Microsoft Office 365 ProPlus Security Technical Implementation Guide


Overview

Date: 2020-06-17
Finding Count (139): CAT I (High): 0, CAT II (Med): 139, CAT III (Low): 0

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Public)

Finding ID Severity Title
V-99663 Medium Office applications must not load XML expansion packs with Smart Documents.
V-99665 Medium The load of controls in Forms3 must be blocked.
V-99667 Medium Add-on Management must be enabled for all Office 365 ProPlus programs.
V-99669 Medium Consistent MIME handling must be enabled for all Office 365 ProPlus programs.
V-99683 Medium Protection from zone elevation must be enabled in all Office programs.
V-99709 Medium Open/save of Excel 2 worksheets must be blocked.
V-99707 Medium Open/save of Excel 2 macrosheets and add-in files must be blocked.
V-99705 Medium Open/save of Dif and Sylk format files must be blocked.
V-99703 Medium Open/save of dBase III / IV format files must be blocked.
V-99701 Medium Dynamic Data Exchange (DDE) server lookup in Excel must be blocked.
V-99787 Medium The minimum encryption key length in Outlook must be at least 168.
V-99785 Medium The Publish to Global Address List (GAL) button must be disabled in Outlook.
V-99783 Medium Internet must not be included in Safe Zone for picture download in Outlook.
V-99781 Medium Outlook must be configured to prevent users overriding attachment security settings.
V-99869 Medium Visio 2000-2002 Binary Drawings, Templates and Stencils must be blocked.
V-99867 Medium Visio must automatically disable unsigned add-ins without informing users.
V-99865 Medium Trusted Locations on the network must be disabled in Visio.
V-99863 Medium VBA Macros not digitally signed must be blocked in Visio.
V-99789 Medium The warning about invalid digital signatures must be enabled to warn Outlook users.
V-99861 Medium Publisher must disable all unsigned VBA macros.
V-99893 Medium Open/Save of Word 2000 binary documents and templates must be blocked.
V-99691 Medium Scripted Windows Security restrictions must be enabled in all Office programs.
V-99891 Medium Open/Save of Word 2 and earlier binary documents and templates must be blocked.
V-99659 Medium Users must be prevented from creating new trusted locations in the Trust Center.
V-99895 Medium Open/Save of Word 2003 binary documents and templates must be blocked.
V-99655 Medium Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.
V-99657 Medium Office applications must be configured to specify encryption type in password-protected Office Open XML files.
V-99651 Medium Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level.
V-99693 Medium Flash player activation must be disabled in all Office programs.
V-99653 Medium Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.
V-99719 Medium Open/save of Excel 4 worksheets must be blocked.
V-99715 Medium Open/save of Excel 4 macrosheets and add-in files must be blocked.
V-99717 Medium Open/save of Excel 4 workbooks must be blocked.
V-99711 Medium Open/save of Excel 3 macrosheets and add-in files must be blocked.
V-99713 Medium Open/save of Excel 3 worksheets must be blocked.
V-99795 Medium The ability to demote attachments from Level 2 to Level 1 must be disabled.
V-99819 Medium Outlook must be configured to not allow hyperlinks in suspected phishing messages.
V-99797 Medium The display of Level 1 attachments must be disabled in Outlook.
V-99791 Medium Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
V-99793 Medium The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy.
V-99813 Medium When an untrusted program attempts to gain access to a recipient field, such as the To: field, using the Outlook object model, Outlook must automatically deny it.
V-99811 Medium When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it.
V-99817 Medium When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it.
V-99799 Medium Level 1 file attachments must be blocked from being delivered.
V-99815 Medium When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it.
V-99881 Medium Files downloaded from the Internet must be opened in Protected view in Word.
V-99649 Medium ActiveX Controls must be initialized in Safe Mode.
V-99885 Medium If file validation fails, files must be opened in Protected view in Word with ability to edit disabled.
V-99887 Medium Word attachments opened from Outlook must be in Protected View.
V-99643 Medium Document metadata for rights managed Office Open XML files must be protected.
V-99641 Medium The Macro Runtime Scan Scope must be enabled for all documents.
V-99647 Medium Custom user interface (UI) code must be blocked from loading in all Office applications.
V-99645 Medium The Office client must be prevented from polling the SharePoint Server for published links.
V-99729 Medium Extraction options must be blocked when opening corrupt Excel workbooks.
V-99721 Medium Open/save of Excel 95 workbooks must be blocked.
V-99723 Medium Open/save of Excel 95-97 workbooks and templates must be blocked.
V-99725 Medium The default file block behavior must be set to not open blocked files in Excel.
V-99727 Medium Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked.
V-99809 Medium When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it.
V-99801 Medium Level 2 file attachments must be blocked from being delivered.
V-99803 Medium Outlook must be configured to not run scripts in forms in which the script and the layout are contained within the message.
V-99805 Medium When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it.
V-99807 Medium When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it.
V-99737 Medium AutoRepublish warning alert in Excel must be enabled.
V-99735 Medium AutoRepublish in Excel must be disabled.
V-99733 Medium Loading of pictures from Web pages not created in Excel must be disabled.
V-99731 Medium Updating of links in Excel must be prompted and not automatic.
V-99739 Medium File extensions must be enabled to match file types in Excel.
