Microsoft Office 365 ProPlus Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
SRG-APP-000179
Group -
Macros must be blocked from running in Access files from the Internet.
This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all mac...
Rule Medium Severity -
SRG-APP-000131
Group -
SRG-APP-000141
Group -
VBA Macros not digitally signed must be blocked in Access.
This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If this policy setting is enabled, choose from four options for ...
Rule Medium Severity -
SRG-APP-000210
Group -
The Macro Runtime Scan Scope must be enabled for all documents.
This policy setting specifies for which documents the VBA Runtime Scan feature is enabled. If the feature is disabled for all documents, no runtime scanning of enabled macros will be performed. I...
Rule Medium Severity -
SRG-APP-000429
Group -
SRG-APP-000141
Group -
SRG-APP-000516
Group -
Custom user interface (UI) code must be blocked from loading in all Office applications.
This policy setting controls whether Office 365 ProPlus applications load any custom user interface (UI) code included with a document or template. Office 365 ProPlus allows developers to extend th...
Rule Medium Severity -
SRG-APP-000488
Group -
ActiveX Controls must be initialized in Safe Mode.
This policy setting specifies the Microsoft ActiveX initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, mali...
Rule Medium Severity -
SRG-APP-000210
Group -
SRG-APP-000131
Group -
Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.
This policy setting controls whether Office 365 ProPlus applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled...
Rule Medium Severity -
SRG-APP-000231
Group -
SRG-APP-000231
Group -
SRG-APP-000340
Group -
Users must be prevented from creating new trusted locations in the Trust Center.
This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enab...
Rule Medium Severity -
SRG-APP-000516
Group -
Office applications must not load XML expansion packs with Smart Documents.
This policy setting controls whether Office 365 ProPlus applications can load an XML expansion pack manifest file with a Smart Document.
Rule Medium Severity -
SRG-APP-000207
Group -
SRG-APP-000207
Group -
Add-on Management must be enabled for all Office 365 ProPlus programs.
Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring ...
Rule Medium Severity -
SRG-APP-000179
Group -
SRG-APP-000210
Group -
SRG-APP-000207
Group -
SRG-APP-000516
Group -
The Local Machine Zone Lockdown Security must be enabled in all Office programs.
Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine ...
Rule Medium Severity -
SRG-APP-000179
Group -
SRG-APP-000210
Group -
Navigate URL must be enabled in all Office programs.
To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Offic...
Rule Medium Severity -
SRG-APP-000179
Group -
Object Caching Protection must be enabled in all Office programs.
Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and D...
Rule Medium Severity -
SRG-APP-000112
Group -
Protection from zone elevation must be enabled in all Office programs.
Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine ...
Rule Medium Severity -
SRG-APP-000488
Group -
SRG-APP-000112
Group -
File Download Restriction must be enabled in all Office programs.
Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without...
Rule Medium Severity -
SRG-APP-000210
Group -
SRG-APP-000112
Group -
Scripted Windows Security restrictions must be enabled in all Office programs.
Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not ...
Rule Medium Severity -
SRG-APP-000488
Group -
SRG-APP-000210
Group -
Trusted Locations on the network must be disabled in Excel.
This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locat...
Rule Medium Severity -
SRG-APP-000141
Group -
SRG-APP-000207
Group -
Dynamic Data Exchange (DDE) server launch in Excel must be blocked.
This policy setting allows you to control whether Dynamic Data Exchange (DDE) server launch is allowed. By default, DDE server launch is turned off, but users can turn on DDE server launch by goin...
Rule Medium Severity -
SRG-APP-000207
Group