ASD's Blueprint for Secure Cloud

ASD Office Hardening Guidelines

This section describes the configuration of device configuration profiles within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Basics

Item | Value
Name | ASD Office Hardening Guidelines
Description |
Platform | Windows 10 and later

Assignments

Included groups

Item | Value
Groups | All devices

Excluded groups

None

Scope tags

Item | Value
Scope tags | Default

Configuration settings

Microsoft Access 2016

Item | Value
Application Settings > Security > Trust Center
Block macros from running in Office files from the Internet (User) | Enabled

Microsoft Excel 2016

Item | Value
Excel Options > Security
Force file extension to match file type (User) | Enabled: Always match file type
Turn off file validation (User) | Disabled
Excel Options > Security > Trust Center | Enabled
Block macros from running in Office files from the Internet (User) | Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) | Enabled
Require that application add-ins are signed by Trusted Publisher (User) | Enabled
Turn off trusted documents (User) | Enabled
Turn off Trusted Documents on the network (User) | Enabled
Excel Options > Security > Trust Center > External Content
Always prevent untrusted Microsoft Query files from opening (User) | Enabled
Don’t allow Dynamic Data Exchange (DDE) server launch in Excel (User) | Enabled
Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel (User) | Enabled
Excel Options > Security > Trust Center > File Block Settings
dBase III / IV files (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Dif and Sylk files (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 2 macrosheets and add-in files (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 2 worksheets (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 3 macrosheets and add-in files (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 3 worksheets (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 4 macrosheets and add-in files (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 4 workbooks (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 4 worksheets (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 95 workbooks (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 95-97 workbooks and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel 97-2003 workbooks and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Set default file block behavior (User) | Enabled: Blocked files are not opened
Web pages and Excel 2003 XML spreadsheets (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Excel Options > Security > Trust Center > Protected View
Always open untrusted database files in Protected View (User) | Enabled
Do not open files from the Internet zone in Protected View (User) | Disabled
Do not open files in unsafe locations in Protected View (User) | Disabled
Set document behavior if file validation fails (User) | Enabled: Block files
- Checked: Allow edit. Unchecked: Do not allow edit. (User) | False
Turn off Protected View for attachments opened from Outlook (User) | Disabled

Microsoft Office 2016

Item | Value
Security Settings
Allow file extensions for OLE embedding (User) |
Disable All ActiveX (User) |
Force Runtime AV Scan (User) |
Macro Runtime Scan Scope (User) | Enabled: Enable for all documents
Trust Center
Allow including screenshot with Office Feedback (User) | Disabled
Automatically receive small updates to improve reliability (User) | Disabled
Configure the level of client software diagnostic data sent by Office to Microsoft (User) | Enabled
- Type of diagnostic data: (User) | Required
Disable Opt-in Wizard on first run (User) | Enabled
Enable Customer Experience Improvement Program (User) | Disabled
Send Office Feedback (User) | Disabled
Send personal information (User) | Disabled

Microsoft PowerPoint 2016

Item | Value
PowerPoint Options > Security | Enabled
Make hidden markup visible (User) | Enabled
Run Programs (User) | Enabled: disable (don’t run any programs)
Turn off file validation | Disabled
PowerPoint Options > Security > Trust Center
Block macros from running in Office files from the Internet (User) | Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) | Enabled
Require that application add-ins are signed by Trusted Publisher (User) | Enabled
Turn off trusted documents (User) | Enabled
Turn off Trusted Documents on the network (User) | Enabled
PowerPoint Options > Security > Trust Center > File Block Settings
PowerPoint 2007 and later presentations, shows, templates, themes and add-in files (User) | Disabled
Set default file block behavior (User) | Enabled: Blocked files are not opened
PowerPoint Options > Security > Trust Center > Protected View
Do not open files from the Internet zone in Protected View (User) | Disabled
Do not open files in unsafe locations in Protected View (User) | Disabled
Set document behavior if file validation fails (User) | Enabled: Block files
- Checked: Allow edit. Unchecked: Do not allow edit. (User) | False
Turn off Protected View for attachments opened from Outlook (User) | Disabled

Microsoft Project 2016

Item | Value
Project Options > Security > Trust Center
Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) | Enabled
Require that application add-ins are signed by Trusted Publisher (User) | Enabled

Microsoft Visio 2016

Item | Value
Visio Options > Security > Trust Center > File Block Settings
- File block setting (User) | Open/Save blocked, use open policy
Visio 2000-2002 Binary Drawings, Templates and Stencils (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Visio 2003-2010 Binary Drawings, Templates and Stencils (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User) | Enabled
Block macros from running in Office files from the Internet (User) | Enabled

Microsoft Word 2016

Item | Value
Word Options > Security
Make hidden markup visible (User) | Enabled
Turn off file validation (User) | Disabled
Word Options > Security > Trust Center
Block macros from running in Office files from the Internet (User) | Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) | Enabled
Require that application add-ins are signed by Trusted Publisher (User) | Enabled
Turn off trusted documents (User) | Enabled
Turn off Trusted Documents on the network (User) | Enabled
Word Options > Security > Trust Center > File Block Settings
Set default file block behavior (User) | Enabled: Blocked files are not opened
Word 2 and earlier binary documents and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Word 2000 binary documents and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Word 2003 binary documents and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Word 2007 and later binary documents and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Word 6.0 binary documents and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Word 95 binary documents and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Word 97 binary documents and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Word XP binary documents and templates (User) | Enabled
- File block setting (User) | Open/Save blocked, use open policy
Word Options > Security > Trust Center > Protected View
Do not open files from the Internet zone in Protected View (User) |
Do not open files in unsafe locations in Protected View (User) |
Set document behavior if file validation fails (User) | Enabled: Block files
- Checked: Allow edit. Unchecked: Do not allow edit. (User) | False
Turn off Protected View for attachments opened from Outlook (User) | Disabled
Word Options > Advanced
Update automatic links at Open (User) | Disabled

Security & Governance

  • None identified

Design

  • None identified

Configuration

  • None identified

References

  • None identified

Authorised by the Australian Government, Canberra