Information
This policy setting allows controls whether Dynamic Data Exchange (DDE) server lookup is allowed.
The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.
Dynamic Data Exchange Server Lookup allows Excel to find and use visible DDE servers on the network.
Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.
The recommended state for this setting is: Enabled.
Rationale:
In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. Email attachments are a primary method an attacker could use to spread malware.
For more information please see Microsoft Security Advisory 4053440.
Impact:
When enabled DDE server lookup isn't allowed, and users can't turn on DDE server lookup in the Trust Center. A Systems Administrator would need to implement DDE under a zero trust framework.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled.
User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\External Content\Don't allow Dynamic Data Exchange (DDE) server lookup in Excel
Default Value:
Disabled. (DDE lookup is on)