Microsoft Office 365 ProPlus Security Technical Implementation Guide


Overview

Date: 2022-12-05
Finding Count (139): CAT I (High): 0, CAT II (Med): 139, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC I - Mission Critical Public)

Finding ID Severity Title
V-223378 Medium The ability to run programs from PowerPoint must be disabled.
V-223379 Medium Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked.
V-223374 Medium Trusted Locations on the network must be disabled in Project.
V-223375 Medium Project must automatically disable unsigned add-ins without informing users.
V-223376 Medium VBA Macros not digitally signed must be blocked in Project.
V-223377 Medium VBA Macros not digitally signed must be blocked in PowerPoint.
V-223370 Medium When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it.
V-223371 Medium When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it.
V-223372 Medium Outlook must be configured to not allow hyperlinks in suspected phishing messages.
V-223373 Medium The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned.
V-223369 Medium When an untrusted program attempts to gain access to a recipient field, such as the To: field, using the Outlook object model, Outlook must automatically deny it.
V-223368 Medium When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it.
V-223367 Medium When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it.
V-223366 Medium When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it.
V-223365 Medium When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it.
V-223364 Medium Outlook must be configured to not run scripts in forms in which the script and the layout are contained within the message.
V-223363 Medium Level 2 file attachments must be blocked from being delivered.
V-223362 Medium Level 1 file attachments must be blocked from being delivered.
V-223361 Medium The display of Level 1 attachments must be disabled in Outlook.
V-223360 Medium The ability to demote attachments from Level 2 to Level 1 must be disabled.
V-223324 Medium Open/save of Excel 95-97 workbooks and templates must be blocked.
V-223288 Medium ActiveX Controls must be initialized in Safe Mode.
V-223289 Medium Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level.
V-223280 Medium Macros must be blocked from running in Access files from the Internet.
V-223281 Medium Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
V-223406 Medium The default file block behavior must be set to not open blocked files in Word.
V-223283 Medium Allowing Trusted Locations on the network must be disabled in Access.
V-223284 Medium The Macro Runtime Scan Scope must be enabled for all documents.
V-223285 Medium Document metadata for rights managed Office Open XML files must be protected.
V-223286 Medium The Office client must be prevented from polling the SharePoint Server for published links.
V-223287 Medium Custom user interface (UI) code must be blocked from loading in all Office applications.
V-223352 Medium ActiveX One-Off forms must only be enabled to load with Outlook Controls.
V-223353 Medium Outlook must be configured to prevent users overriding attachment security settings.
V-223350 Medium Files dragged from an Outlook e-mail to the file system must be created in ANSI format.
V-223351 Medium Junk email level must be enabled at a setting of High.
V-223356 Medium The minimum encryption key length in Outlook must be at least 168.
V-223357 Medium The warning about invalid digital signatures must be enabled to warn Outlook users.
V-223354 Medium Internet must not be included in Safe Zone for picture download in Outlook.
V-223355 Medium The Publish to Global Address List (GAL) button must be disabled in Outlook.
V-223358 Medium Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
V-223359 Medium The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy.
V-223408 Medium Open/Save of Word 2000 binary documents and templates must be blocked.
V-223409 Medium Open/Save of Word 2003 binary documents and templates must be blocked.
V-223299 Medium The Information Bar must be enabled in all Office programs.
V-223298 Medium User name and password must be disabled in all Office programs.
V-223293 Medium Users must be prevented from creating new trusted locations in the Trust Center.
V-223292 Medium Office applications must be configured to specify encryption type in password-protected Office Open XML files.
V-223291 Medium Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.
V-223290 Medium Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.
V-223297 Medium Consistent MIME handling must be enabled for all Office 365 ProPlus programs.
V-223296 Medium Add-on Management must be enabled for all Office 365 ProPlus programs.
V-223295 Medium The load of controls in Forms3 must be blocked.
V-223294 Medium Office applications must not load XML expansion packs with Smart Documents.
