Block Microsoft Office from creating child processes
Prevent Microsoft Office from starting other programs or activities on its own.
Plain language
This control is about stopping Microsoft Office from launching other programs on its own. This matters because if Office is tricked into starting harmful software, it could cause damage or steal information from your computers.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 May 2026
E8 maturity levels
ML2
Official control statement
Microsoft Office is blocked from creating child processes.
Why it matters
If Office can spawn child processes, malicious macros may launch payloads (e.g., PowerShell) leading to compromise, data theft, or outages.
Operational notes
Enable and test the Office “Block all Office applications from creating child processes” ASR rule; monitor alerts and revalidate after Office updates.
Implementation tips
- System Administrator: Ensure that Microsoft Office's settings are configured to prevent it from launching other programs. This can be done by adjusting Group Policy settings with specific rules to block child processes.
- IT Security Officer: Communicate the importance of blocking child processes within Office applications to your team. Use training sessions to demonstrate potential risks and how mitigation improves security.
- IT Team: Regularly check and update the settings to ensure new Office updates haven't changed these configurations. Use Microsoft's Security Baseline tools for guidance.
- Network Administrator: Implement network-based monitoring to alert if an Office application attempts to launch an unexpected process. Set rules in the network firewall to deny these actions.
Audit / evidence tips
- AskHow are child processes blocked in Microsoft Office across the organisation?
- GoodThere is a clear policy in Group Policy that disables child processes in Office applications, and it is enforced across all computers
- AskHave there been any exceptions made for this policy?
- GoodThere are no exceptions, or well-documented justifications and approvals exist for any exceptions made
Cross-framework mappings
How E8-AH-ML2.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (2) expand_less | ||
| ISM-0843 | E8-AH-ML2.2 requires a specific application control hardening rule: blocking Microsoft Office from creating child processes | |
| ISM-0955 | E8-AH-ML2.2 requires Microsoft Office to be blocked from creating child processes as a specific preventative execution control | |
| sync_alt Partially overlaps (5) expand_less | ||
| ISM-1542 | E8-AH-ML2.2 requires Microsoft Office to be blocked from creating child processes to reduce the ability of Office documents to launch add... | |
| ISM-1668 | ISM-1668 requires Microsoft Office to be blocked from creating executable content | |
| ISM-1669 | ISM-1669 requires Microsoft Office to be blocked from injecting code into other processes | |
| ISM-1670 | E8-AH-ML2.2 requires blocking Microsoft Office from creating child processes to prevent Office-originated process spawning | |
| ISM-1673 | E8-AH-ML2.2 requires Microsoft Office to be blocked from creating child processes to reduce Office-based malware execution and living-off... | |
| link Related (4) expand_less | ||
| ISM-1601 | ISM-1601 requires organisations to implement Microsoft Attack Surface Reduction rules | |
| ISM-1667 | ISM-1667 requires Microsoft Office to be blocked from creating child processes | |
| ISM-1858 | ISM-1858 requires organisations to harden IT equipment using ASD and vendor hardening guidance, applying the most restrictive guidance wh... | |
| ISM-1859 | ISM-1859 requires organisations to harden office productivity suites in line with ASD and vendor guidance, applying the most restrictive ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.