News

Microsoft Releases Security Resources for Office, Intune

• By Kurt Mackie
• 02/19/2018

Microsoft this month announced final Office security baseline materials, advance notice of a coming Intune security change, and tips on combating e-mail name spoofing.

Organizations also received notice of 50 vulnerabilities (14 deemed "Critical") in last week's "update Tuesday," as tallied by the SANS Internet Storm Center's count.

Office Security Baseline
Microsoft has published its final security baseline materials for organizations that manage Office 2016 and Office 365 ProPlus productivity suites. The baseline is collection of scripts, administrative templates (ADMX) and importable Group Policy Objects (GPOs), along with an Excel document containing recommended settings for optimal security. It's available in a zipped archive from this link, with a description of the highlights listed in this announcement.

Microsoft updated the baseline without any changes from the draft that was announced last month, although it conducted a "thorough review of all available configuration settings" for this release. It removed more than 96 settings that weren't deemed meaningful in terms of security.

One of the notable highlights of the baseline recommendations is a setting that blocks macros from the Internet from running in Office documents. Microsoft sees it as unproblematic for enterprises to apply this security setting. If Trusted Sites zones are specified, then macros associated with those sites won't get blocked by this setting.

Microsoft acknowledged that its baseline setting that requires Visual Basic for Applications-based macros in Office documents to be "signed by a trusted publisher" can cause problems for some organizations. It's currently working to create "a separate GPO to make it easier to switch the settings on or off without affecting the rest of the baseline."

Another highlight is a setting that stops Adobe Flash ActiveX from loading in Office documents. The problem with Flash is that attackers can pass malformed data to Flash to execute malware. Organizations can either completely block Flash in Office or they can only block it when it is "directly embedded or linked in an Office document." Microsoft also permits the blocking of specific Component Object Model (COM) objects, such as ActiveX and OLE, via "kill bit" controls. Users can set these kill bit controls for Office using the Windows registry, according to this support article.

March Intune Security Change
Microsoft this month gave advance notice to users of the standalone Intune mobile management service that it plans to add a security change to the product in March that could affect operations. The change will just apply to "standalone" Intune service users and won't apply to "hybrid and O365 customers" at this time, Microsoft noted in an announcement. By "hybrid" Intune, Microsoft means using Intune integrated with System Center Configuration Manager.

Organizations using Microsoft's Conditional Access information protection service with standalone Intune appear to be affected by the coming security change because Microsoft is adding a new "devices without compliance policy" reporting capability to Intune. When that policy gets added to Intune in March, the Conditional Access service will block any devices that have no assigned compliance policy.

Standalone Intune users should "ensure that all your devices have at least one compliance policy assigned to them by March," Microsoft's announcement advised. If that's not in place, end users will "lose access to e-mail" when the new capability arrives.

E-Mail Name Spoofing
Organizations can set Exchange transport rules to block "display name spoofing" in e-mail phishing attempts. Attackers have increasingly resorted to using the names of company executives in their phishing attempts because spoofing a company's e-mail domain is harder to pull off, given the use of "DMARC, DKIM and SPF" technologies, according to Andrew Stobart, a Microsoft technical support employee for Exchange Online Protection, in a TechNet post.

Stobart showed how to set up Exchange transport rules to warn end users when the name in the "From" field of an e-mail has been spoofed. End users can get a warning message appended to the e-mail if the name of the executive in the "From" field is someone inside the organization but the e-mail address originates from "outside of the tenant." It's a simple approach that has worked to address such attempts, Stobart indicated.