Security baseline for Office 2016 and Office 365 ProPlus apps - FINAL

Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft Office Professional Plus 2016 and Office 365 ProPlus 2016 apps. There are no changes from the draft release we published a few weeks ago, other than minor corrections within the spreadsheet.

Highlights of this baseline:

  • Streamlined baseline
  • Stronger macro security
  • Defending against malware by blocking Flash ActiveX activation within Office documents

Download the content from the Microsoft Security Compliance Toolkit (click Download and select Office-2016-baseline.zip).

The downloadable attachment to this blog post includes importable GPOs, scripts for applying the GPOs to local policy, a custom administrative template (ADMX) file for Group Policy settings, all the recommended settings in spreadsheet form and as Policy Analyzer rules. The recommended settings correspond with the Office 2016 administrative templates version 4639 released on December 15, 2017; we have included those ADMX and ADML files in a zip file in the package's Templates subdirectory.

Instead of retaining the entire Office 2013 baseline and simply adding settings that were newly introduced in the Office 2016 GPOs, we have conducted a thorough review of all available configuration settings – as we did beginning with the Windows 10 baselines – including in the baseline only those settings that address contemporary security threats. In the process we removed over eight dozen settings that had been in previous baselines but that were determined not to advance security posture in a meaningful way, and added a handful of new settings. The result is a more streamlined, purposeful baseline that is easier to configure, deploy, and validate.

Macro security

Office’s support for macros remains a vital tool for enterprise automation and at the same time a vector for attack, so macro security remains an important consideration. Office 2016 introduced a new GPO setting, “Block macros from running in Office files from the Internet,” which was later backported to Office 2013. Enabling the setting disables macros embedded in Office documents that came from the Internet, including through email from an external sender. Office displays a notification that does not give the user an option to enable the macros. This baseline enables the setting for all apps that offer it: Excel, PowerPoint, Visio, and Word. Because this setting affects only Office documents received from the Internet that contain embedded macros, we anticipate that enabling it should rarely if ever cause operational problems for enterprises. The setting does not affect documents that are received from the enterprise’s Intranet or Trusted Sites zones.
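One way to verify that the setting is applied and to see which existing files fall in its scope, as an added example that is not part of the original post or the baseline package. It assumes the per-user policy value `blockcontentexecutionfrominternet` and key path used by the Office 2016 ADMX templates, and reads each file's zone from its `Zone.Identifier` stream; the function names and the extension list are hypothetical.

```powershell
# Added example. The value name and key path below come from the Office 2016
# ADMX templates, not from the post; function names are hypothetical.
$Apps = 'excel', 'powerpoint', 'visio', 'word'   # the apps the post lists

function Get-MacroBlockPolicy {
    # Per app: is the per-user policy value present and set to 1 (Enabled)?
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $val = (Get-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
                -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{ App = $app; Value = $val; Enabled = ($val -eq 1) }
    }
}

function Get-ZoneFromMark {
    # Parse the text of a Zone.Identifier stream and return the zone name.
    param([string[]]$Lines)
    $names = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet'; 4 = 'Restricted Sites' }
    foreach ($line in $Lines) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d{1,4})\s*$') {
            $zone = $names[[int]$Matches[1]]
            if ($zone) { return $zone } else { return 'Unknown' }
        }
    }
    return 'No mark'   # no stream or no ZoneId line: file is not zone-marked
}

function Get-MacroFileZone {
    # List macro-capable Office files in a folder with the zone each carries.
    # Per the post, the setting applies to Internet-zone files only.
    param([string]$Folder)
    $ext = '.doc', '.docm', '.dotm', '.xls', '.xlsm', '.xlsb', '.ppt', '.pptm', '.vsdm'
    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $ext -contains $_.Extension } |
        ForEach-Object {
            $mark = Get-Content -LiteralPath $_.FullName -Stream 'Zone.Identifier' `
                    -ErrorAction SilentlyContinue
            $zone = Get-ZoneFromMark -Lines $mark
            [pscustomobject]@{ File = $_.Name; Zone = $zone
                               InScope = ($zone -eq 'Internet') }
        }
}

# Constructed sample: stream content of the kind a browser download carries.
Get-ZoneFromMark -Lines '[ZoneTransfer]', 'ZoneId=3'
Get-MacroBlockPolicy | Format-Table -AutoSize
```

Running `Get-MacroFileZone` against a downloads or attachment folder during pilot testing shows which existing macro-bearing files the setting would affect before it is deployed broadly.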

The baseline also retains the “VBA Macro Notification Settings” options from our previous baselines that require that macros embedded in Office documents be signed by a trusted publisher. We recognize that some organizations have had workflows and processes relying on such macros for a long time, and that enforcing these particular settings can cause operational issues. It can also be challenging to identify all the documents and VBA projects that need to be signed. We will continue considering moving these settings into a separate GPO to make it easier to switch the settings on or off without affecting the rest of the baseline. Please let us know via the comments on this post what you think of that idea.

Blocking Flash activation

We have also added a setting to the custom “MS Security Guide” ADMX that prevents the Adobe Flash ActiveX control from being loaded by Office applications. Vulnerabilities in Adobe Flash are often exploited by sending the victim a Microsoft Office document that contains malformed Flash data and an OLE reference that activates Flash and passes it the malformed data, which triggers the exploit code. This setting allows you to either (1) block all activation of Flash from within Office or (2) only block activation of Flash when it is directly embedded or linked in an Office document. The baseline recommends that you block all activation, as it is the safest option available, but note that it can impact productivity scenarios (e.g. consuming embedded videos in PowerPoint) within your enterprise. Please test this setting within your environment to identify the appropriate level of protection that balances your security and productivity requirements.

Office has long included a “kill-bit” feature similar to Windows’ that enables administrators to block specific controls from being activated within Office processes. Enabling the new setting in “MS Security Guide” configures Flash kill-bit registry values to block Flash activation in Office processes, reducing your security exposure.

Other changes

Although we have removed many settings from the baseline, there are a few changes to which we would like to call attention. All of these are under User Configuration\Administrative Templates.

  • Microsoft Outlook 2016\Account Settings\Exchange, Authentication with Exchange Server: we are keeping this setting enabled, but changing its configuration from “Kerberos/NTLM Password Authentication” to “Kerberos Password Authentication.” We do not anticipate operational issues from strengthening this setting. Please test this change in your environments and let us know what you observe.
  • Microsoft Office 2016\Manage Restricted Permissions, Always require users to connect to verify permission: we are removing this setting from the baseline. There is a security and usability tradeoff, and our finding is that the security benefit is too small for the usability degradation. The setting ensures that if someone’s access to a rights-managed document or email is revoked after they have received it, they will be blocked from opening it the next time they try. The downside is that this blocks all offline access. In our experience, this kind of revocation is far less common than the need to open rights-managed items when in airplane mode.
  • We have dropped the “Disable all trusted locations” Trust Center settings, but disabled two additional “Allow Trusted Locations on the network” settings that had been overlooked in past baselines for Project and Visio.

We believe that this baseline strikes the correct balance between security and usability, but as always we welcome your feedback for opportunities to improve it. Thank you.