2.1.1.3.2.4 (L1) Ensure 'Require that application add-ins are signed by Trusted Publisher' is set to 'Enabled'

Information

This policy setting controls whether add-ins for the specified Office applications must be digitally signed by a trusted publisher.

The recommended state for this setting is: Enabled

By default, Office applications do not check the digital signature on application add-ins before opening them. Not configuring this setting may allow an application to load a dangerous add-in and as a result, malicious code could become active on a user's computer or the network.

Solution

To establish the recommended state via an Intune configuration profile, set the following Settings Catalog path to Enabled:

Microsoft Access 2016\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

Impact:

This setting could cause disruptions for users who rely on add-ins that are not signed by trusted publishers. These users will either have to obtain signed versions of such add-ins or stop using them.

Office stores certificates for trusted publishers in the trusted publisher store. Earlier versions of Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. Office still reads trusted publisher certificate information from the Office trusted publisher store but does not write information to this store.

If a trusted publisher list was created in an earlier version of Office and the Office release is then upgraded, that list is still recognized.
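The following PowerShell is an added example for auditing this control on a client; it is not part of the CIS benchmark or the Tenable audit text above. It assumes the registry location that the Office 2016 ADMX template maps this policy to (the HKCU Policies key and the RequireAddinSig value named in the comments), which the page itself does not list, and it reads the Windows Trusted Publishers certificate store described in the Impact section so an administrator can see which add-in signers will still be accepted once the policy is Enabled.

```powershell
# Added example (not from the CIS/Tenable page): report whether Access 2016 is
# configured to require signed add-ins, and list the publishers Office would
# accept. ASSUMPTION: the policy key and value name below are taken from the
# Office 2016 ADMX template for this setting, not from the page.
function Test-AccessAddinSignatureRequired {
    [CmdletBinding()]
    param(
        # Policy key written by Group Policy / Intune for Access 2016 (assumed, see above)
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Access\Security',
        # DWORD controlling "Require that application add-ins are signed by Trusted Publisher"
        [string]$ValueName = 'RequireAddinSig'
    )

    $value = $null
    if (Test-Path -Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$ValueName }
    }

    # An absent value means "Not Configured", which leaves the Office default in
    # force: signatures on add-ins are NOT checked. Only an explicit 1 is compliant.
    if ($null -eq $value)  { $state = 'Not Configured (Office default: signatures not checked)' }
    elseif ($value -eq 1)  { $state = 'Enabled' }
    elseif ($value -eq 0)  { $state = 'Disabled' }
    else                   { $state = "Unexpected value $value" }

    [pscustomobject]@{
        Path      = Join-Path -Path $PolicyKey -ChildPath $ValueName
        RawValue  = $value
        State     = $state
        Compliant = ($value -eq 1)
    }
}

function Get-TrustedAddinPublishers {
    # Current Office releases read trusted publishers from the Windows Trusted
    # Publishers store (per-user and machine-wide). An add-in signed by a
    # certificate that is not in one of these stores is blocked once the policy
    # is Enabled, which is the user-impact case the benchmark warns about.
    foreach ($scope in 'CurrentUser', 'LocalMachine') {
        Get-ChildItem -Path "Cert:\$scope\TrustedPublisher" -ErrorAction SilentlyContinue |
            Select-Object @{ Name = 'Scope'; Expression = { $scope } },
                          Subject, Thumbprint, NotAfter
    }
}

# Usage: run in the context of the user whose Office configuration is being audited.
Test-AccessAddinSignatureRequired | Format-List
Get-TrustedAddinPublishers | Format-Table -AutoSize
```

Run the check as the target user, since both the Policies key and the CurrentUser certificate store are per-user; a machine-wide deployment may also populate the equivalent key under HKLM, so treat a "Not Configured" result from HKCU alone as a prompt to check that location as well rather than as proof the control is missing. Comparing the listed publishers against the signers of the add-ins in use tells you in advance which users will be disrupted when the setting is enabled.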

See Also

https://workbench.cisecurity.org/benchmarks/15808

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1)

Plugin: Windows

Control ID: 2576a8316450e31dcfd38e28b1e59fefd6cf917470bc9eced688d7fcfa182f2e