ASD's Blueprint for Secure Cloud

Restrict Microsoft Office Macros

This page provides a template and guidance to assist organisations in documenting their approach to restricting Microsoft Office macros, as per the Essential Eight Maturity Model, associated with their system(s) built on ASD's Blueprint for Secure Cloud.

Estimated reading time: 4 minutes

Applicability

The Restrict Microsoft Office Macros mitigation strategy is applicable to restricting the execution of Microsoft Office Macros on all <SYSTEM-NAME> workstations and servers.

Maturity Level

Targeted:<TARGET-LEVEL>
Currently Assessed:<ASSESSED-LEVEL>

Implementation

Windows endpoints

<SYSTEM-NAME> restricts macro execution to only those signed by a trusted digital certificate in accordance with ASD’s Microsoft Office Macro Security guidance. This includes blocking Microsoft Office macros originating from the internet and preventing standard users from modifying macro security settings in all Microsoft Office applications.

Microsoft Defender Antivirus and Defender for Endpoint provide antivirus scanning of all Microsoft Office file types, including embedded macros. This leverages the Antimalware Scan Interface (AMSI) to enable inspecting macros at runtime.

Microsoft Office macros are blocked from making Win32 API calls using Attack Surface Reduction (ASR) rules as per ASD’s Hardening Microsoft Windows 10 version 21H1 Workstations and Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 hardening guides.

<SYSTEM-NAME> uses Defender for Endpoint to centrally store Endpoint Detection & Response (EDR) logs for all Windows endpoints, which includes the execution of macro-enabled documents and resulting behaviours (such as attempts to make Win32 API calls).

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Hybrid servers

Office productivity suites are not installed on <SYSTEM-NAME> servers.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Security & Governance

Design

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra