1.8.7.2.5 Ensure 'Disable Trust Bar Notification for Unsigned Application Add-ins and Block Them' to Enable

Information

This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disables such add-ins without notification. This policy setting only applies if you enable the 'Require that application add-ins are signed by Trusted Publisher' policy setting, which prevents users from changing this policy setting.

If you enable this policy setting, applications automatically disable unsigned add-ins without informing users.

If you disable this policy setting and the application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.

If you do not configure this policy setting, the disable behavior applies, and in addition, users can configure this requirement themselves in the 'Add-ins' category of the Trust Center for the application.

The recommended state for this setting is: Enabled.

By default, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Word 2016\Word Options\Security\Trust Center\Disable Trust Bar Notification for Unsigned Application Add-ins and Block Them

Impact: This setting only applies if the Office application is configured to require that all add-ins are signed by a trusted publisher. By default, users can configure this requirement themselves in the 'Add-ins' category of the Trust Center for the application. To enforce this requirement, you must enable the 'Require that application add-ins are signed by Trusted Publisher' setting in Group Policy, which prevents users from changing the setting themselves.

See Also

https://workbench.cisecurity.org/files/557

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4)

Plugin: Windows

Control ID: 6c36182b2f725f5e4dfbab88ec1c71878cab4fd1ed74b163f2277250e8a415a2