{
"stig": {
"date": "2016-06-30",
"description": "The Microsoft Access 2007 STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-17173": {
"checkid": "C-19314r3_chk",
"checktext": "Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cDisable user name and password\u201d is set to \u201cEnabled\u201d and \u2018msaccess.exe\u2019 check box is selected.\nProcedure: Use the Windows Registry Editor to navigate to the following key:\nHKLM\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\n\nCriteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.\n\n",
"description": "The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax.\n\nThis functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous web pages, which could pose a security risk.\n",
"fixid": "F-17763r4_fix",
"fixtext": "Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cDisable user name and password\u201d to \u201cEnabled\u201d and select the \"msaccess.exe\" check box.\n\n",
"iacontrols": null,
"id": "V-17173",
"ruleID": "SV-19429r2_rule",
"severity": "medium",
"title": "Disable user name and password syntax from being used in URLs",
"version": "DTOO104 - Access"
},
"V-17174": {
"checkid": "C-17872r3_chk",
"checktext": "Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cBind to Object\u201d is set to \u201cEnabled\u201d and \"msaccess.exe\" check box is checked.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKLM\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_SAFE_BINDTOOBJECT\n\nCriteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.\n\n",
"description": "Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized.\n\nThis functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load.\n",
"fixid": "F-16966r3_fix",
"fixtext": "Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cBind to Object\u201d to \u201cEnabled\u201d and select the \"msaccess.exe\" check box.\n",
"iacontrols": null,
"id": "V-17174",
"ruleID": "SV-18190r2_rule",
"severity": "medium",
"title": "Bind to Object - Access",
"version": "DTOO111 - Access"
},
"V-17175": {
"checkid": "C-17888r3_chk",
"checktext": "Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cSaved from URL\u201d is set to \u201cEnabled\u201d and \"msaccess.exe\" check box is checked.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKLM\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_UNC_SAVEDFILECHECK\n\nCriteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.\n",
"description": "Typically, when Internet Explorer loads a web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.",
"fixid": "F-17052r2_fix",
"fixtext": "Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cSaved from URL\u201d to \u201cEnabled\u201d and select the \u2018msaccess.exe\u2019 check box.\n\n",
"iacontrols": null,
"id": "V-17175",
"ruleID": "SV-18205r2_rule",
"severity": "medium",
"title": "Saved from URL - Access",
"version": "DTOO117 - Access"
},
"V-17183": {
"checkid": "C-18845r3_chk",
"checktext": "Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cNavigate URL\u201d is set to \u201cEnabled\u201d and \"msaccess.exe\" check box is checked.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKLM\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_VALIDATE_NAVIGATE_URL \n\nCriteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.\n\n",
"description": "To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.",
"fixid": "F-17445r3_fix",
"fixtext": "Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cNavigate URL\u201d to \u201cEnabled\u201d and select the \"msaccess.exe\" check box.\n",
"iacontrols": null,
"id": "V-17183",
"ruleID": "SV-18603r2_rule",
"severity": "medium",
"title": "Block navigation to URL embedded in Office products to protect against attack by malformed URL.",
"version": "DTOO123 - Access"
},
"V-17184": {
"checkid": "C-17900r3_chk",
"checktext": "Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cBlock popups\u201d is set to \u201cEnabled\u201d and \"msaccess.exe\" check box is checked.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKLM\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_POPUPMANAGEMENT\n\nCriteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.\n",
"description": "The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.",
"fixid": "F-17060r3_fix",
"fixtext": "Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security \u201cBlock popups\u201d to \u201cEnabled\u201d and select the \"msaccess.exe\" check box.\n\n",
"iacontrols": null,
"id": "V-17184",
"ruleID": "SV-18215r2_rule",
"severity": "medium",
"title": "No pop-ups - Access",
"version": "DTOO129 - Access"
},
"V-17187": {
"checkid": "C-17912r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center \u201cDisable Trust Bar Notification for unsigned application add-ins\u201d will be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\12.0\\Access\\Security\n\nCriteria: If the value NoTBPromptUnsignedAddin is REG_DWORD = 1, this is not a finding.\n",
"description": "By default, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.",
"fixid": "F-17079r1_fix",
"fixtext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center \u201cDisable Trust Bar Notification for unsigned application add-ins\u201d will be set to \u201cEnabled\u201d.\n\n",
"iacontrols": null,
"id": "V-17187",
"ruleID": "SV-18219r1_rule",
"severity": "medium",
"title": "Disable Trust Bar Notification for unsigned application add-ins - Access",
"version": "DTOO131 - Access"
},
"V-17545": {
"checkid": "C-18854r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center \u201cVBA Macro Warning Settings\u201d will be set to \u201cEnabled (Trust Bar warning for all macros)\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\12.0\\Access\\Security\n\nCriteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.\n",
