locked
How can I disable ALT-F11 without disabling VBA for Office? RRS feed

  • Question

  • Hi

    We're trying to create a secure image that will still allow me to run VB scripts in word documents that our team created, but I don't want users to be able to access the VB editor in any way.

    I managed to disable the developers tab via a GPO reg key but it seems I have no way to disable ALT+F11 without completely disabling VB in Office.

    The GPO "Disable VBA for Office Applications" ruins our documents so it's not an option.

    Is there any way of disabling ALT+F11 only, or to somehow disable the VB editor only, without disabling VB itself?

    Monday, June 17, 2019 3:46 PM

Answers

  • Given the multiple ways a user can access the VBA environment - not just via Alt-F11 - I doubt you'll achieve what you want. One can also access it simply enough via Alt-F8 followed by Alt-E, for example... or by code if access to the VBE is granted.

    And, unless you locked down the VBE in every Office application, users could still work around your restrictions (e.g. by automating any of Word, Excel, Access, PowerPoint, or Outlook from any of that same group of applications - plus any others that can automate Office applications).

     

    Cheers
    Paul Edstein
    [MS MVP - Word]

    • Marked as answer by MercuryZ Monday, July 1, 2019 10:15 AM
    Tuesday, June 25, 2019 12:54 PM

All replies

  • Can you not achieve what you want simply by password-protecting the code module(s) containing your scripts? Is there a reason users should otherwise be prevented from using VBA (e.g. in documents using content controls, etc., or to automate certain processes)?

    Cheers
    Paul Edstein
    [MS MVP - Word]

    Tuesday, June 18, 2019 3:40 AM
  • Hi Paul

    Yes, there is a reason. The VB Editor can be used by attacker as they see fit, this allows for some bad possibilities to open up as a Penetration Test we recently had showed very clearly.

    I simply need to disable the VB Editor in some way without completely disabling VB.


    • Edited by MercuryZ Tuesday, June 18, 2019 10:30 AM
    Tuesday, June 18, 2019 10:02 AM
  • Hi,

    As far a I know, there seems to be no effective way to prevent users from accessing Visual Basic Editor. 

    To restrict access to the macro, apply a Password. This is done using Tools > Properties > Lock Project for Viewing.

    Best Regards,

    Herb


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Office 2019.

    • Marked as answer by MercuryZ Tuesday, June 18, 2019 10:33 AM
    • Unmarked as answer by MercuryZ Tuesday, June 25, 2019 8:36 AM
    Tuesday, June 18, 2019 10:16 AM
  • Hi Herb

    Thank you for the answer.

    Locking our own VBs is all good and nice, but it doesn't prevent a user from opening the VB Editor and basically doing as he pleases with it. If there is a way, I would strongly recommend passing this request on to the product group as an InfoSec request.

    Thanks again for all the help.

    Tuesday, June 18, 2019 10:33 AM
  • Unless you allow trusted access to the VBA environment (which you can disable as a group policy), that suggests your attacker would probably be an insider, perhaps by allowing macros to run in a file they've downloaded from the internet. In Office 2016, that too can be prevented as a group policy. Similarly, you can control the VBA notification settings as a group policy, allowing macros to only be run from trusted locations - which you can likewise define (so as to allow your addin to run). You can also remove the Alt-F11 shortcut.


    Cheers
    Paul Edstein
    [MS MVP - Word]

    Tuesday, June 18, 2019 1:03 PM
  • Unless you allow trusted access to the VBA environment (which you can disable as a group policy), that suggests your attacker would probably be an insider, perhaps by allowing macros to run in a file they've downloaded from the internet. In Office 2016, that too can be prevented as a group policy. Similarly, you can control the VBA notification settings as a group policy, allowing macros to only be run from trusted locations - which you can likewise define (so as to allow your addin to run). You can also remove the Alt-F11 shortcut.


    Cheers
    Paul Edstein
    [MS MVP - Word]

    Hi Paul

    How can I remove the ALT-F11 shortcut? If that is possible it's all I really need.


    • Marked as answer by MercuryZ Tuesday, June 25, 2019 8:35 AM
    • Unmarked as answer by MercuryZ Tuesday, June 25, 2019 8:35 AM
    Monday, June 24, 2019 3:16 PM
  • Deleting the Alt-F11 shortcut is trivial. Go to File|Options|Customize Ribbon>Keyboard Shortcuts:Customize>Categories:Developer Tab>Commands:ViewVBCode>Current Keys:Alt+F11>Remove. By default, the changes are saved to Normal.dotm. So, customize a Normal.dotm and roll that out to the users you want to impact.

    Cheers
    Paul Edstein
    [MS MVP - Word]

    Monday, June 24, 2019 11:40 PM
  • That's almost what I need but I was hoping this was possible through policy or registry and not in a way where a user can simply activate it with whatever keyboard shortcut he desires.

    I need to lock that option somehow.

    Thanks a lot for all your help Paul, it's very appreciated!


    • Edited by MercuryZ Tuesday, June 25, 2019 8:36 AM
    Tuesday, June 25, 2019 8:36 AM
  • Given the multiple ways a user can access the VBA environment - not just via Alt-F11 - I doubt you'll achieve what you want. One can also access it simply enough via Alt-F8 followed by Alt-E, for example... or by code if access to the VBE is granted.

    And, unless you locked down the VBE in every Office application, users could still work around your restrictions (e.g. by automating any of Word, Excel, Access, PowerPoint, or Outlook from any of that same group of applications - plus any others that can automate Office applications).

     

    Cheers
    Paul Edstein
    [MS MVP - Word]

    • Marked as answer by MercuryZ Monday, July 1, 2019 10:15 AM
    Tuesday, June 25, 2019 12:54 PM