Disable sending "InfoPath 2003" forms as email forms in InfoPath 2007.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-17668 | DTOO170 - InfoPath | SV-18832r1_rule | ECSC-1 | Medium |
| Description |
|---|
| An attacker might target InfoPath 2003 forms to try and compromise an organization's security. InfoPath 2003 did not write a publish location for e-mail forms, which meant that forms could open without a corresponding published location. By default, InfoPath 2007 sends all forms via e-mail using InfoPath e-mail forms integration, including forms that were created using the InfoPath 2003 file format. |
| STIG | Date |
|---|---|
| Microsoft InfoPath 2007 | 2015-10-02 |
Details
| Check Text ( C-18939r1_chk ) |
|---|
| The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable sending InfoPath 2003 Forms as e-mail forms” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath Criteria: If the value DisableInfoPath2003EmailForms is REG_DWORD = 1, this is not a finding. |
| Fix Text (F-17566r1_fix) |
|---|
| The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable sending InfoPath 2003 Forms as e-mail forms” will be set to “Enabled”. |