
My security organization has responded to the threat of macro-based viruses by changing all copies of Excel to no longer run macros/VBA scripts. Through some quick research, it looks like there are many valid alternatives to the "brute force" approach. From my limited understanding, we could:

  • Establish a trusted location
  • Use the Office 2016 option to block macros in Internet sourced files
  • Block Office applications other than Excel
  • Establish an access group that has permissions to run macros
  • As above, but with permissions to run certified macros (and then certify the macro(s) needed)

All of these seem like worthwhile ways of letting our group continue working and I'm hoping the conversation will go well.

As security professionals yourselves, how would you wish a customer/user would present and participate in this discussion? Thanks very much in advance.
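The Excel-side controls from the list above (signed-macros-only, blocking macros in Internet-sourced files, and a narrow trusted location), as an administrator would apply them on one Office 2016 test machine before pushing the same values by GPO. This is an added example, not code from the question or the answer; the value names are the Office 2016 Trust Center policy registry values, while the share path and the `Location1` slot are placeholders to adjust.

```powershell
# Added example: apply the mitigations discussed above on a single Office 2016
# (16.0) machine for the current user. Assumptions: Office 2016, Location1 is
# an unused trusted-location slot, and the share path is a placeholder.

$sec = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security'
New-Item -Path $sec -Force | Out-Null

# 1. Only digitally signed macros may run outside trusted locations.
#    VBAWarnings: 1 = enable all, 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable without notification.
New-ItemProperty -Path $sec -Name VBAWarnings -PropertyType DWord -Value 3 -Force | Out-Null

# 2. Block macros in files carrying the Mark-of-the-Web (downloads, mail
#    attachments) regardless of the setting above.
New-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null

# 3. One narrow trusted location for the vetted workbooks. Put it on a share
#    that users cannot write to, and do not trust subfolders.
$tl  = Join-Path $sec 'Trusted Locations'
$loc = Join-Path $tl  'Location1'
New-Item -Path $loc -Force | Out-Null
New-ItemProperty -Path $loc -Name Path -PropertyType String -Value '\\FILESERVER\engineering\approved-macros\' -Force | Out-Null   # placeholder
New-ItemProperty -Path $loc -Name AllowSubfolders -PropertyType DWord -Value 0 -Force | Out-Null
New-ItemProperty -Path $loc -Name Description -PropertyType String -Value 'Approved engineering workbooks' -Force | Out-Null
# Trusted locations on network shares are ignored unless this is also set.
New-ItemProperty -Path $tl -Name AllowNetworkLocations -PropertyType DWord -Value 1 -Force | Out-Null

# Read back what is now in effect so the change can be checked and recorded.
Get-ItemProperty -Path $sec | Select-Object VBAWarnings, blockcontentexecutionfrominternet
Get-ItemProperty -Path $tl  | Select-Object AllowNetworkLocations
Get-ItemProperty -Path $loc | Select-Object Path, AllowSubfolders, Description
```

Keys under `HKCU:\Software\Policies\...` are the policy (GPO-managed) keys, so users cannot undo them from the Trust Center UI; the same values under `HKLM:` apply machine-wide.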



Make sure they understand that you are aware of the risks of enabling macros, even if it's for a select group. Then explain to them for whom and why enabling macros would improve [insert your reason] (for example, productivity). Then you can always suggest one of the options you listed above; however, I would suggest you only come up with these solutions if they responded well to the conversation above.

I always take users way more seriously when they explain that they understand the risks, explain why it is needed, and suggest possible solutions.

Probably this reply belongs in the comments, so if someone can move it, please do.

toom
  • Cheers toom -- that's *exactly* why I've posted here. We're a modestly educated group of engineers, so we don't make the request recklessly. This particular set of Excel macros was written by a 70+-year-old industry veteran and helps inform million-dollar decisions. Serious stuff, but security is too, so we can't have a single winner. Glad to hear I may be on the right track here! – Ian McKechnie Mar 20 '18 at 09:48
  • Well, security and usability never go well together; however, I believe every company needs to find a solution that is acceptable for both. I don't have a definitive answer as to what the right way to do it is, but glad I could give some feedback. – toom Mar 20 '18 at 12:33