Windows Client Hardening
Disable Office Macros
Malicious Office macros are currently one of the more popular attacks against end users. Malicious documents can arrive from several different sources, email being the most prevalent. To better protect our systems, we can force Office programs to stop running macros. This ensures that even if we open a malicious Office document, it will not be able to run the embedded code that infects the system.
To block macros from running, we need to add registry settings that restrict Office from running embedded macros. Below are the registry keys to disable Office document macros. Different registry keys need to be changed depending on the version you are using. Confirm the Office version you are using by running the following command:
wmic product where "Name like '%Office%'" get name,version
Now that we have the version we can move forward with running the correct commands. Open an administrative command prompt and run the command for the versions and products you want to disable macros for.
# Office 2016
# Disable macros in Word 2016/2019/365
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\word\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
# Disable macros in Excel 2016/2019/365
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\excel\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
# Disable macros in PowerPoint 2016/2019/365
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
# Office 2013
# Disable macros in Word 2013
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\15.0\word\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
# Disable macros in Excel 2013
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\15.0\excel\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
# Disable macros in PowerPoint 2013
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\15.0\powerpoint\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
# Office 2010
# Disable macros in all Office 2010 programs
# (note: the path below targets the msproject key; VBAWarnings is set per application)
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\msproject\security /v VBAWarnings /t REG_DWORD /d 2
You will need to reboot the system before the new settings take effect. If you change your mind and want to revert, you can open “regedit” and simply delete the keys we added.
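To confirm that the values above were actually written, the following read-only PowerShell check reads each policy path used in the commands and reports whether the value is present and set as expected. It is an added example, not part of the original page, and the function name Get-OfficeMacroPolicy is hypothetical. It inspects HKEY_CURRENT_USER, so run it as the user whose settings you want to verify.

```powershell
# Added example: audit the macro-blocking registry values set by the commands on this page.
# Read-only. Reports the per-user (HKCU) state for the account that runs it.
# blockcontentexecutionfrominternet is the Office policy
# "Block macros from running in Office files from the Internet".
function Get-OfficeMacroPolicy {   # hypothetical helper name
    $base = 'HKCU:\SOFTWARE\Policies\Microsoft\Office'

    # Version / application / value / expected data, taken from the reg add commands above
    $checks = foreach ($ver in '16.0', '15.0') {
        foreach ($app in 'word', 'excel', 'powerpoint') {
            [pscustomobject]@{
                Version = $ver; App = $app
                Name = 'blockcontentexecutionfrominternet'; Expected = 1
            }
        }
    }
    $checks = @($checks) + [pscustomobject]@{
        Version = '14.0'; App = 'msproject'
        Name = 'VBAWarnings'; Expected = 2
    }

    foreach ($c in $checks) {
        $path  = Join-Path $base "$($c.Version)\$($c.App)\security"
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

        # A missing key or a missing value both end up as $null here
        $prop   = if ($props) { $props.PSObject.Properties[$c.Name] }
        $actual = if ($prop) { $prop.Value } else { $null }

        # 'Missing' is expected for Office versions that are not installed
        $state = 'Mismatch'
        if ($null -eq $actual) { $state = 'Missing' }
        elseif ($actual -eq $c.Expected) { $state = 'OK' }

        [pscustomobject]@{
            Version = $c.Version; App = $c.App; Value = $c.Name
            Expected = $c.Expected; Actual = $actual; State = $state
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

A row in state Mismatch means the value exists with different data than the commands above set, which is worth investigating on a system that was previously hardened.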