Detections
Analytics

2.5.14.3.28 (L1) Ensure 'Security setting for macros' is set to 'Enabled: Warn for signed, disable unsigned'

Information

This policy setting controls the security level for macros in Outlook. Macros are a single instruction that expands automatically into a set of instructions to perform a particular task.

Available Policy Options:

Always warn = This option corresponds to the 'Warnings for all macros' option in the 'Macro Security' section of the Outlook Trust Center. Outlook disables all macros that are not opened from a trusted location, even if the macros are signed by a trusted publisher. For each disabled macro, Outlook displays a security alert dialog box with information about the macro and its digital signature (if present), and allows users to enable the macro or leave it disabled.

Never warn, disable all = This option corresponds to the 'No warnings and disable all macros' option in the Trust Center. Outlook disables all macros that are not opened from trusted locations, and does not notify users.

Warning for signed, disable unsigned = This option corresponds to the 'Warnings for signed macros; all unsigned macros are disabled' option in the Trust Center. Outlook handles macros as follows:

 - If a macro is digitally signed by a trusted publisher, the macro can run if the user has already trusted thepublisher.
 - If a macro has a valid signature from a publisher that the user has not trusted, the security alert dialog boxfor the macro lets the user choose whether to enable the macro for the current session, disable the macro forthe current session, or to add the publisher to the Trusted Publishers list so that it will run withoutprompting the user in the future.
 - If a macro does not have a valid signature, Outlook disables it without prompting the user, unless it isopened from a trusted location.

No security check = This option corresponds to the 'No security check for macros (Not recommended)' option in the Trust Center. Outlook runs all macros without prompting users. This configuration makes users' computers vulnerable to potentially malicious code and is not recommended.

The recommended state for this setting is: Enabled: Warn for signed, disable unsigned

To protect users from dangerous code, the disabling of macros that are not trusted, including unsigned macros, macros with expired or invalid signatures, and macros with valid signatures from publishers who are not on users' Trusted Publishers lists is recommended to help against would allow dangerous code to run.

Solution

To establish the recommended state via configuration profiles, set the following Settings Catalog path to Enabled: Warn for signed, disable unsigned :

Microsoft Outlook 2016\Security\Security Form Settings\Outlook Security Mode > Security setting for macros

Important: For this setting to apply, the

Outlook Security Mode

setting must be enabled in

Microsoft Outlook 2016\Security\Security Form Settings

with Use Outlook Security Group Policy selected, as set in this benchmark.

Impact:

None - this is enforcing the default behavior. Unsigned macros will be disabled.

See Also

https://workbench.cisecurity.org/benchmarks/15808

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1)

Plugin: Windows

Control ID: 7760ddcdb897ac479ed37c58ad6007f894afb6370264dc2df2dc19fc6d016cd2