"description": "By default, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking Options on the Trust Bar and selecting the appropriate action. If users enable dangerous macros, it could affect their computers or cause sensitive information to be compromised.",
"fixid": "F-17465r1_fix",
"fixtext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center \u201cVBA Macro Warning Settings\u201d will be set to \u201cEnabled (Trust Bar warning for all macros)\u201d.",
"iacontrols": null,
"id": "V-17545",
"ruleID": "SV-18637r1_rule",
"severity": "medium",
"title": "Enable Warning Bar settings for VBA macros contained in Access Files.",
"version": "DTOO304 - Access"
},
"V-17584": {
"checkid": "C-18884r13_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous \u201cDefault File Format\u201d will be set to \u201cEnabled (Access 2007)\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\12.0\\Access\\Settings\n\nCriteria: If the value Default File Format is REG_DWORD = c (hex) or 12 (Decimal), this is not a finding.\n\n\n",
"description": "By default, when users create new database files, Access 2007 saves them in the new Access 2007 format. Users can change this functionality by clicking the Office button, clicking Access Options, and then selecting a file format from the Default file format list.\nIf a new database is created in an inappropriate format, some users might be unable to open or use it.\n",
"fixid": "F-17502r1_fix",
"fixtext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous \u201cDefault File Format\u201d will be set to \u201cEnabled (Access 2007)\u201d.",
"iacontrols": null,
"id": "V-17584",
"ruleID": "SV-18706r2_rule",
"severity": "medium",
"title": "Set the default saved file format for Access.",
"version": "DTOO136 - Access"
},
"V-17603": {
"checkid": "C-18905r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous \u201cDo not prompt to convert older databases\u201d will be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\12.0\\Access\\Settings\n\nCriteria: If the value NoConvertDialog is REG_DWORD = 0, this is not a finding.\n",
"description": "By default, when users open databases that were created in the Access 97 file format, Access 2007 prompts them to convert the database to a newer file format. Users can choose to convert the database or leave it in the older format.\nIf this configuration is changed, Access will leave Access 97-format databases unchanged. Access informs the user that the database is in the older format, but does not provide the user with an option to convert the database. Some features introduced in more recent versions of Access will not be available, and the user will not be able to make any design changes to the database.\n",
"fixid": "F-17521r1_fix",
"fixtext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous \u201cDo not prompt to convert older databases\u201d will be set to \u201cDisabled\u201d.",
"iacontrols": null,
"id": "V-17603",
"ruleID": "SV-18733r1_rule",
"severity": "medium",
"title": "Do not Prompt to convert when opening older databases - Access.",
"version": "DTOO137 - Access"
},
"V-17757": {
"checkid": "C-19019r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Tools \\ Security \u201cModal Trust Decision Only\u201d will be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\12.0\\Access\\Security\n\nCriteria: If the value ModalTrustDecisionOnly is REG_DWORD = 0, this is not a finding.\n",
"description": "By default, when users open an untrusted Access 2007 database that contains user-programmed executable components, Access opens the database with the components disabled and displays the Message Bar with a warning that database content has been disabled. Users can inspect the contents of the database, but cannot use any disabled functionality until they enable it by clicking Options on the Message Bar and selecting the appropriate action.\nThe default configuration can be changed so that users see a dialog box when they open an untrusted database with executable components. Users must then choose whether to enable or disable the components before working with the database. In these circumstances users frequently enable the components, even if they do not require them. Executable components can be used to launch an attack against a computer environment.\n",
"fixid": "F-17656r1_fix",
"fixtext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Tools \\ Security \u201cModal Trust Decision Only\u201d will be set to \u201cDisabled\u201d.",
"iacontrols": null,
"id": "V-17757",
"ruleID": "SV-18952r1_rule",
"severity": "medium",
"title": "Enable Modal Trust Decision Only - Access",
"version": "DTOO135 - Access"
},
"V-17810": {
"checkid": "C-19077r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Web Options -> General \u201cUnderline Hyperlinks\u201d will be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\12.0\\Access\\Internet\n\nCriteria: If the value DoNotUnderlineHyperlinks is REG_DWORD = 0, this is not a finding.\n",
"description": "By default, Access 2007 underlines hyperlinks that appear in tables, queries, forms, and reports. If this configuration is changed, users might click on dangerous hyperlinks without realizing it, which could pose a security risk.",
"fixid": "F-17711r1_fix",
"fixtext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Web Options -> General \u201cUnderline Hyperlinks\u201d will be set to \u201cEnabled\u201d.",
"iacontrols": null,
"id": "V-17810",
"ruleID": "SV-19046r1_rule",
"severity": "medium",
"title": "Enable the feature to underline hyperlinks in Access.",
"version": "DTOO130 - Access"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-17173": "true",
"V-17174": "true",
"V-17175": "true",
"V-17183": "true",
"V-17184": "true",
"V-17187": "true",
"V-17545": "true",
"V-17584": "true",
"V-17603": "true",
"V-17757": "true",
"V-17810": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "microsoft_access_2007",
"title": "Microsoft Access 2007",
"version": "4"
}
}