
Microsoft Office 365 ProPlus Security Technical Implementation Guide


Overview

Date: 2020-06-17
Finding Count (139): CAT I (High): 0, CAT II (Med): 139, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Findings (MAC II - Mission Support Classified)

Finding ID Severity Title
V-99663 Medium Office applications must not load XML expansion packs with Smart Documents.
V-99665 Medium The load of controls in Forms3 must be blocked.
V-99667 Medium Add-on Management must be enabled for all Office 365 ProPlus programs.
V-99669 Medium Consistent MIME handling must be enabled for all Office 365 ProPlus programs.
V-99683 Medium Protection from zone elevation must be enabled in all Office programs.
V-99709 Medium Open/save of Excel 2 worksheets must be blocked.
V-99707 Medium Open/save of Excel 2 macrosheets and add-in files must be blocked.
V-99705 Medium Open/save of Dif and Sylk format files must be blocked.
V-99703 Medium Open/save of dBase III / IV format files must be blocked.
V-99701 Medium Dynamic Data Exchange (DDE) server lookup in Excel must be blocked.
V-99787 Medium The minimum encryption key length in Outlook must be at least 168.
V-99785 Medium The Publish to Global Address List (GAL) button must be disabled in Outlook.
V-99783 Medium Internet must not be included in Safe Zone for picture download in Outlook.
V-99781 Medium Outlook must be configured to prevent users overriding attachment security settings.
V-99869 Medium Visio 2000-2002 Binary Drawings, Templates and Stencils must be blocked.
V-99867 Medium Visio must automatically disable unsigned add-ins without informing users.
V-99865 Medium Trusted Locations on the network must be disabled in Visio.
V-99863 Medium VBA Macros not digitally signed must be blocked in Visio.
V-99789 Medium The warning about invalid digital signatures must be enabled to warn Outlook users.
V-99861 Medium Publisher must disable all unsigned VBA macros.
V-99893 Medium Open/Save of Word 2000 binary documents and templates must be blocked.
V-99691 Medium Scripted Windows Security restrictions must be enabled in all Office programs.
V-99891 Medium Open/Save of Word 2 and earlier binary documents and templates must be blocked.
V-99659 Medium Users must be prevented from creating new trusted locations in the Trust Center.
V-99895 Medium Open/Save of Word 2003 binary documents and templates must be blocked.
V-99655 Medium Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.
V-99657 Medium Office applications must be configured to specify encryption type in password-protected Office Open XML files.
V-99651 Medium Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level.
V-99693 Medium Flash player activation must be disabled in all Office programs.
V-99653 Medium Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.
V-99719 Medium Open/save of Excel 4 worksheets must be blocked.
V-99715 Medium Open/save of Excel 4 macrosheets and add-in files must be blocked.
V-99717 Medium Open/save of Excel 4 workbooks must be blocked.
V-99711 Medium Open/save of Excel 3 macrosheets and add-in files must be blocked.
V-99713 Medium Open/save of Excel 3 worksheets must be blocked.
V-99795 Medium The ability to demote attachments from Level 2 to Level 1 must be disabled.
V-99819 Medium Outlook must be configured to not allow hyperlinks in suspected phishing messages.
V-99797 Medium The display of Level 1 attachments must be disabled in Outlook.
V-99791 Medium Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
V-99793 Medium The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy.
V-99813 Medium When an untrusted program attempts to gain access to a recipient field, such as the To: field, using the Outlook object model, Outlook must automatically deny it.
V-99811 Medium When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it.
V-99817 Medium When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it.
V-99799 Medium Level 1 file attachments must be blocked from being delivered.
V-99815 Medium When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it.
V-99881 Medium Files downloaded from the Internet must be opened in Protected view in Word.
V-99649 Medium ActiveX Controls must be initialized in Safe Mode.
V-99885 Medium If file validation fails, files must be opened in Protected view in Word with ability to edit disabled.
V-99887 Medium Word attachments opened from Outlook must be in Protected View.
V-99643 Medium Document metadata for rights managed Office Open XML files must be protected.
V-99641 Medium The Macro Runtime Scan Scope must be enabled for all documents.
V-99647 Medium Custom user interface (UI) code must be blocked from loading in all Office applications.
V-99645 Medium The Office client must be prevented from polling the SharePoint Server for published links.
V-99729 Medium Extraction options must be blocked when opening corrupt Excel workbooks.
V-99721 Medium Open/save of Excel 95 workbooks must be blocked.
V-99723 Medium Open/save of Excel 95-97 workbooks and templates must be blocked.
V-99725 Medium The default file block behavior must be set to not open blocked files in Excel.
V-99727 Medium Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked.
V-99809 Medium When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it.
V-99801 Medium Level 2 file attachments must be blocked from being delivered.
V-99803 Medium Outlook must be configured to not run scripts in forms in which the script and the layout are contained within the message.
V-99805 Medium When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it.
V-99807 Medium When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it.
V-99737 Medium AutoRepublish warning alert in Excel must be enabled.
V-99735 Medium AutoRepublish in Excel must be disabled.
V-99733 Medium Loading of pictures from Web pages not created in Excel must be disabled.
V-99731 Medium Updating of links in Excel must be prompted and not automatic.
