Microsoft Office 365 ProPlus STIG Version Comparison
Microsoft Office 365 ProPlus Security Technical Implementation Guide
Comparison
There are 3 differences between versions v2 r5 (April 27, 2022) (the "left" version) and v2 r7 (Oct. 26, 2022) (the "right" version).
Check O365-EX-000002 was changed between these two versions.
Text Differences
Title
VBA Macros not digitally signed must be blocked in Excel.
Check Content
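Left (v2 r5):
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Application Settings >> Security >> Trust Center >> "Macro Notification Settings" is set to "Enabled" and "Disable all except digitally signed macros" from the Options.
Use the Windows Registry Editor to navigate to the following key:
HKCU\software\policies\Microsoft\office\16.0\excel\security
If the value vbawarnings is REG_DWORD = 3, this is not a finding. Values of REG_DWORD = 2 or 4 are also acceptable. If the registry key does not exist or the value is REG_DWORD =1, this is a finding.

Right (v2 r7):
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> "VBA macro Notification Settings" is set to "Enabled" and "Disable VBA macros except digitally signed macros" from the Options is selected.
Use the Windows Registry Editor to navigate to the following key:
HKCU\software\policies\Microsoft\office\16.0\excel\security
If the value vbawarnings is REG_DWORD = 3, this is not a finding. A value of REG_DWORD = 2 or 4 are also acceptable. If the registry key does not exist or is not configured properly, this is a finding.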
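The registry portion of this check, as an added PowerShell example (not part of the STIG text). It reports 3 as not a finding, 2 or 4 as also acceptable, and a missing key, a missing value, or any other data as a finding, which satisfies both versions' wording of the last sentence. The function names and the strict REG_DWORD type test are assumptions of this example.

```powershell
# Added example, not STIG text. Run it as the user being audited,
# because the policy key lives under HKCU.
$KeyPath   = 'HKCU:\software\policies\Microsoft\office\16.0\excel\security'
$ValueName = 'vbawarnings'

# Hypothetical helper: builds a uniform result object.
function New-CheckResult([bool]$Finding, [string]$Detail) {
    [pscustomobject]@{ Check = 'O365-EX-000002'; Finding = $Finding; Detail = $Detail }
}

# Hypothetical function name; evaluates the value the way the check describes.
function Test-ExcelVbaWarnings {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-CheckResult $true "Registry key does not exist: $Path"
    }

    $key  = Get-Item -LiteralPath $Path
    $data = $key.GetValue($Name, $null)   # $null when the value is absent
    if ($null -eq $data) {
        return New-CheckResult $true "Value '$Name' is not present under the key"
    }

    # Assumption of this example: the check names REG_DWORD, so any other
    # registry type is reported as not configured properly.
    $kind = $key.GetValueKind($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return New-CheckResult $true "Value '$Name' has type $kind, expected DWord"
    }

    if ($data -eq 3)    { return New-CheckResult $false "$Name = 3" }
    if ($data -in 2, 4) { return New-CheckResult $false "$Name = $data (also acceptable)" }
    return New-CheckResult $true "$Name = $data"
}

# Emit the result object; Finding = True means the check fails.
Test-ExcelVbaWarnings -Path $KeyPath -Name $ValueName
```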
Discussion
This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros:
- Disable all with notification: The application displays the Trust Bar for all macros, whether signed or unsigned. This option enforces the default configuration in Office.
- Disable all except digitally signed macros: The application displays the Trust Bar for digitally signed macros, allowing users to enable them or leave them disabled. Any unsigned macros are disabled, and users are not notified.
- Disable all without notification: The application disables all macros, whether signed or unsigned, and does not notify users.
- Enable all macros (not recommended): All macros are enabled, whether signed or unsigned. This option can significantly reduce security by allowing dangerous code to run undetected.
Fix
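Left (v2 r5):
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Application Settings >> Security >> Trust Center >> "Macro Notification Settings" is set to "Enabled" and select "Disable all except digitally signed macros" from the Options.

Right (v2 r7):
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> "VBA macro Notification Settings" is set to "Enabled" and select "Disable VBA macros except digitally signed macros" from the Options.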