Microsoft changes default settings for a variety of reasons, but some recent key changes are designed to keep businesses safer from attacks, specifically ransomware. This includes blocking macros by default, limiting native tools used by attackers, and activating Credential Guard by default.
Blocking Office 365 macros
The first major change to an Office 365 default blocks macros in files obtained from the internet. Launching malicious macros is a common way for attackers to gain a foothold on a computer system and then move laterally through the network.
Specifically, Visual Basic for Applications (VBA) macros in files obtained from the internet will be blocked by default. Setting this as the default means users will be better protected. If they have downloaded macro-based templates from websites that they rely on, users should mark those files as trusted and remove the “mark of the web” from them to ensure that the macros continue to work.
This change affects only Office on devices running Windows, and only Access, Excel, PowerPoint, Visio and Word. The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022.
Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel, and Semi-Annual Enterprise Channel. At a date to be determined, Microsoft plans to make this change to Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.
Users should also evaluate whether they want to go further and control other macro settings, using Intune with Azure Active Directory or Group Policy with Active Directory. With Group Policy settings, administrators have been able to block macros by default as far back as Office 2016.
First, download the appropriate Group Policy administrative template. Then decide how you want to control Office files. The template lets administrators control the following:
- Change the security warning settings for Visual Basic for Applications (VBA) macros. This includes disabling VBA macros, enabling all VBA macros, and changing the way that users are notified about VBA macros.
- Block VBA macros from running in Word, Excel, PowerPoint, Access and Visio files from the Internet.
- Disable VBA.
- Change how VBA macros behave in applications that are started programmatically through Automation.
- Change how anti-virus software scans encrypted VBA macros.
Users can even completely disable Visual Basic for Applications in their network with the Group Policy setting “Disable VBA for Office applications.”
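The policies listed above are stored as registry values under the Office policy hive, and the “mark of the web” that triggers the internet-macro block is an alternate data stream on the downloaded file. The following script is an added example, not Microsoft's or the article's code: it audits the per-application “block macros from the internet” and VBA-warning policy values, can set them on an unmanaged machine, and reports whether a given file still carries the mark of the web. It assumes Office 2016 or Microsoft 365 Apps (policy version key 16.0); the template path used in the usage line is a constructed example.

```powershell
# Added example (not from the article): audit the Group Policy registry values
# behind "Block macros from running in Office files from the Internet" and
# "VBA macro notification settings", and inspect the mark of the web on a file.
# Assumes Office 2016 / Microsoft 365 Apps (policy version 16.0). User policies
# live under HKCU, so run this as the user whose settings you are checking.

$officeVersion = '16.0'
$apps = 'word', 'excel', 'powerpoint', 'access', 'visio'

function Get-OfficeMacroPolicy {
    # One object per application with the policy-backed values (null = not set by policy).
    foreach ($app in $apps) {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Application         = $app
            # 1 = block macros in files from the Internet regardless of the user's Trust Center choice
            BlockInternetMacros = if ($props) { $props.blockcontentexecutionfrominternet } else { $null }
            # VBAWarnings: 1 enable all, 2 disable with notification, 3 disable except signed, 4 disable all silently
            VBAWarnings         = if ($props) { $props.VBAWarnings } else { $null }
        }
    }
}

function Set-OfficeMacroPolicy {
    # Writes the same values directly. On a managed estate Intune or Group Policy
    # owns these keys; write them by hand only on a lab or unmanaged machine.
    param([ValidateSet(1, 2, 3, 4)][int]$VbaWarnings = 4)
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord -Value $VbaWarnings -Force | Out-Null
    }
}

function Get-MarkOfTheWeb {
    # The mark of the web is the Zone.Identifier alternate data stream written by
    # browsers and mail clients. ZoneId=3 (Internet) is what triggers the macro block.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }          # no stream: Office treats the file as local
    ($stream | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', ''
}

# Usage (the template path is a constructed example)
Get-OfficeMacroPolicy | Format-Table -AutoSize
$template = "$env:USERPROFILE\Downloads\quarterly-report.dotm"
if ((Get-MarkOfTheWeb -Path $template) -eq '3') {
    # Only for a template you have verified: Unblock-File removes the Zone.Identifier stream
    Unblock-File -Path $template
}
```

Keep the audit and the `Unblock-File` step separate in practice: the audit can run on every workstation, while removing the mark of the web should happen per file, after someone has confirmed the template's origin.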
Making it harder for attackers to live off the land
Microsoft is also starting to disable some of the “living off the land” (LOL) attack techniques. Living off the land (LOL), or living off the land binaries and scripts (LOLBAS), means using files and tools that are already built into the operating system.
If an attacker doesn’t bring any new code onto the system when they launch their attack, the attack is much harder to identify and detect. More attacks are moving to LOL methods.
Microsoft is moving to restrict, and explicitly define, which code is allowed to run on a system. It is deprecating, or slowly moving away from, the Windows Management Instrumentation Command-line (WMIC) tool.
While WMI itself is not affected, Microsoft is recommending Windows PowerShell for WMI going forward. This won’t stop attacks by any means, but it’s another step in making it a bit harder for attackers to use techniques and tools that are built into the operating system.
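Two things follow from the WMIC deprecation for a defender: administrative scripts that shell out to `wmic` need the supported CIM cmdlets instead, and any remaining `wmic.exe` launches become worth looking at. The script below is an added example, not Microsoft's code: it maps a handful of common WMIC aliases to their CIM classes and sweeps Security event 4688 (process creation) for `wmic.exe`. It assumes process-creation auditing is enabled; the command-line column stays empty unless the “Include command line in process creation events” policy is also on.

```powershell
# Added example (not Microsoft's code): replace common WMIC queries with the
# supported CIM cmdlets, and find wmic.exe launches in the Security log.
# Assumes process-creation auditing (event 4688) is enabled; run the sweep elevated.

# WMIC alias -> CIM class. WMIC's alias list is longer; these are the common ones.
$wmicAliasToClass = @{
    os          = 'Win32_OperatingSystem'
    process     = 'Win32_Process'
    service     = 'Win32_Service'
    useraccount = 'Win32_UserAccount'
    startup     = 'Win32_StartupCommand'
    qfe         = 'Win32_QuickFixEngineering'
}

function Get-CimForWmicAlias {
    # Equivalent of "wmic <alias> get <prop1>,<prop2>" via Get-CimInstance.
    param(
        [Parameter(Mandatory)][string]$Alias,
        [string[]]$Property
    )
    $class = $wmicAliasToClass[$Alias.ToLower()]
    if (-not $class) { throw "No CIM class mapped for WMIC alias '$Alias'" }
    $instances = Get-CimInstance -ClassName $class
    if ($Property) { $instances | Select-Object -Property $Property } else { $instances }
}

function Find-WmicProcessCreation {
    # Lists wmic.exe launches recorded as event 4688 with user, parent and command line,
    # so an unexpected caller (an Office application, a script host) stands out.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data.NewProcessName -like '*\wmic.exe') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $data.SubjectUserName
                    Parent      = $data.ParentProcessName   # present on Windows 10 / Server 2016 and later
                    CommandLine = $data.CommandLine         # empty unless command-line auditing is on
                }
            }
        }
}

# Usage: the same data WMIC would return, through the supported path
Get-CimForWmicAlias -Alias os -Property Caption, Version, LastBootUpTime
Get-CimForWmicAlias -Alias process -Property ProcessId, Name, CommandLine | Select-Object -First 5
Find-WmicProcessCreation | Format-Table -AutoSize
```

Once the migration is done, the sweep should return nothing on a typical workstation, which is what makes any hit worth triaging.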
Enabling Credential Guard by default
Microsoft is starting to test the waters by enabling tools such as Credential Guard for qualifying Windows systems. In Insider Preview build 22526, Credential Guard is enabled by default for Windows Enterprise E5 licensees.
Credential Guard uses virtualisation-based security to isolate secrets and protect them. It protects users when unconstrained delegation is being used for nefarious tasks such as stealing Kerberos tickets issued by the ticket-granting service. Since Credential Guard by default is limited to Windows Enterprise E5 licensed machines, it won’t have the same widespread impact as the Office macros limitation.
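“Enabled by default” is worth verifying on each machine, because Credential Guard can be configured yet not running when the virtualisation-based security prerequisites are missing. The following check is an added example, not Microsoft's code: it reads the `Win32_DeviceGuard` CIM class and the LSA policy value and returns a single verdict. It assumes Windows 10/11 or Windows Server 2016 and later; the CIM query needs no elevation.

```powershell
# Added example (not Microsoft's code): report whether Credential Guard is
# configured and actually running, from Win32_DeviceGuard and the LSA policy value.
# Assumes Windows 10/11 or Server 2016+.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # SecurityServices* are arrays of codes: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1
    # LsaCfgFlags: 0 disabled, 1 enabled with UEFI lock, 2 enabled without lock
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus
        CredGuardConfigured = $configured
        CredGuardRunning    = $running
        LsaCfgFlags         = if ($lsa) { $lsa.LsaCfgFlags } else { $null }
        Verdict             = if ($running) { 'Credential Guard is isolating LSA secrets' }
                              elseif ($configured) { 'Configured but not running: check VBS prerequisites (UEFI, Secure Boot, virtualisation extensions) and reboot' }
                              else { 'Not configured: secrets held by LSASS are not isolated' }
    }
}

Get-CredentialGuardState | Format-List
```

`CredGuardRunning` is the value to alert on; `CredGuardConfigured` alone only says that policy asked for it.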
Limits to changing Microsoft defaults
The settings that attackers abuse have often been in place for years. Users could remove those opportunities for attackers by testing and implementing hardened settings themselves, but too often legacy software requires the weaker settings in order to function.
The Kerberoasting attack, for example, can be defeated completely if all software supports more modern settings. Legacy software won’t handle these settings because it doesn’t support pre-authentication or other modern authentication processes.
Kerberoasting has been known since being discovered by Tim Medin in 2014. It allows an attacker with normal user privileges in a Microsoft Windows Active Directory environment to retrieve the hash for a service account in the same Active Directory environment.
If the service account is configured with a weak password, then the attacker can use password cracking techniques to retrieve the clear-text password from the hash that was obtained from the Kerberoast attack.
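What makes a service account crackable is the combination the article describes: a service principal name that lets any user request a ticket in its name, a ticket encrypted with RC4 under a weak or long-unchanged password. The following script is an added example, not the article's or Microsoft's code: it lists the user accounts with SPNs and rates each by encryption type and password age, and it sweeps a domain controller's Security log for the RC4 service-ticket requests (event 4769, encryption type 0x17) that a Kerberoasting run produces. It assumes the ActiveDirectory RSAT module for the audit and Security log access on a domain controller for the sweep; the age and count thresholds are assumptions.

```powershell
# Added example (not from the article): audit the accounts Kerberoasting targets and
# sweep a DC for the ticket requests it leaves behind. Needs the ActiveDirectory module
# (RSAT) and, for the sweep, Security log access on a domain controller. Thresholds are assumed.

Import-Module ActiveDirectory

function Get-KerberoastExposure {
    # Any user account with an SPN can have a service ticket requested in its name. If that
    # ticket is RC4-encrypted under an old or weak password, it is an offline crack target.
    param([int]$MaxPasswordAgeDays = 365)
    $props = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'adminCount', 'TrustedForDelegation'
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $enc = $_.'msDS-SupportedEncryptionTypes'
            # Bit flags: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256. Unset (null/0) means RC4 is still offered.
            $aesOnly = ($enc -band 0x18) -and -not ($enc -band 0x4)
            $ageDays = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
            [pscustomobject]@{
                Account          = $_.SamAccountName
                SPNCount         = @($_.ServicePrincipalName).Count
                PasswordAgeDays  = $ageDays
                AesOnly          = [bool]$aesOnly
                Privileged       = ($_.adminCount -eq 1)          # member of a protected (admin) group
                UnconstrainedDel = [bool]$_.TrustedForDelegation  # the delegation setting Credential Guard defends against
                Risk             = if (-not $aesOnly -and ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays)) { 'High' }
                                   elseif (-not $aesOnly) { 'Medium' } else { 'Low' }
            }
        } |
        Sort-Object @{ Expression = { @{ High = 0; Medium = 1; Low = 2 }[$_.Risk] } },
                    @{ Expression = 'PasswordAgeDays'; Descending = $true }
}

function Find-Rc4ServiceTicketRequests {
    # On a domain controller, event 4769 records every TGS request. Modern clients ask for
    # AES (0x11/0x12); one requester asking for RC4 (0x17) tickets to many different
    # user-account services in a short window is the pattern to alert on.
    param([datetime]$Since = (Get-Date).AddHours(-24), [int]$MinDistinctServices = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
            # Ignore failures and computer-account services (names ending in $, random passwords)
            if ($d.TicketEncryptionType -eq '0x17' -and $d.Status -eq '0x0' -and $d.ServiceName -notlike '*$') {
                [pscustomobject]@{ Time = $_.TimeCreated; Requester = $d.TargetUserName; Service = $d.ServiceName; Source = $d.IpAddress }
            }
        } |
        Group-Object Requester, Source |
        Where-Object { ($_.Group.Service | Sort-Object -Unique).Count -ge $MinDistinctServices } |
        Select-Object Name, Count, @{ n = 'Services'; e = { ($_.Group.Service | Sort-Object -Unique) -join ', ' } }
}

# Usage
Get-KerberoastExposure | Format-Table -AutoSize
Find-Rc4ServiceTicketRequests | Format-Table -AutoSize
```

The audit's `AesOnly` column is the “modern settings” lever from the text: an account whose `msDS-SupportedEncryptionTypes` offers only AES no longer yields RC4 tickets, so the legacy-software check is simply whether the services behind each flagged account still work after that change. The `UnconstrainedDel` column ties back to the Credential Guard discussion above.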
Users could make these changes if they would take the time to test the impact on their networks. Microsoft has published security baselines for years, but users often don’t take the time to study and implement the recommendations.
Disabling settings in Windows often has side effects that users weren’t anticipating, but it makes systems and networks more secure and more resilient to attacks.
I predict Microsoft will make more of these “by default” changes that will impact customer networks. Rather than viewing these as a sign that Microsoft is unable to test and report the impact, users are looking at them as an indication that vendors and partners need to step up and do better as well.
Too often the security of customer networks is set not by the operating system but by the settings and compromises customers have made as dictated by vendors or partners. The network ultimately has to support business needs, but that shouldn’t come at the expense of security posture. Users are now taking the time to look at current defaults to see if they can push themselves – and their vendors and partners – to do better.