Security baseline for Office 365 ProPlus (v1907, July 2019) - DRAFT
Published Jul 24 2019 03:46 AM 19.4K Views
Former Employee

[Update, 24 September 2019: final version of this baseline released and is now available as part of the Security Compliance Toolkit.]


Microsoft is pleased to announce the draft release of the recommended security configuration baseline settings for Microsoft Office 365 ProPlus, version 1907. Please evaluate this proposed baseline and send us your feedback through the Baselines Discussion site.


This baseline builds on the overhauled Office baseline we released in early 2018. The highlights of this baseline include:

  • Componentization of GPOs so that “challenging” settings can be added or removed as a unit.
  • Comprehensive blocking of legacy file formats
  • Blocking Excel from using Dynamic Data Exchange (DDE)

Also see the announcements at the end of this post regarding the new Security Policy Advisor and Office cloud policy services.


The downloadable attachment to this blog post includes importable GPOs, a script to apply the GPOs to local policy, a custom administrative template (ADMX) file for Group Policy settings, all the recommended settings in spreadsheet form and as Policy Analyzer rules. The recommended settings correspond with the Office 365 ProPlus administrative templates version 4888 released on July 17, 2019 that can be downloaded here. The download for the final version of this baseline will be released through the Security Compliance Toolkit.


Componentization of GPOs

Most organizations can implement most of the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We have broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script, BaselineLocalInstall.ps1, offers command-line options to control whether these GPOs are installed.

The “MSFT Office 365 ProPlus 1907” GPO set includes “Computer” and “User” GPOs that represent the “core” settings that should be trouble free, and each of these potentially challenging GPOs, each of which is described later:

  • “Legacy File Block – User” is a User Configuration GPO that prevents Office applications from loading or saving legacy file formats.
  • “Require Macro Signing – User” is a User Configuration GPO that disables unsigned macros in each of the Office applications.
  • “Excel DDE Block – User” is a User Configuration GPO that blocks Excel from using DDE to search for existing DDE server processes or to start new ones.


Comprehensive blocking of legacy file formats

In the previous Office baseline we published, we tried to end the use of legacy file formats, including all the old Office document formats such as *.doc, *.xls, and *.ppt. However, we missed some important ones. So we just went ahead and fixed the glitch.


One of the threats of these old binary file formats is that their inherent complexity too often led to exploitable bugs in their parsers. The bigger threat is that many of these formats can include macros or other executable instructions that are easily abused. By contrast, macros are disabled with the most-commonly used Office Open XML (OOXML) document formats, which were first introduced with Office 2007. Only macro-enabled formats such as *.docm and *.xlsm support macros, and these can be filtered at the point of ingress.


While fixing the glitch, however, we also recognized that many organizations cannot entirely end their use of legacy Office document formats, so we broke out the file-blocking settings into a separate GPO, so they can be added or removed as a cohesive unit.


Blocking Excel from using DDE

Dynamic Data Exchange (DDE) is a very old interprocess communication method that is still used in some parts of Windows and remains supported for applications to use, primarily for backward compatibility. A few years ago, malware authors began embedding specially-formed DDE references in Office documents that were sent to victims and that would run attacker-chosen code. Since then, most Office apps quietly disabled the use of DDE. Excel retained user-configurable settings to enable DDE server process lookup and launch. These can now be configured through Group Policy, and this baseline recommends disabling both settings. Because of the likelihood that some organizations still depend on this functionality, we have broken out “Excel DDE Block” as a separate GPO.


Macro signing

The baseline also retains the “VBA Macro Notification Settings” options from our previous baselines that require that macros embedded in Office documents be signed by a trusted publisher. We recognize that some organizations have had workflows and processes relying on such macros for a long time, and that enforcing these particular settings can cause operational issues. It can also be challenging to identify all the documents and VBA projects that need to be signed. We have decided at this time to move these settings into a separate GPO to make it easier to switch the settings on or off without affecting the rest of the baseline.


Note that the “Block macros from running in Office files from the Internet” settings we turned on in the previous baseline are retained in the main GPOs and should be enforced by all security-conscious organizations.


Also see below about how the new Security Policy Advisor service can provide tailored recommendations for VBA macro policies.


Other changes in the baseline

  • “Block macros from running in Office files from the Internet” is now supported for Access, so we added it.
  • Implemented new settings to block the opening of certain untrusted files and to open others in Protected View.
  • Enabled the new “Macro Runtime Scan Scope” setting.
  • Removed the file block setting for “PowerPoint beta converters,” as Office no longer implements that block.


Deploy policies from the cloud, and get tailored recommendations for specific security policies

In addition to being able deploy these policies through Active Directory Group Policy or through Local Group Policy, you now have a new way to deploy user-based policies from the cloud to any Office 355 ProPlus client through the new Office cloud policy service.


The Office cloud policy service allows administrators to define policies for Office 365 ProPlus and assign these policies to users via Azure Active Directory security groups. Once defined, policies are automatically enforced as users sign in and use Office 365 ProPlus. No need to be domain joined or MDM enrolled, and it works with corporate-owned devices or BYOD. To learn more about Office cloud policy service, check out the announcement here:


We also have a new service in public preview called Security Policy Advisor that can help you with deploying security policies. Security Policy Advisor can provide you with tailored recommendations for specific security policies based on how Office is used in your enterprise. For example, in most customer environments, macros are typically used in specific apps such as Excel and only by specific groups of users. Security Policy Advisor can help you identify groups of users and applications where macros can be disabled with minimal productivity impact, and optionally integrate with Office 365 Advanced Threat Protection to provide you information on who is being attacked. To learn more about Security Policy Advisor, check out the announcement here:

Version history
Last update:
‎Nov 29 2021 08:29 AM
Updated by: