How to prevent Excel 2016 from inserting executables as OLE

Michal Zyzak 31 Reputation points
2020-09-21T07:30:20.87+00:00

Hello,

We have Excel 2016 published on Citrix for our users. A recent penetration test showed that a user can break out of Excel. He can launch CMD.exe or PowerShell.exe on that server by inserting them as an object from file, and then he just needs to double-click on the object.

How can we prevent inserting binaries into an Excel spreadsheet?

Regards
MZ


4 answers

  1. Emily Hua-MSFT 27,796 Reputation points
    2020-09-22T07:29:45.29+00:00

    @MichalZyzak-1432 ,
    Have you installed the Office Administrative Template files (ADMX/ADML)?

    If yes, please go to Group Policy Editor > User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings, find "Allow file extensions for OLE embedding" in the right panel, and check whether you have enabled the "exe" extension. Please make sure the "exe" extension is not enabled.

    26392-capture23.jpg

    Generally, if you choose Disabled or Not Configured, or enable the policy but do not enable the "exe" extension, then after double-clicking an executable such as cmd.exe you would get the warning below.

    26320-capture-24.jpg



  2. Michal Zyzak 31 Reputation points
    2020-09-23T07:57:29.687+00:00

    Hello

    Thank you for your response.
    However, the description of this setting states that it applies to Office 365, not to the Office 2016 standalone version.

  3. Emily Hua-MSFT 27,796 Reputation points
    2020-09-29T10:35:54.403+00:00

    @Michal Zyzak ,
    Maybe you could test the following steps to modify the registry on one PC.
    (Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
    Please refer to this article about how to back up and restore the registry in Windows: https://support.microsoft.com/en-us/kb/322756)

    Go to HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security and add a REG_DWORD (32-bit) value named PackagerPrompt with data 0x00000002 (2).

    29048-capture39.jpg



  4. CK 106 Reputation points
    2021-12-08T06:00:04.46+00:00

    Yep, for reference, this is how our GPO looks for the PackagerPrompt setting:

    155834-screenshot-2021-12-08-165803.png

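An added example, not part of any answer in this thread: a PowerShell script that audits and, unless told otherwise, sets the PackagerPrompt value from answers 3 and 4 for the current user, then reports whether the result matches. The `-AuditOnly` switch, function names and output fields are assumptions of this example; the value meanings in the comment come from Microsoft's Packager documentation, not from the thread.

```powershell
# Added example, not from the thread. Run in the user's session (logon script or
# scheduled task as the user), because the value lives under HKEY_CURRENT_USER.
param(
    [switch]$AuditOnly   # hypothetical switch: report only, change nothing
)

$KeyPath  = 'HKCU:\Software\Microsoft\Office\16.0\Excel\Security'  # from answer 3
$ValName  = 'PackagerPrompt'                                        # from answer 3
# 0 = no prompt, object runs; 1 = prompt; 2 = no prompt, object does not run
$Expected = 2                                                       # from answer 3

function Get-PackagerPrompt {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-PackagerPrompt {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null   # create the Security key if absent
    }
    # -Force overwrites an existing value of the same name.
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

$before = Get-PackagerPrompt -Path $KeyPath -Name $ValName
if (($before -ne $Expected) -and (-not $AuditOnly)) {
    Set-PackagerPrompt -Path $KeyPath -Name $ValName -Value $Expected
}
$after = Get-PackagerPrompt -Path $KeyPath -Name $ValName

# One object per run, so results from many sessions can be collected and compared.
[pscustomobject]@{
    User      = "$env:USERDOMAIN\$env:USERNAME"
    Before    = if ($null -eq $before) { '<not set>' } else { $before }
    After     = if ($null -eq $after)  { '<not set>' } else { $after }
    Compliant = ($after -eq $Expected)
}

# Non-zero exit code lets a wrapper or monitoring job flag non-compliant sessions.
if ($after -ne $Expected) { exit 1 }
```

Because the value is per-user, a user who can edit their own HKCU hive can change it back, so running the script with `-AuditOnly` on a schedule is a useful check alongside the GPO shown in answer 4.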
