Sometimes you encounter a headline where the individual words make sense, but the overall meaning isn’t immediately clear. This article might be one of those cases. Unless you’re familiar with the Office Cloud Policy Service or the Microsoft security ecosystem, the concepts here might be new to you. Let’s dive in.
Understanding Microsoft Security Baselines
Years ago, Microsoft faced criticism for shipping far too many settings with too little guidance on which ones to use. The problem dates back to the days of the Windows resource kits, the thick sets of printed documentation for Windows NT and the BackOffice applications. Over time Microsoft improved its documentation, and outside bodies began publishing their own hardening recommendations: the National Security Agency and the National Institute of Standards and Technology issued configuration guides, and the Defense Information Systems Agency produces the U.S. Department of Defense's STIGs (Security Technical Implementation Guides).
Microsoft responded by publishing security templates that could be applied through Group Policy, which made it much easier to apply consistent settings across an enterprise domain. The trouble was that the government-derived settings were too restrictive for most corporate environments, so Microsoft developed its own baselines, tuned for broader use. The current Windows baselines are published in the Microsoft Security Compliance Toolkit.
The Challenge with Baselines
The main challenge isn't the content of the baselines but where you can apply them. Not every device is joined to an on-premises Active Directory domain, and domain Group Policy Objects do nothing for personal devices or for devices that are only joined to Entra ID. To close that gap for Office, Microsoft introduced the Office Cloud Policy Service (OCPS).
OCPS lets Microsoft 365 administrators push Office policy settings to users rather than to machines: the settings follow a user's account to any device where they sign in to Microsoft 365 Apps and connect to the tenant, and they are refreshed when the apps are launched and periodically thereafter. OCPS only covers Office application settings; it can't control device settings such as screen-lock time or password requirements, for which you still need Intune or another device management solution. What it does give you is consistent policy across the Office apps no matter how the device is managed.
Implementing Baselines with OCPS
Good news: you can apply Microsoft's recommended security baseline for the Office applications through OCPS, which is included at no extra cost with the Microsoft 365 Apps for enterprise licence that comes with E3 and E5. The bad news: the baseline settings are not bundled into a single switch, so you apply them one setting at a time, which is somewhat tedious. Even so, a baseline policy materially improves the security posture of the Office apps and is worth the effort.
Creating a New Tenant Policy
OCPS supports multiple policies, prioritized and scoped to specific groups. Here’s how to set up a tenant-wide policy:
- Log in to config.office.com using an account with Global admin or Office Apps Administrator rights.
- Navigate to Customization > Policy Management on the left navigation bar.
- Click ‘Create’ to initiate a new policy, provide a name and description, then click ‘Next’.
- Ensure ‘This policy configuration applies to all users’ is selected on the scope page, then click ‘Next’.
On the Configure Settings page, narrow the list by selecting the Security baseline filter. That reveals the 135-plus settings that make up the security baseline for Office clients; on a new policy almost all of them show as "Not configured".
Policy Configuration States
Each OCPS policy setting can be:
- Not configured
- Enabled
- Disabled
Settings that belong to the baseline also offer a 'Microsoft recommended baseline' option, which sets the value Microsoft recommends for that setting. You can instead configure each setting by hand if your environment needs a different value, but the recommended value is the right default unless you have a specific reason to deviate.
Recommended Security Settings
With more than 135 settings, choosing where to start can be daunting. Focus on these key areas:
- Restrict risky file types and sources. Start with "Block macros from running in Office files from the internet", which stops the most common document-based malware delivery path.
- Apply settings consistently across applications. Many baseline settings are defined separately for Word, Excel, PowerPoint and the other apps, so a setting enabled for Word alone leaves Excel and PowerPoint unprotected; enable it for every app it exists for.
- Test settings with a pilot group before deploying to all users, so you know which line-of-business workflows (macro-driven spreadsheets, add-ins, legacy file formats) will be affected.
Since OCPS costs nothing beyond the licences you already hold, the time spent configuring these settings is one of the cheapest security improvements available to a Microsoft 365 tenant.
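The portal shows what you configured, but not whether the policy actually reached a given user's apps, and you want that check before widening a pilot to everyone. The PowerShell below is an added example for this article, not a script from Microsoft or the original post. It reads the registry on a signed-in client and reports, per app, the state of the "Block macros from running in Office files from the internet" setting from both the OCPS location (HKCU\Software\Policies\Microsoft\Cloud\Office\16.0, which mirrors the classic Group Policy path under HKCU\Software\Policies\Microsoft\Office\16.0) and the Group Policy location. The value name `blockcontentexecutionfrominternet` is the one the Office ADMX templates use; the app list and the report layout are this example's own choices.

```powershell
# Added example (not from the original article): audit whether the OCPS
# "Block macros from running in Office files from the internet" setting has
# reached this user's Office apps. OCPS writes its values under
# HKCU\Software\Policies\Microsoft\Cloud\Office\16.0, mirroring the classic
# GPO path under HKCU\Software\Policies\Microsoft\Office\16.0; the value name
# blockcontentexecutionfrominternet matches the Group Policy ADMX templates.
# The app list and the report format are this example's own choices.

$apps  = 'Word', 'Excel', 'PowerPoint'
$value = 'blockcontentexecutionfrominternet'
$roots = @{
    'OCPS (cloud policy)' = 'HKCU:\Software\Policies\Microsoft\Cloud\Office\16.0'
    'Group Policy'        = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
}

function Get-PolicyState {
    param([string]$Path, [string]$Name)
    # Mirrors the three OCPS states: missing key or value = Not configured,
    # 1 = Enabled, 0 = Disabled.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    switch ([int]$item.$Name) {
        1       { 'Enabled' }
        0       { 'Disabled' }
        default { "Unexpected value $($item.$Name)" }
    }
}

# One row per app and policy source, so per-app gaps are visible at a glance.
$report = foreach ($app in $apps) {
    foreach ($source in $roots.Keys) {
        [pscustomobject]@{
            App    = $app
            Source = $source
            State  = Get-PolicyState -Path (Join-Path $roots[$source] "$app\Security") -Name $value
        }
    }
}

$report | Sort-Object App, Source | Format-Table -AutoSize

# Flag any app where neither source enables the block, which is exactly the
# "enabled for Word but forgotten for Excel" mistake described above.
$unprotected = $report | Group-Object App | Where-Object {
    -not ($_.Group.State -contains 'Enabled')
} | Select-Object -ExpandProperty Name
if ($unprotected) {
    Write-Warning "Internet macro block not enforced for: $($unprotected -join ', ')"
}
```

Run it as the pilot user, after they have signed in to an Office app and given the client time to pull the new policy. When both sources set the same value, the OCPS value takes precedence over Group Policy, so a row showing OCPS "Enabled" next to Group Policy "Disabled" still means the block is enforced; the warning at the end only fires when no source enables it for that app.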