Disabling opening forms with managed code from the Internet security zone must be configured.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-26620	DTOO296	SV-53392r1_rule		Medium

Description
When InfoPath solutions are opened locally, the location of the form is checked so that updates to the form can be downloaded. If a user saves a form locally from a location on the Internet and then opens the same form from another location on the Internet, the cache will be updated with the new location information. If the user then opens the first form from its saved location, there will be a mismatch between the locally saved form and the locally cached form. This situation would typically happen when developers move forms to a new location, but if there is no warning when the cached location is used, it could be misused by an attacker attempting to redirect the forms to a new location. This type of attack is a form of beaconing. By default, if the location information in the cached form and the saved form to not match, the form cannot be opened without prompting the user for consent.

Description

When InfoPath solutions are opened locally, the location of the form is checked so that updates to the form can be downloaded. If a user saves a form locally from a location on the Internet and then opens the same form from another location on the Internet, the cache will be updated with the new location information. If the user then opens the first form from its saved location, there will be a mismatch between the locally saved form and the locally cached form. This situation would typically happen when developers move forms to a new location, but if there is no warning when the cached location is used, it could be misused by an attacker attempting to redirect the forms to a new location. This type of attack is a form of beaconing. By default, if the location information in the cached form and the saved form to not match, the form cannot be opened without prompting the user for consent.

STIG	Date
Microsoft InfoPath 2013 STIG	2018-04-03

Details

Check Text ( C-47633r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security "Disable opening forms with managed code from the Internet security zone" must be set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\InfoPath\security Criteria: If the value RunManagedCodeFromInternet is REG_DWORD = 1, this is not a finding.

Check Text ( C-47633r1_chk )

The policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security "Disable opening forms with managed code from the Internet security zone" must be set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\InfoPath\security

Criteria: If the value RunManagedCodeFromInternet is REG_DWORD = 1, this is not a finding.

Fix Text (F-46316r1_fix)
Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security "Disable opening forms with managed code from the Internet security zone" to "Enabled".