Prevent users from changing Microsoft Office macro security settings
Ensure users cannot alter macro settings in Microsoft Office applications.
Plain language
This control is about stopping people from changing the security settings for macros in Microsoft Office programs like Word and Excel. It matters because if a user can weaken those settings, a harmful macro hidden in a document could run and steal, encrypt or destroy your files.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
RM (Restrict Microsoft Office macros)
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Microsoft Office macro security settings cannot be changed by users.
Why it matters
If users can change Office macro security, they may enable macros and run malicious code, leading to malware, data loss or fraud.
Operational notes
Enforce Office macro security settings via Group Policy or Intune so that the corresponding Trust Center options are greyed out for users; regularly confirm that users cannot change them, and re-audit policy and application baselines after Office or policy updates.
Implementation tips
- IT team: Ensure that users cannot change macro settings by configuring Group Policy settings across all computers in the organisation.
- System administrator: Lock down the Trust Center settings in Microsoft Office by setting them through the Office Administrative Templates (ADMX), which writes them to the Policies registry hive where Office enforces them and greys out the corresponding options.
- Security officer: Regularly review and update the list of individuals with permissions to use macros, based on business necessity.
- IT manager: Coordinate with department heads to identify genuine business requirements for macros and allow macro use only for those approved users.
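The following PowerShell compliance check is an added example for this page, not part of the control catalogue or ASD's own tooling. It assumes Microsoft 365 Apps or Office 2016 and later (registry version "16.0"), that macro policy is delivered by GPO or Intune (ADMX-backed) into the HKCU Policies hive, and the default ACL on that hive in which standard users hold read-only access. Office reads the policy values in preference to the user's own Trust Center choices and greys the options out, so "enforced" here means the policy value is present; the script also flags any non-privileged principal with write access to the policy key. The function names are the example's own.

```powershell
# Added compliance check for E8-RM-ML1.4 (example code, not from the control catalogue).
# Assumptions: Office 2016+/Microsoft 365 Apps (registry version "16.0"); macro policy is
# delivered by GPO or Intune into HKCU\Software\Policies; the default ACL on that hive
# gives standard users read-only access. Run in the context of the user being assessed.

$OfficeVersion = '16.0'
# Outlook stores its macro setting under a different value name (Level) and is not checked here.
$Apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio', 'Project'
# Apps that expose "Block macros from running in Office files from the Internet" (ISM-1488).
$InternetBlockApps = 'Word', 'Excel', 'PowerPoint', 'Visio'

# VBAWarnings meanings from the Office ADMX "VBA Macro Notification Settings":
#   1 = Enable all macros, 2 = Disable with notification,
#   3 = Disable except digitally signed, 4 = Disable without notification.
# 4 is expected for users without a business need; 3 (with a Trusted Publisher list)
# is an acceptable policy-set value for approved macro users.
$AcceptableVbaWarnings = @(3, 4)

function Test-PolicyKeyUserWritable {
    # Returns $true if any allow ACE grants value-write or subkey-create rights to a
    # principal other than SYSTEM (S-1-5-18) or local Administrators (S-1-5-32-544).
    param([Parameter(Mandatory)][string]$Path)
    $privileged  = @('S-1-5-18', 'S-1-5-32-544')
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable SID; skip rather than fail the audit
        if ($sid -in $privileged) { continue }
        if (($ace.RegistryRights -band $writeRights) -ne 0) { return $true }
    }
    return $false
}

function Get-MacroPolicyState {
    # Compares the enforced (Policies hive) values with the user's own preferences and
    # produces a per-application compliance verdict with human-readable findings.
    param([Parameter(Mandatory)][string]$App)

    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $prefKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $pref   = Get-ItemProperty -Path $prefKey   -ErrorAction SilentlyContinue

    $findings = New-Object System.Collections.Generic.List[string]
    if ($null -eq $policy.VBAWarnings) {
        $findings.Add('No policy VBAWarnings value: Trust Center macro setting is user-editable')
    } elseif ($policy.VBAWarnings -notin $AcceptableVbaWarnings) {
        $findings.Add("Policy VBAWarnings=$($policy.VBAWarnings) permits macros to run")
    }
    if ($App -in $InternetBlockApps -and $policy.blockcontentexecutionfrominternet -ne 1) {
        $findings.Add('Macros in files from the internet are not blocked by policy')
    }
    if ($null -ne $policy.VBAWarnings -and (Test-PolicyKeyUserWritable -Path $policyKey)) {
        $findings.Add('A non-privileged principal holds write access to the policy key')
    }

    [pscustomobject]@{
        App                 = $App
        PolicyVbaWarnings   = $policy.VBAWarnings
        PolicyBlockInternet = $policy.blockcontentexecutionfrominternet
        UserVbaWarnings     = $pref.VBAWarnings   # informational; overridden while policy is set
        Compliant           = ($findings.Count -eq 0)
        Findings            = ($findings -join '; ')
    }
}

$results = foreach ($app in $Apps) { Get-MacroPolicyState -App $app }
$results | Format-Table App, PolicyVbaWarnings, PolicyBlockInternet, UserVbaWarnings, Compliant, Findings -AutoSize
# Non-zero exit lets a scheduled task or RMM agent treat any finding as a compliance failure.
if ($results.Compliant -contains $false) { exit 1 }
```

Because the script reports both the policy value and the user's own preference, it doubles as evidence for the "Ask/Good" items below: a populated PolicyVbaWarnings with Compliant = True shows the setting is locked at the system level, and the UserVbaWarnings column shows that whatever the user picked in the Trust Center is being overridden. Keep the approved-user list from the implementation tips alongside the output so that any application reporting VBAWarnings = 3 can be tied to a documented business need.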
Audit / evidence tips
- Ask: Are users able to change the macro security settings on their computers?
  Good: Users are unable to change macro settings; these are controlled via Group Policy and locked at the system level.
- Ask: How is access to alter these settings justified and documented?
  Good: There is a documented business need and management approval for any user who can run macros.
Cross-framework mappings
How E8-RM-ML1.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| ISM-1601 | ISM-1601 requires organisations to implement Microsoft Attack Surface Reduction (ASR) rules to reduce exploitable behaviours in user appl... | |
| ISM-1748 | ISM-1748 requires that email client security settings cannot be changed by users | |
| ISM-1825 | ISM-1825 requires that security product security settings cannot be changed by users to maintain enforced protections | |
| Supports (8) | | |
| ISM-1488 | ISM-1488 requires that Microsoft Office macros in files originating from the internet are blocked | |
| ISM-1584 | E8-RM-ML1.4 requires that Microsoft Office macro security settings cannot be changed by users | |
| ISM-1671 | ISM-1671 mandates disabling Microsoft Office macros for users without a demonstrated business need | |
| ISM-1672 | ISM-1672 requires Microsoft Office macro antivirus scanning to be enabled as a protective configuration | |
| ISM-1673 | ISM-1673 requires enforcing a specific macro hardening setting: blocking Win32 API calls from Office macros | |
| ISM-1674 | ISM-1674 requires enforcement of macro execution so that only sandboxed, Trusted Location, or trusted-signed macros can run | |
| ISM-1675 | ISM-1675 requires a specific macro-enablement restriction (untrusted publisher macros cannot be enabled via Message Bar or Backstage View) | |
| ISM-1915 | ISM-1915 involves maintenance of approved user application configurations | |
| Related (2) | | |
| ISM-1489 | E8-RM-ML1.4 requires that Microsoft Office macro security settings cannot be changed by users | |
| ISM-1823 | ISM-1823 requires that office productivity suite security settings cannot be changed by users | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.