2.3.27.3.4 Ensure 'Allow mix of policy and user locations' is set to 'Disabled'

Information

This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone.

The recommended state for this setting is: Disabled.

Rationale:

When files are opened from trusted locations, all the content in the files is enabled and active. Users are not notified about any potential risks that might be contained in the files, such as unsigned macros, ActiveX controls, or links to content on the Internet.

By default, users can specify any location as a trusted location, and a computer can have a combination of user-created, OCT-created, and Group Policy-created trusted locations.

Impact:

Disabling this setting will cause some disruption for users who have defined their own trusted locations in the Trust Center. Applications will treat such locations like any other untrusted location, which means that users will see Message Bar warnings about active content such as ActiveX controls and VBA macros when they open files, and they will have to choose whether to enable controls and macros or leave them disabled.

Solution

To establish the recommended configuration via Group Policy (GP), set the following UI path to Disabled:

User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Trust Center\Allow Mix of Policy and User Locations

Default Value:

Enabled.

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 592395b7ca7cbf2bb23270ebe2a5b6ece7ecaeb7cc3c80379c074699656f6ee5