Detections
Analytics

6.7 Set 'Turn off all user customizations: Disallow in Outlook' to 'Enabled:True'

Information

This policy setting can prevent users from making any Quick Access Toolbar and the
Ribbon customizations. This includes customizations made through user interface (UI)
entry points, or loaded from documents or templates.
If you enable this policy setting, users will not be able to customize the Quick Access
Toolbar and Ribbon through either the Quick Access Toolbar and Ribbon tabs in the
application's Office Center dialog box, or the right-click menu on the Ribbon. In addition,
Quick Access Toolbar and Ribbon customizations originating from documents or templates
will not be loaded when these documents are opened.
If you disable or do not configure this policy setting, users can make Quick Access Toolbar
and Ribbon customizations through the UI, as well as load them from documents and
templates. The recommended state for this setting is- Enabled-True.

*Rationale*

The Quick Access Toolbar and Ribbon provide Office 2010 users with convenient access to
commonly used commands, such as Save and Undo.By default, in the 2010 versions of Access, Excel, Outlook (composing and reading windows
only), PowerPoint, and Word, users can customize the Quick Access Toolbar and Ribbon by
adding or removing commands. Templates can also add and remove commands when
loaded.Disabling or not configuring this setting allows users to customize the Quick Access
Toolbar and the Ribbon through UI entry points in Office 2010 applications, and then load
them from documents and templates.An attacker or malicious code contained in a template could modify the Quick Access
Toolbar and Ribbon and affect usability. The toolbar could also be modified to contain
shortcuts to macros with malicious code. Although other security mechanisms can be used
to prevent such malicious code from running, preventing changes to the Quick Access
Toolbar and Ribbon ensures a consistent user experience.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

User Configuration\Administrative Templates\Microsoft Office 2010\Global
Options\Customize\Turn off all user customizations\Turn off all user customizations

Then set the Disallow in Outlook option to True.

Impact-Enabling this setting ensures that any Quick Access Toolbar and Ribbon customizations
originating from documents or templates cannot load when users open such files. This
includes customizations that users may attempt to make through the UI.This setting recommendation does not modify the default configuration, and therefore
should not affect usability. Consider enabling this setting in specialized situations, such as
deployment to unattended kiosks.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Windows

Control ID: f01a77c24f77d1704ffbf8f174fe906a24b08acdd3107f6cc3d7cde09ee14cce