Microsoft changes the default settings for various reasons, but some recent key changes will protect us from attacks, especially ransomware. This includes blocking macros by default, limiting native tools used by attackers, and enabling Credential Guard by default.
Office 365 macro blocking
The first major change to an Office 365 default is blocking macros from the Internet by default. Launching malicious macros is a common way for attackers to gain access to computer systems and launch follow-on attacks. Specifically, Visual Basic for Applications (VBA) macros in files obtained from the Internet will be blocked by default. Making this the default means you will be better protected. If you have downloaded macro-based templates from websites, mark those files as safe by removing the Mark of the Web from them so that they continue to work.
This change only affects Office on devices running Windows, and only the Access, Excel, PowerPoint, Visio, and Word applications. The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in other update channels, such as Current Channel, Monthly Business and Semi-Annual Business Channel. At a date to be determined, Microsoft plans to make this change in Office LTSC, Office 2021, Office 2019, Office 2016, and Office 2013.
You should also evaluate whether to take further steps to control other macro settings, using Intune with Azure Active Directory or Group Policy with Active Directory. With Group Policy settings, administrators have been able to block macros by default since Office 2016. First, download the appropriate Group Policy Administrative Template. Then decide how much control you want over Office files. You can control the following:
- Change security warning settings for Visual Basic for Applications (VBA) macros. This includes disabling VBA macros, enabling all VBA macros, and changing how users are notified of VBA macros.
- Block VBA macros from running in Word, Excel, PowerPoint, Access and Visio files from the Internet.
- Disable VBA.
- Change the behavior of VBA macros in applications started programmatically through Automation.
- Change how antivirus software scans encrypted VBA macros.
You can even completely disable Visual Basic for Applications across your network with the “Disable VBA for Office applications” Group Policy setting.
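The settings listed above are delivered as registry values under the Office policy hive, so an administrator can verify what actually landed on a workstation without opening each application. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the policy values for each Office application and inspects the Mark of the Web on a downloaded template. It assumes the Office 16.0 registry layout (Office 2016 and later, including Microsoft 365 Apps), the value names used by the Office Administrative Templates, and a placeholder template path.

```powershell
# Added example (not from the article): audit the Office macro policy values that
# the Group Policy settings above write, and inspect the Mark of the Web on a
# downloaded template. Assumes the Office 16.0 registry layout (Office 2016 and
# later / Microsoft 365 Apps); $TemplatePath is a placeholder.

$OfficeVersion = '16.0'
$OfficeApps    = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'

# Meaning of the VBAWarnings value written by "VBA Macro Notification Settings".
$VbaWarningsMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification (application default)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-OfficeMacroPolicy {
    param([string]$Version = $OfficeVersion)

    $policyRoot = "HKCU:\Software\Policies\Microsoft\Office\$Version"
    # "Disable VBA for Office applications" writes VBAOff=1 under Common.
    $vbaOff = (Get-ItemProperty -Path "$policyRoot\Common" -Name 'VBAOff' -ErrorAction SilentlyContinue).VBAOff

    foreach ($app in $OfficeApps) {
        # A missing key simply means the setting is not configured by policy.
        $sec = Get-ItemProperty -Path "$policyRoot\$app\Security" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            VBADisabledEntirely = ($vbaOff -eq 1)
            # "Block macros from running in Office files from the Internet"
            BlockInternetMacros = ($sec.blockcontentexecutionfrominternet -eq 1)
            VBAWarnings         = $sec.VBAWarnings
            VBAWarningsMeaning  = if ($null -ne $sec.VBAWarnings) { $VbaWarningsMeaning[[int]$sec.VBAWarnings] }
                                  else { 'Not configured by policy' }
        }
    }
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # The Mark of the Web is stored in the Zone.Identifier alternate data stream (NTFS only).
    $zone = Get-Content -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $zone) { return $null }                       # no mark: treated as a local file
    $zoneId = ($zone | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', ''
    if (-not $zoneId) { return $null }
    # 3 = Internet, 4 = Restricted sites: files from these zones have their macros blocked.
    [pscustomobject]@{ Path = $Path; ZoneId = [int]$zoneId; MacrosBlocked = ([int]$zoneId -ge 3) }
}

# Usage: review the policy first, then clear the mark only on a template you
# have vetted; Unblock-File is what "remove the Mark of the Web" means in practice.
Get-OfficeMacroPolicy | Format-Table -AutoSize
$TemplatePath = 'C:\Templates\quarterly-report.dotm'      # placeholder path
if (Test-Path $TemplatePath) {
    Get-MarkOfTheWeb -Path $TemplatePath
    Unblock-File -Path $TemplatePath                       # deletes the Zone.Identifier stream
}
```

Because the policy values live under HKCU, run the audit in the context of the user whose session you are checking; a machine-wide query of HKLM will not show them.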
Make it harder for attackers to live off the land
Microsoft is also starting to disable some of the “living off the land” (LOL) attack techniques. Living off the land (LOL), or living-off-the-land binaries and scripts (LOLBAS), means using files and tools built into the operating system. If attackers do not bring any new code into your system when they launch their attack, it is much more difficult to identify and detect the attack. More and more attacks are switching to LOL methods.
Microsoft is starting to disable some of these tools and to define what code is allowed to run on a system. It has deprecated, and is slowly moving away from, the Windows Management Instrumentation Command-line (WMIC) tool. Although WMI itself is unaffected, Microsoft recommends Windows PowerShell for WMI going forward. While this in no way stops attacks, it is another step toward making it a little more difficult for attackers to use techniques and tools built into the operating system.
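The practical consequence of the WMIC deprecation is that administrators' own scripts have to move to the CIM cmdlets before the binary disappears, which also removes one reason to keep the legacy tool installed. The following PowerShell is an added example, not from the article or from Microsoft: it shows the CIM equivalents of common WMIC invocations and checks whether the WMIC Feature on Demand is still present on a Windows 11 machine. The capability name `WMIC~~~~` is taken from Microsoft's Features on Demand documentation; the check needs an elevated session.

```powershell
# Added example (not from the article): replace WMIC one-liners with the CIM
# cmdlets and report whether the legacy WMIC binary is still installed.
# Assumes Windows 10/11 with the CIM cmdlets available (PowerShell 3.0+).

# Same WMI classes, modern cmdlet:
#   wmic process list brief                       -> Get-CimInstance Win32_Process
#   wmic os get Caption,Version                   -> Get-CimInstance Win32_OperatingSystem
#   wmic service where "State='Running'" get Name -> Get-CimInstance Win32_Service -Filter "State='Running'"

function Get-RunningServiceInventory {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # -Filter is evaluated by the WMI provider, just like the WMIC "where" clause.
    Get-CimInstance -ClassName Win32_Service -Filter "State='Running'" -ComputerName $ComputerName |
        Select-Object PSComputerName, Name, StartMode, StartName, PathName
}

function Get-WmicPresence {
    # On Windows 11 WMIC is a Feature on Demand; 'Installed' means the legacy
    # tool is still available to anyone on the box. Requires elevation.
    $cap = Get-WindowsCapability -Online -Name 'WMIC~~~~' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CapabilityState = if ($cap) { $cap.State } else { 'NotAvailable' }
        BinaryPresent   = Test-Path (Join-Path $env:SystemRoot 'System32\wbem\WMIC.exe')
    }
}

# Usage: inventory services the way a WMIC script would have, then confirm
# whether WMIC itself is still on the machine.
Get-RunningServiceInventory | Format-Table -AutoSize
Get-WmicPresence
```

Once every script in the estate has been moved to `Get-CimInstance`, the capability can be removed with `Remove-WindowsCapability -Online -Name 'WMIC~~~~'`; the WMI repository and providers that the CIM cmdlets use are unaffected, which is the point the article makes.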
Enable Credential Guard by default
Microsoft is starting to test the waters by enabling tools like Credential Guard on eligible Windows systems. In Insider Preview build 22526, Credential Guard is enabled by default for Windows Enterprise and E5 licensees. Credential Guard uses virtualization-based security to isolate secrets and other important data so that they are protected. It protects you when unconstrained delegation is used for nefarious tasks such as stealing your Kerberos ticket-granting tickets. Since Credential Guard is limited by default to machines licensed for Windows Enterprise E5, it will not have the same widespread impact as the Office macro limitation.
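For machines that the new default does not reach, the same protection can be switched on by policy, and either way the state should be verified rather than assumed. The following PowerShell is an added example, not from the article or from Microsoft: it reads the Win32_DeviceGuard class to report whether virtualization-based security and Credential Guard are configured and running, and sets the documented registry values that enable them. The property encodings and registry paths follow Microsoft's Credential Guard documentation; a restart is required after enabling, and the commands need an elevated session.

```powershell
# Added example (not from the article): report Credential Guard state and enable
# it by registry on a machine not yet covered by the new default. Property values
# and paths follow Microsoft's Credential Guard documentation; run elevated.

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        # LsaIso.exe is the isolated LSA process that holds the secrets when Credential Guard runs.
        LsaIsoProcessPresent      = [bool](Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue)
    }
}

function Enable-CredentialGuardByRegistry {
    param([switch]$UefiLock)   # with the UEFI lock, Credential Guard cannot be turned off remotely
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
    # Turn on virtualization-based security (the platform Credential Guard runs on).
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    # LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $(if ($UefiLock) { 1 } else { 2 }) -Type DWord
    'Restart required; confirm with Get-CredentialGuardStatus afterwards.'
}

# Usage: check first, enable only where it is not already running.
$status = Get-CredentialGuardStatus
$status
if (-not $status.CredentialGuardRunning) {
    Enable-CredentialGuardByRegistry
}
```

A reported `CredentialGuardConfigured` of true with `CredentialGuardRunning` false after the restart usually means a hardware prerequisite (UEFI, Secure Boot, virtualization extensions) is missing, which is exactly the kind of eligibility gap the article refers to.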
Limits to changing Microsoft default settings
The attacks that abuse these computer system settings have often been known for years. We could shut down the ways attackers gain more access by testing and implementing these settings ourselves, but too often legacy software requires certain settings in order to work. The Kerberoasting attack, for example, can be completely defeated if all your software supports more modern settings. Legacy software does not support these settings because it does not support pre-authentication or other modern authentication processes.
Kerberoasting has been known since it was discovered by Tim Medin in 2014. It allows an attacker with normal user privileges in a Microsoft Windows Active Directory environment to retrieve the hash of a service account in the same Active Directory environment. If the service account is configured with a weak password, the attacker can use password cracking techniques to recover the plaintext password from the hash obtained from the Kerberoast attack.
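The settings that decide how exposed a service account is (which Kerberos encryption types it accepts, whether pre-authentication is required, and how old its password is) are all readable from Active Directory, so the "test the impact" step the article asks for can start with an inventory. The following PowerShell is an added example, not from the article: it lists every enabled account with a service principal name and flags the legacy settings the two paragraphs above describe. It assumes the ActiveDirectory RSAT module and read access to the domain; the 365-day password-age threshold is an arbitrary choice.

```powershell
# Added example (not from the article): inventory service accounts that have SPNs
# and flag the legacy settings that keep Kerberoasting viable. Assumes the
# ActiveDirectory RSAT module; the age threshold is an arbitrary choice.

Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)

    $props = 'ServicePrincipalName', 'msDS-SupportedEncryptionTypes',
             'PasswordLastSet', 'DoesNotRequirePreAuth', 'Enabled'

    # Any enabled account with an SPN can have a service ticket issued for it; krbtgt is excluded.
    Get-ADUser -Filter "ServicePrincipalName -like '*' -and Enabled -eq 'True'" -Properties $props |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            # msDS-SupportedEncryptionTypes bits: 1,2 = DES, 4 = RC4-HMAC, 8 = AES128, 16 = AES256.
            # Unset (null) means the domain default applies, which historically is RC4.
            $enc = if ($null -eq $_.'msDS-SupportedEncryptionTypes') { 0 }
                   else { [int]$_.'msDS-SupportedEncryptionTypes' }
            $aesOnly = (($enc -band 24) -ne 0) -and (($enc -band 7) -eq 0)
            $ageDays = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }

            [pscustomobject]@{
                Account         = $_.SamAccountName
                SPNCount        = @($_.ServicePrincipalName).Count
                AesOnly         = $aesOnly
                PreAuthRequired = -not $_.DoesNotRequirePreAuth
                PasswordAgeDays = $ageDays
                # Each reason maps to one of the "modern settings" the legacy software may not support.
                ReviewReason    = @(
                    if (-not $aesOnly) { 'RC4/DES still allowed' }
                    if ($_.DoesNotRequirePreAuth) { 'Pre-authentication not required' }
                    if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) { 'Password older than threshold or never set' }
                ) -join '; '
            }
        } | Sort-Object -Property PasswordAgeDays -Descending
}

# Usage: accounts with a non-empty ReviewReason are the ones to raise with the
# application owner before changing the domain-wide settings.
Get-KerberoastExposure | Format-Table -AutoSize
```

Changing `msDS-SupportedEncryptionTypes` to AES-only on an account whose application still negotiates RC4 will break that application, which is the trade-off the article describes; the inventory tells you which vendors to ask before you make the change.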
We can make these changes if only we take the time to test their impact on our networks. Microsoft has published security benchmarks for years, but we often don’t take the time to study and implement the recommendations. Disabling settings in Windows often has side effects you didn’t anticipate, but it makes your systems and network more secure and resistant to attacks.
I predict that Microsoft will create more of these “default” settings that will impact your network. Rather than viewing them as Microsoft failing to test and report impact, take this as an indication that your vendors also need to step up and do better. Too often, the security of our networks is not defined by the operating system, but by the settings and compromises we have made according to our vendors’ guidelines. The network must ultimately meet the needs of the business, but this must not come at the expense of security. Take the time to review your current defaults and see if you can push yourself and your suppliers to do better.