Security baseline for Office 365 ProPlus (v1908, Sept 2019) – FINAL

Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft Office 365 ProPlus, version 1908. Please evaluate this proposed baseline and send us your feedback through the Baselines Discussion site.

This baseline builds on the overhauled Office baseline we released in early 2018. The highlights of this baseline include:

  • Componentization of GPOs so that “challenging” settings can be added or removed as a unit.
  • Comprehensive blocking of legacy file formats
  • Blocking Excel from using Dynamic Data Exchange (DDE)

Also see the notes at the end of this post regarding the new Security Policy Advisor and Office cloud policy services.

Download the content from the Security Compliance Toolkit.

The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, a custom administrative template (ADMX) file for Group Policy settings, and all the recommended settings in spreadsheet form and as Policy Analyzer rules. The recommended settings correspond with the Office 365 ProPlus administrative templates version 4909 released on September 5, 2019, which can be downloaded here.

Componentization of GPOs

Most organizations can implement the majority of the baseline’s recommended settings without any problems. There are a few settings that will cause operational issues for some organizations. We have broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script, Baseline-LocalInstall.ps1, offers command-line options to control whether these GPOs are installed.

The “MSFT Office 365 ProPlus 1907” GPO set includes “Computer” and “User” GPOs that represent the “core” settings that should be trouble free, and each of these potentially challenging GPOs, each of which is described later:

  • “Legacy File Block – User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.
  • “Require Macro Signing – User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.
  • “Excel DDE Block – User” is a User Configuration GPO that blocks Excel from using DDE to search for existing DDE server processes or to start new ones.

Comprehensive blocking of legacy file formats

In the previous Office baseline we published, we tried to end the use of legacy file formats, including all the old Office file formats such as *.doc, *.xls, and *.ppt. We missed some important ones. We have now fixed that.

One of the dangers of these old binary file formats is that their inherent complexity often led to exploitable bugs in their parsers. The bigger threat is that many of these formats can contain macros or other executable instructions that are easily abused. By contrast, macros are disabled with the most commonly used Office Open XML (OOXML) file formats, which were first introduced with Office 2007. Only macro-enabled formats such as *.docm and *.xlsm support macros, and these can be filtered at the point of ingress.
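The ingress filtering mentioned above, as an added example that is not part of the baseline package: it classifies attachments by content rather than by extension, so a renamed macro-enabled or legacy file is still caught. The function names, the blocking policy and the sample files are assumptions constructed for illustration.

```python
import io
import zipfile

# OLE2 compound-file signature of legacy *.doc, *.xls, *.ppt (also *.msi, *.msg).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppsm")

def classify(name: str, data: bytes) -> str:
    """Return 'legacy-binary', 'macro-enabled', 'ooxml' or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            parts = [n.lower() for n in z.namelist()]
            # Cap the read so a hostile archive cannot exhaust memory.
            with z.open("[Content_Types].xml") as f:
                ctypes = f.read(1 << 20).decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return "other"  # not a ZIP, or a ZIP without the OOXML content-type part
    has_vba = any(p.endswith("vbaproject.bin") for p in parts) or "vbaProject" in ctypes
    if has_vba or "macroEnabled" in ctypes or name.lower().endswith(MACRO_EXTS):
        return "macro-enabled"
    return "ooxml"

def should_block(name: str, data: bytes) -> bool:
    """Policy assumed here: drop legacy binaries and anything carrying macros."""
    return classify(name, data) in ("legacy-binary", "macro-enabled")

def _package(content_type: str, extra_parts=()) -> bytes:  # constructed demo ZIP
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", f'<Types><Override PartName='
                   f'"/word/document.xml" ContentType="{content_type}"/></Types>')
        z.writestr("word/document.xml", "<document/>")
        for part in extra_parts:
            z.writestr(part, b"\x00")
    return buf.getvalue()

_DOCX = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
_DOCM = "application/vnd.ms-word.document.macroEnabled.main+xml"
SAMPLES = {  # constructed inputs, not real documents
    "report.docx": _package(_DOCX),
    "invoice.docm": _package(_DOCM, ["word/vbaProject.bin"]),
    "renamed.docx": _package(_DOCM, ["word/vbaProject.bin"]),  # macro file, benign extension
    "old.doc": OLE_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text",
}
if __name__ == "__main__":
    print({name: classify(name, blob) for name, blob in SAMPLES.items()})
```

Password-protected OOXML files are stored inside an OLE container, so this check reports them as legacy-binary and they need separate handling.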

While fixing that, however, we also recognized that many organizations cannot completely end their use of legacy Office file formats, so we broke out the file-blocking settings into a separate GPO, so they can be added or removed as a cohesive unit.

Blocking Excel from using DDE

Dynamic Data Exchange (DDE) is a very old interprocess communication method that is still used in some parts of Windows and remains supported for applications to use, mostly for backward compatibility. A few years ago, malware authors began embedding specially crafted DDE references in Office files sent to victims, which would run attacker-chosen code. Since then, most Office apps have disabled the use of DDE. Excel by default blocks the ability to launch arbitrary DDE servers and now also supports user-configurable settings to enable DDE server process lookup and launch. These can now be configured through Group Policy, and this baseline recommends disabling both settings. Because of the possibility that some organizations still depend on this functionality, we have broken out “Excel DDE Block” as a separate GPO.

Macro signing

The baseline also retains the “VBA Macro Notification Settings” options from our previous baselines that require that macros embedded in Office files be signed by a trusted publisher. We recognize that some organizations have had workflows and processes relying on such macros for a long time, and that enforcing these particular settings can cause operational issues. It can also be difficult to identify all the files and VBA projects that need to be signed. We have decided at this time to move these settings into a separate GPO to make it easier to switch the settings on or off without affecting the rest of the baseline.

Note that the “Block macros from running in Office files from the Internet” settings we turned on in the previous baseline are retained in the main GPOs and should be enforced by all security-conscious organizations.

Also see below about how the new Security Policy Advisor service can provide tailored recommendations for VBA macro policies.

Other changes in the baseline

“Block macros from running in Office files from the Internet” is now supported for Access, so we added it.

Implemented new settings to block the opening of certain untrusted files and to open others in Protected View.

Enabled the new “Macro Runtime Scan Scope” setting.

Removed the file block setting for “PowerPoint beta converters,” as Office no longer implements that block.
