Security baseline for Office 365 ProPlus (v2103, March 2021) - DRAFT

    Posted: 30 Mar 2021

    Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for Microsoft Office 365 ProPlus, version 2103. We invite you to download the draft baseline package (attached to this post), evaluate the proposed baselines, and provide us your comments and feedback below.

    This baseline builds on the previous Office baseline we released mid-2019. The highlights of this baseline include:

    • Restrict legacy JScript execution for Office to help protect against remote code execution attacks while maintaining user productivity, since core services continue to function as usual.
    • Expanded macro and add-in protection: macros and application add-ins must be signed by a Trusted Publisher. Trust Bar notifications for unsigned application add-ins are also turned off, so unsigned add-ins are silently disabled rather than prompting the user.
    • Block Dynamic Data Exchange (DDE) entirely.
    • New policies added for Microsoft Defender Application Guard, protecting users from unsafe documents.

    Also, see the information at the end of this post regarding updates to Security Policy Advisor and Office Cloud Policy Services.

    The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, updated custom administrative template (SecGuide.ADMX/L) file, all the recommended settings in spreadsheet form and a Policy Analyzer rules file. The recommended settings correspond with the Office 365 ProPlus administrative templates version 5140, released February 26, 2021.

    GPOs included in the baseline

    Most organizations can implement the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We've broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed.

    The “MSFT Office 365 ProPlus 2103” GPO set includes “Computer” and “User” GPOs that carry the “core” settings, which should be trouble free, plus the following potentially challenging GPOs, each of which is described later in this post:

    • “Legacy JScript Block - Computer” is a Computer Configuration GPO that disables legacy JScript execution for websites in the Internet zone and the Restricted Sites zone.
    • “Legacy File Block - User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.
    • “Require Macro Signing - User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.
    • “DDE Block - User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones.

    Restrict legacy JScript execution for Office

    The JScript engine is a legacy component of Internet Explorer that has been replaced by JScript9. Some organizations may have Office applications and workloads that still rely on this component, so it is important to determine whether legacy JScript provides business-critical functionality before you enable this setting. Blocking the legacy JScript engine helps protect against remote code execution attacks while maintaining user productivity, since core services continue to function as usual. As a security best practice, we recommend disabling legacy JScript execution for websites in the Internet zone and the Restricted Sites zone. We have added a new custom setting called "Restrict legacy JScript execution for Office" to the baseline and provided it in a separate GPO, "MSFT Office 365 ProPlus 2103 - Legacy JScript Block - Computer", to make it easier to deploy. Learn more about Restrict JScript at a Process Level.

    Note: It can be a challenge to identify every application and workload that uses the legacy JScript engine. A webpage typically opts into it by setting the script language attribute in HTML to JScript.Encode or JScript.Compact, and it can also be reached through the WebBrowser control (WebOC). After the policy is applied, Office will not execute legacy JScript for websites in the Internet zone or the Restricted Sites zone. Applying this Group Policy can therefore break functionality in an Office application or add-in that requires the legacy JScript component, and users are not notified by the application that legacy JScript execution has been restricted. Modern JScript9 continues to function for all zones.

    Important: If you disable or don’t configure this Group Policy setting, legacy JScript runs without any restriction at the application level.
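    The note above says the hard part is finding who still depends on the legacy engine. As an added example (not part of the Microsoft post or of the baseline package), the PowerShell below scans a directory tree for HTML-type content that explicitly selects the legacy engine through the script language attribute the note describes. The list of file extensions and the sample page are my own constructions; the function cannot see legacy JScript reached at run time from compiled add-ins or through the WebBrowser control, so an empty result is necessary but not sufficient evidence that the block is safe to deploy.

```powershell
# Added example; not part of the Microsoft post or of the baseline package.
# Finds pages that opt into the legacy JScript engine via a script "language"
# attribute of JScript.Encode or JScript.Compact, which the baseline's
# "Restrict legacy JScript execution for Office" setting stops running for
# Internet and Restricted Sites zone content inside Office processes.

function Find-LegacyJScriptUsage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # File types worth scanning (assumption; extend to whatever your add-ins ship)
        [string[]] $Include = @('*.htm', '*.html', '*.hta', '*.asp', '*.aspx', '*.mht')
    )
    # Matches language="JScript.Encode", language='jscript.compact', language=JScript.Encode
    $pattern = '(?i)\blanguage\s*=\s*["'']?\s*JScript\.(Encode|Compact)\b'

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Variant = $_.Matches[0].Groups[1].Value   # Encode or Compact
                Snippet = $_.Line.Trim()
            }
        }
}

# Constructed sample page (not a real intranet page) so the function can be tried offline.
$sampleDir = Join-Path $env:TEMP 'legacy-jscript-scan-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
<html><head>
<script language="JScript.Encode">#@~^AAAAAA==constructedsample@#@&</script>
<script type="text/javascript">/* modern engine: not flagged */</script>
</head></html>
'@ | Set-Content -Path (Join-Path $sampleDir 'legacy.htm')

Find-LegacyJScriptUsage -Path $sampleDir | Format-Table -AutoSize

# Real use: point it at intranet web roots and at the folders your Office add-ins
# load HTML from, then review every hit with the owning team before linking the
# "Legacy JScript Block - Computer" GPO.
# Find-LegacyJScriptUsage -Path '\\fileserver\intranet' | Export-Csv legacy-jscript-hits.csv -NoTypeInformation
```

    Because the restriction is silent (the Important note above), a pilot OU with the GPO linked and a help-desk watch on "the page stopped working" reports is the practical complement to this static scan.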

    Comprehensive blocking of legacy file formats

    In the last Office baseline we published, we blocked legacy file formats in a separate GPO that can be applied as a cohesive unit. There are no changes to the legacy file formats recommended to block.

    Blocking DDE entirely

    Excel already disables Dynamic Data Exchange (DDE) as an interprocess communication method under the previous baseline, and Word now has a new “Dynamic Data Exchange” setting, which we have configured to Disabled. Because of the Word addition, the existing GPO has been renamed to “MSFT Office 365 ProPlus 2103 - DDE Block – User”.

    Macro signing

    The “VBA Macro Notification Settings” policy has been updated for Access, Excel, PowerPoint, Publisher, Visio, and Word with a new option. To further control macros, we now recommend that macros also be signed by a Trusted Publisher. With this new recommendation, macros that are not digitally signed by a Trusted Publisher will be blocked from running. Learn more at Upgrade signed Office VBA macro projects to V3 signature.

    Note: Enabling “Block macros from running in Office files from the Internet” continues to be considered part of the main baseline and should be enforced by all security-conscious organizations.
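    The JScript, DDE and macro sections above each map to Group Policy settings that end up as registry values on the client. As an added example (not part of the Microsoft post or of the baseline package's own scripts), the PowerShell below reads those values and reports whether each one matches what the draft baseline sets, which is useful for spot-checking a pilot machine after gpupdate. The value names blockcontentexecutionfrominternet, vbawarnings, DisableDDEServerLaunch, DisableDDEServerLookup and the FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE feature-control key are the documented mappings; Word's AllowDDE value, the vbadigsigtrustedpublishersonly value for the new Trusted Publisher option, and the list of Office process names under the feature-control key are assumptions that should be confirmed against the baseline spreadsheet before relying on them.

```powershell
# Added example; not part of the Microsoft post or of the baseline package's scripts.
# User Configuration settings are written under HKCU\Software\Policies; the legacy
# JScript feature control is a Computer Configuration setting under HKLM.

$officePolicy = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$apps = 'Word', 'Excel', 'PowerPoint', 'Access', 'Visio', 'Publisher'

# Require Macro Signing - User GPO plus the main-baseline Internet macro block
$checks = foreach ($app in $apps) {
    [pscustomobject]@{
        Setting = "$app - Block macros from running in Office files from the Internet"
        Key     = "$officePolicy\$app\Security"
        Name    = 'blockcontentexecutionfrominternet'
        Want    = 1
    }
    # vbawarnings = 3 is "Disable all except digitally signed macros"
    [pscustomobject]@{
        Setting = "$app - VBA Macro Notification Settings (signed macros only)"
        Key     = "$officePolicy\$app\Security"
        Name    = 'vbawarnings'
        Want    = 3
    }
    # ASSUMED value name for the new "signed by a Trusted Publisher" option
    [pscustomobject]@{
        Setting = "$app - VBA macros must be signed by a Trusted Publisher (assumed value name)"
        Key     = "$officePolicy\$app\Security"
        Name    = 'vbadigsigtrustedpublishersonly'
        Want    = 1
    }
}

# DDE Block - User GPO
$checks += [pscustomobject]@{ Setting = 'Excel - Do not allow DDE server launch'
    Key = "$officePolicy\Excel\Security\External Content"; Name = 'DisableDDEServerLaunch'; Want = 1 }
$checks += [pscustomobject]@{ Setting = 'Excel - Do not allow DDE server lookup'
    Key = "$officePolicy\Excel\Security\External Content"; Name = 'DisableDDEServerLookup'; Want = 1 }
$checks += [pscustomobject]@{ Setting = 'Word - Dynamic Data Exchange disabled (assumed value name)'
    Key = "$officePolicy\Word\Security"; Name = 'AllowDDE'; Want = 0 }

# Legacy JScript Block - Computer GPO: one value per Office process, a bitmask with
# one nibble per zone (Local Machine 0x1, Intranet 0x10, Trusted 0x100,
# Internet 0x1000, Restricted 0x10000). 0x11000 = 69632 restricts Internet + Restricted.
$jscriptKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_LEGACY_JSCRIPT_PER_SECURITY_ZONE'
$officeExes = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe',
              'mspub.exe', 'visio.exe', 'winproj.exe', 'onenote.exe'   # assumed process list
$checks += foreach ($exe in $officeExes) {
    [pscustomobject]@{ Setting = "Restrict legacy JScript for $exe"; Key = $jscriptKey; Name = $exe; Want = 69632 }
}

function Test-BaselineSetting {
    param([string] $Key, [string] $Name, [int] $Want)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    # Missing key or value means "not configured": Office falls back to its built-in default,
    # which for the JScript control means legacy JScript runs without restriction.
    if ($null -eq $item) { return 'NotConfigured' }
    $actual = $item.$Name
    if ($actual -eq $Want) { 'OK' } else { "Mismatch (found $actual)" }
}

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting = $c.Setting
        Status  = Test-BaselineSetting -Key $c.Key -Name $c.Name -Want $c.Want
    }
}
$report | Sort-Object Status, Setting | Format-Table -AutoSize
```

    Run it in the context of a user who has received the User GPOs; HKLM values are readable without elevation. Settings delivered through the Office cloud policy service (described at the end of this post) are stored under a separate cloud policy path rather than the Group Policy path checked here, so adjust $officePolicy if that is how you deploy. A row reporting NotConfigured for the assumed value names may simply mean the assumed name is wrong, so confirm those against the settings spreadsheet in the package before acting on them.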

    Application Guard policies

    We're excited to announce the integration of Office with Microsoft Defender Application Guard. When Application Guard is enabled for your tenant, the integration will help prevent untrusted files from accessing trusted resources. New policies for Application Guard are added to the baseline to protect users from unsafe documents including enabling "Prevent users from removing Application Guard protection on files." and disabling "Turn off protection of unsupported file types in Application Guard for Office." Learn more about Microsoft Defender Application Guard.

    Other changes in the baseline

    • New policy: "Control how Office handles form-based sign-in prompts". We recommend enabling it with the option that blocks all prompts. This results in no form-based sign-in prompts being displayed to the user; instead the user is shown a message that the sign-in method isn’t allowed. We understand this setting might cause some issues, and we value your feedback during the Draft cycle of this baseline posting.
    • New policy: We recommend enforcing the default by disabling "Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine" (Note: This policy description is a double negative, the behavior we recommend is the security checks remain ON).
    • New policy: We recommend enforcing the default by disabling "Allow VBA to load typelib references by path from untrusted intranet locations”. Learn more at FAQ for VBA solutions affected by April 2020 Office security updates.
    • New dependent policy: the "Disable Trust Bar Notification for unsigned application add-ins" policy had a dependency that was missed in the previous baseline. To correct this, we have added the missing policy, "Require that application add-ins are signed by Trusted Publisher". This applies to Excel, PowerPoint, Project, Publisher, Visio, and Word.
    • Removed from the baseline: "Do not display 'Publish to GAL' button". While this setting has been there for a long time, after further research, we believe this setting is used to ensure good deployment practices and not to mitigate security concerns.

    Deploy policies from the cloud, and get tailored recommendations for specific security policies

    Deploy user-based policies from the cloud to any Office 365 ProPlus client through the Office cloud policy service. The Office cloud policy service allows administrators to define policies for Office 365 ProPlus and assign these policies to users via Azure Active Directory security groups. Once defined, policies are automatically enforced as users sign in and use Office 365 ProPlus. No need to be domain joined or MDM enrolled, and it works with corporate-owned devices or BYOD. Learn more about Office cloud policy service.

    Security Policy Advisor can help give you insights on the security and productivity impact of deploying certain security policies. Security Policy Advisor provides you with tailored recommendations based on how Office is used in your enterprise. For example, in most customer environments, macros are typically used in apps such as Excel and only by specific groups of users. Security Policy Advisor helps you identify groups of users and applications where macros can be disabled with minimal productivity impact, and optionally integrate with Office 365 Advanced Threat Protection to provide you details on who is being attacked. Learn more about Security Policy Advisor.

    As always, please let us know your thoughts by commenting on this post.

    Posted By: Brink
    30 Mar 2021