V-99739 Medium File extensions must be enabled to match file types in Excel.
V-99835 Medium File validation in PowerPoint must be enabled.
V-99837 Medium Macros from the Internet must be blocked from running in PowerPoint.
V-99831 Medium The default file block behavior must be set to not open blocked files in PowerPoint.
V-99833 Medium Encrypted macros in PowerPoint Open XML presentations must be scanned.
V-99637 Medium VBA Macros not digitally signed must be blocked in Access.
V-99635 Medium Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
V-99633 Medium Macros must be blocked from running in Access files from the Internet.
V-99695 Medium Trusted Locations on the network must be disabled in Excel.
V-100517 Medium File validation in Word must be enabled.
V-99743 Medium File validation in Excel must be enabled.
V-99741 Medium Scan of encrypted macros in Excel Open XML workbooks must be enabled.
V-99747 Medium Macros must be blocked from running in Excel files from the Internet.
V-99639 Medium Allowing Trusted Locations on the network must be disabled in Access.
V-99745 Medium WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications.
V-99749 Medium Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
V-99821 Medium The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned.
V-99827 Medium The ability to run programs from PowerPoint must be disabled.
V-99825 Medium VBA Macros not digitally signed must be blocked in PowerPoint.
V-99829 Medium Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked.
V-99901 Medium Open/Save of Word 95 binary documents and templates must be blocked.
V-99903 Medium Open/Save of Word 97 binary documents and templates must be blocked.
V-99905 Medium Open/Save of Word XP binary documents and templates must be blocked.
V-99907 Medium In Word, macros must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center.
V-99909 Medium Trusted Locations on the network must be disabled in Word.
V-99839 Medium Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.
V-99889 Medium The default file block behavior must be set to not open blocked files in Word.
V-99751 Medium Untrusted Microsoft Query files must be blocked from opening in Excel.
V-99753 Medium Untrusted database files must be opened in Excel in Protected View mode.
V-99755 Medium Files from Internet zone must be opened in Excel in Protected View mode.
V-99757 Medium Files from unsafe locations must be opened in Excel in Protected View mode.
V-99759 Medium Files failing file validation must be opened in Excel in Protected view mode and disallow edits.
V-99857 Medium Publisher must be configured to prompt the user when another application programmatically opens a macro.
V-99855 Medium VBA Macros not digitally signed must be blocked in Project.
V-99853 Medium Project must automatically disable unsigned add-ins without informing users.
V-99697 Medium VBA Macros not digitally signed must be blocked in Excel.
V-99699 Medium Dynamic Data Exchange (DDE) server launch in Excel must be blocked.
V-99859 Medium Publisher must automatically disable unsigned add-ins without informing users.
V-99911 Medium VBA Macros not digitally signed must be blocked in Word.
V-99769 Medium Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers.
V-99765 Medium The HTTP fallback for SIP connection in Lync must be disabled.
V-99767 Medium The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication.
V-99761 Medium File attachments from Outlook must be opened in Excel in Protected mode.
V-99763 Medium The SIP security mode in Lync must be enabled.
V-99851 Medium Trusted Locations on the network must be disabled in Project.
V-99897 Medium Open/Save of Word 2007 and later binary documents and templates must be blocked.
V-99845 Medium Files in unsafe locations must be opened in Protected view in PowerPoint.
V-99847 Medium If file validation fails, files must be opened in Protected view in PowerPoint with ability to edit disabled.
V-99841 Medium Files downloaded from the Internet must be opened in Protected view in PowerPoint.
V-99689 Medium The Save from URL feature must be enabled in all Office programs.
V-99687 Medium File Download Restriction must be enabled in all Office programs.
V-99685 Medium ActiveX installation restriction must be enabled in all Office programs.
V-99849 Medium The use of network locations must be ignored in PowerPoint.
V-99681 Medium Object Caching Protection must be enabled in all Office programs.
V-99899 Medium Open/Save of Word 6.0 binary documents and templates must be blocked.
V-99673 Medium The Information Bar must be enabled in all Office programs.
V-99671 Medium User name and password must be disabled in all Office programs.
V-99779 Medium Active X One-Off forms must only be enabled to load with Outlook Controls.
V-99677 Medium The MIME Sniffing safety feature must be enabled in all Office programs.
V-99675 Medium The Local Machine Zone Lockdown Security must be enabled in all Office programs.
V-99773 Medium Scripts associated with shared folders must be prevented from execution in Outlook.
V-99679 Medium Navigate URL must be enabled in all Office programs.
V-99771 Medium Scripts associated with public folders must be prevented from execution in Outlook.
V-99777 Medium Junk e-mail level must be enabled at a setting of High.
V-99775 Medium Files dragged from an Outlook e-mail to the file system must be created in ANSI format.
V-99871 Medium Visio 2003-2010 Binary Drawings, Templates and Stencils must be blocked.
V-99873 Medium Visio 5.0 or earlier Binary Drawings, Templates and Stencils must be blocked.
V-99875 Medium Macros must be blocked from running in Visio files from the Internet.
V-99877 Medium Word must automatically disable unsigned add-ins without informing users.
V-99879 Medium In Word, encrypted macros must be scanned.
V-99843 Medium PowerPoint attachments opened from Outlook must be in Protected View.
V-99883 Medium Files located in unsafe locations must be opened in Protected view in Word.