Prevent OLE Package Activation in Microsoft Office
Ensure Microsoft Office is set to block the use of OLE packages for added security.
Plain language
This control ensures that Microsoft Office is set up to block the activation of OLE packages, which are a way of linking or embedding objects from different applications. This is important because OLE packages can be exploited by hackers to run malicious code on your computer, leading to potential data breaches or system damage.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software developmentOfficial control statement
All queries to databases from software that are initiated by users, and any resulting crash or error messages, are centrally logged.
Why it matters
If user-initiated database queries and resulting errors aren’t centrally logged, malicious or unauthorised queries may go undetected and investigations hindered.
Operational notes
Configure central logging for user-initiated database queries and related crashes/errors; review logs routinely and alert on suspicious or repeated failures.
Implementation tips
- IT Team should configure Microsoft Office settings: Use the Office Group Policy settings to disable OLE package activation. This involves accessing the administrative template files in Group Policy Editor and setting the required configurations to prevent OLE features from functioning.
- System Administrator should update policies: Make sure that your organisation's IT policy includes a section that specifically disallows the use of OLE packages. Include instructions for keeping software up to date to ensure security patches are applied.
- Security Officer should train staff: Educate staff about the risks of OLE packages and explain why such features are being disabled. Use simple examples and demonstrate how malicious files might look so employees can better identify suspicious activities.
- IT Support should verify configurations: Regularly check that the Office configurations to block OLE packages are still in place. This includes conducting periodic reviews of the policy settings across different systems in the organisation.
- Procurement should coordinate with vendors: Ensure that any new Office software purchases or subscriptions come with the capability to manage these configurations. Confirm that suppliers understand this requirement and provide appropriate support materials.
Audit / evidence tips
-
Askthe Office Group Policy configuration report: Request documentation showing the current settings for OLE packages in Microsoft Office
Goodincludes a record showing these settings are set to 'disabled' or 'not configured'
-
Askstaff training records: Request records of any training sessions conducted about Microsoft Office security measures
Goodwould be signed attendance sheets and training content that covered the disallowing of OLE packages
-
Askpolicy documentation: Request the section of your IT policy that relates to software configuration and OLE package activation
Goodis a policy document clearly stating this requirement, along with revision dates
-
Asklogs of configuration reviews: Request logs or records of when configuration settings were last checked or audited
Goodshows regular checks have been conducted and discrepancies addressed immediately
-
Askprocurement checklists: Request a copy of the checklist used when purchasing new Office software
Goodincludes documented discussions with vendors and notes on how these requirements were complied with
Cross-framework mappings
How ISM-1536 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.9 | ISM-1536 requires implementing one defined security configuration in Microsoft Office: blocking OLE package activation | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| E8-AH-ML2.7 | ISM-1536 requires a specific Microsoft Office security configuration: blocking activation of OLE packages | |
| link Related (1) expand_less | ||
| E8-AH-ML2.5 | ISM-1536 requires Microsoft Office to be configured to block activation of OLE packages to reduce exploitation of embedded objects | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.