IT security: BSI gives tips on Microsoft Office – and warns of "residual risks"
The BSI has published recommendations for the secure configuration of Microsoft Office products for Windows. The aim is more data protection and a smaller attack surface.
The use of Microsoft Office under Windows is often associated with risks such as phishing and social engineering, malicious macros and, in some cases, previously unknown security vulnerabilities (zero-day vulnerabilities). The German Federal Office for Information Security (BSI) therefore issued new recommendations on Friday for the secure configuration of parts of the widely used office software package, updating previous advice from 2024.
According to the Bonn-based authority, the tips contain specific instructions and settings that should be adjusted in the Office applications "to quickly and efficiently increase the level of IT security". In addition to the entire Office package, the experts also look at individual products such as Access, Excel, Outlook, PowerPoint and Word.
The recommendations are primarily aimed at medium-sized to large organizations that manage their end devices via group policies in an Active Directory environment. However, the BSI also wants to address "experienced IT users". Compared to configuration in the user interface (GUI), such an implementation offers the advantage "that a higher number of configuration options are available".
Deactivate VBA and macros where possible
For the entire Office package, the authority urges users to observe a few basic principles: The required application functionality should not be significantly impaired. At the same time, however, it is important to deactivate functions that are not required in order to reduce the attack surface. Data protection should be increased by avoiding unnecessary data transfers to the manufacturer and by avoiding external cloud services.
The report contains detailed computer and user guidelines that are classified as security-relevant. The BSI advises, for example, that such settings should always be explicitly set to "enabled" or "disabled", as the default setting "not configured" could change its meaning with security patches. Automatic updates should be activated, it says. The use of Visual Basic for Applications (VBA) for Office applications should be deactivated. To ensure privacy, the confirmation wizard should be deactivated on the first start. When accessing cloud services, the user is advised to block login to Office and OneDrive.
"The configuration of the group policies only helps to reduce the attack surface on Microsoft Office applications", the BSI points out, referring to "residual risks". This is because there are behaviors that cannot be configured via the policies. For example, "sensitive data could also be transmitted to Microsoft via telemetry".
A balance between security and functionality
Regarding the Access database software, the BSI states that the configuration of software often represents a compromise between security and functionality. The greater the focus on the former, the more the scope of the application is restricted. The number of security decisions that have to be made by users should definitely be minimized with Access. Here, too, the transfer of unnecessary information to the manufacturer should be prevented. External cloud services should be avoided.
The execution of macros in Office files from the Internet should be blocked, the authority adds, including for Word and Excel. This also applies to all unmanaged and unsigned add-ins. All trusted storage locations should be deactivated to prevent content from being automatically classified as safe. Ultimately, the general security of the environment is an important prerequisite for further steps.
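The two recurring points above, that policies should be explicitly set rather than left "not configured" and that VBA, Internet-sourced macros and trusted locations should be switched off, can be audited from an administrator's PowerShell session. The script below is an added example, not from the BSI guide or this article; it assumes the Office 16.0 policy hive and that the registry value names shown are the ones the corresponding group policies write, so check them against the ADMX templates in use.

```powershell
# Added example: report whether key Office hardening policies are explicitly
# configured (assumed hive "16.0" and assumed policy value names).
$apps = 'Word', 'Excel', 'PowerPoint', 'Access'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Relative policy key, value name, and the value a hardened configuration expects.
$checks = @(
    @{ Key = 'Security';                   Name = 'VBAWarnings';                       Want = 4 }  # macros disabled, no prompt
    @{ Key = 'Security';                   Name = 'blockcontentexecutionfrominternet'; Want = 1 }  # block macros from the Internet
    @{ Key = 'Security\Trusted Locations'; Name = 'AllLocationsDisabled';              Want = 1 }  # no trusted locations
)

function Get-PolicyState {
    param([string]$Path, [string]$Name, [int]$Want)
    # A missing value means the policy is "not configured": the effective
    # default then depends on the build and may change with patches.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)      { return 'NOT CONFIGURED' }
    if ($item.$Name -eq $Want) { return "OK ($($item.$Name))" }
    return "WEAK ($($item.$Name), expected $Want)"
}

$results = foreach ($app in $apps) {
    foreach ($c in $checks) {
        $path = Join-Path $base "$app\$($c.Key)"
        [pscustomobject]@{
            App     = $app
            Setting = $c.Name
            State   = Get-PolicyState -Path $path -Name $c.Name -Want $c.Want
        }
    }
}

# Office-wide "Disable VBA for Office applications" switch; the template exists
# for both user and machine scope, so both hives are checked (assumed value name).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $results += [pscustomobject]@{
        App     = "All ($hive)"
        Setting = 'VBAOff'
        State   = Get-PolicyState -Path "$hive\Software\Policies\Microsoft\Office\16.0\Common" -Name 'VBAOff' -Want 1
    }
}

$results | Format-Table -AutoSize
```

Any row reporting NOT CONFIGURED is a setting the article says should be pinned to an explicit "enabled" or "disabled" via group policy.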
For the email and calendar program Outlook, for example, the BSI advises using options to deactivate or block synchronization with social networks in a targeted manner. Activating encryption and preventing the saving of login information is crucial. Functions for RSS feeds and calendar integration should not be used to prevent the automatic downloading of attachments. It is also advisable to set up rules for file extensions that are classified as potentially dangerous and should be blocked. Regarding Windows itself, the BSI has previously stated that driver management in particular is "challenging" for the operating system and that hardening is recommended.
(nen)