How is a macro activated in C.

Oliver Klarmann

Allegedly you can switch off the execution of the dangerous Emotet macros company-wide with group policies. But this protection has huge holes that only very few people know about.

One of the central protective measures against Emotet is to prevent Microsoft Office from executing macros. Many Office users do not need this function in their daily work; turning it off prevents them from falling for one of the lousy Emotet tricks and accidentally infecting their system. This can easily be done company-wide or department-wide with group policies; at least that is the general level of knowledge on this topic. The fact is, however, that this protection is by no means as reliable as is generally assumed, because Microsoft has knowingly crippled administration via group policies in some editions.

Imagine the following: as a responsible company administrator, you roll out group policies that prevent macros from being executed. You also check this on several systems and see in the Office settings, as expected, that the macro setting is pinned to "Disable all macros without notification". The options are grayed out; the user cannot change them. Nevertheless, a short time later an Emotet infection occurs: a user has received an alleged reply email from a business partner and has opened the attached document. When he clicked on "Enable Editing", the disaster took its course.

You will of course be flabbergasted, because this option for activating macros should not have appeared at all. The solution to the riddle: your company uses mixed versions of Office. Most machines still run "Office Professional Plus", and you have successfully tested such installations. However, some users have already moved to the recently purchased "Office 365 Business Premium", and that edition ignores the group policies. Not with a message like "Warning, any protective measures taken may no longer work", but quietly and secretly, without any warning. It was precisely this situation that the administrators at Heise stumbled upon by chance, luckily without an Emotet infection.

Group policy ignored

Research has shown that Microsoft has switched off support for group policies in the following Office editions for corporate use:

  • Office 365 Business
  • Office 365 Business Essentials
  • Office 365 Business Premium
  • Office 365 Enterprise E1
  • Office 365 Enterprise F1
  • Microsoft 365 Business

This is by no means due to a fundamental problem with the 365 versions: in addition to the classic Office Professional Plus, the "large" and therefore more expensive Enterprise versions can also be administered using group policies. Specifically, group policies currently work with:

  • Office Professional Plus 2013
  • Office Professional Plus 2016
  • Office Professional Plus 2019
  • Office 365 ProPlus
  • Office 365 Enterprise E3
  • Office 365 Enterprise E5

This divergent behavior was introduced with Office 2013; the various editions of older versions still evaluate the group policies. The behavior can easily be reproduced in a test environment.

The first screenshot shows the Trust Center of Word in an installation of Office Professional Plus 2016. Since a group policy prohibits the execution of macros, the option "Disable all macros without notification" is set and the user cannot change it. The computer is protected. The second screenshot shows a PC with the same Windows version that is located in the same domain, so the group policy should apply to it as well. However, Office 365 Business Premium is installed here.

The result: The corresponding configuration options are neither set nor grayed out. Users can therefore change the setting at will and thus grant malicious software uncontrolled access.

This is by no means a bug, let alone an unintentional security hole for which a patch can be expected. Microsoft is well aware of this behavior; it is documented in various places. For example, the download page for the Office policy templates lists under System Requirements only the versions with active support for group policies. And a service description for the Office applications, quite far down, explicitly denies "support for group policy" for the editions listed above.

So anyone who studies the small print down to the last detail before purchasing should have known. But hand on heart: who really does that? In any case, a brief, informal survey by heise Security among admins and Windows experts produced a mixture of amazement and horror. That only the expensive enterprise editions actually implement the desired protection against threats such as Emotet was interpreted by many as blackmail.

Hardly any administrator, unless he examines the functional differences in detail, expects potentially risky behavior at this point. Microsoft apparently wants to boost sales of the more expensive, larger editions with these edition differences. In times of ransomware, however, Microsoft is depriving unsuspecting users of the cheaper editions of an essential means of securing their IT environment. Only those who pay more benefit from the simple, template-based method of switching off the high-risk macros.

Remedy with restrictions

If you have one of the affected Office 365 editions, you might be wondering whether there isn't a remedy. Workarounds are indeed being discussed in forums. Ultimately, they boil down to deactivating the execution of macros via registry entries, which can in turn be distributed via group policies. This is not entirely trivial, and it has an important catch.

The decisive registry value is called vbawarnings; a group policy preference that sets it looks like this, for example:

  Action: Update
  Hive: HKEY_CURRENT_USER
  Key path: Software\Microsoft\office\16.0\word\security
  Value name: vbawarnings
  Value type: REG_DWORD
  Value data: 4
  Base: Decimal

You have to set the value for each individual application (Word, Excel, ...) and take the Office version into account in the key path: Office 2010 uses version number 14.0 internally, Office 2013 runs under 15.0, and Office 2016, 2019 and 365 all use 16.0. Furthermore, the key path must be the one shown above under Software\Microsoft\Office, not the policy path (under a "Policies" branch) that some examples on the Internet use, because it is precisely those policy entries that the affected editions do not evaluate.

The catch

These registry entries set the macro setting to "Disable all macros without notification". This means that all MS Office versions, including Office 365, ignore macros contained in a document. However, it is only a user configuration, so the logged-on user can change this setting via the menu, for example to "Enable all macros". If a .doc file with macros is opened immediately afterwards, any malicious code it contains executes immediately and without further prompting.

With the "Update" action, however, Windows resets this setting to the safe value at the next group policy refresh, which by default happens every 90 minutes. If that seems too long, you can reduce the refresh interval for group policies to 15 minutes, for example. Especially if you have a large number of group policies in use, you should not set this value too low, because this interval applies to the processing of all group policies.
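The following PowerShell script audits the workaround just described and can enforce it the way a logon script or group policy preference would. It is an added example and not part of the article; it assumes the internal version numbers 14.0/15.0/16.0 from the article, the per-application key HKCU\Software\Microsoft\Office\<version>\<app>\Security as in the table above, the parallel policy key under HKCU\Software\Policies\Microsoft\Office\... that the affected editions ignore, and Microsoft's documented meanings of the VBAWarnings values 1 to 4.

```powershell
# Added example (not from the article): audit and enforce VBAWarnings in the user hive.
$Versions = '14.0', '15.0', '16.0'          # Office 2010, 2013, 2016/2019/365
$Apps     = 'Word', 'Excel', 'PowerPoint'   # extend as needed
$Meaning  = @{ 1 = 'Enable all macros'; 2 = 'Disable all macros with notification'
               3 = 'Disable all except digitally signed'; 4 = 'Disable all macros without notification' }

function Get-VbaWarnings([string]$Path) {
    # Returns the DWORD, or $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Path -Name VBAWarnings -ErrorAction Stop).VBAWarnings }
    catch { $null }
}

function Get-OfficeMacroState {
    foreach ($v in $Versions) { foreach ($a in $Apps) {
        $user   = Get-VbaWarnings "HKCU:\Software\Microsoft\Office\$v\$a\Security"
        # Assumption: the policy key lives under the parallel "Policies" branch.
        $policy = Get-VbaWarnings "HKCU:\Software\Policies\Microsoft\Office\$v\$a\Security"
        # Editions without group policy support honour only the user-hive value, so
        # "policy = 4 but user value unset" is exactly the gap the article describes.
        $assessment = if ($user -eq 4) { 'protected' }
                      elseif ($policy -eq 4) { 'policy only: unprotected on editions that ignore GPOs' }
                      else { 'unprotected' }
        [pscustomobject]@{ Version = $v; App = $a; UserValue = $user; PolicyValue = $policy
                           UserMeaning = $Meaning[[int]$user]; Assessment = $assessment }
    } }
}

function Set-OfficeMacroState {
    # Writes VBAWarnings = 4 into the user hive; must run in the user's own context.
    # Remember the catch: the user can change it back until the next policy refresh.
    foreach ($v in $Versions) { foreach ($a in $Apps) {
        $key = "HKCU:\Software\Microsoft\Office\$v\$a\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value 4 -Force | Out-Null
    } }
}

Get-OfficeMacroState | Format-Table -AutoSize
```

Run Get-OfficeMacroState on a sample machine of each Office edition before and after a policy refresh: the "policy only" rows are the ones the affected editions leave exposed.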

So there remains a certain risk. heise Security is aware of a case in which a user was so convinced of an Emotet mail that he allowed the execution of macros by hand in order to comply with the urgent request of the alleged business partner to update his data. So this danger is actually real.

Conclusion and assessment

Of course, Microsoft is free to define the range of functions of its products as it wishes. The fact that one of the most important functions for corporate use is missing in editions that are explicitly aimed at companies is at least curious. At least since the advent of Emotet and Co, which primarily spread via macros in Office files, it is no longer understandable that Microsoft is mutilating one of the simplest and most effective protective functions.

For administrators who are interested, the following section provides practical information on how to use group policies and explains specifically how to switch off macros in the company network with them, provided the Office version still supports this.

Deactivate macros via GPO

In Microsoft Office it has been possible for many years to completely prevent the execution of macros in your own company by means of policies. If they use the appropriate Office editions, IT departments can prevent users from carelessly executing potentially harmful content. In the age of Emotet and Co., it is precisely this blocking of macros that is one of the central measures for protecting company networks.

If you use Office versions that do not ignore group policies, as just described, this protective function can be activated on all connected Windows PCs within a few minutes in a Microsoft Active Directory-based network. Microsoft itself provides the required policy templates for download. These must be unpacked and preferably stored in the Central Store of the AD Sysvol share (see "GPO templates folder" below). The current template files cover Office 2016, Office 2019 and Office 365, but templates are also still available for older versions. These templates can then be configured and activated using the Group Policy Management Editor.

There are several places where the execution of macros in Microsoft Office documents can be switched off centrally. In principle, the execution of Visual Basic for Applications (VBA) can be switched off centrally for all Office applications in the computer configuration; there the setting "Disable VBA for Office applications" must be enabled. Please note that there is a separate branch for each Office version (i.e. 2010, 2013, 2016).

The explicit execution of VBA macros, and the behavior of the Office applications when a file to be opened contains a VBA macro, is on the other hand controlled or deactivated individually for each Office application with a user configuration policy; for Word 2016, for example, this is found in the Word 2016 branch of the user configuration. Enable the setting "Block macros from running in Office files from the Internet", set "VBA Macro Notification Settings" in its drop-down to "Disable all macros without notification" and enable it as well. The same applies to the other Microsoft Office applications.

After all policies have been configured and assigned to the desired organizational units (OUs), the policies take effect. It can only take up to 90 minutes until these settings are actually activated on the computers. This period is the standard interval at which Windows computers search for new or changed policies and process them.

However, because the control takes place via the organizational units, exceptions can also be defined. For example, if you need active macros for Excel calculations in the finance department but not in the rest of the company, you group the finance department's computer objects in a separate OU to which either the central policy or at least the policy for Excel is not applied.
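The same policy configuration, including the finance exception, built with the GroupPolicy PowerShell module instead of clicking through the editor. This is an added example and not from the article; it assumes the RSAT GroupPolicy module, Office 2016/2019/365 (version 16.0), the registry values behind the two ADMX settings named above, and placeholder GPO and OU names that you replace with your own.

```powershell
# Added example (not from the article): Set-GPRegistryValue writes the same
# registry.pol entries that the ADMX settings in the editor produce.
Import-Module GroupPolicy
$GpoName  = 'Office - Block VBA macros'            # placeholder GPO name
$TargetOu = 'OU=Staff,DC=example,DC=com'           # placeholder OU with the user accounts
$ExceptOu = 'OU=Finance,DC=example,DC=com'         # placeholder sibling OU that keeps Excel macros
$Apps     = 'Word', 'Excel', 'PowerPoint'

function New-MacroBlockGpo([string]$Name, [string[]]$Applications) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Disable all macros without notification' }
    foreach ($app in $Applications) {
        $key = "HKCU\Software\Policies\Microsoft\Office\16.0\$app\Security"
        # "VBA Macro Notification Settings" -> Disable all macros without notification
        Set-GPRegistryValue -Name $Name -Key $key -ValueName 'VBAWarnings' -Type DWord -Value 4 | Out-Null
        # "Block macros from running in Office files from the Internet"
        Set-GPRegistryValue -Name $Name -Key $key -ValueName 'BlockContentExecutionFromInternet' -Type DWord -Value 1 | Out-Null
    }
    return $gpo
}

# Company-wide policy for Word, Excel and PowerPoint. These are User Configuration
# settings, so link them to the OU that holds the user accounts (or use loopback
# processing if you organise by computer objects).
New-MacroBlockGpo -Name $GpoName -Applications $Apps | Out-Null
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# The exception: a separate OU gets a GPO that leaves Excel alone.
New-MacroBlockGpo -Name "$GpoName (no Excel)" -Applications @('Word', 'PowerPoint') | Out-Null
New-GPLink -Name "$GpoName (no Excel)" -Target $ExceptOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Verify what landed in the GPO before the 90-minute refresh pushes it out.
Get-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security'
```

Remember that, as the article explains, these policy entries are silently ignored by the Office 365 Business, Business Essentials, Business Premium, E1, F1 and Microsoft 365 Business editions.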

GPO templates folder

The most sensible storage location for group policy templates is the "Central Store". To use the Central Store, a "PolicyDefinitions" folder must be created below the policies folder of the Sysvol share, and the template files (.admx) are copied into it. The Group Policy Management tool always evaluates this folder (its location is hard-coded) and uses the templates found there in addition to the local templates in the local policy folder.

This means that the templates are available on every computer on which the Group Policy Management Editor is run. If you do not want to use the Central Store, copy the templates into the local policy folder of the Windows installation (the local PolicyDefinitions folder). The supplied language files (.adml) belong in the sub-folders de-DE, en-US and so on, depending on the respective language.

When using a local policy folder, it should be noted that GPOs that have been configured on such a computer are applied across domains, but cannot be completely configured from other workstations because the necessary templates are missing there.

However, saving them in the local template folder enables the templates to be used with the local policy editor (gpedit.msc) on local systems that are not members of a Windows Active Directory, for example. This can be important for a family administrator to keep the rest of the family from careless "clicks" (and yourself too).

Such group policies are an indispensable tool for the administration of Windows computers. Why Microsoft amputated their support in the "small" Office 365 versions, especially popular with medium-sized companies, is simply incomprehensible.
