acceptedMicrosoft Access 2007The Microsoft Access 2007 STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 14 Benchmark Date: 22 Jul 20164I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>DTOO104 - Disable user name and password<GroupDescription></GroupDescription>DTOO104 - AccessDisable user name and password syntax from being used in URLs<VulnDiscussion>The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.
This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous web pages, which could pose a security risk.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Disable user name and password” to “Enabled” and select the "msaccess.exe" check box.
Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Disable user name and password” is set to “Enabled” and ‘msaccess.exe’ check box is selected.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.
DTOO111 - Enable IE Bind to Object <GroupDescription></GroupDescription>DTOO111 - AccessBind to Object - Access<VulnDiscussion>Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.
This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Bind to Object” to “Enabled” and select the "msaccess.exe" check box.
Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Bind to Object” is set to “Enabled” and "msaccess.exe" check box is checked.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.
DTOO117 - Saved from URL<GroupDescription></GroupDescription>DTOO117 - AccessSaved from URL - Access<VulnDiscussion>Typically, when Internet Explorer loads a web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Saved from URL” to “Enabled” and select the ‘msaccess.exe’ check box.
Validate the policy value for Computer Configuration -> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Saved from URL” is set to “Enabled” and "msaccess.exe" check box is checked.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.
DTOO123-Block Navigation to URL from Office <GroupDescription></GroupDescription>DTOO123 - AccessBlock navigation to URL embedded in Office products to protect against attack by malformed URL. <VulnDiscussion>To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Navigate URL” to “Enabled” and select the "msaccess.exe" check box.
Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Navigate URL” is set to “Enabled” and "msaccess.exe" check box is checked.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.
DTOO129 - Block Pop-Ups<GroupDescription></GroupDescription>DTOO129 - AccessNo pop-ups - Access<VulnDiscussion>The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Block popups” to “Enabled” and select the "msaccess.exe" check box.
Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Block popups” is set to “Enabled” and "msaccess.exe" check box is checked.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.
DTOO131 - Trust Bar Notifications<GroupDescription></GroupDescription>DTOO131 - AccessDisable Trust Bar Notification for unsigned application add-ins - Access<VulnDiscussion>By default, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “Disable Trust Bar Notification for unsigned application add-ins” will be set to “Enabled”.
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “Disable Trust Bar Notification for unsigned application add-ins” will be set to “Enabled”.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security
Criteria: If the value NoTBPromptUnsignedAddin is REG_DWORD = 1, this is not a finding.
DTOO304 - VBA Macro Warning settings<GroupDescription></GroupDescription>DTOO304 - AccessEnable Warning Bar settings for VBA macros contained in Access Files.<VulnDiscussion>By default, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking Options on the Trust Bar and selecting the appropriate action. If users enable dangerous macros, it could affect their computers or cause sensitive information to be compromised. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “VBA Macro Warning Settings” will be set to “Enabled (Trust Bar warning for all macros)”.The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “VBA Macro Warning Settings” will be set to “Enabled (Trust Bar warning for all macros)”.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security
Criteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.
DTOO136 - Default file format <GroupDescription></GroupDescription>DTOO136 - AccessSet the default saved file format for Access. <VulnDiscussion>By default, when users create new database files, Access 2007 saves them in the new Access 2007 format. Users can change this functionality by clicking the Office button, clicking Access Options, and then selecting a file format from the Default file format list.
If a new database is created in an inappropriate format, some users might be unable to open or use it.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Default File Format” will be set to “Enabled (Access 2007)”.The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Default File Format” will be set to “Enabled (Access 2007)”.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Policies\Microsoft\Office\12.0\Access\Settings
Criteria: If the value Default File Format is REG_DWORD = c (hex) or 12 (Decimal), this is not a finding.
DTOO137 - Prompt / Convert Older Databases<GroupDescription></GroupDescription>DTOO137 - AccessDo not Prompt to convert when opening older databases - Access. <VulnDiscussion>By default, when users open databases that were created in the Access 97 file format, Access 2007 prompts them to convert the database to a newer file format. Users can choose to convert the database or leave it in the older format.
If this configuration is changed, Access will leave Access 97-format databases unchanged. Access informs the user that the database is in the older format, but does not provide the user with an option to convert the database. Some features introduced in more recent versions of Access will not be available, and the user will not be able to make any design changes to the database.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Do not prompt to convert older databases” will be set to “Disabled”.The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Do not prompt to convert older databases” will be set to “Disabled”.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Policies\Microsoft\Office\12.0\Access\Settings
Criteria: If the value NoConvertDialog is REG_DWORD = 0, this is not a finding.
DTOO135 - Modal Trust Decision Only<GroupDescription></GroupDescription>DTOO135 - AccessEnable Modal Trust Decision Only - Access<VulnDiscussion>By default, when users open an untrusted Access 2007 database that contains user-programmed executable components, Access opens the database with the components disabled and displays the Message Bar with a warning that database content has been disabled. Users can inspect the contents of the database, but cannot use any disabled functionality until they enable it by clicking Options on the Message Bar and selecting the appropriate action.
The default configuration can be changed so that users see a dialog box when they open an untrusted database with executable components. Users must then choose whether to enable or disable the components before working with the database. In these circumstances users frequently enable the components, even if they do not require them. Executable components can be used to launch an attack against a computer environment.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Tools \ Security “Modal Trust Decision Only” will be set to “Disabled”.The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Tools \ Security “Modal Trust Decision Only” will be set to “Disabled”.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security
Criteria: If the value ModalTrustDecisionOnly is REG_DWORD = 0, this is not a finding.
DTOO130 - Underline hyperlinks <GroupDescription></GroupDescription>DTOO130 - AccessEnable the feature to underline hyperlinks in Access. <VulnDiscussion>By default, Access 2007 underlines hyperlinks that appear in tables, queries, forms, and reports. If this configuration is changed, users might click on dangerous hyperlinks without realizing it, which could pose a security risk</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility>System Administrator</Responsibility><Responsibility>Information Assurance Officer</Responsibility><IAControls></IAControls>DPMS Target Microsoft Access 2007DISADPMS TargetMicrosoft Access 20071260The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Web Options -> General “Underline Hyperlinks” will be set to “Enabled”.The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Web Options -> General “Underline Hyperlinks” will be set to “Enabled”.
Procedure: Use the Windows Registry Editor to navigate to the following key:
HKCU\Software\Policies\Microsoft\Office\12.0\Access\Internet
Criteria: If the value DoNotUnderlineHyperlinks is REG_DWORD = 0, this is not a finding.