Bret Staton

Cybersecurity Expert

Incident Responder

Penetration Tester

Linux & Windows Systems Engineer

Freelance Writer


Windows Client Hardening

March 13, 2021 Blue Team

Disable Office Macros

Malicious Office macros are currently one of the more popular attacks on end users. The malicious documents can come from several different sources, email being the most prevalent. To better protect our systems, we can forcibly prevent Office programs from running macros. This ensures that even if we open a malicious Office document, it cannot run the embedded code that infects the system.

To block macros from running, we need to add registry settings that restrict Office from running embedded macros. Below are the registry settings that disable Office document macros. The blockcontentexecutionfrominternet value corresponds to the Office policy that blocks macros in files that come from the Internet. Different registry keys need to be changed depending on the Office version you are using. Confirm the version by running the following command.

 wmic product where "Name like '%Office%'" get name,version 

Now that we have the version, we can run the matching commands. Open an administrative command prompt and run the commands for the versions and products you want to disable macros for. Because the keys are under HKEY_CURRENT_USER, they apply to the account that runs the command.

rem Office 2016
rem Disable macros in Word 2016/2019/365
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\word\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
rem Disable macros in Excel 2016/2019/365
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\excel\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
rem Disable macros in PowerPoint 2016/2019/365
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\powerpoint\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1

rem Office 2013
rem Disable macros in Word 2013
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\15.0\word\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
rem Disable macros in Excel 2013
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\15.0\excel\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1
rem Disable macros in PowerPoint 2013
reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\15.0\powerpoint\security /v blockcontentexecutionfrominternet /t REG_DWORD /d 1

rem Office 2010
rem Disable macros in Office 2010 (the key shown is for Project; VBAWarnings is set per application)
rem VBAWarnings 2 = disable all macros with notification
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\msproject\security /v VBAWarnings /t REG_DWORD /d 2

Before the new settings take effect, you will need to reboot the system. If you change your mind and want to revert, open "regedit" and delete the values we added.
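To confirm the settings are in place for the logged-on user, the following PowerShell check reads back each value set by the commands above. It is an added example, not part of the original post; the function name Get-OfficeMacroPolicy is hypothetical, and the versions, applications and expected data are the ones used in the commands above.

```powershell
# Added example: audit the macro policy values from this post for the current user.
# Get-OfficeMacroPolicy is a hypothetical name; the paths and values mirror the reg add commands.
function Get-OfficeMacroPolicy {
    [CmdletBinding()]
    param(
        [string]$Root = 'HKCU:\SOFTWARE\Policies\Microsoft\Office'
    )

    # Expected settings: Office 2016 (16.0) and 2013 (15.0) per application, plus the 2010 key.
    $expected = @(
        foreach ($ver in '16.0', '15.0') {
            foreach ($app in 'word', 'excel', 'powerpoint') {
                [pscustomobject]@{ Version = $ver; App = $app; Name = 'blockcontentexecutionfrominternet'; Want = 1 }
            }
        }
        [pscustomobject]@{ Version = '14.0'; App = 'msproject'; Name = 'VBAWarnings'; Want = 2 }
    )

    foreach ($e in $expected) {
        $path = "$Root\$($e.Version)\$($e.App)\security"

        # A missing key or value returns nothing here; report it as Missing instead of failing.
        $item = Get-ItemProperty -Path $path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }

        if ($null -eq $actual) { $status = 'Missing' }
        elseif ($actual -eq $e.Want) { $status = 'OK' }
        else { $status = 'Mismatch' }

        [pscustomobject]@{
            Version  = $e.Version
            App      = $e.App
            Value    = $e.Name
            Expected = $e.Want
            Actual   = $actual
            Status   = $status
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it as the user whose profile should be protected; rows for Office versions you did not configure will show as Missing.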

