Details
This policy setting controls the security level for macros in Outlook.
If you enable this policy setting, you can choose from four options for handling macros in
Outlook-
Always warn. This option corresponds to the ‘Warnings for all macros’ option in the
‘Macro Security’ section of the Outlook Trust Center. Outlook disables all macros
that are not opened from a trusted location, even if the macros are signed by a
trusted publisher. For each disabled macro, Outlook displays a security alert dialog
box with information about the macro and its digital signature (if present), and
allows users to enable the macro or leave it disabled.
Never warn, disable all. This option corresponds to the ‘No warnings and disable all
macros’ option in the Trust Center. Outlook disables all macros that are not opened
from trusted locations, and does not notify users.
Warning for signed, disable unsigned. This option corresponds to the ‘Warnings for
signed macros; all unsigned macros are disabled’ option in the Trust Center.
Outlook handles macros as follows-
o If a macro is digitally signed by a trusted publisher, the macro can run if the
user has already trusted the publisher.
o If a macro has a valid signature from a publisher that the user has not
trusted, the security alert dialog box for the macro lets the user choose
whether to enable the macro for the current session, disable the macro for
the current session, or to add the publisher to the Trusted Publishers list so
that it will run without prompting the user in the future.
o If a macro does not have a valid signature, Outlook disables it without
prompting the user, unless it is opened from a trusted location.
This option is the default configuration in Outlook.. No security check. This option corresponds to the ‘No security check for macros
(Not recommended)’ option in the Trust Center. Outlook runs all macros without
prompting users. This configuration makes users’ computers vulnerable to
potentially malicious code and is not recommended.
If you disable or do not configure this policy setting, the behavior is the equivalent of
Enabled — Warning for signed, disable unsigned. The recommended state for this setting is-
Enabled-Never warn, disable all.
*Rationale*
To protect users from dangerous code, the Outlook 2010 default configuration disables all
macros that are not trusted, including unsigned macros, macros with expired or invalid
signatures, and macros with valid signatures from publishers who are not on users’
Trusted Publishers lists. The default configuration also allows macros that are signed by
trusted publishers to run automatically without notifying users, which could allow
dangerous code to run.
Solution
To implement the recommended configuration state, set the following Group Policy setting
to Enabled.
User ConfigurationAdministrative TemplatesMicrosoft Outlook 2010SecurityTrust
CenterSecurity setting for macrosSecurity setting for macros
Then set the Security Level option to Never warn, disable all.
Impact-Configuring this setting to ‘Never warn, disable all’ will cause Outlook 2010 users to lose
the benefits of any functionality provided by macros. Users who wish to benefit from
macros can install the macros in a trusted location, unless Disable all trusted locations is
set to Enabled.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Windows.