Microsoft Office 365 ProPlus Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000207
Group -
SRG-APP-000207
Group -
Open/Save of Word 2003 binary documents and templates must be blocked.
This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, ...Rule Medium Severity -
SRG-APP-000207
Group -
SRG-APP-000207
Group -
SRG-APP-000207
Group -
SRG-APP-000207
Group -
Open/Save of Word 97 binary documents and templates must be blocked.
This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, ...Rule Medium Severity -
SRG-APP-000207
Group -
SRG-APP-000210
Group -
In Word, macros must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center.
This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if "Enable all macr...Rule Medium Severity -
SRG-APP-000210
Group -
SRG-APP-000141
Group -
VBA Macros not digitally signed must be blocked in Word.
This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four opti...Rule Medium Severity -
SRG-APP-000112
Group -
Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy ...Rule Medium Severity -
Document metadata for rights managed Office Open XML files must be protected.
This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint...Rule Medium Severity -
The Office client must be prevented from polling the SharePoint Server for published links.
This policy setting controls whether Office 365 ProPlus applications can poll Office servers to retrieve lists of published links. If this policy setting is enabled, Office 365 ProPlus applicatio...Rule Medium Severity -
Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level.
This policy setting controls whether macros can run in an Office 365 ProPlus application that is opened programmatically by another application. If this policy setting is enabled, the user can choo...Rule Medium Severity -
Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.
This policy setting enables you to specify an encryption type for password-protected Office 97-2003 files. If you enable this policy setting, you can specify the type of encryption that Office app...Rule Medium Severity -
Office applications must be configured to specify encryption type in password-protected Office Open XML files.
This policy setting allows you to specify an encryption type for Office Open XML files. If you enable this policy setting, you can specify the type of encryption that Office applications use to en...Rule Medium Severity -
The load of controls in Forms3 must be blocked.
This policy setting allows the user to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe for Initialization (SFI) or Unsafe for Initialization (UFI). ...Rule Medium Severity -
Consistent MIME handling must be enabled for all Office 365 ProPlus programs.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied on to provide confidentiality or integrity, and DoD...Rule Medium Severity -
User name and password must be disabled in all Office programs.
The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to ...Rule Medium Severity -
The Information Bar must be enabled in all Office programs.
This policy setting controls whether Office 365 ProPlus applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled...Rule Medium Severity -
The MIME Sniffing safety feature must be enabled in all Office programs.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...Rule Medium Severity -
ActiveX installation restriction must be enabled in all Office programs.
Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Mi...Rule Medium Severity -
The Save from URL feature must be enabled in all Office programs.
Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the In...Rule Medium Severity -
Flash player activation must be disabled in all Office programs.
This policy setting controls whether the Adobe Flash control can be activated by Office documents. Note that activation blocking applies only within Office processes. If you enable this policy set...Rule Medium Severity -
VBA Macros not digitally signed must be blocked in Excel.
This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four opti...Rule Medium Severity -
Open/save of Dif and Sylk format files must be blocked.
This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting,...Rule Medium Severity -
Open/save of Excel 3 macrosheets and add-in files must be blocked.
This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting,...Rule Medium Severity -
Open/save of Excel 3 worksheets must be blocked.
This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting,...Rule Medium Severity -
Open/save of Excel 4 worksheets must be blocked.
This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting,...Rule Medium Severity -
The default file block behavior must be set to not open blocked files in Excel.
This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting,...Rule Medium Severity -
Extraction options must be blocked when opening corrupt Excel workbooks.
This policy setting controls whether Excel presents users with a list of data extraction options before beginning an Open and Repair operation when users choose to open a corrupt workbook in repair...Rule Medium Severity -
Loading of pictures from Web pages not created in Excel must be disabled.
This policy setting controls whether Excel loads graphics when opening Web pages that were not created in Excel. It configures the "Load pictures from Web pages not created in Excel" option under t...Rule Medium Severity -
File extensions must be enabled to match file types in Excel.
This policy setting controls how Excel loads file types that do not match their extension. Excel can load files with extensions that do not match the files' type. For example, if a comma-separated ...Rule Medium Severity -
Scan of encrypted macros in Excel Open XML workbooks must be enabled.
This policy setting controls whether encrypted macros in Open XML workbooks be are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may c...Rule Medium Severity -
Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
This policy setting controls whether the specified Office 2016 applications notify users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This pol...Rule Medium Severity -
Untrusted Microsoft Query files must be blocked from opening in Excel.
This policy setting controls whether Microsoft Query files (.iqy, oqy, .dqy, and .rqy) in an untrusted location are prevented from opening. If you enable this policy setting, Microsoft Query files...Rule Medium Severity -
Files from unsafe locations must be opened in Excel in Protected View mode.
This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not specified unsafe locations, only the "Downloaded Program Files" and "Tempora...Rule Medium Severity -
File attachments from Outlook must be opened in Excel in Protected mode.
This policy setting allows you to determine if Excel files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If ...Rule Medium Severity -
The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication.
This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note: Exchange Server supports the Kerberos authentication protocol and NTLM fo...Rule Medium Severity -
Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers.
This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC encryp...Rule Medium Severity -
The junk email protection level must be set to No Automatic Filtering.
This policy setting controls the Junk E-mail protection level. The Junk E-mail Filter in Outlook helps to prevent junk email messages, also known as spam, from cluttering a user's Inbox. The filter...Rule Medium Severity -
Outlook must be configured to prevent users overriding attachment security settings.
This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting users will be prevented from overriding the set of attachments block...Rule Medium Severity -
The minimum encryption key length in Outlook must be at least 168.
This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message....Rule Medium Severity -
Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that ha...Rule Medium Severity -
Level 1 file attachments must be blocked from being delivered.
This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allow them to save files to disk and open them from that location. Outlook u...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.