Overview
The Devicie Essential Eight Maturity Level 2 User Application Hardening (Nov 2023) configuration implements the Australian Cyber Security Centre's (ACSC) guidance for this mitigation strategy. This configuration specifically covers the guidance released in July 2023 for the vendor's (Microsoft Office) applications.
Intune Description: E8 ML2 User App Hardening (Nov 2023) - ACSC Office Guidance 2023.7
Scope: This baseline should be applied to Windows devices. It must be deployed together with "DEVICIE-PROD-ACSC E8 Nov 2023-ML1 User app hardening" and all additional "DEVICIE-PROD-ACSC E8 Nov 2023-ML2 User app hardening" add-on items.
Policy Impact Areas:
When deployed, this policy will impact:
- Enable additional Defender Attack Surface Reduction Rules
- Require that application add-ins are signed by a Trusted Publisher
- Additional security controls, specifically for Office applications
Deployment Notes
Pre-Deployment Considerations:
- Review whether unsigned add-ins are used in the environment. Once this policy applies, add-ins that are not signed by a Trusted Publisher are blocked and the Trust Bar notification is suppressed, so they will stop loading without any prompt to the user.
Post-Deployment Validation:
- Review the Defender for Endpoint configuration and check that the Attack Surface Reduction rule "Block executable content from email client and webmail" is enabled in block mode.
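For the pre-deployment review above, the following PowerShell script is an added example (it is not part of the Devicie baseline or Microsoft tooling). It enumerates the COM add-ins registered for the five Office applications this baseline covers (Excel, PowerPoint, Project, Visio, Word), resolves each ProgID to the binary Office would load, and reports the Authenticode signature status and whether the signer's certificate is present in the Trusted Publishers store. The registry locations and the "MS Project" key name are the standard Office add-in registration paths; run it in the context of the user whose add-ins you want to audit, since HKCU registrations are per user. VSTO add-ins, which register a ClickOnce manifest instead of a CLSID, are listed but their manifest signature is not checked by this script.

```powershell
# Added example (not Devicie's or Microsoft's code): audit COM add-ins
# registered for the Office apps hardened by this baseline and flag the
# ones that would be blocked by "Require that application add-ins are
# signed by Trusted Publisher". Run in the user's context.

$apps  = 'Excel', 'PowerPoint', 'MS Project', 'Visio', 'Word'
$hives = 'HKCU:\Software\Microsoft\Office',
         'HKLM:\Software\Microsoft\Office',
         'HKLM:\Software\WOW6432Node\Microsoft\Office'

# Signer thumbprints Office will accept once the policy is enforced.
$trustedThumbprints = @(Get-ChildItem 'Cert:\CurrentUser\TrustedPublisher',
                                      'Cert:\LocalMachine\TrustedPublisher' -ErrorAction SilentlyContinue |
                        ForEach-Object Thumbprint)

function Resolve-AddinBinary {
    # Map an add-in registration (a ProgID subkey under ...\Addins) to the file Office loads.
    param([Microsoft.Win32.RegistryKey]$AddinKey)

    # VSTO / ClickOnce add-ins carry a manifest path instead of a CLSID.
    $manifest = $AddinKey.GetValue('Manifest')
    if ($manifest) { return [pscustomobject]@{ Kind = 'VSTO'; Path = $manifest } }

    $progId = $AddinKey.PSChildName
    $clsid  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\CLSID" -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) { return $null }

    foreach ($root in 'HKEY_CLASSES_ROOT\CLSID', 'HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
        $inproc = Get-ItemProperty "Registry::$root\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $inproc) { continue }
        # Managed add-ins register mscoree.dll as the server; the real assembly is in CodeBase.
        $path = if ($inproc.CodeBase) { ([uri]$inproc.CodeBase).LocalPath } else { $inproc.'(default)' }
        if (-not $path) { continue }
        $path = [Environment]::ExpandEnvironmentVariables(($path -replace '"', ''))
        return [pscustomobject]@{ Kind = 'COM'; Path = $path }
    }
    return $null
}

$report = foreach ($hive in $hives) {
    foreach ($app in $apps) {
        $addinsPath = Join-Path $hive "$app\Addins"
        if (-not (Test-Path $addinsPath)) { continue }
        foreach ($key in Get-ChildItem $addinsPath) {
            $target = Resolve-AddinBinary -AddinKey $key
            $sig = $null
            if ($target -and $target.Kind -eq 'COM' -and (Test-Path -LiteralPath $target.Path)) {
                $sig = Get-AuthenticodeSignature -FilePath $target.Path
            }
            $signer = if ($sig) { $sig.SignerCertificate } else { $null }
            [pscustomobject]@{
                App              = $app
                ProgId           = $key.PSChildName
                LoadBehavior     = $key.GetValue('LoadBehavior')   # 3 = load at startup
                Path             = if ($target) { $target.Path } else { '(unresolved)' }
                Signature        = if ($sig) { [string]$sig.Status }
                                   elseif ($target -and $target.Kind -eq 'VSTO') { 'VSTO (not checked)' }
                                   else { 'Unresolved' }
                Signer           = if ($signer) { $signer.Subject } else { '' }
                TrustedPublisher = [bool]($signer -and ($trustedThumbprints -contains $signer.Thumbprint))
            }
        }
    }
}

$report | Sort-Object App, ProgId | Format-Table -AutoSize

# Anything not validly signed by a Trusted Publisher stops loading once the policy applies.
$willBreak = @($report | Where-Object { $_.Signature -ne 'Valid' -or -not $_.TrustedPublisher })
"$($willBreak.Count) of $($report.Count) registered add-ins would be blocked by the Trusted Publisher requirement"
```

Add-ins that appear in the final count are the ones to either re-sign, have their publisher certificate distributed to the Trusted Publishers store, or retire before the policy is assigned.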
Name | Value
Administrative Templates |
  MS Security Guide |
    Block Flash activation in Office documents | Enabled
      Block Flash player in Office (Device) | Block all activation
  Defender |
    Attack Surface Reduction Rules |
      Block executable content from email client and webmail | Block
      Block all Office applications from creating child processes | Block
      Block Office applications from creating executable content | Block
      Block Office applications from injecting code into other processes | Block
      Block Win32 API calls from Office macros | Block
      Block Office communication application from creating child processes | Block
  Microsoft Excel 2016 |
    Security |
      Force file extension to match file type (User) | Enabled: Always match file type
      Turn off file validation (User) | Disabled
    External Content |
      Always prevent untrusted Microsoft Query files from opening (User) | Enabled
      Don't allow Dynamic Data Exchange (DDE) server launch in Excel (User) | Enabled
      Don't allow Dynamic Data Exchange (DDE) server lookup in Excel (User) | Enabled
    File Block Settings |
      dBase III / IV files (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Dif and Sylk files (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 2 macrosheets and add-in files (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 2 worksheets (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 3 macrosheets and add-in files (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 3 worksheets (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 4 macrosheets and add-in files (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 4 workbooks (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 4 worksheets (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 95 workbooks (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 95-97 workbooks and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Excel 97-2003 workbooks and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Set default file block behavior (User) | Enabled: Blocked files are not opened
      Web pages and Excel 2003 XML spreadsheets (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
    Protected View |
      Always open untrusted database files in Protected View (User) | Enabled
      Do not open files from the Internet zone in Protected View (User) | Disabled
      Do not open files in unsafe locations in Protected View (User) | Disabled
      Set document behavior if file validation fails (User) | Enabled: Block files
        Checked: Allow edit. Unchecked: Do not allow edit. (User) | False
      Turn off Protected View for attachments opened from Outlook (User) | Disabled
    Trust Center |
      Require that application add-ins are signed by Trusted Publisher (User) | Enabled
      Disable Trust Bar Notification for unsigned application add-ins and block them (User) | Enabled
      Turn off trusted documents (User) | Enabled
      Turn off Trusted Documents on the network (User) | Enabled
  Microsoft Office 2016 |
    Security Settings |
      Disable All ActiveX (User) | Enabled
    Trust Center |
      Allow including screenshot with Office Feedback (User) | Disabled
      Automatically receive small updates to improve reliability (User) | Disabled
      Configure the level of client software diagnostic data sent by Office to Microsoft (User) | Enabled
        Type of diagnostic data: (User) | Neither
      Disable Opt-in Wizard on first run (User) | Enabled
      Enable Customer Experience Improvement Program (User) | Disabled
      Send Office Feedback (User) | Disabled
      Send personal information (User) | Disabled
  Microsoft PowerPoint 2016 |
    Security |
      Make hidden markup visible (User) | Enabled
      Run Programs (User) | Enabled: disable (don't run any programs)
      Turn off file validation (User) | Disabled
    File Block Settings |
      PowerPoint 97-2003 presentations, shows, templates and add-in files (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Set default file block behavior (User) | Enabled: Blocked files are not opened
    Protected View |
      Do not open files from the Internet zone in Protected View (User) | Disabled
      Do not open files in unsafe locations in Protected View (User) | Disabled
      Set document behavior if file validation fails (User) | Enabled: Block files
        Checked: Allow edit. Unchecked: Do not allow edit. (User) | False
      Turn off Protected View for attachments opened from Outlook (User) | Disabled
    Trust Center |
      Require that application add-ins are signed by Trusted Publisher (User) | Enabled
      Disable Trust Bar Notification for unsigned application add-ins and block them (User) | Enabled
      Turn off trusted documents (User) | Enabled
      Turn off Trusted Documents on the network (User) | Enabled
  Microsoft Project 2016 |
    Trust Center |
      Require that application add-ins are signed by Trusted Publisher (User) | Enabled
      Disable Trust Bar Notification for unsigned application add-ins and block them (User) | Enabled
  Microsoft Visio 2016 |
    File Block Settings |
      Visio 2000-2002 Binary Drawings, Templates and Stencils (User) | Enabled
        File block setting: (User) | Open/Save blocked
      Visio 2003-2010 Binary Drawings, Templates and Stencils (User) | Enabled
        File block setting: (User) | Open/Save blocked
      Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User) | Enabled
        File block setting: (User) | Open/Save blocked
    Trust Center |
      Require that application add-ins are signed by Trusted Publisher (User) | Enabled
      Disable Trust Bar Notification for unsigned application add-ins and block them (User) | Enabled
      Turn off trusted documents (User) | Enabled
      Turn off Trusted Documents on the network (User) | Enabled
  Microsoft Word 2016 |
    Advanced |
      Update automatic links at Open (User) | Disabled
    Security |
      Make hidden markup visible (User) | Enabled
      Turn off file validation (User) | Disabled
    File Block Settings |
      Set default file block behavior (User) | Enabled: Blocked files are not opened
      Word 2 and earlier binary documents and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Word 2000 binary documents and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Word 2003 binary documents and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Word 2007 and later binary documents and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Word 6.0 binary documents and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Word 95 binary documents and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Word 97 binary documents and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
      Word XP binary documents and templates (User) | Enabled
        File block setting: (User) | Open/Save blocked, use open policy
    Protected View |
      Do not open files from the Internet zone in Protected View (User) | Disabled
      Do not open files in unsafe locations in Protected View (User) | Disabled
      Set document behavior if file validation fails (User) | Enabled: Block files
        Checked: Allow edit. Unchecked: Do not allow edit. (User) | False
      Turn off Protected View for attachments opened from Outlook (User) | Disabled
    Trust Center |
      Require that application add-ins are signed by a Trusted Publisher (User) | Enabled
      Disable Trust Bar Notification for unsigned application add-ins and block them (User) | Enabled
      Turn off trusted documents (User) | Enabled
      Turn off Trusted Documents on the network (User) | Enabled
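For the post-deployment validation, the following PowerShell script is an added example (not Devicie's or Microsoft's code) that checks on a device which has received the policy that the six Attack Surface Reduction rules in the table report action 1 (Block) in Get-MpPreference, and that the add-in signing, Excel DDE and ActiveX settings have landed in the user's policy registry keys. It assumes Microsoft 365 Apps or Office 2016 and later (the 16.0 registry tree), that the Intune ADMX-backed Office settings write to the same HKCU\Software\Policies\Microsoft\Office keys and value names as the Office Group Policy templates, and that it runs as the user who received the policy (the settings above are User scope). The ASR rule GUIDs are Microsoft's published identifiers; the Protected View, file block and trusted documents settings are not covered by this script.

```powershell
# Added example (not Devicie's or Microsoft's code): confirm the ASR rules and
# the add-in / DDE / ActiveX policies from this baseline are in effect.
# Assumes Office 16.0 registry tree; run as the targeted user, not as SYSTEM.

# Published rule GUIDs for the six rules this baseline sets to Block.
$asrExpected = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication application from creating child processes'
}
# Get-MpPreference action codes.
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-AsrRules {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $asrExpected.Keys) {
        # Ids and Actions are parallel arrays; match the GUID case-insensitively.
        $index = -1
        for ($k = 0; $k -lt $ids.Count; $k++) {
            if ("$($ids[$k])" -eq $guid) { $index = $k; break }
        }
        $action = if ($index -ge 0) { [int]$actions[$index] } else { $null }
        [pscustomobject]@{
            Check  = "ASR: $($asrExpected[$guid])"
            Actual = if ($null -ne $action) { $actionName[$action] } else { 'Not configured' }
            Pass   = ($action -eq 1)
        }
    }
}

# Registry values the Office ADMX templates write for the settings in the table.
$policyRoot = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$officePolicies = @(
    foreach ($app in 'Excel', 'PowerPoint', 'MS Project', 'Visio', 'Word') {
        @{ Path = "$policyRoot\$app\Security"; Name = 'RequireAddinSig';         Expect = 1; Desc = "$app`: add-ins must be signed by Trusted Publisher" }
        @{ Path = "$policyRoot\$app\Security"; Name = 'NoTBPromptUnsignedAddin'; Expect = 1; Desc = "$app`: unsigned add-ins blocked without Trust Bar prompt" }
    }
    @{ Path = "$policyRoot\Excel\Security\External Content"; Name = 'DisableDDEServerLaunch'; Expect = 1; Desc = 'Excel: DDE server launch disabled' }
    @{ Path = "$policyRoot\Excel\Security\External Content"; Name = 'DisableDDEServerLookup'; Expect = 1; Desc = 'Excel: DDE server lookup disabled' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\Common\Security'; Name = 'DisableAllActiveX'; Expect = 1; Desc = 'Office: all ActiveX controls disabled' }
)

function Test-OfficePolicies {
    foreach ($p in $officePolicies) {
        $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        [pscustomobject]@{
            Check  = $p.Desc
            Actual = if ($null -eq $actual) { 'Not configured' } else { $actual }
            Pass   = ($actual -eq $p.Expect)
        }
    }
}

$results = @(Test-AsrRules) + @(Test-OfficePolicies)
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) of $($results.Count) checks failed; see rows with Pass = False"
    exit 1
}
"All $($results.Count) checks passed"
```

A rule reported as Audit or Warn rather than Block usually means another Intune or Group Policy assignment with a conflicting value is also targeting the device; an Office value reported as Not configured means the user-scope policy has not yet synced for the logged-on user, so re-run after an Intune sync in that user's session before treating it as a failure.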
Devicie Template Name: ACSC E8 Nov 2023-ML2 User app hardening-ACSC Office Guidance 2023.7
Default Intune Deployed Name: DEVICIE-PROD-ACSC E8 Nov 2023-ML2 User app hardening-ACSC Office Guidance 2023.7
Version: 1.0
Template Last Updated: Nov 18, 2024
Document Last Updated: Jun 12, 2025