2.8.4.1.2 Ensure 'Disable Trust Bar Notification for unsigned application add-ins and block them' is set to 'Enabled'

Information

This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disables such add-ins without notification.

Note: For this policy to apply, the Require that application add-ins are signed by Trusted Publisher policy setting needs to be enabled. This will prevent users from changing the Disable Trust Bar Notification for Unsigned Application Add-ins and Block Them policy setting.

The recommended state for this setting is: Enabled.

Rationale:

Allowing unsigned application add-ins could cause the application to load dangerous add-ins and as a result, malicious code could become active endpoints and the network.

Impact:

If an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled.

User Configuration\Administrative Templates\Microsoft Publisher 2016\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins and block them

Default Value:

Disabled. (Users can configure this requirement themselves in the 'Add-ins' category of the Trust Center for the application.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1)

Plugin: Windows

Control ID: 1c931400eefd35c16f9dc50fd584ec52569427adcec9da870f04d5e8947e280a