Office 365 security baseline adds macro signing, JScript protection

Microsoft has updated the security baseline for Microsoft 365 Apps for enterprise (formerly Office 365 Professional Plus) to include protection from JScript code execution attacks and unsigned macros.

Security baselines enable security admins to use Microsoft-recommended Group Policy Object (GPO) baselines to reduce the attack surface of Microsoft 365 Apps and boost the security posture of enterprise endpoints they run on.

"A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact," as Microsoft explains.

"These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers."

Security baseline changes

The highlights of the new recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104, include protection against remote code execution attacks by restricting legacy JScript execution for Office.

JScript is a legacy Internet Explorer component that, although replaced by JScript9, is still being used by business-critical apps in enterprise environments.

Additionally, admins are also advised to extend macro protection by enabling a GPO to require application add-ins to be signed by trusted publishers and disable them silently by blocking them and turning off Trust Bar notifications.

The GPOs that need to be enabled to implement these baseline recommended security settings are:

• "Legacy JScript Block - Computer" disables the legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone.
• "Require Macro Signing - User" is a User Configuration GPO that disables unsigned macros in each of the Office applications.

Other new policies added to the baseline since last year's release include:

• "DDE Block - User" is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones.
• "Legacy File Block - User" is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats.
• New policy: "Control how Office handles form-based sign-in prompts" we recommend enabling and blocking all prompts. This results in no form-based sign-in prompts displayed to the user and the user is shown a message that the sign-in method isn't allowed.
• New policy: We recommend enforcing the default by disabling "Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine" (Note: This policy description is a double negative, the behavior we recommend is the security checks remain ON).
• New policy: We recommend enforcing the default by disabling "Allow VBA to load typelib references by path from untrusted intranet locations". Learn more at FAQ for VBA solutions affected by April 2020 Office security updates.
• New dependent policy: "Disable Trust Bar Notification for unsigned application add-ins" policy had a dependency that was missed in the previous baseline. To correct, we have added that missing policy, "Require that application add-ins are signed by Trusted Publisher". This applies to Excel, PowerPoint, Project, Publisher, Visio, and Word.

Available via Microsoft's Security Compliance Toolkit

"Most organizations can implement the baseline's recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations," Microsoft said.

"We've broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set.

"The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed."

The final release of the security baseline for Microsoft 365 Apps for enterprise is available for download via the Microsoft Security Compliance Toolkit.

It includes "importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy."

Microsoft also provides all the recommended settings in spreadsheet form, together with an updated custom administrative template (SecGuide.ADMX/L) file and a Policy Analyzer rules file.

Future security baselines will be aligned with semi-annual channel releases of Microsoft 365 Apps for enterprise every June and December.

Comments are closed.