In a default install of Office 2013, there may be features that could cause security issues, such as data leakage, in your environment if your end users handle sensitive data. Here are a few of the settings you can use to remove these features from Office 2013 installs. (Note: You’ll need to have the Office 2013 ADMX files installed on your management station or Group Policy Central Store. Refer to Part 1 of this series for a download link and install instructions.)
Remove access to OneDrive [Consumer]
By default, end users can sign in to their Microsoft Account within Office 2013 and access their OneDrive [Consumer] files. This also means they can potentially save company data there.
Go to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Miscellaneous > Block signing into Office. Set the option to Enabled and specify “Org ID only.”
Block signing into Office to prevent access to OneDrive
If end users try to access their OneDrive by going to Connected Services in the Account settings (File > Account), they’ll see that OneDrive – Personal is grayed out, and they’ll see the message, “Your administrator has blocked OneDrive – Personal on this computer.” There are still plenty of other ways an end user could access OneDrive, but this removes the option in Office 2013.
Your administrator has blocked OneDrive - Personal on this computer
Remove feedback options
Send a Smile in Office 2013 allows sending screenshots to Microsoft
The Send a Smile and Customer Experience Improvement Program (CEIP) options can be found in User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Privacy > Trust Center. Set “Allow including screenshot with Office Feedback,” “Enable Customer Experience Improvement Program,” and “Send Office Feedback” all to Disabled.
Disabling feedback and CEIP options
Remove Internet faxing
In Office 2013 applications, users can go to Share > Email > Send as Internet Fax and connect to third-party Internet faxing services that may not be approved by the organization. You can remove access to Internet faxing by going to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Services > Fax > Disable Internet Fax Feature and setting the option to Enabled.
Send as Internet Fax option in Word 2013
Manage Trusted Locations
Trusted Locations can be specified for Office 2013 applications so that Office applications open files in those folders with lower security. This can be very helpful to eliminate pop-ups for templates and macro-enabled files, but it can cause some security issues if end users control the settings themselves.
Office has default locations (specified in the Office install) for Trusted Locations, but you can remove the ability for a user to change the setting by going to User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Security Settings > Trust Center > Allow mix of policy and user locations and setting the option to Disabled.
“Allow mix of policy and user locations” set to Disabled
The end user is unable to add additional locations in the Trust Center
If you want to add locations, you can do so in User Configuration > Policies > Administrative Templates > Microsoft Office 2013 > Security Settings > Trust Center or User Configuration > Policies > Administrative Templates > Microsoft $ApplicationName 2013 > $ApplicationName Options > Security > Trust Center > Trusted Locations. You can set up to 20 Trusted Locations using Trusted Location #1 through #20.
Example of a network Trusted Location for Office 2013
Just be aware of one gotcha: By default, network locations aren’t included in Trusted Locations unless you enable them. You’ll need to go to User Configuration > Policies > Administrative Templates > Microsoft $ApplicationName 2013 > $ApplicationName Options > Security > Trust Center > Trusted Locations > Allow Trusted Locations on the network for each Office application and set the option to Enabled.
Allow Trusted Locations on the network set to Enabled for Word 2013