2.2.4.7.2.1.2 Ensure 'Don't allow Dynamic Data Exchange (DDE) server launch in Excel' is set to 'Enabled'

Information

This policy setting allows controls whether Dynamic Data Exchange (DDE) server launch is allowed.

The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available.

Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.

The recommended state for this setting is: Enabled.

Rationale:

In an email attack scenario, an attacker could leverage the DDE protocol by sending a specially crafted file to the user and then convincing the user to open the file, typically by way of an enticement in an email. The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts. Email attachments are a primary method an attacker could use to spread malware.

For more information see Microsoft Security Advisory 4053440 link in the references of this recommendation.

Impact:

None - DDE Launch is disabled by default. Enforcing this policy ensures users cannot enter an unsecure state.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled.

User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\External Content\Don't allow Dynamic Data Exchange (DDE) server launch in Excel

Default Value:

Enabled. (DDE launch is turned off but users can turn it on.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(1)

Plugin: Windows

Control ID: 6acc63cc91ab3087504057f1308a80a3d0e2ee4a9b62bbcc3cf5db74d9f5703f