Security baseline for Microsoft 365 Apps for enterprise v2106 - FINAL

Published Jun 29 2021 09:35 AM 2,501 Views
Microsoft

We've reviewed the new settings released for Office since the last security baseline (v2104) and determined there are no additional security settings that require enforcement. Please continue to use the Security baseline for Microsoft 365 Apps for enterprise v2104 -FINAL which can be downloaded from the Microsoft Security Compliance Toolkit

 

New Office policies are contained in the Administrative Template files (ADMX/ADML) version 5179 published on 6/7/2021 which introduced 7 new user settings. We have attached a spreadsheet listing the new settings to make it easier for you to find them. 

 

Only trust VBA macros that use V3 signatures (Worth considering) 

Microsoft discovered a vulnerability in Office Visual Basic for Applications (VBA) macro project signing which might enable a malicious user to tamper with a signed VBA project without invalidating its digital signature. This blog post explains how VBA macros signed with legacy signatures do not offer strong enough protection against a malicious actor looking to compromise the files integrity. 

  

Admins should consider upgrading the existing VBA signatures to the V3 signature as soon as possible after they upgrade Office to the supported product versions, see instructions in the links below. Once this is complete you can disable the old VBA signatures by enabling the "Only trust VBA macros that use V3 signatures" policy setting. 

  

  

If you have questions or issues, please let us know via the Security Baseline Community or this post. 

%3CLINGO-SUB%20id%3D%22lingo-sub-2492355%22%20slang%3D%22en-US%22%3ESecurity%20baseline%20for%20Microsoft%20365%20Apps%20for%20enterprise%20v2106%20-%20FINAL%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2492355%22%20slang%3D%22en-US%22%3E%3CP%3EWe've%20reviewed%20the%20new%20settings%20released%20for%20Office%20since%20the%20last%20security%20baseline%20(v2104)%20and%20determined%20there%20are%20no%20additional%20security%20settings%20that%20require%20enforcement.%20Please%20continue%20to%20use%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fsecurity-baseline-for-microsoft-365-apps-for-enterprise-v2104%2Fba-p%2F2307695%22%20target%3D%22_blank%22%3ESecurity%20baseline%20for%20Microsoft%20365%20Apps%20for%20enterprise%20v2104%20-FINAL%3C%2FA%3E%26nbsp%3Bwhich%20can%20be%20downloaded%20from%20the%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D55319%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Security%20Compliance%20Toolkit%3C%2FA%3E.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENew%20Office%20policies%20are%20contained%20in%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fdownload%2Fdetails.aspx%3Fid%3D49030%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAdministrative%20Template%20files%20(ADMX%2FADML)%20version%205179%3C%2FA%3E%26nbsp%3Bpublished%20on%206%2F7%2F2021%26nbsp%3Bwhich%20introduced%207%20new%20user%20settings.%20We%20have%20attached%20a%20spreadsheet%20listing%20the%20new%20settings%20to%20make%20it%20easier%20for%20you%20to%20find%20them.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EOnly%20trust%20VBA%20macros%20that%20use%20V3%20signatures%20(Worth%20considering)%3C%2FSTRONG%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMicrosoft%20discovered%20a%20vulnerability%20in%20Office%20Visual%20Basic%20for%20Applications%20(VBA)%20macro%20project%20signing%20which%20might%E2%80%AFenable%20a%20malicious%20user%E2%80%AFto%20tamper%20with%20a%20signed%20VBA%20project%20without%20invalidating%20its%20digital%20signature.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fblogs%2Fupgrade-signed-office-vba-macro-projects-to-v3-signature%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EThis%20blog%20post%3C%2FA%3E%26nbsp%3Bexplains%20how%20VBA%20macros%20signed%20with%20legacy%20signatures%20do%20not%20offer%20strong%20enough%20protection%20against%20a%20malicious%20actor%20looking%20to%20compromise%20the%20files%20integrity.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%E2%80%AF%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAdmins%20should%20consider%20upgrading%20the%E2%80%AFexisting%E2%80%AFVBA%20signatures%20to%20the%20V3%20signature%20as%20soon%20as%20possible%20after%20they%20upgrade%E2%80%AFOffice%20to%20the%20supported%20product%20versions%2C%20see%20instructions%20in%20the%20links%20below.%20Once%20this%20is%20complete%20you%20can%20disable%20the%20old%20VBA%20signatures%20by%20enabling%20the%E2%80%AF%22Only%20trust%20VBA%20macros%20that%20use%20V3%20signatures%22%20policy%20setting.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%E2%80%AF%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EInstructions%20on%20how%20to%20upgrade%20Office%20VBA%20macro%20signatures%3A%3C%2FSTRONG%3E%26nbsp%3B%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fdeveloper.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fblogs%2Fupgrade-signed-office-vba-macro-projects-to-v3-signature%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUpgrade%20signed%20Office%20VBA%20macro%20projects%20to%20V3%20signature%20-%20Microsoft%20365%20Developer%20Blog%3C%2FA%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Fprod.support.services.microsoft.com%2Fen-us%2Ftopic%2Fupgrade-signed-office-vba-macro-projects-to-v3-signature-kb5000676-2b8b3cae-ad64-4b4b-aa85-c4a98ca6da87%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EUpgrade%20signed%20Office%20VBA%20macro%20projects%20to%20V3%E2%80%AFsignature%20(KB5000676)%20(microsoft.com)%3C%2FA%3E%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%E2%80%AF%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20have%20questions%20or%20issues%2C%20please%20let%20us%20know%20via%20the%E2%80%AF%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fbd-p%2FSecurity-Baselines%22%20target%3D%22_blank%22%3ESecurity%20Baseline%20Community%3C%2FA%3E%E2%80%AFor%20this%20post.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2492355%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22v2106.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F291926i0725F021BB815456%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22v2106.png%22%20alt%3D%22v2106.png%22%20%2F%3E%3C%2FSPAN%3EMicrosoft%20is%20pleased%20to%20announce%20the%20final%20security%20baseline%20for%20Microsoft%20365%20Apps%20for%20enterprise%20v2106.%3C%2FP%3E%3C%2FLINGO-TEASER%3E
Version history
Last update:
‎Jun 29 2021 09:34 AM
Updated by: