Hardening Microsoft Office 2016 and Office 2019

Windows clients are often targeted by adversaries using malicious web pages, malicious email attachments and removable media carrying malicious content to extract sensitive information. Hardening the applications on workstations is an important part of reducing this risk.

This document provides guidance on hardening Microsoft Office 2016 and higher, including Microsoft Excel, Microsoft PowerPoint, and Microsoft Word.

Before implementing the recommendations in this document, test them against representative workloads so that the potential for unintended impacts on business processes is reduced as much as possible.

Attack Surface Reduction

Attack Surface Reduction (ASR) is a security feature introduced in Microsoft Windows 10, version 1709, as part of Windows Defender Exploit Guard. It is designed to minimize the threat of malware exploiting legitimate functionality in Microsoft Office applications.

To use ASR, Windows Defender Antivirus must be configured as the primary real-time antivirus scanning engine on workstations. If a third-party antivirus product registers itself as the primary engine, Windows Defender Antivirus drops into passive mode and ASR rules are no longer applied.

ASR provides a set of attack surface reduction rules. Those relevant to Microsoft Office are listed below, each with the GUID used to configure it:

  • Block executable content from email client and webmail: BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
  • Block Office applications from creating child processes: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
  • Block Office applications from creating executable content: 3B576869-A4EC-4529-8536-B80A7769E899
  • Block Office applications from injecting code into other processes: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
  • Block JavaScript and VBScript from launching downloaded executable content: D3E037E1-3EB8-44C8-A917-57927947596D
  • Block execution of potentially obfuscated scripts: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
  • Block Win32 API calls from Office macros: 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

ASR can be implemented with Windows Defender Antivirus, or a third-party antivirus solution offering equivalent functionality can be used. On older versions of Microsoft Windows, alternative measures will need to be implemented to mitigate the threats that ASR addresses, such as Dynamic Data Exchange (DDE) attacks.

Note: for organizations using Windows Defender Antivirus, the ASR rules above are enforced through the Windows Defender Exploit Guard Group Policy settings. Microsoft Security Advisory 4053440 describes the registry-based mitigations for DDE attacks that can be applied where ASR is not available.
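The following PowerShell is an added example, not part of the original guidance, showing how the seven rules above can be staged in audit mode, read back, and then enforced with the Windows Defender cmdlets. The function names are hypothetical; the cmdlets, rule GUIDs and event IDs are the real ones. Run it in an elevated session on Windows 10 version 1709 or later.

```powershell
# Added example (not part of the original guidance): enable the Office-related ASR rules
# listed above with the Defender PowerShell module, staging them in audit mode first.
# Run in an elevated PowerShell session on Windows 10 1709 or later.

$OfficeAsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript and VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
}

function Set-OfficeAsrRules {
    # Hypothetical helper name. Without -Enforce the rules go to AuditMode: nothing is
    # blocked, but each would-be block is logged as event 1122 so impact can be measured.
    param([switch]$Enforce)

    # ASR is only honoured while Windows Defender Antivirus is the active real-time engine.
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        throw 'Windows Defender Antivirus real-time protection is not active; ASR rules would not be enforced.'
    }

    $ids     = [string[]]@($OfficeAsrRules.Keys)
    $action  = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
    $actions = @($ids | ForEach-Object { $action })

    # Add-MpPreference merges with rules already configured; Set-MpPreference would replace the list.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-OfficeAsrRuleState {
    # Hypothetical helper name. Reads back the effective state of each rule. The actions
    # come back as integers: 0 = Disabled, 1 = Block (Enabled), 2 = Audit, 6 = Warn.
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref  = Get-MpPreference
    $ids   = [string[]]$pref.AttackSurfaceReductionRules_Ids
    $acts  = [int[]]$pref.AttackSurfaceReductionRules_Actions
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $configured[$ids[$i].ToUpper()] = $acts[$i]
    }
    foreach ($id in $OfficeAsrRules.Keys) {
        $code = $configured[$id]
        [pscustomobject]@{
            Rule  = $OfficeAsrRules[$id]
            Id    = $id
            State = if ($null -eq $code) { 'Not configured' } else { $names[$code] }
        }
    }
}

function Get-OfficeAsrEvents {
    # Hypothetical helper name. 1121 = rule blocked an action; 1122 = rule would have
    # blocked it (audit mode). Both land in the Defender operational log.
    param([int]$Newest = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-OfficeAsrRules                                   # stage in audit mode
Get-OfficeAsrRuleState | Format-Table -AutoSize      # confirm all seven rules are set
Get-OfficeAsrEvents    | Format-Table -AutoSize      # review what would have been blocked
# After the audit period, switch to blocking:  Set-OfficeAsrRules -Enforce
```

Local preferences set this way are overridden by Group Policy; where ASR is managed centrally, the same GUIDs and actions go into Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction, and the script is then useful only as a read-back check.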

ActiveX

ActiveX controls embedded in Microsoft Office files are native code and can execute arbitrary code when the file is opened. The following Group Policy setting disables them across Microsoft Office 2016.

User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings
Disable All ActiveX: Enabled

Macros

  • Microsoft Office files can contain embedded code (known as a macro) written in the Visual Basic for Applications (VBA) programming language.
  • A macro is a series of commands that can be written or recorded and replayed later to automate repetitive tasks. Macros are powerful tools that novice users can easily create to improve their productivity.
  • For information on securing the use of Microsoft Office macros, see the Microsoft Office Macro Security publication.

Add-ins

Add-ins can be used for legitimate business purposes to provide additional functionality for Microsoft Office. An adversary can also use them to gain unauthorized access to sensitive information or to execute malicious code, because an add-in runs with the full privileges of the Office process and loads every time the application starts. To reduce this risk, add-in use should be managed.

The following Group Policy settings can be implemented to manage add-ins in Microsoft Excel, Microsoft PowerPoint, and Microsoft Word.

User Configuration\Policies\Administrative Templates\Microsoft Excel 2016\Miscellaneous
Block all unmanaged add-ins: Enabled
List of managed add-ins: Enabled
List of managed add-ins: (the add-ins approved for use in the organization)

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2016\Miscellaneous
Block all unmanaged add-ins: Enabled
List of managed add-ins: Enabled
List of managed add-ins: (the add-ins approved for use in the organization)

User Configuration\Policies\Administrative Templates\Microsoft Word 2016\Miscellaneous
Block all unmanaged add-ins: Enabled
List of managed add-ins: Enabled
List of managed add-ins: (the add-ins approved for use in the organization)
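Before the managed list can be populated, an organization needs to know which add-ins are actually registered on its workstations. The PowerShell below is an added example, not part of the original guidance: it inventories the COM add-ins registered for Excel, PowerPoint and Word in the per-user and per-machine registry locations and flags any that load at startup but are not on an approved list. The approved ProgIDs and the function names are hypothetical placeholders; the registry paths and the LoadBehavior semantics are the real ones.

```powershell
# Added example (not part of the original guidance): inventory registered COM add-ins for
# Excel, PowerPoint and Word and flag any not on the organization's approved list.

# Hypothetical approved list; replace with the ProgIDs your "List of managed add-ins" policy names.
$ApprovedAddins = @(
    'Contoso.ReportingAddin',   # hypothetical
    'Contoso.SignatureAddin'    # hypothetical
)

function Get-OfficeComAddin {
    # Hypothetical helper name. COM add-ins can be registered per user (HKCU) or per
    # machine (HKLM, including the 32-bit WOW6432Node view); all three must be checked.
    param([string[]]$Applications = @('Excel', 'PowerPoint', 'Word'))

    foreach ($app in $Applications) {
        $roots = @(
            "HKCU:\Software\Microsoft\Office\$app\Addins",
            "HKLM:\Software\Microsoft\Office\$app\Addins",
            "HKLM:\Software\Wow6432Node\Microsoft\Office\$app\Addins"
        )
        foreach ($root in $roots) {
            if (-not (Test-Path $root)) { continue }
            foreach ($key in Get-ChildItem -Path $root) {
                $props = Get-ItemProperty -Path $key.PSPath
                [pscustomobject]@{
                    Application  = $app
                    ProgId       = $key.PSChildName
                    Scope        = if ($root -like 'HKCU:*') { 'User' } else { 'Machine' }
                    FriendlyName = $props.FriendlyName
                    # LoadBehavior 3 = load automatically at startup and connect
                    LoadBehavior = $props.LoadBehavior
                    Approved     = ($ApprovedAddins -contains $key.PSChildName)
                    RegistryPath = $key.Name
                }
            }
        }
    }
}

function Get-UnapprovedOfficeAddin {
    # Hypothetical helper name. Anything auto-loading that is not approved is a finding.
    # Per-user registrations deserve particular attention: they need no administrative
    # rights to create, which makes them a convenient persistence mechanism.
    Get-OfficeComAddin | Where-Object { -not $_.Approved -and $_.LoadBehavior -eq 3 }
}

Get-OfficeComAddin | Format-Table Application, ProgId, Scope, LoadBehavior, Approved -AutoSize

$findings = @(Get-UnapprovedOfficeAddin)
if ($findings.Count -gt 0) {
    Write-Warning ("{0} unapproved add-in(s) load at startup:" -f $findings.Count)
    $findings | Format-Table Application, ProgId, Scope, RegistryPath -AutoSize
}
```

The HKCU branch reflects only the user running the script, so for fleet-wide inventory run it under each profile or through a configuration-management agent; VBA-based add-ins (.xlam, .dotm) are registered elsewhere and are not covered by this check.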

Patching

To address the security vulnerabilities identified in Microsoft Office, Microsoft regularly releases patches. Where patches are not applied, an adversary can easily compromise workstations through known vulnerabilities. To reduce this risk, patches should be applied within a timeframe determined by the severity of the vulnerabilities they address and any mitigating measures already in place.

Office File Validation

  • Office File Validation (OFV) checks that a Microsoft Office file conforms to the expected format before it is parsed fully. Malformed files are a common vehicle for exploits against the Office file parsers. By default, files that fail OFV checking are opened in Protected View, with users given the option to enable editing. To reduce this risk, OFV functionality should remain enabled for Microsoft Office.
  • The following Group Policy settings can be implemented to keep OFV enabled in Microsoft Excel, Microsoft PowerPoint and Microsoft Word. The error reporting setting stops Office from offering to send failed files to Microsoft; the "Turn off file validation" settings are left Disabled so that validation stays on.

User Configuration\Policies\Administrative Templates\Microsoft Office 2016\Security Settings
Turn off error reporting for files that fail file validation: Enabled

User Configuration\Policies\Administrative Templates\Microsoft Excel 2016\Excel Options\Security
Turn off file validation: Disabled

User Configuration\Policies\Administrative Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security
Turn off file validation: Disabled

User Configuration\Policies\Administrative Templates\Microsoft Word 2016\Word Options\Security
Turn off file validation: Disabled
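Once the ActiveX and Office File Validation policies above have been applied, a hardened build should be verified rather than assumed. The PowerShell below is an added example, not part of the original guidance: it reads back the policy registry values for the ActiveX section and the OFV section and reports each as OK, MISMATCH or NOT CONFIGURED. The paths and value names are my reading of the Office 2016 ADMX templates and are stated as assumptions; confirm them against your own ADMX set before using this as a compliance check. The function name is hypothetical.

```powershell
# Added example (not part of the original guidance): verify the registry values written by
# the "Disable All ActiveX" and Office File Validation Group Policy settings.
# Run as the user whose policy is being checked, after gpupdate /force.

# ASSUMPTION: these paths and value names are taken from my reading of the Office 2016 ADMX
# templates (Policies hive, version 16.0). Verify against your ADMX files.
$Expected = @(
    @{ Setting = 'Disable All ActiveX (Enabled)'
       Path    = 'HKCU:\Software\Policies\Microsoft\Office\Common\Security'
       Name    = 'DisableAllActiveX'; Value = 1 },
    @{ Setting = 'Turn off error reporting for files that fail file validation (Enabled)'
       Path    = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security\FileValidation'
       Name    = 'DisableReporting'; Value = 1 }
)
foreach ($app in 'Excel', 'PowerPoint', 'Word') {
    # "Turn off file validation" set to Disabled keeps validation on, i.e. EnableOnLoad = 1 (assumption).
    $Expected += @{ Setting = "$app - Turn off file validation (Disabled)"
                    Path    = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security\FileValidation"
                    Name    = 'EnableOnLoad'; Value = 1 }
}

function Test-OfficePolicyValue {
    # Hypothetical helper name. Returns one result object per expected value.
    param([hashtable]$Item)
    $actual = $null
    if (Test-Path -Path $Item.Path) {
        $props  = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
        if ($props) { $actual = $props.($Item.Name) }
    }
    [pscustomobject]@{
        Setting  = $Item.Setting
        Path     = $Item.Path
        Name     = $Item.Name
        Expected = $Item.Value
        Actual   = $actual
        Status   = if ($null -eq $actual)          { 'NOT CONFIGURED' }
                   elseif ($actual -eq $Item.Value) { 'OK' }
                   else                             { 'MISMATCH' }
    }
}

$results = $Expected | ForEach-Object { Test-OfficePolicyValue -Item $_ }
$results | Format-Table Setting, Expected, Actual, Status -AutoSize

# Non-zero exit makes this usable from a build-verification pipeline.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

User Configuration policies land under HKCU\Software\Policies for the logged-on user only, so a NOT CONFIGURED result on an administrator account does not mean the policy is missing for standard users; run the check in the context that matters.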

1 Response

  1. Simon says:

    bookmarked!!, I really like your site!
