- WSL: Start Linux apps in Windows and Windows apps in Linux, access ext4 and NTFS - Mon, Dec 11 2023
- SystoLOCK in review: Logging in to Active Directory with multi-factor authentication without passwords - Tue, Dec 5 2023
- New Group Policy settings in Windows 11 23H2 - Mon, Nov 20 2023
Microsoft updates the security baseline for Windows 10 with every feature update of the OS. Companies are encouraged to harden their PCs against threats by applying this baseline. For Office, the need for such measures is no less important, as the applications still contain many old and vulnerable technologies for compatibility reasons.
Support of Office versions is unclear
Due to the different editions and licensing options, managing Office using security baselines is not as easy as it is with Windows. For example, Microsoft 365 business applications cannot be managed via group policies at all.
Here, you can at least try to avert threats from macros by setting the relevant registry keys via group policy preferences.
In addition, the Office applications you get from the subscriptions are updated every six months (SAC), while the 2016 or 2019 versions from the Long-Term Servicing Channel (LTSC) don't receive any new features.
However, the security baseline always refers to one of the latest SAC releases (currently to Microsoft Office 365 ProPlus, which is now called Microsoft 365 Apps for Enterprise). However, the documentation does not provide any information about the settings that are also supported in Office 2016 or 2019.
In fact, the updates for Microsoft 365 hardly bring any new security-relevant GPO settings, so that the baseline essentially fulfills its purpose everywhere. However, where such changes do exist, such as the most recently introduced support for "Block execution of macros in Office files from the Internet" in Access, they have no effect on older versions.
ADMX templates for all Office versions
These inconsistencies continue with the ADMX templates for Office, which of course must be installed as a requirement for the baseline. The major version of Office has not changed internally since 2016, so existing GPOs will continue to work for 2019 and 365.
While new settings are continually being added, they apparently do not have any effect on the older versions. You can't tell which setting is supported by which version of Office from the GPO editor, because it only shows the supported version of Windows, not Office.
Content of the Security Baseline
The current security baseline for Office is included in the Security Compliance Toolkit. Like the one for Windows, it comprises a backup of the sample GPOs, GPO reports in HTML format showing the configured settings, PowerShell scripts for import, and documentation (Word and Excel files).
In addition, there is an ADMX template for Windows and Office security settings in the Template directory, which is required for the GPO MSFT Office 365 ProPlus 1908 – Computer. Therefore, you should copy it together with the English language file into the local directory PolicyDefinitions or into the central store for group policies.
Settings in five GPOs
Once these preparations have been made, you can consider which baseline settings to apply to your environment. They are distributed among five GPOs, whereby all those that will probably not have an adverse impact on functionality or usability are located in MSFT Office 365 ProPlus 1908 - Computer or User.
Three other GPOs are responsible for allowing only signed macros to run, disabling DDE for Excel, and blocking old file formats. If companies still use many macros that were developed in-house but haven't been signed, then you should not apply the corresponding group policy object.
The same is true for old binary formats such as .doc, .xls or .ppt. According to Microsoft, their complexity makes them not only more vulnerable to attack, but also more dangerous because of the embedded macros. However, if you need these file formats for data exchange, for example, then you must also do without the corresponding GPO.
Importing the baseline
The easiest way to acquire the settings recommended by Microsoft is to import the supplied GPO backups into Group Policy Management. To do this, first create an empty GPO to receive the settings in the Group Policy Objects section. It makes sense to keep the name from the baseline.
To display the names of the GPOs before the import, you can run the following PowerShell script from the root directory of the unpacked ZIP archive:
.\\Scripts\\Tools\\MapGuidsToGpoNames.ps1 $PWD | Format-Table -AutoSize
Then open the context menu of the new GPO and select Import Settings. The following wizard first offers to back up the GPO, but this is not necessary in this case.
Then select the GPOs directory from the baseline, and you will get a list of all objects saved there. Select the object whose settings you want to import.
Repeat this process for the other GPOs. These will not be linked to any domain or OU, so you can check their settings again before assigning them to specific users or PCs.
In addition to a security baseline for the operating system, Microsoft also offers one for Office. Its use should definitely be considered, as these applications are among the preferred targets of attack, along with the web browser and the OS. Their numerous legacy technologies pose a particular threat, and they can be largely deactivated via the recommended settings.
Subscribe to 4sysops newsletter!
Due to the large number of Office variants and insufficient documentation, it is not always clear which setting applies to which version. However, the vast majority of group policies have secured all Office packages since 2016.