benjamin-robertson/acsc_e8_office_hardening

acsc_e8_office_hardening

Automate the enforcement of the ACSC Essential Eight Microsoft Office macro security controls.

The module will restrict the use of macros within Office.

There are 4 operating modes:

  • All macros allowed - default mode
  • All macros disabled - disables all macros in Office; the most secure setting
  • Only macros from trusted locations - only permits macros from locations specified in the trusted_locations parameter
  • Only macros digitally signed by trusted publishers - macros must be signed by a trusted publisher

Please see ACSC documentation for more details. Saved link

Table of Contents

  1. Description
  2. Setup - The basics of getting started with acsc_e8_office_hardening
  3. Usage - Configuration options and additional functionality
  4. Limitations - OS compatibility, etc.
  5. Development - Guide for contributing to the module

Description

Use this module to automate the enforcement of ACSC Essential 8 Office macro controls.

Setup

What acsc_e8_office_hardening affects

acsc_e8_office_hardening will add required registry settings to systems to restrict Office macros as required.

Most registry settings are applied under HKEY_USERS. Because each user has their own registry hive, Puppet will manage a significant number of resources. acsc_e8_office_hardening also modifies the default user hive, c:\users\Default\ntuser.dat, so that the restrictions apply to any new user who logs on to the system. Without this, Puppet won't restrict that user until the next Puppet run, which is a suboptimal outcome. By default the module mounts and checks the default ntuser.dat on each clean boot and every 24 hours thereafter.

Setup Requirements

Plugin sync is required for this module. Three facts will be automatically distributed:

  • office_macro_local_sids
  • office_macro_last_run
  • office_macro_uptime

The following Forge modules are required:

  • puppetlabs-stdlib
  • puppetlabs-registry

Beginning with acsc_e8_office_hardening


Usage

In its most basic form (non-enforcement mode):

include acsc_e8_office_hardening

Block all macros

  class {'acsc_e8_office_hardening':
    macro_setting       => 'all_macros_disabled',
  }

Permit macros from trusted locations using a profile and Hiera

class profile::office_hardening (
  Hash $trusted_locations = {}
){
  class {'acsc_e8_office_hardening':
    macro_setting       => 'macros_from_trusted_locations',
    trusted_locations   => $trusted_locations,
  }
}

Corresponding Hiera data

profile::office_hardening::trusted_locations:
  location1:
    path: 'c:\\temp'
    date: '12/12/2021 12:00 PM'
    description: 'Temp on c for macros'
    allowsub: true

Explanation of the trusted_locations hash

  location1: - Name of hash
    path: 'c:\\temp' - Path to allow (string)
    date: '12/12/2021 12:00 PM' - Date, use format as shown (string) (Optional)
    description: 'Temp on c for macros' - Description of location (string) (Optional)
    allowsub: true - Permit subdirectories, true/false (boolean) (Optional)
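
A lint for the trusted_locations data described above, as an added example that is not part of the module: it checks the field types listed in the explanation and flags paths that standard users can normally write to, because Office runs macros from a trusted location without prompting. The function names and the USER_WRITABLE prefix list are assumptions made for illustration, and the sample data is constructed (location1 is the README's own example).

```ruby
require 'yaml'

# Constructed sample Hiera data; location1 is the example from this README.
SAMPLE_HIERA = <<~'YAML'
  profile::office_hardening::trusted_locations:
    location1:
      path: 'c:\\temp'
      date: '12/12/2021 12:00 PM'
      description: 'Temp on c for macros'
      allowsub: true
    location2:
      path: 'c:\\program files\\approved_macros'
      allowsub: 'yes'
    location3:
      date: '2021-12-12'
YAML

# Shape of the date string shown in the README ('12/12/2021 12:00 PM').
DATE_SHAPE = %r{\A\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} (AM|PM)\z}
# Assumption: prefixes that standard users can usually write to on Windows.
USER_WRITABLE = ['c:/temp', 'c:/users', 'c:/windows/temp', '%temp%',
                 '%userprofile%', '%appdata%'].freeze

# Returns location name => array of findings (an empty array means clean).
def lint_trusted_locations(locations)
  locations.each_with_object({}) do |(name, loc), report|
    issues = []
    path = loc['path']
    if !path.is_a?(String) || path.strip.empty?
      issues << 'path is required and must be a string'
    else
      # Collapse single or doubled backslashes so prefixes compare reliably.
      norm = path.downcase.gsub(/\\+/, '/').chomp('/')
      risky = USER_WRITABLE.any? { |p| norm == p || norm.start_with?("#{p}/") }
      issues << 'path is normally writable by standard users' if risky
    end
    issues << "date must look like '12/12/2021 12:00 PM'" if loc.key?('date') && loc['date'].to_s !~ DATE_SHAPE
    issues << 'allowsub must be a boolean' if loc.key?('allowsub') && ![true, false].include?(loc['allowsub'])
    report[name] = issues
  end
end

# Parses the constructed sample and lints its trusted_locations hash.
def lint_sample
  data = YAML.safe_load(SAMPLE_HIERA)
  lint_trusted_locations(data['profile::office_hardening::trusted_locations'])
end

lint_sample.each { |name, issues| puts "#{name}: #{issues.empty? ? 'ok' : issues.join('; ')}" }
```

A flagged path is a prompt to check the directory's ACL, not proof that it is writable; the prefix list is a heuristic.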

Limitations

Supported Office versions

  • Office 365
  • Office 2016
  • Office 2019

Developed and tested on

  • Windows 2019
  • Office 365

Development

Please submit any issues to the issue tracker. Pull requests keenly accepted :)