Many of the default install options for Microsoft Office 2013 could result in end users leaking organizational data unintentionally. In this article, I’ll discuss some of the options you can use in Group Policy to improve Office security.

In a default install of Office 2013, there may be features that could cause security issues, such as data leakage, in your environment if your end users handle sensitive data. Here are a few of the settings you can use to remove these features from Office 2013 installs. (Note: You’ll need to have the Office 2013 ADMX files installed on your management station or Group Policy Central Store. Refer to Part 1 of this series for a download link and install instructions.)

Remove access to OneDrive [Consumer]

By default, end users can sign in to their Microsoft Account within Office 2013 and access their OneDrive [Consumer] files. This also means they can potentially save company data there.

Go to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Miscellaneous > Block signing into Office. Set the option to Enabled and specify “Org ID only.”

Block signing into Office to prevent access to OneDrive

If end users try to access their OneDrive by going to Connected Services in the Account settings (File > Account), they’ll see that OneDrive – Personal is grayed out, and they’ll see the message, “Your administrator has blocked OneDrive – Personal on this computer.” There are still plenty of other ways an end user could access OneDrive, but this removes the option in Office 2013.

Your administrator has blocked OneDrive - Personal on this computer

Remove feedback options

Even though Microsoft has a privacy policy for the product feedback functionality in Office 2013, many organizations still like to turn it off just to ensure they are in compliance with local laws and their own security policies. The Office 2013 “Send a Smile” feedback system also has a feature that allows end users to send a screenshot with their feedback—something you may want to turn off for users who handle sensitive data.

Send a Smile in Office 2013 allows sending screenshots to Microsoft

The Send a Smile and Customer Experience Improvement Program (CEIP) options can be found in User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Privacy > Trust Center. Set “Allow including screenshot with Office Feedback,” “Enable Customer Experience Improvement Program,” and “Send Office Feedback” all to Disabled.

Disabling feedback and CEIP options

Remove Internet faxing

In Office 2013 applications, users can go to Share > Email > Send as Internet Fax and connect to third-party Internet faxing services that may not be approved by the organization. You can remove access to Internet faxing by going to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Services > Fax > Disable Internet Fax Feature and setting the option to Enabled.

Send as Internet Fax option in Word 2013

Manage Trusted Locations

Trusted Locations can be specified for Office 2013 applications so that Office applications open files in those folders with lower security. This can be very helpful to eliminate pop-ups for templates and macro-enabled files, but it can cause some security issues if end users control the settings themselves.

Office has default locations (specified in the Office install) for Trusted Locations, but you can remove the ability for a user to change the setting by going to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Security Settings > Trust Center > Allow mix of policy and user locations and setting the option to Disabled.

“Allow mix of policy and user locations” set to Disabled

The end user is unable to add additional locations in the Trust Center

If you want to add locations, you can do so in User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Security Settings > Trust Center or User Configuration > Policies > Administrative Templates > Microsoft $ApplicationName 2013 > $ApplicationName Options > Security > Trust Center > Trusted Locations. You can set up to 20 Trusted Locations using Trusted Location #1 through #20.

Example of a network Trusted Location for Office 2013

Just be aware of one gotcha: By default, network locations aren’t included in Trusted Locations unless you enable them. You’ll need to go to User Configuration > Policies > Administrative Templates > Microsoft $ApplicationName 2013 > $ApplicationName Options > Security > Trust Center > Trusted Locations > Allow Trusted Locations on the network for each Office application and set the option to Enabled.

Allow Trusted Locations on the network set to Enabled for Word 2013
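
To confirm that a GPO really carries the user settings configured in this article, the following added example (not code from the original article) parses the XML produced by Get-GPOReport and compares each policy's state with the value set above. The report layout it queries and the inline sample report are assumptions constructed for illustration; the policy names and target states are the ones given in the article.

```powershell
# Added example. Policy names and target states are the ones the article sets;
# the report layout (Policy/Name/State, DropDownList/Value/Name) is assumed.
$expected = [ordered]@{
    'Block signing into Office'                       = 'Enabled'
    'Allow including screenshot with Office Feedback' = 'Disabled'
    'Enable Customer Experience Improvement Program'  = 'Disabled'
    'Send Office Feedback'                            = 'Disabled'
    'Disable Internet Fax Feature'                    = 'Enabled'
    'Allow mix of policy and user locations'          = 'Disabled'
}

function Test-OfficeGpoBaseline {
    param([Parameter(Mandatory)][xml]$Report,
          [Parameter(Mandatory)][System.Collections.IDictionary]$Expected)
    $found = @{}
    # local-name() makes the query independent of the q1:/q2: prefixes in the report.
    foreach ($p in $Report.SelectNodes("//*[local-name()='User']//*[local-name()='Policy']")) {
        $name = $p.SelectSingleNode("*[local-name()='Name']").InnerText
        if ($name) { $found[$name] = $p }
    }
    foreach ($name in $Expected.Keys) {
        $actual = 'Not Configured'; $option = $null
        if ($found.ContainsKey($name)) {
            $actual = $found[$name].SelectSingleNode("*[local-name()='State']").InnerText
            $opt = $found[$name].SelectSingleNode(
                "*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']")
            if ($opt) { $option = $opt.InnerText }
        }
        $ok = ($actual -eq $Expected[$name])
        # Enabling the sign-in policy is not enough; the article selects "Org ID only".
        if ($name -eq 'Block signing into Office') { $ok = $ok -and ($option -eq 'Org ID only') }
        [pscustomobject]@{ Policy = $name; Expected = $Expected[$name]
                           Actual = $actual; Option = $option; Compliant = $ok }
    }
}

# Constructed sample report: feedback left enabled, fax and Trusted Locations policies missing.
[xml]$sample = @'
<GPO><User><ExtensionData><Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
 <q1:Policy><q1:Name>Block signing into Office</q1:Name><q1:State>Enabled</q1:State>
  <q1:DropDownList><q1:State>Enabled</q1:State><q1:Value><q1:Name>Org ID only</q1:Name></q1:Value></q1:DropDownList></q1:Policy>
 <q1:Policy><q1:Name>Allow including screenshot with Office Feedback</q1:Name><q1:State>Disabled</q1:State></q1:Policy>
 <q1:Policy><q1:Name>Enable Customer Experience Improvement Program</q1:Name><q1:State>Disabled</q1:State></q1:Policy>
 <q1:Policy><q1:Name>Send Office Feedback</q1:Name><q1:State>Enabled</q1:State></q1:Policy>
</Extension></ExtensionData></User></GPO>
'@
Test-OfficeGpoBaseline -Report $sample -Expected $expected | Format-Table -AutoSize
# Real GPO (GroupPolicy module; the GPO name is a placeholder):
# Test-OfficeGpoBaseline -Report (Get-GPOReport -Name '<GPO name>' -ReportType Xml) -Expected $expected
```

The per-application “Allow Trusted Locations on the network” policy is left out of the expected set because it is only needed where network Trusted Locations are in use.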

6 Comments
  1. Dave N 9 years ago

    Good article and good ideas. We still haven’t even talked about an office 2013 upgrade yet, as we are still on 2010. I would be surprised if it happened this year but I’m keeping up with any notes on it that I can.

    I wonder how many other people are going to be in the same position as I for a while yet.

  2. Michael 9 years ago

    Thanks for this great article. I never thought about the possible data leak.

    (Un)fortunately we still use MS Office 2010. I wonder if there are also some restrictions I should set using GPOs for the version 2010.

    Have you ever written an article about that or can you recommend any article?

    Thanks
    Michael

    • With the exception of the OneDrive settings, I believe the other settings have comparable equivalents in Office 2010 using those ADMX files. I’ve been off Office 2010 for quite some time now.

  3. Pete 9 years ago

    Hi thanks for the tips! Have you by chance found a way to grey-out or get rid of altogether the access to “Apps for Office” within Outlook under File>Manage Apps and the button you see on the ribbon when you create a new message?

    Thanks, Pete

    • Sorry for not getting back to you sooner, Pete. I needed to research your question a bit further to see if it was possible to disable that feature. The “Manage Apps” functionality in Outlook is a feature of Exchange, not Outlook from everything I’ve read. The EAC gives you the ability to perform some management of the apps that are available, but I haven’t seen a way to completely disable it yet.

  4. Noubissi (Rank 1) 5 years ago

    Hello Kyle,

    is it possible after an Office 365 installation by GPO (click to run) to prevent the opening of this window:

    here is the picture I want to remove:

    https://www.google.fr/imgres?imgurl=https%3A%2F%2Fsupport.content.office.net%2Ffr-fr%2Fmedia%2Fdcc564ff-7829-4927-9870-ccfc518da624.png&imgrefurl=https%3A%2F%2Fsupport.office.com%2Ffr-fr%2Farticle%2Factiver-office-365-office-2016-ou-office-2013-5bd38f38-db92-448b-a982-ad170b1e187e&docid=Pvky4Eb5Wo8RbM&tbnid=6MNQQTO8kwYZOM%3A&vet=10ahUKEwjGsryTi-rdAhXJy4UKHUfOA2sQMwg-KAAwAA..i&w=520&h=307&bih=927&biw=1920&q=connecter%20vous%20pour%20configurer%20office&ved=0ahUKEwjGsryTi-rdAhXJy4UKHUfOA2sQMwg-KAAwAA&iact=mrc&uact=8

    Best regards