Microsoft Office 365 ProPlus Security Technical Implementation Guide


Overview

Date: 2020-09-11
Finding Count (139): CAT I (High): 0, CAT II (Med): 139, CAT III (Low): 0

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Sensitive)

Finding ID Severity Title
V-223378 Medium The ability to run programs from PowerPoint must be disabled.
V-223379 Medium Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked.
V-223374 Medium Trusted Locations on the network must be disabled in Project.
V-223375 Medium Project must automatically disable unsigned add-ins without informing users.
V-223376 Medium VBA Macros not digitally signed must be blocked in Project.
V-223377 Medium VBA Macros not digitally signed must be blocked in PowerPoint.
V-223370 Medium When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it.
V-223371 Medium When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it.
V-223372 Medium Outlook must be configured to not allow hyperlinks in suspected phishing messages.
V-223373 Medium The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned.
V-223369 Medium When an untrusted program attempts to gain access to a recipient field, such as the To: field, using the Outlook object model, Outlook must automatically deny it.
V-223368 Medium When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it.
V-223367 Medium When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it.
V-223366 Medium When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it.
V-223365 Medium When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it.
V-223364 Medium Outlook must be configured to not run scripts in forms in which the script and the layout are contained within the message.
V-223363 Medium Level 2 file attachments must be blocked from being delivered.
V-223362 Medium Level 1 file attachments must be blocked from being delivered.
V-223361 Medium The display of Level 1 attachments must be disabled in Outlook.
V-223360 Medium The ability to demote attachments from Level 2 to Level 1 must be disabled.
V-223324 Medium Open/save of Excel 95-97 workbooks and templates must be blocked.
V-223288 Medium ActiveX Controls must be initialized in Safe Mode.
V-223289 Medium Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level.
V-223280 Medium Macros must be blocked from running in Access files from the Internet.
V-223281 Medium Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
V-223406 Medium The default file block behavior must be set to not open blocked files in Word.
V-223283 Medium Allowing Trusted Locations on the network must be disabled in Access.
V-223284 Medium The Macro Runtime Scan Scope must be enabled for all documents.
V-223285 Medium Document metadata for rights managed Office Open XML files must be protected.
V-223286 Medium The Office client must be prevented from polling the SharePoint Server for published links.
V-223287 Medium Custom user interface (UI) code must be blocked from loading in all Office applications.
V-223352 Medium Active X One-Off forms must only be enabled to load with Outlook Controls.
V-223353 Medium Outlook must be configured to prevent users overriding attachment security settings.
V-223350 Medium Files dragged from an Outlook e-mail to the file system must be created in ANSI format.
V-223351 Medium Junk e-mail level must be enabled at a setting of High.
V-223356 Medium The minimum encryption key length in Outlook must be at least 168.
V-223357 Medium The warning about invalid digital signatures must be enabled to warn Outlook users.
V-223354 Medium Internet must not be included in Safe Zone for picture download in Outlook.
V-223355 Medium The Publish to Global Address List (GAL) button must be disabled in Outlook.
V-223358 Medium Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
V-223359 Medium The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy.
V-223408 Medium Open/Save of Word 2000 binary documents and templates must be blocked.
V-223409 Medium Open/Save of Word 2003 binary documents and templates must be blocked.
V-223299 Medium The Information Bar must be enabled in all Office programs.
V-223298 Medium User name and password must be disabled in all Office programs.
V-223293 Medium Users must be prevented from creating new trusted locations in the Trust Center.
V-223292 Medium Office applications must be configured to specify encryption type in password-protected Office Open XML files.
V-223291 Medium Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.
V-223290 Medium Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.
V-223297 Medium Consistent MIME handling must be enabled for all Office 365 ProPlus programs.
V-223296 Medium Add-on Management must be enabled for all Office 365 ProPlus programs.
V-223295 Medium The load of controls in Forms3 must be blocked.
V-223294 Medium Office applications must not load XML expansion packs with Smart Documents.
V-223418 Medium File validation in Word must be enabled.
V-223411 Medium Open/Save of Word 6.0 binary documents and templates must be blocked.
V-223410 Medium Open/Save of Word 2007 and later binary documents and templates must be blocked.
V-223413 Medium Open/Save of Word 97 binary documents and templates must be blocked.
V-223412 Medium Open/Save of Word 95 binary documents and templates must be blocked.
V-223415 Medium In Word, macros must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center.
V-223414 Medium Open/Save of Word XP binary documents and templates must be blocked.
V-223417 Medium VBA Macros not digitally signed must be blocked in Word.
V-223416 Medium Trusted Locations on the network must be disabled in Word.
V-223345 Medium The HTTP fallback for SIP connection in Lync must be disabled.
V-223344 Medium The SIP security mode in Lync must be enabled.
V-223347 Medium Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers.
V-223346 Medium The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication.
V-223341 Medium Files from unsafe locations must be opened in Excel in Protected View mode.
