Block Microsoft Office from creating child processes
Prevent Microsoft Office from starting other programs or activities on its own.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
Application hardening
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2
Microsoft Office is blocked from creating child processes.
Source: ASD Essential Eight
Plain language
This control is about stopping Microsoft Office from launching other programs on its own. This matters because if Office is tricked into starting harmful software, it could cause damage or steal information from your computers.
Why it matters
If Office can spawn child processes, malicious macros may launch payloads (e.g., PowerShell) leading to compromise, data theft, or outages.
Operational notes
Enable and test the Office “Block all Office applications from creating child processes” ASR rule; monitor alerts and revalidate after Office updates.
Implementation tips
- System Administrator: Ensure that Microsoft Office's settings are configured to prevent it from launching other programs. This can be done by adjusting Group Policy settings with specific rules to block child processes.
- IT Security Officer: Communicate the importance of blocking child processes within Office applications to your team. Use training sessions to demonstrate potential risks and how mitigation improves security.
- IT Team: Regularly check and update the settings to ensure new Office updates haven't changed these configurations. Use Microsoft's Security Baseline tools for guidance.
- Network Administrator: Implement network-based monitoring to alert if an Office application attempts to launch an unexpected process. Set rules in the network firewall to deny these actions.
Audit / evidence tips
-
Ask: How are child processes blocked in Microsoft Office across the organisation?
-
Good: There is a clear policy in Group Policy that disables child processes in Office applications, and it is enforced across all computers
-
Ask: Have there been any exceptions made for this policy?
-
Good: There are no exceptions, or well-documented justifications and approvals exist for any exceptions made
Cross-framework mappings
How E8-AH-ML2.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | ||
| ISM-1668 | ISM-1668 requires Microsoft Office to be blocked from creating executable content | |
| ISM-1669 | ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes | |
| ISM-1670 | ISM-1670 requires that PDF applications are blocked from creating child processes to reduce execution paths from document handling | |
| ISM-1673 | E8-AH-ML2.2 requires blocking Microsoft Office from creating child processes to prevent macros/documents from launching other programs | |
| Supports (1) | ||
| ISM-1542 | ISM-1542 requires Microsoft Office to be configured to prevent activation of Object Linking and Embedding (OLE) packages | |
| Related (4) | ||
| ISM-1601 | ISM-1601 requires organisations to implement Microsoft Attack Surface Reduction rules | |
| ISM-1667 | ISM-1667 requires Microsoft Office to be blocked from creating child processes | |
| ISM-1858 | ISM-1858 requires organisations to harden IT equipment using ASD and vendor hardening guidance, applying the most restrictive guidance wh... | |
| ISM-1859 | ISM-1859 requires organisations to harden office productivity suites in line with ASD and vendor guidance, applying the most restrictive ... | |