- #Security policies for mac in enterprise code
- #Security policies for mac in enterprise download
Restrict legacy JScript execution for Office Apps
“DDE Block - User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones. “Require Macro Signing - User” is a User Configuration GPO that disables unsigned macros in each of the Office applications. “Legacy File Block - User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats. "Legacy JScript Block - Computer" disables the legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone. The “MSFT M365 Apps for enterprise 2104” GPO set includes “Computer” and “User” GPOs that represent the “core” settings that should be trouble free, and each of these potentially challenging GPOs, each of which is described later: The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed. We've broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set.
However, there are a few settings that will cause operational issues for some organizations. Most organizations can implement the baseline’s recommended settings without any problems.
GPO changes – We removed the Application Guard settings, while secure, there are conditions where preventing users from exiting App Guard may have an unacceptable end-user productivity impact as Application Guard continues to evolve to handle more file types and active content. Naming – We were reminded shortly after the Draft released (which was actually reviewed) that we no longer call the product Office 365 ProPlus, it will now be referred to as Microsoft 365 Apps for enterprise. The recommended settings correspond with the administrative templates version 5146, released March 22, 2021.Ī couple small changes were made since the Draft baseline released last month. The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, updated custom administrative template (SecGuide.ADMX/L) file, all the recommended settings in spreadsheet form and a Policy Analyzer rules file. Block Dynamic Data Exchange (DDE) entirely.Īlso, see the information at the end of this post regarding updates to Security Policy Advisor and Office Cloud Policy Services. Also, turning off Trust Bar notifications for unsigned application add ins and blocking them to silently disable without notification. Expanded macro protection requiring application add-ins to be signed by a trusted publisher. #Security policies for mac in enterprise code
Restrict legacy JScript execution for Office to help protect remote code execution attacks while maintaining user productivity as core services continue to function as usual. This baseline builds on the previous Office baseline we released mid-2019. If you have questions or issues, please let us know via the Security Baseline Community or this post. #Security policies for mac in enterprise download
Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate. Microsoft is pleased to announce the final release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2104.