ACSC programs and advice are being migrated to (see sidebar)

Hardening Microsoft Office 365 ProPlus, Office 2019 and Office 2016

Download ACSC Protect: Hardening Microsoft Office 365 ProPlus, Office 2019 and Office 2016 (PDF), January 2019
First published 2016; updated 2017, 2018 and January 2019


Workstations are often targeted by adversaries using malicious web pages, malicious email attachments and removable media with malicious content in an attempt to extract sensitive information. Hardening applications on workstations is an important part of reducing this risk.

This document provides guidance on hardening commonly targeted Microsoft Office 365 ProPlus, Office 2019 and Office 2016 applications – specifically Microsoft Excel, Microsoft PowerPoint and Microsoft Word. Before implementing the recommendations in this document, testing should be undertaken to ensure the potential for unintended negative impacts on business processes is reduced as much as possible.

This document is intended for information technology and information security professionals within organisations looking to undertake risk assessments or vulnerability assessments as well as those wishing to develop a hardened standard operating environment for workstations.

The Group Policy Administrative Templates for Microsoft Office 365 ProPlus, Office 2019 and Office 2016 referenced in this document can be obtained from Microsoft. Once downloaded, the ADMX and associated ADML files can be placed in %SystemDrive%\Windows\SYSVOL\domain\Policies\PolicyDefinitions on the Domain Controller and they will automatically be loaded in the Group Policy Management Editor. As Group Policy Administrative Templates for Microsoft Office are periodically updated by Microsoft, care should be taken to ensure the latest version is always used.

Table of contents

  • Introduction
  • High priorities
    • Attack Surface Reduction
    • Latest version
    • Macros
    • Patching
  • Medium priorities
    • ActiveX
    • Add-ins
    • Extension hardening
    • File type blocking
    • Hidden markup
    • Office file validation
    • Protected view
    • Trusted documents
  • Low priorities
    • Reporting information

Further information

The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations' systems.

The Strategies to Mitigate Cyber Security Incidents complement the advice in the ISM.

Contact details

Organisations or individuals with questions regarding this advice can contact the ACSC by emailing or calling 1300 CYBER1 (1300 292 371).

In August 2018 ACSC launched a new website,, to reflect its new organisation.

Cyber security programs and advice are being migrated to Information and advice on this site remains current.

Reports help the ACSC to develop a better understanding of the threat environment and will assist other organisations who are also at risk.

Cyber security incident reports are also used in aggregate for developing new defensive policies, procedures, techniques and training measures to help prevent future incidents.

Information for Australian businesses
Information for individual Australian citizens
Information for Federal, State and Local government agencies