In a default install of Office 2013, there may be features that could cause security issues, such as data leakage, in your environment if your end users handle sensitive data. Here are a few of the settings you can use to remove these features from Office 2013 installs. (Note: You’ll need to have the Office 2013 ADMX files installed on your management station or Group Policy Central Store. Refer to Part 1 of this series for a download link and install instructions.)
Remove access to OneDrive [Consumer]
By default, end users can sign in to their Microsoft Account within Office 2013 and access their OneDrive [Consumer] files. This also means they can potentially save company data there.
Go to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Miscellaneous > Block signing into Office. Set the option to Enabled and specify “Org ID only.”
Block signing into Office to prevent access to OneDrive
If end users try to access their OneDrive by going to Connected Services in the Account settings (File > Account), they’ll see that OneDrive – Personal is grayed out, and they’ll see the message, “Your administrator has blocked OneDrive – Personal on this computer.” There are still plenty of other ways an end user could access OneDrive, but this removes the option in Office 2013.
Your administrator has blocked OneDrive - Personal on this computer
Remove feedback options
Even though Microsoft has a privacy policy for the product feedback functionality in Office 2013, many organizations still like to turn it off just to ensure they are in compliance with local laws and their own security policies. The Office 2013 “Send a Smile” feedback system also has a feature that allows end users to send a screenshot with their feedback—something you may want to turn off for users who handle sensitive data.
Send a Smile in Office 2013 allows sending screenshots to Microsoft
The Send a Smile and Customer Experience Improvement Program (CEIP) options can be found in User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Privacy > Trust Center. Set “Allow including screenshot with Office Feedback,” “Enable Customer Experience Improvement Program,” and “Send Office Feedback” all to Disabled.
Disabling feedback and CEIP options
Remove Internet faxing
In Office 2013 applications, users can go to Share > Email > Send as Internet Fax and connect to third-party Internet faxing services that may not be approved by the organization. You can remove access to Internet faxing by going to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Services > Fax > Disable Internet Fax Feature and setting the option to Enabled.
Send as Internet Fax option in Word 2013
Manage Trusted Locations
Trusted Locations can be specified for Office 2013 applications so that Office applications open files in those folders with lower security. This can be very helpful to eliminate pop-ups for templates and macro-enabled files, but it can cause some security issues if end users control the settings themselves.
Office has default locations (specified in the Office install) for Trusted Locations, but you can remove the ability for a user to change the setting by going to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Security Settings > Trust Center > Allow mix of policy and user locations and setting the option to Disabled.
“Allow mix of policy and user locations” set to Disabled
The end user is unable to add additional locations in the Trust Center
If you want to add locations, you can do so in User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Security Settings > Trust Center or User Configuration > Policies > Administrative Templates > Microsoft $ApplicationName 2013 > $ApplicationName Options > Security > Trust Center > Trusted Locations. You can set up to 20 Trusted Locations using Trusted Location #1 through #20.
Example of a network Trusted Location for Office 2013
Just be aware of one gotcha: By default, network locations aren’t included in Trusted Locations unless you enable them. You’ll need to go to User Configuration > Policies > Administrative Templates > Microsoft $ApplicationName 2013 > $ApplicationName Options > Security > Trust Center > Trusted Locations > Allow Trusted Locations on the network for each Office application and set the option to Enabled.
Allow Trusted Locations on the network set to Enabled for Word 2013
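One way to verify that a GPO actually carries the settings described above, as an added example (not code from the original article): it parses the XML produced by Get-GPOReport -ReportType Xml and compares each policy's state with the value the article recommends. The function name Test-OfficeLockdown, the GPO name and the embedded sample report are assumptions constructed for illustration.

```powershell
# Expected state per policy, using the setting names given in the article.
$expected = [ordered]@{
    'Block signing into Office'                       = 'Enabled'
    'Allow including screenshot with Office Feedback' = 'Disabled'
    'Enable Customer Experience Improvement Program'  = 'Disabled'
    'Send Office Feedback'                            = 'Disabled'
    'Disable Internet Fax Feature'                    = 'Enabled'
    'Allow mix of policy and user locations'          = 'Disabled'
}

function Test-OfficeLockdown {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Report)
    # Administrative Templates settings appear as <Policy> elements with <Name> and
    # <State> children. The namespace prefix varies, so match on local-name().
    # Only the state is checked, not drop-down values such as "Org ID only".
    $found = @{}
    $xpath = "/*[local-name()='GPO']/*[local-name()='User']//*[local-name()='Policy']"
    foreach ($p in $Report.SelectNodes($xpath)) {
        $name = $p.SelectSingleNode("*[local-name()='Name']").InnerText
        $found[$name] = $p.SelectSingleNode("*[local-name()='State']").InnerText
    }
    foreach ($name in $expected.Keys) {
        # A policy missing from the report has never been configured in this GPO.
        $actual = if ($found.ContainsKey($name)) { $found[$name] } else { 'Not Configured' }
        [pscustomobject]@{
            Policy    = $name
            Expected  = $expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $expected[$name])
        }
    }
}

# Constructed sample in the shape of a Get-GPOReport XML report (not from a real GPO).
$sample = [xml]@'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <User><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
      <q1:Policy><q1:Name>Block signing into Office</q1:Name><q1:State>Enabled</q1:State></q1:Policy>
      <q1:Policy><q1:Name>Send Office Feedback</q1:Name><q1:State>Disabled</q1:State></q1:Policy>
      <q1:Policy><q1:Name>Disable Internet Fax Feature</q1:Name><q1:State>Disabled</q1:State></q1:Policy>
    </Extension>
  </ExtensionData></User>
</GPO>
'@
Test-OfficeLockdown -Report $sample | Format-Table -AutoSize
# Against a real GPO (hypothetical name; needs the GroupPolicy module from RSAT):
# Test-OfficeLockdown -Report ([xml](Get-GPOReport -Name 'Office 2013 Lockdown' -ReportType Xml))
```

In the sample, the fax policy is reported as non-compliant because it is set to Disabled, and the three settings absent from the report show as Not Configured.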
Good article and good ideas. We still haven’t even talked about an Office 2013 upgrade yet, as we are still on 2010. I would be surprised if it happened this year but I’m keeping up with any notes on it that I can.
I wonder how many other people are going to be in the same position as I for a while yet.
Thanks for this great article. I never thought about the possible data leak.
(Un)fortunately we still use MS Office 2010. I wonder if there are also some restrictions I should set using GPOs for the version 2010.
Have you ever written an article about that or can you recommend any article?
Thanks
Michael
With the exception of the OneDrive settings, I believe the other settings have comparable equivalents in Office 2010 using those ADMX files. I’ve been off Office 2010 for quite some time now.
Hi thanks for the tips! Have you by chance found a way to grey-out or get rid of altogether the access to “Apps for Office” within Outlook under File>Manage Apps and the button you see on the ribbon when you create a new message?
Thanks, Pete
Sorry for not getting back to you sooner, Pete. I needed to research your question a bit further to see if it was possible to disable that feature. The “Manage Apps” functionality in Outlook is a feature of Exchange, not Outlook from everything I’ve read. The EAC gives you the ability to perform some management of the apps that are available, but I haven’t seen a way to completely disable it yet.
Hello Kyle,
Is it possible after an Office 365 installation by GPO (click to run) to prevent the opening of this window:
here is the picture I want to remove:
https://www.google.fr/imgres?imgurl=https%3A%2F%2Fsupport.content.office.net%2Ffr-fr%2Fmedia%2Fdcc564ff-7829-4927-9870-ccfc518da624.png&imgrefurl=https%3A%2F%2Fsupport.office.com%2Ffr-fr%2Farticle%2Factiver-office-365-office-2016-ou-office-2013-5bd38f38-db92-448b-a982-ad170b1e187e&docid=Pvky4Eb5Wo8RbM&tbnid=6MNQQTO8kwYZOM%3A&vet=10ahUKEwjGsryTi-rdAhXJy4UKHUfOA2sQMwg-KAAwAA..i&w=520&h=307&bih=927&biw=1920&q=connecter%20vous%20pour%20configurer%20office&ved=0ahUKEwjGsryTi-rdAhXJy4UKHUfOA2sQMwg-KAAwAA&iact=mrc&uact=8
Best regards