sbradley
Contributing Writer

Microsoft changes default settings to improve network security

Feature | Feb 23, 2022 | 5 mins
Network Security, Windows Security

Here's what IT and security admins for Microsoft networks need to know about recent changes to Office and Windows.


Microsoft changes default settings for a variety of reasons, but several recent key changes will keep us safer from attacks, ransomware in particular: blocking macros by default, limiting native tools used by attackers, and activating Credential Guard by default.

Blocking Office 365 macros

The first major change to an Office 365 default blocks macros obtained from the internet. Launching malicious macros is a common way for attackers to gain initial access to computer systems and then move laterally. Specifically, Visual Basic for Applications (VBA) macros in files obtained from the internet will be blocked by default. Setting this as the default means you’ll be better protected. If you’ve downloaded macro-based templates from websites that you trust, mark these files as trusted by removing the “mark of the web” from them so that they continue to work.

This change affects only Office on devices running Windows, and only Access, Excel, PowerPoint, Visio and Word. The change will begin rolling out in Version 2203, starting with Current Channel (Preview) in early April 2022. Later, the change will be available in the other update channels, such as Current Channel, Monthly Enterprise Channel and Semi-Annual Enterprise Channel. At a date to be determined, Microsoft plans to make this change to Office LTSC, Office 2021, Office 2019, Office 2016 and Office 2013.

You should also evaluate whether you want to block other macro settings using Intune with Azure Active Directory or Group Policy with Active Directory. With Group Policy settings, administrators have been able to block macros by default as far back as Office 2016. First, download the appropriate Group Policy administrative templates. Then decide how you want to control Office files. You can control the following:

  • Change the security warning settings for Visual Basic for Applications (VBA) macros. This includes disabling VBA macros, enabling all VBA macros, and changing the way that users are notified about VBA macros.
  • Block VBA macros from running in Word, Excel, PowerPoint, Access and Visio files from the Internet.
  • Disable VBA.
  • Change how VBA macros behave in applications that are started programmatically through Automation.
  • Change how antivirus software scans encrypted VBA macros.

You can even completely disable Visual Basic for Applications in your network with the Group Policy setting “Disable VBA for Office applications.”
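The policy settings listed above land in the registry, and the internet-macro block keys off the mark of the web. The following is an added example, not from the article, that audits both on a workstation; it assumes Office 2016 or later (policy key version 16.0), user-scope policies, and that downloads land in the user's Downloads folder.

```powershell
# Added example, not from the article: audit the policy values written by the Group Policy
# settings listed above and find downloaded Office files that still carry the mark of the web.
# Assumes Office 2016 or later (policy key version 16.0) and user-scope (HKCU) policies.
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

function Get-OfficeMacroPolicy {
    $common = Get-ItemProperty -Path (Join-Path $base 'Common') -ErrorAction SilentlyContinue
    foreach ($app in $apps) {
        $p = Get-ItemProperty -Path (Join-Path $base "$app\Security") -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                 = $app
            # VBAWarnings: 1 = enable all, 2 = disable with notification,
            #              3 = disable except digitally signed, 4 = disable without notification
            VBAWarnings         = $p.VBAWarnings
            # 1 = "Block macros from running in Office files from the Internet"
            BlockInternetMacros = $p.blockcontentexecutionfrominternet
            # 1 = "Disable VBA for Office applications" (applies to every Office app)
            VbaDisabled         = $common.vbaoff
        }
    }
}

function Get-MarkedOfficeFiles {
    param([string]$Folder = "$env:USERPROFILE\Downloads")   # assumption: where downloads land
    # Macro-enabled formats only; the Zone.Identifier stream holds the mark of the web.
    Get-ChildItem -Path $Folder -Recurse -File -Include *.docm, *.dotm, *.xlsm, *.xltm, *.pptm, *.potm, *.vsdm, *.accdb |
        ForEach-Object {
            $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($zone -and (($zone -join "`n") -match 'ZoneId=(\d)')) {
                # ZoneId 3 = Internet, 4 = Restricted sites: these are the files the new default blocks
                [pscustomobject]@{ File = $_.FullName; ZoneId = [int]$Matches[1] }
            }
        }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize
Get-MarkedOfficeFiles | Format-Table -AutoSize
# For a template you have vetted, remove the mark of the web so its macros keep working:
# Unblock-File -Path 'C:\path\to\trusted-template.dotm'
```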

Making it harder for attackers to live off the land

Microsoft is also starting to disable some of the “living off the land” (LOL) attack techniques. Living off the land, or using living-off-the-land binaries and scripts (LOLBAS), means using files and tools that are built into the operating system. If an attacker doesn’t bring any new code into your system when launching the attack, the attack is much harder to identify and detect. More attacks are moving to LOL methods.

Microsoft is moving toward disabling such tools and defining exactly what code is allowed to run on a system. It is deprecating, or slowly moving away from, the Windows Management Instrumentation Command-line (WMIC) tool. WMI itself is not affected; Microsoft recommends Windows PowerShell for WMI going forward. While this won’t stop attacks by any means, it’s another step toward making it a bit harder for attackers to use techniques and tools that are built into the operating system.
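Before WMIC disappears, the practical job for an admin is to find what still depends on it and move that to the CIM cmdlets. The following is an added example, not from the article, that inventories scheduled tasks and script folders for wmic calls; the script folder paths and the optional-capability name are assumptions to adjust for your environment.

```powershell
# Added example, not from the article: find lingering WMIC dependencies before the tool is
# removed, and show the CIM cmdlet form that replaces the most common WMIC query.
function Find-WmicUsage {
    # Assumption: folders where your logon and maintenance scripts live
    param([string[]]$ScriptFolders = @("$env:SystemRoot\System32\GroupPolicy", "$env:ProgramData\Scripts"))

    # Scheduled tasks whose action or arguments invoke wmic
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match '\bwmic(\.exe)?\b') {
                [pscustomobject]@{ Source = "Task: $($task.TaskPath)$($task.TaskName)"; Command = $cmd.Trim() }
            }
        }
    }

    # Batch, VBScript and PowerShell files that shell out to wmic
    Get-ChildItem -Path $ScriptFolders -Recurse -File -Include *.bat, *.cmd, *.vbs, *.ps1 -ErrorAction SilentlyContinue |
        Select-String -Pattern '\bwmic(\.exe)?\b' |
        ForEach-Object { [pscustomobject]@{ Source = "$($_.Path):$($_.LineNumber)"; Command = $_.Line.Trim() } }
}

# CIM equivalent of "wmic process get name,processid,commandline" (WMI itself is unchanged)
function Get-ProcessInventory {
    Get-CimInstance -ClassName Win32_Process | Select-Object Name, ProcessId, CommandLine
}

Find-WmicUsage | Format-Table -AutoSize
# On Windows 11, WMIC ships as an optional capability; assumption: its name is 'WMIC~~~~'
# Get-WindowsCapability -Online -Name 'WMIC~~~~' | Select-Object Name, State
```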

Enabling Credential Guard by default

Microsoft is starting to test the waters in enabling tools such as Credential Guard by default for qualifying Windows systems. In Insider preview build 22526, Credential Guard will be enabled by default for Windows Enterprise E5 licensees. Credential Guard uses virtualization-based security to isolate secrets such as credentials so that they are protected. It protects you when unconstrained delegation is abused for nefarious tasks such as stealing Kerberos ticket-granting tickets. Since Credential Guard by default is limited to Windows Enterprise E5 licensed machines, it won’t have the same widespread impact as the Office macro limitation.
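Since the new default reaches only some editions, it helps to check each machine rather than assume. The following is an added example, not from the article, that reads the documented Win32_DeviceGuard class and the LsaCfgFlags policy value to report whether Credential Guard is configured and actually running.

```powershell
# Added example, not from the article: report whether Credential Guard is configured and
# actually running on this machine, so you can tell where the new default has taken effect.
function Get-CredentialGuardState {
    # Win32_DeviceGuard is the documented class for VBS status. In its arrays,
    # 1 = Credential Guard and 2 = HVCI (memory integrity).
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Edition             = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        # 0 = VBS disabled, 1 = enabled but not running, 2 = running
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus
        CredGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning         = [bool]($dg.SecurityServicesRunning -contains 2)
        # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = not set by policy
        LsaCfgFlags         = $lsa.LsaCfgFlags
        # The isolated LSA process exists only while Credential Guard is active
        LsaIsoProcess       = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

$state = Get-CredentialGuardState
$state | Format-List
if (-not $state.CredGuardRunning) {
    Write-Warning 'Credential Guard is not running: credentials held by LSASS are not isolated.'
    # To enable it by policy without the UEFI lock on a qualifying machine (reboot required):
    # Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 2 -Type DWord
}
```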

Limits to changing Microsoft defaults

The settings that attackers abuse have often been present for years. We could deny attackers that additional access by testing and implementing these settings ourselves, but too often legacy software requires certain settings to function. The Kerberoasting attack, for example, can be defeated completely if all of your software supports more modern settings. Legacy software won’t handle these settings because it doesn’t support Kerberos pre-authentication or other modern authentication processes.

Kerberoasting has been known since Tim Medin discovered it in 2014. It allows an attacker with normal user privileges in a Microsoft Windows Active Directory environment to retrieve the hash of a service account in that same environment. If the service account is configured with a weak password, the attacker can use password-cracking techniques to recover the clear-text password from the hash obtained by the Kerberoast attack.
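The exposure described above can be measured before you decide which settings to change. The following is an added example, not from the article, that lists enabled accounts with service principal names and the conditions that make them cheap to crack; it assumes the ActiveDirectory RSAT module and a password-age threshold I chose, not Microsoft guidance.

```powershell
# Added example, not from the article: audit Active Directory for the conditions that make
# Kerberoasting (and the related AS-REP roasting) cheap for an attacker.
# Requires the ActiveDirectory RSAT module; the age threshold is an assumption.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    param([int]$MaxPasswordAgeDays = 365)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

    # Computer and group-managed service accounts use long random passwords and are out of scope;
    # user accounts with SPNs are the ones whose passwords a human chose.
    Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', DoesNotRequirePreAuth, AdminCount |
    ForEach-Object {
        $enc = $_.'msDS-SupportedEncryptionTypes'
        # Bits: 0x4 = RC4, 0x8 = AES128, 0x10 = AES256. Null or 0 means the DC falls back to RC4,
        # whose tickets crack far faster than AES ones.
        $aesOnly = (($enc -band 0x18) -ne 0) -and (($enc -band 0x4) -eq 0)
        [pscustomobject]@{
            Name            = $_.SamAccountName
            SPNCount        = @($_.ServicePrincipalName).Count
            PasswordLastSet = $_.PasswordLastSet
            OldPassword     = ($_.PasswordLastSet -lt $cutoff)
            AESOnly         = $aesOnly
            # Accounts that skip pre-authentication are exposed to AS-REP roasting as well
            NoPreAuth       = [bool]$_.DoesNotRequirePreAuth
            Privileged      = ($_.AdminCount -eq 1)
        }
    } | Sort-Object Privileged, OldPassword -Descending
}

# Privileged accounts with old, RC4-crackable passwords are the ones to fix first:
# rotate to a long password or migrate the service to a gMSA, then restrict to AES.
Get-KerberoastExposure | Format-Table -AutoSize
```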

We can make these changes if only we take the time to test their impact on our networks. Microsoft has published security baselines for years, but we often don’t take the time to study and implement the recommendations. Disabling settings in Windows often has side effects that you weren’t anticipating, but it makes your systems and network more secure and more resilient against attacks.

I predict Microsoft will ship more of these “by default” settings that will impact your network. Rather than viewing these as Microsoft failing to test and report the impact, look at them as an indication that your vendors need to step up and do better as well. Too often the security of our networks is set not by the operating system but by the settings and compromises we’ve made as dictated by our vendors. The network ultimately has to support business needs, but not at the expense of security posture. Take the time to look at your current defaults and see if you can push yourself – and your vendors – to do better.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds Wrap for her tinfoil hat.