V-223340 Medium Files from Internet zone must be opened in Excel in Protected View mode.
V-223343 Medium File attachments from Outlook must be opened in Excel in Protected mode.
V-223342 Medium Files failing file validation must be opened in Excel in Protected view mode and disallow edits.
V-223349 Medium Scripts associated with shared folders must be prevented from execution in Outlook.
V-223348 Medium Scripts associated with public folders must be prevented from execution in Outlook.
V-223282 Medium VBA Macros not digitally signed must be blocked in Access.
V-223330 Medium AutoRepublish in Excel must be disabled.
V-223331 Medium AutoRepublish warning alert in Excel must be enabled.
V-223332 Medium File extensions must be enabled to match file types in Excel.
V-223333 Medium Scan of encrypted macros in Excel Open XML workbooks must be enabled.
V-223334 Medium File validation in Excel must be enabled.
V-223335 Medium WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications.
V-223336 Medium Macros must be blocked from running in Excel files from the Internet.
V-223337 Medium Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
V-223338 Medium Untrusted Microsoft Query files must be blocked from opening in Excel.
V-223339 Medium Untrusted database files must be opened in Excel in Protected View mode.
V-223323 Medium Open/save of Excel 95 workbooks must be blocked.
V-223322 Medium Open/save of Excel 4 worksheets must be blocked.
V-223321 Medium Open/save of Excel 4 workbooks must be blocked.
V-223320 Medium Open/save of Excel 4 macrosheets and add-in files must be blocked.
V-223327 Medium Extraction options must be blocked when opening corrupt Excel workbooks.
V-223326 Medium Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked.
V-223325 Medium The default file block behavior must be set to not open blocked files in Excel.
V-223407 Medium Open/Save of Word 2 and earlier binary documents and templates must be blocked.
V-223329 Medium Loading of pictures from Web pages not created in Excel must be disabled.
V-223328 Medium Updating of links in Excel must be prompted and not automatic.
V-223404 Medium If file validation fails, files must be opened in Protected view in Word with ability to edit disabled.
V-223405 Medium Word attachments opened from Outlook must be in Protected View.
V-223402 Medium Files downloaded from the Internet must be opened in Protected view in Word.
V-223403 Medium Files located in unsafe locations must be opened in Protected view in Word.
V-223400 Medium Word must automatically disable unsigned add-ins without informing users.
V-223401 Medium In Word, encrypted macros must be scanned.
V-223316 Medium Open/save of Excel 2 macrosheets and add-in files must be blocked.
V-223317 Medium Open/save of Excel 2 worksheets must be blocked.
V-223314 Medium Open/save of dBase III / IV format files must be blocked.
V-223315 Medium Open/save of Dif and Sylk format files must be blocked.
V-223312 Medium Dynamic Data Exchange (DDE) server launch in Excel must be blocked.
V-223313 Medium Dynamic Data Exchange (DDE) server lookup in Excel must be blocked.
V-223310 Medium Trusted Locations on the network must be disabled in Excel.
V-223311 Medium VBA Macros not digitally signed must be blocked in Excel.
V-223318 Medium Open/save of Excel 3 macrosheets and add-in files must be blocked.
V-223319 Medium Open/save of Excel 3 worksheets must be blocked.
V-223398 Medium Visio 5.0 or earlier Binary Drawings, Templates and Stencils must be blocked.
V-223399 Medium Macros must be blocked from running in Visio files from the Internet.
V-223396 Medium Visio 2000-2002 Binary Drawings, Templates and Stencils must be blocked.
V-223397 Medium Visio 2003-2010 Binary Drawings, Templates and Stencils must be blocked.
V-223394 Medium Trusted Locations on the network must be disabled in Visio.
V-223395 Medium Visio must automatically disable unsigned add-ins without informing users.
V-223392 Medium Publisher must disable all unsigned VBA macros.
V-223393 Medium VBA Macros not digitally signed must be blocked in Visio.
V-223390 Medium Publisher must be configured to prompt the user when another application programmatically opens a macro.
V-223391 Medium Publisher must automatically disable unsigned add-ins without informing users.
V-223309 Medium Flash player activation must be disabled in all Office programs.
V-223308 Medium Scripted Windows Security restrictions must be enabled in all Office programs.
V-223301 Medium The MIME Sniffing safety feature must be enabled in all Office programs.
V-223300 Medium The Local Machine Zone Lockdown Security must be enabled in all Office programs.
V-223303 Medium Object Caching Protection must be enabled in all Office programs.
V-223302 Medium Navigate URL must be enabled in all Office programs.
V-223305 Medium ActiveX installation restriction must be enabled in all Office programs.
V-223304 Medium Protection from zone elevation must be enabled in all Office programs.
V-223307 Medium The Save from URL feature must be enabled in all Office programs.
V-223306 Medium File Download Restriction must be enabled in all Office programs.
V-223381 Medium Encrypted macros in PowerPoint Open XML presentations must be scanned.
V-223380 Medium The default file block behavior must be set to not open blocked files in PowerPoint.
V-223383 Medium Macros from the Internet must be blocked from running in PowerPoint.
V-223382 Medium File validation in PowerPoint must be enabled.
V-223385 Medium Files downloaded from the Internet must be opened in Protected view in PowerPoint.
V-223384 Medium Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.
V-223387 Medium Files in unsafe locations must be opened in Protected view in PowerPoint.
V-223386 Medium PowerPoint attachments opened from Outlook must be in Protected View.
V-223389 Medium The use of network locations must be ignored in PowerPoint.
V-223388 Medium If file validation fails, files must be opened in Protected view in PowerPoint with ability to edit disabled.