This checklist helps IT admins and security teams download, test, and apply the DISA STIG controls for Microsoft Office 365 ProPlus across managed endpoints. Follow the steps to stage, validate, audit, and roll out secure Office configurations in your environment.
- Download STIG SCAP content from DISA — Get the SCAP 1.3 content for Office 365 ProPlus (Ver 3, Rel 7) from DISA.
- Download Standalone XCCDF package — Obtain the XCCDF 1.1.4 standalone file for review and scanning.
- Download DISA-provided GPO package — Save the Group Policy Objects bundle for Office 365 ProPlus from DISA resources.
- Download Intune policy package — Get the Intune policy definitions (latest release) to deploy mobile and managed device settings.
- Download automated SCC/SCCM content — Grab SCC/SCCM automation content to streamline deployment where available.
- Review STIG change history and release notes — Check versions, SHA changes, and recent resource updates before applying controls.
- Inventory Office 365 ProPlus installations — List versions, install channels, and device management state across endpoints.
- Assess your management platforms (Intune, GPO, SCCM) — Decide which platform will enforce each STIG control in your environment.
- Create a test group or pilot collection — Use a small representative set of endpoints/users for staged deployment.
- Apply GPO settings to the test group — Import and enable DISA GPOs in the test OU or policy scope.
- Deploy Intune policies to the test group — Import and assign DISA Intune policies to the pilot device/user group.
- Configure Office update and Click-to-Run settings — Set the update channel, enable automatic updates, and manage package exclusions as needed.
- Harden Office application security settings — Apply recommended protections to reduce attack surface.
- Disable VBA macros from the internet — Block or restrict macros from untrusted locations and files.
- Enable Protected View for files from the internet — Ensure files from external sources open in Protected View by default.
- Block automatic external content and data connections — Disable automatic download of images, data connections, and external content.
- Test functionality and compatibility in the test group — Validate business workflows and remediate breakages before wider rollout.
- Enable audit logging and monitoring for deployments — Capture changes and events to verify compliance and detect issues.
- Roll out approved settings to production in phases — Expand deployment gradually and monitor for regressions.
- Document applied configurations and store resources — Record settings, resource URLs, SHAs, and change notes for audits.
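The hardening, test, and documentation steps above can be verified on a pilot endpoint with a single audit pass. The PowerShell script below is an added example, not DISA's or Microsoft's tooling: it reads the policy registry values that the DISA GPO and Intune packages set for the macro, Protected View, external-content, and update-channel controls, reports each as Compliant or Open, and exports the result as a CSV for the documentation step. The registry paths and value names follow the Office 2016+ (16.0) administrative templates as assumed here; confirm them against the imported DISA GPO package and the STIG rule text before relying on the output. The CSV file name is likewise an assumption.

```powershell
# Added example: audit the Office 365 ProPlus STIG hardening settings on the local endpoint.
# Assumption: value names match the Office 16.0 administrative templates the DISA GPOs use;
# run it as the pilot user, because the macro/Protected View policies live under HKCU.

$apps = @('Word', 'Excel', 'PowerPoint')   # apps whose Security keys the macro/PV rules cover

# Build the check table: policy path, value name, accepted value(s), and the checklist step.
$checks = foreach ($app in $apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    [pscustomobject]@{ Step = 'Disable VBA macros from the internet'
        Path = $sec; Name = 'blockcontentexecutionfrominternet'; Expected = 1 }
    # vbawarnings: 1 = enable all (never acceptable), 2/3/4 = progressively stricter
    [pscustomobject]@{ Step = 'Disable VBA macros from the internet'
        Path = $sec; Name = 'vbawarnings'; Expected = @(2, 3, 4) }
    [pscustomobject]@{ Step = 'Enable Protected View for files from the internet'
        Path = "$sec\ProtectedView"; Name = 'DisableInternetFilesInPV'; Expected = 0 }
    [pscustomobject]@{ Step = 'Enable Protected View for files from the internet'
        Path = "$sec\ProtectedView"; Name = 'DisableUnsafeLocationsInPV'; Expected = 0 }
    # The real value name carries this misspelling ("Attachements"); do not "correct" it.
    [pscustomobject]@{ Step = 'Enable Protected View for files from the internet'
        Path = "$sec\ProtectedView"; Name = 'DisableAttachementsInPV'; Expected = 0 }
}
$checks += [pscustomobject]@{ Step = 'Block automatic external content and data connections'
    Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail'
    Name = 'BlockExtContent'; Expected = 1 }
$checks += [pscustomobject]@{ Step = 'Configure Office update and Click-to-Run settings'
    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\OfficeUpdate'
    Name = 'EnableAutomaticUpdates'; Expected = 1 }

function Get-OfficeStigStatus {
    # Returns one row per check; a missing value counts as Open, since the STIG
    # expects each control to be explicitly configured rather than left at defaults.
    foreach ($c in $checks) {
        $actual = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Name) }
        $ok = ($null -ne $actual) -and ($c.Expected -contains $actual)
        [pscustomobject]@{
            Step    = $c.Step
            Setting = "$($c.Path)\$($c.Name)"
            Actual  = if ($null -eq $actual) { 'Not configured' } else { $actual }
            Status  = if ($ok) { 'Compliant' } else { 'Open' }
        }
    }
}

$results = Get-OfficeStigStatus
$results | Format-Table -AutoSize

# Evidence for the "Document applied configurations" step (file name is an assumption).
$results | Export-Csv -Path "$env:COMPUTERNAME-office-stig-audit.csv" -NoTypeInformation

$open = @($results | Where-Object Status -eq 'Open').Count
Write-Host "$open of $($results.Count) checked settings are Open on $env:COMPUTERNAME."
```

Run it on a pilot machine before and after the GPO or Intune assignment: the first run should show the controls as Open and the second as Compliant, which confirms the policies actually reached the endpoint and gives you a before/after record to file with the change notes. Because the macro and Protected View settings are per-user policies, a run under the SYSTEM account (for example from an SCCM script step) will not see the HKCU values.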