V-99835 Medium File validation in PowerPoint must be enabled.
V-99837 Medium Macros from the Internet must be blocked from running in PowerPoint.
V-99831 Medium The default file block behavior must be set to not open blocked files in PowerPoint.
V-99833 Medium Encrypted macros in PowerPoint Open XML presentations must be scanned.
V-99637 Medium VBA Macros not digitally signed must be blocked in Access.
V-99635 Medium Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
V-99633 Medium Macros must be blocked from running in Access files from the Internet.
V-99695 Medium Trusted Locations on the network must be disabled in Excel.
V-100517 Medium File validation in Word must be enabled.
V-99743 Medium File validation in Excel must be enabled.
V-99741 Medium Scan of encrypted macros in Excel Open XML workbooks must be enabled.
V-99747 Medium Macros must be blocked from running in Excel files from the Internet.
V-99639 Medium Allowing Trusted Locations on the network must be disabled in Access.
V-99745 Medium WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications.
V-99749 Medium Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
V-99821 Medium The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned.
V-99827 Medium The ability to run programs from PowerPoint must be disabled.
V-99825 Medium VBA Macros not digitally signed must be blocked in PowerPoint.
V-99829 Medium Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked.
V-99901 Medium Open/Save of Word 95 binary documents and templates must be blocked.
V-99903 Medium Open/Save of Word 97 binary documents and templates must be blocked.
V-99905 Medium Open/Save of Word XP binary documents and templates must be blocked.
V-99907 Medium In Word, macros must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center.
V-99909 Medium Trusted Locations on the network must be disabled in Word.
V-99839 Medium Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.
V-99889 Medium The default file block behavior must be set to not open blocked files in Word.
V-99751 Medium Untrusted Microsoft Query files must be blocked from opening in Excel.
V-99753 Medium Untrusted database files must be opened in Excel in Protected View mode.
V-99755 Medium Files from Internet zone must be opened in Excel in Protected View mode.
V-99757 Medium Files from unsafe locations must be opened in Excel in Protected View mode.
V-99759 Medium Files failing file validation must be opened in Excel in Protected view mode and disallow edits.
V-99857 Medium Publisher must be configured to prompt the user when another application programmatically opens a macro.
V-99855 Medium VBA Macros not digitally signed must be blocked in Project.
V-99853 Medium Project must automatically disable unsigned add-ins without informing users.
V-99697 Medium VBA Macros not digitally signed must be blocked in Excel.
V-99699 Medium Dynamic Data Exchange (DDE) server launch in Excel must be blocked.
V-99859 Medium Publisher must automatically disable unsigned add-ins without informing users.
V-99911 Medium VBA Macros not digitally signed must be blocked in Word.
V-99769 Medium Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers.
V-99765 Medium The HTTP fallback for SIP connection in Lync must be disabled.
V-99767 Medium The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication.
V-99761 Medium File attachments from Outlook must be opened in Excel in Protected mode.
V-99763 Medium The SIP security mode in Lync must be enabled.
V-99851 Medium Trusted Locations on the network must be disabled in Project.
V-99897 Medium Open/Save of Word 2007 and later binary documents and templates must be blocked.
V-99845 Medium Files in unsafe locations must be opened in Protected view in PowerPoint.
V-99847 Medium If file validation fails, files must be opened in Protected view in PowerPoint with ability to edit disabled.
V-99841 Medium Files downloaded from the Internet must be opened in Protected view in PowerPoint.
V-99689 Medium The Save from URL feature must be enabled in all Office programs.
V-99687 Medium File Download Restriction must be enabled in all Office programs.
V-99685 Medium ActiveX installation restriction must be enabled in all Office programs.
V-99849 Medium The use of network locations must be ignored in PowerPoint.
V-99681 Medium Object Caching Protection must be enabled in all Office programs.
V-99899 Medium Open/Save of Word 6.0 binary documents and templates must be blocked.
V-99673 Medium The Information Bar must be enabled in all Office programs.
V-99671 Medium User name and password must be disabled in all Office programs.
V-99779 Medium Active X One-Off forms must only be enabled to load with Outlook Controls.
V-99677 Medium The MIME Sniffing safety feature must be enabled in all Office programs.
V-99675 Medium The Local Machine Zone Lockdown Security must be enabled in all Office programs.
V-99773 Medium Scripts associated with shared folders must be prevented from execution in Outlook.
V-99679 Medium Navigate URL must be enabled in all Office programs.
V-99771 Medium Scripts associated with public folders must be prevented from execution in Outlook.
V-99777 Medium Junk e-mail level must be enabled at a setting of High.
V-99775 Medium Files dragged from an Outlook e-mail to the file system must be created in ANSI format.
V-99871 Medium Visio 2003-2010 Binary Drawings, Templates and Stencils must be blocked.
V-99873 Medium Visio 5.0 or earlier Binary Drawings, Templates and Stencils must be blocked.
V-99875 Medium Macros must be blocked from running in Visio files from the Internet.
V-99877 Medium Word must automatically disable unsigned add-ins without informing users.
V-99879 Medium In Word, encrypted macros must be scanned.
V-99843 Medium PowerPoint attachments opened from Outlook must be in Protected View.
V-99883 Medium Files located in unsafe locations must be opened in Protected view in Word.