/disable_ddeauto.reg
Last active Jul 6, 2018
| Windows Registry Editor Version 5.00 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail] | |
| "DontUpdateLinks"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options] | |
| "DisableEmbeddedFiles"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\OneNote\Options] | |
| "DisableEmbeddedFiles"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| "DDEAllowed"=dword:00000000 | |
| "DDECleaned"=dword:00000001 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| "DDEAllowed"=dword:00000000 | |
| "DDECleaned"=dword:00000001 | |
| "Options"=dword:00000117 | |
| [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options] | |
| "DontUpdateLinks"=dword:00000001 | |
| "DDEAllowed"=dword:00000000 | |
| "DDECleaned"=dword:00000001 | |
| "Options"=dword:00000117 |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
|
Note that the OneNote mitigations are somewhat heavy-handed. With the above OneNote protections, OneNote 2013 and 2016 will not be able to create or interact with embedded objects. OneNote 2010 doesn't need any special protections, as the Excel and Word DDE blocking apply to those objects embedded in a OneNote document. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
homjxi0e
commented
Oct 21, 2017
|
good job man On this work / %100 thiٍٍs /'',, |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
nhayatnagarkar
Oct 24, 2017
Thanks for the .reg file. What is the downside of disabling DDEAuto, what things will break? Is there any GPO policy to disable this feature?
Thanks.
nhayatnagarkar
commented
Oct 24, 2017
|
Thanks for the .reg file. What is the downside of disabling DDEAuto, what things will break? Is there any GPO policy to disable this feature? Thanks. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
gregkcarson
Oct 27, 2017
Has anyone implemented these changes at the GPO level or registry level across all client systems? I have reservations enabling this as it's unclear if Excel and Word use DDE as a messaging bus for content linked between files. Example: Graph in a word or excel doc referencing data in second excel doc that gets dynamically updated. Obviously many organizations may have users with this type of reporting/excel usage and it's not clear if changes indicated in this GIST may impact such a workflow? I've only done a bit of testing but it's not quite clear to me what Windows uses for this 'native' type of data exchange (whether its DDE or some other mechanism).
gregkcarson
commented
Oct 27, 2017
|
Has anyone implemented these changes at the GPO level or registry level across all client systems? I have reservations enabling this as it's unclear if Excel and Word use DDE as a messaging bus for content linked between files. Example: Graph in a word or excel doc referencing data in second excel doc that gets dynamically updated. Obviously many organizations may have users with this type of reporting/excel usage and it's not clear if changes indicated in this GIST may impact such a workflow? I've only done a bit of testing but it's not quite clear to me what Windows uses for this 'native' type of data exchange (whether its DDE or some other mechanism). |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
wdormann
Oct 30, 2017
I've confirmed that the DDE-disabling option for Excel actually disables the ability for Windows Explorer to launch Excel itself (e.g. by double-clicking on an Excel file). Opening the same file via File -> Open in Excel still works though.
The better mitigation may be to enable ASR features via Windows 10, and still import the "WordMail" registry values above. That is, set D4F940AB-401B-4EFC-AADC-AD5F3C50688A to 1, and import:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000001
|
I've confirmed that the DDE-disabling option for Excel actually disables the ability for Windows Explorer to launch Excel itself (e.g. by double-clicking on an Excel file). Opening the same file via File -> Open in Excel still works though. The better mitigation may be to enable ASR features via Windows 10, and still import the "WordMail" registry values above. That is, set D4F940AB-401B-4EFC-AADC-AD5F3C50688A to 1, and import: |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Squuiid
Oct 31, 2017
NOTE: ASR only works if you are using Windows Defender as your primary AV.
"ASR has a dependency on Windows Defender Antivirus being the primary AV on the device and its real-time protection feature must be enabled."
https://blogs.technet.microsoft.com/mmpc/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
Squuiid
commented
Oct 31, 2017
|
NOTE: ASR only works if you are using Windows Defender as your primary AV. "ASR has a dependency on Windows Defender Antivirus being the primary AV on the device and its real-time protection feature must be enabled." |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
moonyh
commented
Nov 2, 2017
•
edited
Edited 1 time
-
moonyh
edited Nov 2, 2017 (most recent)
edited
-
Nov 2, 2017 (most recent)
|
thx bro. can you make regitry that works for 2007(version) |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
wdormann
Nov 11, 2017
I couldn't find discrete, human-readable DDE registry values for Office 2007. For that version of Office, which shouldn't be used for obvious reasons, your best bet is to set the DDE options in the respective Office applications preferences or possibly GPO.
For example, in Word:
Options -> Advanced -> General -> "Update automatic links at open" (uncheck this)
For Excel, the option is called "Ignore other applications that use Dynamic Data Exchange DDE" (but note that this breaks the ability to open Excel files by double-clicking them)
The Outlook attack vector didn't seem to work in my testing with Outlook 2007, so no special protections seem to be needed there.
|
I couldn't find discrete, human-readable DDE registry values for Office 2007. For that version of Office, which shouldn't be used for obvious reasons, your best bet is to set the DDE options in the respective Office applications preferences or possibly GPO. The Outlook attack vector didn't seem to work in my testing with Outlook 2007, so no special protections seem to be needed there. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
id7368
Nov 13, 2017
emmm...if you want enable DDE again:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options]
"DontUpdateLinks"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options]
"DontUpdateLinks"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options]
"DontUpdateLinks"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail]
"DontUpdateLinks"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\OneNote\Options]
"DisableEmbeddedFiles"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options]
"DontUpdateLinks"=dword:00000000
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options]
"DontUpdateLinks"=dword:00000000
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000000
"Options"=dword:00000117
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options]
"DontUpdateLinks"=dword:00000000
"DDEAllowed"=dword:00000000
"DDECleaned"=dword:00000000
"Options"=dword:00000117
id7368
commented
Nov 13, 2017
emmm...if you want enable DDE again:Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options] [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options] [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options] [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail] [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Options\WordMail] [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Options\WordMail] [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\OneNote\Options] [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\OneNote\Options] [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Options] [HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Excel\Options] [HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options] |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
jay
Nov 23, 2017
If anyone is curious I tried to do it system-wide by using HKEY_LOCAL_MACHINE but that didn't work to disable the link updates.
jay
commented
Nov 23, 2017
|
If anyone is curious I tried to do it system-wide by using HKEY_LOCAL_MACHINE but that didn't work to disable the link updates. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
abraeg
Jan 16, 2018
Is there any information about what "Options"=dword:00000117 is about?
What, if I already have an Options value other than 00000117? Should it be replaced or should it be added (bitwise?)
Thanks for any hint.
abraeg
commented
Jan 16, 2018
|
Is there any information about what "Options"=dword:00000117 is about? |
Note that the OneNote mitigations are somewhat heavy-handed. With the above OneNote protections, OneNote 2013 and 2016 will not be able to create or interact with embedded objects. OneNote 2010 doesn't need any special protections, as the Excel and Word DDE blocking apply to those objects embedded in a OneNote document.