros from running in Office files from the Internet (User) | Enabled |
| Trust access to Visual Basic Project (User) | Disabled |
| Turn off trusted documents (User) | Enabled |
| Turn off Trusted Documents on the network (User) | Enabled |
| VBA Macro Notification Settings (User) | Enabled |
| Excel Options > Security > Trust Center > Trusted Locations | |
| Allow Trusted Locations on the network (User) | Disabled |
| Disable all trusted locations (User) | Enabled |
| Disable Items in User Interface > Custom | |
| Enter a command bar ID to disable (User) | 19092 |
| Disable commands (User) | Enabled |
Microsoft Office 2016
| Item | Value |
|---|---|
| Security Settings | |
| Automation Security (User) | Enabled |
| - Set the Automation Security level (User) | Use application macro security level |
| Disable all Trust Bar notifications for security issues (User) | Enabled |
| Disable VBA for Office applications (User) | Disabled |
| Macro Runtime Scan Scope (User) | Enabled Enable for all documents |
| Security Settings > Trust Center | |
| Allow mix of policy and user locations (User) | Disabled |
Microsoft PowerPoint 2016
| Item | Value |
|---|---|
| Excel Options > Security | |
| Scan encrypted macros in Excel Open XML workbooks (User) | Enabled Scan encrypted macros (disabled) |
| PowerPoint Options > Security > Trust Center | Disable all except digitally signed macros |
| Block macros from running in Office files from the Internet (User) | Enabled |
| Trust access to Visual Basic Project (User) | Disabled |
| Turn off trusted documents (User) | Enabled |
| Turn off Trusted Documents on the network (User) | Enabled |
| VBA Macro Notification Settings (User) | Enabled |
| PowerPoint Options > Security > Trust Center > Trusted Locations | |
| Allow Trusted Locations on the network (User) | Disabled |
| Disable all trusted locations (User) | Enabled |
| Disable Items in User Interface > Custom | |
| Enter a command bar ID to disable (User) | 19092 |
| Disable commands (User) | Enabled |
Microsoft Project 2016
| Item | Value |
|---|---|
| Project Options > Security > Trust Center | Disable all except digitally signed macros |
| Allow Trusted Locations on the network (User) | Disabled |
| Disable all trusted locations (User) | Enabled |
| VBA Macro Notification Settings (User) | Enabled |
Microsoft Publisher 2016
| Item | Value |
|---|---|
| Security | |
| Publisher Automation Security Level (User) | Enabled By UI (prompted) |
| Security > Trust Center | Disable all except digitally signed macros |
| VBA Macro Notification Settings (User) | Enabled |
| Disable Items in User Interface > Custom | |
| Enter a command bar ID to disable (User) | 19092 |
| Disable commands (User) | Enabled |
Microsoft Visio 2016
| Item | Value |
|---|---|
| Visio Options > Security > Trust Center | Disable all except digitally signed macros |
| Allow Trusted Locations on the network (User) | Disabled |
| Block macros from running in Office files from the Internet (User) | Enabled |
| Disable all trusted locations (User) | Enabled |
| Turn off trusted documents (User) | Enabled |
| Turn off Trusted Documents on the network (User) | Enabled |
| VBA Macro Notification Settings (User) | Enabled |
| Visio Options > Security > Macro Security | |
| Enable Microsoft Visual Basic for Applications project creation (User) | Disabled |
| Load Microsoft Visual Basic for Applications projects from text (User) | Disabled |
| Disable Items in User Interface > Custom | |
| Enter a command bar ID to disable (User) | 19092 |
| Disable commands (User) | Enabled |
Microsoft Word 2016
| Item | Value |
|---|---|
| Word Options > Security > Trust Center | Disable all except digitally signed macros |
| Block macros from running in Office files from the Internet (User) | Enabled |
| Scan encrypted macros in Word Open XML documents (User) | Enabled Scan encrypted macros (default) |
| Trust access to Visual Basic Project (User) | Disabled |
| Turn off trusted documents (User) | Enabled |
| Turn off Trusted Documents on the network (User) | Enabled |
| VBA Macro Notification Settings (User) | Enabled |
| Word Options > Security > Trust Center > Trusted Locations | |
| Allow Trusted Locations on the network (User) | Disabled |
| Disable all trusted locations (User) | Enabled |
| Disable Items in User Interface > Custom | |
| Enter a command bar ID to disable (User) | 19092 |
| Disable commands (User) | Enabled |
Related information
Security and governance
- Operating system hardening
- User application hardening
- Essential Eight - Restrict Microsoft Office macros
- Essential Eight - Patch applications
- Essential Eight - Regular backups
- System management
- System monitoring
- Enterprise mobility
- Essential Eight - Application control