Using Office Readiness/Telemetry Tools To Plan Macro/Add-On Hardening

Guillaume Ross
Published in Caffeine Security
Aug 24, 2018


Microsoft usually makes backward compatibility a priority. Sometimes that hurts security, but it also produces tools we can leverage FOR security, such as the ability to build a multi-browser strategy that forces a secure browser for everything except a list of pre-approved websites.

The compatibility tool becomes a security tool.

Another IT tool that security teams generally do not know well is the Microsoft Readiness Toolkit for Office. It exists to plan Office upgrades: it scans files to find out which features (VBA macros, add-ins) are required and where, and, together with Office Telemetry, it can gather usage data from running instances of Office.

This is exactly the information you want before hardening Microsoft Office properly (for example, blocking macros in files downloaded from the Internet): you need to know where VBA and other features are legitimately used so that you do not disrupt them. Understanding how systems are used is key to securing them without breaking important processes and losing credibility along the way, which is what leads people to believe that security only makes things worse.

You can also use the telemetry to see which files are causing Office to crash or misbehave, which can feed detection: exploit documents frequently destabilize the application that opens them.

What you need

  1. A Windows Server with SQL, to install the Telemetry Processor.
  2. A Windows PC with Office and the Telemetry Dashboard installed.
  3. A file share that PCs in your environment can connect to (the wizard will configure permissions automatically).
  4. The Office 2016 .ADMX files on a system that can edit GPOs. (Other versions of Office can also do this, but the setup is a bit different. Microsoft’s documentation highlights the differences well.)
  5. Office Documents to analyze as well as open with Office on the test PC. I downloaded sample files from govdocs1 and a few dozen files found using Google with “filetype:xlsx/docx” specified for various terms.
  6. For any deployment at scale, work with your IT team — this tool will be extremely helpful for them to improve Office reliability, and will need decent systems provisioned and dedicated to it.

Detailed setup instructions

Understanding Office File Usage

The first step in understanding how Office is used, so that you know how to harden it, is to scan the files already in use in your organization.

Install the Readiness toolkit on a workstation, and scan shares containing Office files.

I highly recommend doing this on an isolated workstation if you could end up accidentally scanning files that contain malware. Copy the files you want to scan locally to that system and isolate it completely, and make sure Office on that workstation is fully patched, since the scanner parses the very file formats that exploits target.

Readiness Report Generation

Select “Advanced” only if you are comfortable sharing this information with Microsoft. It produces more detail about your files, especially about their macros.

Advanced gives us more info, but sends data to Microsoft

Once the files are scanned, which can take a very long time if you have a lot of data, an Excel workbook is generated. Ironically, it includes macros 🎃.

The first thing you’ll see is how many files were analyzed, and how many have VBA macros.

Summary

The VBA summary tells you exactly which files have macros, so you can quickly determine whether a specific department is a heavier user of macros than others. For Office Open XML files, a simple search for the .XLSM or .DOCM extensions gives a fast approximation, but the readiness tool digs deeper than the file extension.

Files with macros

In the VBA Results tab you also get a hash of each file’s VBA, which lets you find files that share the same macros (one template copied a hundred times is one review, not a hundred). If some macros are incompatible with Office 2016, the report also tells you how to edit them.

If legitimate macros cluster in a few paths, those paths are candidates to become Trusted Locations once you start blocking macros from untrusted sources. Keep in mind that a Trusted Location bypasses macro security entirely, so only use paths that users cannot write to freely (a change-controlled share with tight ACLs, not a folder in the user profile).
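The readiness report answers these questions for the files it scanned, but a scriptable version of the same inventory is useful for re-checking a share later or for a share you could not point the tool at. The following PowerShell is an added example, not code from the original post or from Microsoft: it walks a tree of Office Open XML files, detects the embedded VBA project regardless of extension, hashes it, and summarizes by hash and by folder. It assumes PowerShell 5.1 or later (for Get-FileHash -InputStream), and the share path \\fileserver\shares is a placeholder. The hash is a SHA-256 of the raw vbaProject.bin stream, which is not the same hash the Readiness Toolkit computes; it groups byte-identical projects only. Legacy OLE2 formats (.doc/.xls) are not zip containers and are skipped.

```powershell
# Added example (not from the original post): inventory Office Open XML files that
# actually contain a VBA project, hash the project so identical macros can be grouped,
# and summarize by folder to find candidates for Trusted Locations.
# Assumptions: PowerShell 5.1+ (Get-FileHash -InputStream), .NET ZipFile available,
# and that the files are OPC (zip) packages; legacy .doc/.xls (OLE2) are not handled.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-VbaInventory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $extensions = '*.docx','*.docm','*.dotm','*.xlsx','*.xlsm','*.xlsb','*.xltm',
                  '*.pptx','*.pptm','*.potm','*.ppam'

    Get-ChildItem -Path $Path -Recurse -File -Include $extensions -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        $zip  = $null
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
            # The VBA project lives at word/, xl/ or ppt/ + vbaProject.bin inside the package.
            $vba = $zip.Entries |
                   Where-Object { $_.FullName -match '(^|/)vbaProject\.bin$' } |
                   Select-Object -First 1
            if ($vba) {
                $stream = $vba.Open()
                try   { $hash = (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash }
                finally { $stream.Dispose() }

                [pscustomobject]@{
                    Path      = $file.FullName
                    Folder    = $file.DirectoryName
                    Extension = $file.Extension.ToLower()
                    VbaSha256 = $hash
                    # A VBA project inside a non-macro extension (.docx/.xlsx/.pptx) is worth
                    # a look: Office will not run it, so the file was renamed or crafted.
                    ExtensionMismatch = [bool]($file.Extension -match '^\.(docx|xlsx|pptx)$')
                }
            }
        } catch {
            Write-Warning ("Skipping {0}: {1}" -f $file.FullName, $_.Exception.Message)
        } finally {
            if ($zip) { $zip.Dispose() }
        }
      }
}

# Usage (share path is a placeholder).
$inventory = Get-VbaInventory -Path '\\fileserver\shares'
$inventory | Export-Csv -NoTypeInformation -Path .\vba-inventory.csv

# Same VBA project in many files: one template or add-in copied around; review it once.
$inventory | Group-Object VbaSha256 | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].Path } } |
    Format-Table -AutoSize

# Folders that concentrate legitimate macros are Trusted Location candidates,
# but only if users cannot write to them freely.
$inventory | Group-Object Folder | Sort-Object Count -Descending | Select-Object Count, Name

# Files whose extension says "no macros" but whose contents disagree.
$inventory | Where-Object ExtensionMismatch | Select-Object Path, VbaSha256
```

Run it from the isolated scanning workstation described above rather than from an administrative box, for the same reason: the script opens every file it finds, although it only reads the zip directory and one stream, and never hands the file to Office.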

You can then schedule automated runs with the command-line version, ReadinessReportCreator.exe, as described in Microsoft’s documentation:

ReadinessReportCreator.exe -p c:\officefiles\ -r -output \\server01\finance -silent

What about files not on shares?

We now have a lot of information about files located on shares, which were easy to find. But in the real world, people receive files over email, the web, Dropbox, OneDrive, Pastebin… so we need information that is closer to real time and that covers files wherever they are opened. This is where Office Telemetry comes in.

  • Run Telemetry Dashboard on the machine you prepared for it (it is installed alongside Office 2016; yes, it is a terrible spreadsheet).
  • On the Getting Started page, click Install Telemetry Processor.
  • Run the wizard, which will ask for a SQL Server instance. SQL Express is fine for testing; the instance can be local or remote, and TCP connectivity to it must be allowed. For testing, I recommend installing SQL Express on the machine that will run the Telemetry Processor. In production, scaling needs to be planned.
Create a database for it
  • Point the wizard to a share that all machines can access; the wizard configures the permissions. When machines are offline, they cache data locally until they are back on the network. I wish this could be done over a protocol other than SMB, and over the Internet, but that is what we have for now.
  • For machines not running Office 2016, follow the instructions to deploy the telemetry agent. Office 2016 includes it.
  • Download the Office 2016 GPO Administrative Templates and install them on a machine where you can edit GPOs. The setup extracts the files; copy the content of the ADMX subfolder to C:\Windows\PolicyDefinitions. If you use a central ADMX store, place them in the corresponding directory under SYSVOL instead, such as \\yourdomain.local\SYSVOL\yourdomain.local\Policies\PolicyDefinitions.
  • Create a new GPO linked to an OU with your test users, and browse to Administrative Templates. You should now see Office settings.
  • Under Microsoft Office 2016, you will find Telemetry Dashboard.
  • Configure those policies. Tags let you identify different populations of users: a GPO for roaming users, one for accounting, one for HR, each with its own tag, makes sorting the Telemetry Dashboard database easy. You can also exclude applications from data collection, and enable the privacy setting that keeps full file names out of the logs (highly recommended for real deployments).

By default, the agent uploads roughly every 8 hours, with a random delay added to avoid flooding the file server. The policies let you reduce the randomness and force uploads. In a test environment, you can also edit the agent’s scheduled task in Task Scheduler to shorten the 8-hour trigger.

  • As we start having workstations with users logged in for which the Telemetry GPO has been pushed, the data will start getting uploaded to the share. Periodically, the Telemetry Processor will read that data, and insert it into the database.
  • Run the Telemetry Dashboard and connect to the SQL Express database.
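The GPO steps above can also be done from PowerShell, which is handy when you want one GPO per population with a different tag in each. The following is an added example, not from the original post: it writes the Telemetry Dashboard agent policies into an existing GPO with the GroupPolicy RSAT module, then kicks a pilot machine so data shows up quickly. It assumes a GPO named “Office Telemetry - Pilot” already linked to the pilot OU, that \\server01\telemetry is the share created by the Telemetry Processor wizard, and that the value names match what the Office 2016 ADMX writes under HKCU\Software\Policies\Microsoft\Office\16.0\OSM; verify them against your template version with Get-GPRegistryValue before deploying widely.

```powershell
# Added example (not from the original post): apply the Telemetry Dashboard agent
# policies to a GPO with the GroupPolicy module instead of clicking through the editor.
# Assumptions: GroupPolicy RSAT module installed; GPO "Office Telemetry - Pilot" exists
# and is linked to the pilot OU; \\server01\telemetry is the wizard-created share;
# value names are those written by the Office 2016 ADMX (verify against your templates).
Import-Module GroupPolicy

$gpo = 'Office Telemetry - Pilot'
$key = 'HKCU\Software\Policies\Microsoft\Office\16.0\OSM'

# Turn the agent on and point it at the collection share.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'EnableLogging'   -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'EnableUpload'    -Type DWord  -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'CommonFileShare' -Type String -Value '\\server01\telemetry' | Out-Null

# Privacy: log obfuscated file names and titles rather than full paths.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'EnableFileObfuscation' -Type DWord -Value 1 | Out-Null

# Tags show up as columns in the dashboard; use a different GPO (and tag) per population.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'Tag1' -Type String -Value 'Finance' | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'Tag2' -Type String -Value 'Roaming' | Out-Null

# Lab only: shrink the random upload delay (minutes) and the initial wait (seconds)
# so data appears quickly. Leave the defaults in production to protect the share.
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'AgentRandomDelay' -Type DWord -Value 1  | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'AgentInitWait'    -Type DWord -Value 60 | Out-Null

# Show what the GPO now contains, so a typo in a value name is caught here, not in the field.
Get-GPRegistryValue -Name $gpo -Key $key | Select-Object ValueName, Type, Value | Format-Table -AutoSize

# On a pilot workstation (not on the DC): refresh policy, then run the agent task by hand
# rather than waiting for the next trigger. Task name as it appears for Office 2016;
# check Task Scheduler under \Microsoft\Office if your build names it differently.
# gpupdate /force
# Start-ScheduledTask -TaskPath '\Microsoft\Office\' -TaskName 'OfficeTelemetryAgentLogOn2016'
```

Note that these are user-scope policies (HKCU), so the GPO must be linked where the pilot users, not only their computers, fall under it, and data will only arrive once one of them logs on.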

What is in the dashboard that is useful for security?

Stability of documents and Office versions

A sharp increase in unstable documents could indicate a problem with a document or an add-in, or possibly exploitation attempts: malformed exploit documents often crash the application, and a crash right after a user opened an emailed attachment is worth a look.

Office Add-ins in use

You can see which add-ins are in use and which of them are built in, and you can even have the dashboard generate a GPO that enables or blocks specific add-ins.

A great way to make add-in blacklists, or to manage a whitelist

You can see documents in use and filter on attributes such as the extension. In this example we see all XLSM files, the macro-enabled Excel workbook format. Because privacy is enabled, we do not see the full file names.

For each file loaded, you can see which add-ins were loaded with it and whether it contains an ActiveX control.

What’s next?

Now that you have access to all of this data, you should begin by:

  1. Ensuring your deployment uses up-to-date versions of Office, 64-bit where possible.
  2. Blocking macros in files downloaded from the Internet (those carrying the Mark of the Web).
  3. Identifying the paths that contain legitimate macros with the readiness kit, then either making those paths Trusted Locations where it makes sense (and where users cannot write freely), or signing the macros with a certificate from a trusted publisher, so that macros run automatically only in signed documents.
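The three steps above, expressed as Word, Excel and PowerPoint policy values in a GPO, as an added example that is not part of the original post. It assumes the GroupPolicy RSAT module, a GPO named “Office Macro Hardening - Pilot” linked to the pilot OU, and that \\fileserver\finance\macros is a folder the readiness scan showed to hold legitimate macros and that users cannot write to without change control. The value names (blockcontentexecutionfrominternet, VBAWarnings, and the Trusted Locations keys) are the ones the Office 2016 ADMX writes; confirm them against your templates.

```powershell
# Added example (not from the original post): macro hardening as GPO registry policy.
# Assumptions: GroupPolicy module; GPO "Office Macro Hardening - Pilot" exists and is
# linked to the pilot OU; \\fileserver\finance\macros is a change-controlled folder
# identified by the readiness scan; value names per the Office 2016 ADMX (verify).
Import-Module GroupPolicy

$gpo  = 'Office Macro Hardening - Pilot'
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $sec = "HKCU\Software\Policies\Microsoft\Office\16.0\$app\Security"

    # Step 2: block macros in files that carry the Mark of the Web (downloads, attachments).
    Set-GPRegistryValue -Name $gpo -Key $sec -ValueName 'blockcontentexecutionfrominternet' -Type DWord -Value 1 | Out-Null

    # Step 3 (signing): everywhere else, run only macros signed by a trusted publisher.
    # VBAWarnings: 1 = enable all, 2 = disable with notification,
    #              3 = disable except digitally signed, 4 = disable all without notification.
    Set-GPRegistryValue -Name $gpo -Key $sec -ValueName 'VBAWarnings' -Type DWord -Value 3 | Out-Null
}

# Step 3 (trusted paths): one policy-defined Trusted Location for Excel. Macro checks are
# bypassed entirely there, which is why the folder must not be user-writable.
$tl = 'HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\Trusted Locations'
Set-GPRegistryValue -Name $gpo -Key $tl -ValueName 'AllowNetworkLocations' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$tl\Location1" -ValueName 'Path'            -Type String -Value '\\fileserver\finance\macros\' | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$tl\Location1" -ValueName 'AllowSubfolders' -Type DWord  -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpo -Key "$tl\Location1" -ValueName 'Description'     -Type String -Value 'Finance reporting workbooks (change-controlled)' | Out-Null

# Review the result before linking the GPO any wider.
foreach ($app in $apps) {
    Get-GPRegistryValue -Name $gpo -Key "HKCU\Software\Policies\Microsoft\Office\16.0\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, ValueName, Value
}

# Sanity check on the trusted path: any principal with write rights here can bypass the
# macro blocking you just configured. Assumes the share is reachable from this machine.
(Get-Acl -Path '\\fileserver\finance\macros').Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights
```

Roll this out to the tagged pilot population first and watch the telemetry dashboard for macro-enabled files that stop loading or documents that turn unstable; those are the processes the readiness scan did not catch.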
