I was trolling through the readme's for the latest batch of patches from Microsoft, and found this tidbit in the doc for MS16-099 (https://support.microsoft.com/en-us/kb/3177451): Administrator can use the Group Policy to block running any macro in the files that are download from the Internet in Office 2013 applications. This feature is same as in Office 2016 applications. See the following articles for more information: A quick check immediately followed, I don't see any new registry keys that allow this control. HKCU\Software\Microsoft\Office\15.0\Word\Security Shows only the previous "Trusted Documents" and "Trusted Locations" branches. No problem though, it's very common for registry keys to not be present until you add them. (a missing key is a default value).
Also, and more importantly, there are no corresponding updates to the Office 2013 ADMX files, so you won't be seeing any new settings in your group policy screen for Office 2013. You can (and should) put these macro limit controls in for Office 2016, but as far as I can see, that's an entirely different branch in both Group Policy and in the Registry. Office 2013 apps won't read Office 2016 settings, and vice versa. So the Office 2013 settings you had 30 days ago are still the only ones that are easy to get to. It's great to see where Microsoft is going with this, but I think we'll all need to wait for the other half of this update before we can use it effectively. So I think the best advice still remains to use one of these two settings for Office 2013: Disable all without notification: If you don't use macro's in your organization, disable them and DON'T give your users the ability to bypass this setting. Office 2016 has these settings, as well as "Block Macros from running in Office files from the Internet". This one is essentially the "easy button" that will shut down lots of the ransomware infections we're seeing these days. I'm waiting with anticipation for this same "easy button" in GPO for Office 2013 to match this update (and Office 2016)! If it doesn't come, I might write one and post it here (I really hope it doesn't come to that though). =============== |
Rob VandenBrink 578 Posts ISC Handler Aug 15th 2016 |
Thread locked Subscribe |
Aug 15th 2016 5 years ago |
Is there an option for Office 2010 and earlier versions?
|
Rahul 1 Posts |
Quote |
Aug 15th 2016 5 years ago |
Security controls become less and less flexible as you go back in versions, with Office 2007 having almost no controls at all in this area.
If you can updated you'll be a lot further ahead - I think in 2010 the end user always has the ability to "OK" any error message and bypass it. I'd consider Office 2013 to be a decent starting point, 2016 if you can swing it. Anything older than that and you start to look like the "straggler in the herd" to the attacking community. |
Rob VandenBrink 578 Posts ISC Handler |
Quote |
Aug 15th 2016 5 years ago |
And on the flip-side, you end up married to that "Ribbon" garbage, which should be considered malware in-and-of itself.
I sincerely doubt there's any [other] malware that has caused more expense to business than that. |
Lynn 2 Posts |
Quote |
Aug 15th 2016 5 years ago |
> Is there an option for Office 2010 and earlier versions?
Mainstream support for Office 2007 ended on 2012-Oct-09. https://support.microsoft.com/en-ca/lifecycle?p1=11346 Extended support for Office 2007 will end on 2017-10-10. Office 2007 (Version 12) is no longer part of mainstream support and hasn't been tested on Windows 10. However, Office 2007 will install and run on Windows 10. Versions of Office prior to Office 2007 are no longer supported and may not work on Windows 10. https://support.office.com/en-us/article/Which-versions-of-Office-work-with-Windows-10-0fc85c97-da69-466e-b2b4-54f7d7275705 So, your best option is to plan for an upgrade to your Office suite. |
Anonymous |
Quote |
Aug 16th 2016 5 years ago |
very anxious to see an update to this post when we have some ADMX files :) :) :).
I wont be on 2016 for another 6-10 months .. |
TuggDougins 37 Posts |
Quote |
Aug 16th 2016 5 years ago |
There is already ADMX for this feature on Office 2013
https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/ |
TuggDougins 3 Posts |
Quote |
Oct 30th 2016 5 years ago |
I mean this one :
https://blogs.technet.microsoft.com/mmpc/2016/10/26/office-2013-can-now-block-macros-to-help-prevent-infection/ |
TuggDougins 3 Posts |
Quote |
Oct 30th 2016 5 years ago |
ADMX is here :
https://blogs.technet.microsoft.com/mmpc/2016/10/26/office-2013-can-now-block-macros-to-help-prevent-infection/ |
TuggDougins 3 Posts |
Quote |
Oct 30th 2016 5 years ago |
Quoting Anonymous:Versions of Office prior to Office 2007 are no longer supported and may not work on Windows 10.... meaning, MS will find a way to make it not work on Windows 10, so you have to buy an upgrade... |
Visi 41 Posts |
Quote |
Oct 31st 2016 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!