Solutions

Overview

GenSpace Individual

For Business

Overview

GenSpace Business

Small Business

Small business productivity tools

New business

Tools for new businesses

Startups

Startup productivity tools

For Enterprise

Overview

GenSpace Enterprise

Frontline Workers

GenSpace for the frontline

Work Safer

Protect organizations from cyberattacks

Products

Mail

Custom business email

Calendar

Custom business email

Files

Files

Documents

Documents

Presentations

Presentations

Spreadsheets

Spreadsheets

Talk

Talk

Notes

Notes

Deck

Deck

Enhance Office App Security with Office Cloud Policy Service

Sometimes you encounter a headline where the individual words make sense, but the overall meaning isn’t immediately clear. This article might be one of those cases. Unless you’re familiar with the Office Cloud Policy Service or the Microsoft security ecosystem, the concepts here might be new to you. Let’s dive in.

Understanding Microsoft Security Baselines

Years ago, Microsoft faced criticism for having too many settings with insufficient guidance for customers. This issue dates back to the days of the Windows resource kits—large sets of printed documentation for BackOffice applications. Over time, Microsoft improved its documentation quality, while organizations like the National Security Agency and the National Institute of Standards and Technology began producing their own configuration recommendations, such as the U.S. Department of Defense’s STIGs (Security Technical Implementation Guides).

Microsoft responded by creating group policy templates, simplifying the application of consistent settings across enterprise domains. However, these were too restrictive for most corporate environments. Consequently, Microsoft developed its own baseline settings, tailored for broader use. Here is the current set of Microsoft baseline settings for Windows.

The Challenge with Baselines

The main challenge isn’t with the baselines themselves but with their applicability. Not every device is joined to a domain or on-premises Active Directory. Group policy objects aren’t effective for personal devices or those joined to an Entra ID domain. To address this, Microsoft introduced the Office Cloud Policy Service (OCPS).

OCPS allows Office 365 administrators to push policies to any device running Office and connecting to their tenant. While it can’t control settings like screen lock time or password requirements (for which you need Intune or another device management solution), it ensures consistent policy application across Office apps.

Implementing Baselines with OCPS

Good news: you can apply recommended baseline security policies for Office applications using OCPS, available for free with your E3 licenses. The bad news: these settings aren’t grouped, making application somewhat cumbersome. However, setting up a baseline policy significantly enhances Office app security.

Creating a New Tenant Policy

OCPS supports multiple policies, prioritized and scoped to specific groups. Here’s how to set up a tenant-wide policy:

  1. Log in to config.office.com using an account with Global admin or Office Apps Administrator rights.
  2. Navigate to Customization > Policy Management on the left navigation bar.
  3. Click ‘Create’ to initiate a new policy, provide a name and description, then click ‘Next’.
  4. Ensure ‘This policy configuration applies to all users’ is selected on the scope page, then click ‘Next’.

On the Configure Settings page, filter your choices by clicking the Security baseline pivot, revealing over 135 policies in the security baseline for Office clients, most showing as “Not configured”.

Policy Configuration States

Each OCPS policy setting can be:

  • Not configured
  • Enabled
  • Disabled

Baseline settings include a ‘Microsoft recommended baseline’ option, applying Microsoft’s recommended configurations. Alternatively, you can manually configure settings.

Recommended Security Settings

With over 135 settings, choosing the right ones can be daunting. Focus on these key areas:

  • Restrict file types and sources. Start with “Block macros from running in Office files from the internet”.
  • Apply settings consistently across applications. Policies often apply to specific apps.
  • Test settings before full deployment to anticipate user impact.

Since OCPS is free, investing time to configure these settings is worthwhile for enhancing security.

GenSpace.ai is an autonomous AI workspace that integrates with chat platforms like Discord or Slack. It lets you control all your work and productivity apps and browse the web via simple chat commands. Our AI agents automate tasks, manage workflows, and act as your digital assistant, streamlining operations and reducing costs for entrepreneurs and startups.

Share the Post:

Related Posts

GenSpace Logo

Request Access

If you have any feedback or inquiries, feel free to contact [email protected]