Block Office macros with Group Policy
A very common way users get infected with ransomware is through Word macros. Microsoft disabled them by default, but they let users easily turn them back on, and users will always do it.
Luckily, most users do not use macros. You can safely turn them off after testing.
Below is how to turn macros off in Office 2007 through Office 2016. This includes the Office365 Click-to-Run versions. You can also do this through Administrative Templates, but using the registry gives you flexibility in how you target users.
Macro security: Office 2007
This disables macros in Word and Publisher. You can add Excel, but Word is the primary target.
- HKCU\Software\Policies\Microsoft\Office\12.0\Publisher\Security\vbawarnings = 4
- HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security\vbawarnings = 4
Macro security: Office 2010
This disables macros in Word and Publisher. You can add Excel, but Word is the primary target.
- HKCU\Software\Policies\Microsoft\Office\14.0\Publisher\Security\vbawarnings = 4
- HKCU\Software\Policies\Microsoft\Office\14.0\Word\Security\vbawarnings = 4
Macro security: Office 2013
This disables Protected View for emails sent within the same Exchange server, blocks macros on Word, blocks macros on Publisher, and blocks Excel and PowerShell and Word files marked as from the web from executing macros.
- HKCU\Software\Policies\Microsoft\Office\15.0\Outlook\Security\markinternalasunsafe = 0
- Disables Protected View for emails sent within the same Exchange server. This can make users more receptive to leaving Protected View on.
- HKCU\Software\Policies\Microsoft\Office\15.0\Excel\Security\blockcontentexecutionfrominternet = 1
- Blocks Excel files marked as from the web from executing macros.
- HKCU\Software\Policies\Microsoft\Office\15.0\PowerPoint\Security\blockcontentexecutionfrominternet = 1
- Blocks PowerPoint files marked as from the web from executing macros.
- HKCU\Software\Policies\Microsoft\Office\15.0\Publisher\Security\vbawarnings = 4
- Block Publisher from executing macros.
- HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security\blockcontentexecutionfrominternet = 1
- Blocks Word files marked as from the web from executing macros.
- HKCU\Software\Policies\Microsoft\Office\15.0\Word\Security\vbawarnings = 4
- Block Word from executing macros.
Macro security: Office 2016
This disables Protected View for emails sent within the same Exchange server, blocks macros on Word, blocks macros on Publisher, and blocks Excel and PowerShell and Word files marked as from the web from executing macros.
- HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security\markinternalasunsafe = 0
- Disables Protected View for emails sent within the same Exchange server. This can make users more receptive to leaving Protected View on.
- HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\blockcontentexecutionfrominternet = 1
- Blocks Excel files marked as from the web from executing macros.
- HKCU\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security\blockcontentexecutionfrominternet = 1
- Blocks PowerPoint files marked as from the web from executing macros.
- HKCU\Software\Policies\Microsoft\Office\16.0\Publisher\Security\vbawarnings = 4
- Block Publisher from executing macros.
- HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\blockcontentexecutionfrominternet = 1
- Blocks Word files marked as from the web from executing macros.
- HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\vbawarnings = 4
- Block Word from executing macros.