V-223418 Medium File validation in Word must be enabled.
V-223411 Medium Open/Save of Word 6.0 binary documents and templates must be blocked.
V-223410 Medium Open/Save of Word 2007 and later binary documents and templates must be blocked.
V-223413 Medium Open/Save of Word 97 binary documents and templates must be blocked.
V-223412 Medium Open/Save of Word 95 binary documents and templates must be blocked.
V-223415 Medium In Word, macros must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center.
V-223414 Medium Open/Save of Word XP binary documents and templates must be blocked.
V-223417 Medium VBA Macros not digitally signed must be blocked in Word.
V-223416 Medium Trusted Locations on the network must be disabled in Word.
V-223345 Medium The HTTP fallback for SIP connection in Lync must be disabled.
V-223344 Medium The SIP security mode in Lync must be enabled.
V-223347 Medium Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers.
V-223346 Medium The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication.
V-223341 Medium Files from unsafe locations must be opened in Excel in Protected View mode.
V-223340 Medium Files from Internet zone must be opened in Excel in Protected View mode.
V-223343 Medium File attachments from Outlook must be opened in Excel in Protected mode.
V-223342 Medium Files failing file validation must be opened in Excel in Protected view mode and disallow edits.
V-223349 Medium Scripts associated with shared folders must be prevented from execution in Outlook.
V-223348 Medium Scripts associated with public folders must be prevented from execution in Outlook.
V-223282 Medium VBA Macros not digitally signed must be blocked in Access.
V-223330 Medium AutoRepublish in Excel must be disabled.
V-223331 Medium AutoRepublish warning alert in Excel must be enabled.
V-223332 Medium File extensions must be enabled to match file types in Excel.
V-223333 Medium Scan of encrypted macros in Excel Open XML workbooks must be enabled.
V-223334 Medium File validation in Excel must be enabled.
V-223335 Medium WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications.
V-223336 Medium Macros must be blocked from running in Excel files from the Internet.
V-223337 Medium Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
V-223338 Medium Untrusted Microsoft Query files must be blocked from opening in Excel.
V-223339 Medium Untrusted database files must be opened in Excel in Protected View mode.
V-223323 Medium Open/save of Excel 95 workbooks must be blocked.
V-223322 Medium Open/save of Excel 4 worksheets must be blocked.
V-223321 Medium Open/save of Excel 4 workbooks must be blocked.
V-223320 Medium Open/save of Excel 4 macrosheets and add-in files must be blocked.
V-223327 Medium Extraction options must be blocked when opening corrupt Excel workbooks.
V-223326 Medium Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked.
V-223325 Medium The default file block behavior must be set to not open blocked files in Excel.
V-223407 Medium Open/Save of Word 2 and earlier binary documents and templates must be blocked.
V-223329 Medium Loading of pictures from Web pages not created in Excel must be disabled.
V-223328 Medium Updating of links in Excel must be prompted and not automatic.
V-223404 Medium If file validation fails, files must be opened in Protected view in Word with ability to edit disabled.
V-223405 Medium Word attachments opened from Outlook must be in Protected View.
V-223402 Medium Files downloaded from the Internet must be opened in Protected view in Word.
V-223403 Medium Files located in unsafe locations must be opened in Protected view in Word.
V-223400 Medium Word must automatically disable unsigned add-ins without informing users.
V-223401 Medium In Word, encrypted macros must be scanned.
V-223316 Medium Open/save of Excel 2 macrosheets and add-in files must be blocked.
V-223317 Medium Open/save of Excel 2 worksheets must be blocked.
V-223314 Medium Open/save of dBase III / IV format files must be blocked.
V-223315 Medium Open/save of Dif and Sylk format files must be blocked.
V-223312 Medium Dynamic Data Exchange (DDE) server launch in Excel must be blocked.
V-223313 Medium Dynamic Data Exchange (DDE) server lookup in Excel must be blocked.
V-223310 Medium Trusted Locations on the network must be disabled in Excel.
V-223311 Medium VBA Macros not digitally signed must be blocked in Excel.
V-223318 Medium Open/save of Excel 3 macrosheets and add-in files must be blocked.
V-223319 Medium Open/save of Excel 3 worksheets must be blocked.
V-223398 Medium Visio 5.0 or earlier Binary Drawings, Templates and Stencils must be blocked.
V-223399 Medium Macros must be blocked from running in Visio files from the Internet.
V-223396 Medium Visio 2000-2002 Binary Drawings, Templates and Stencils must be blocked.
V-223397 Medium Visio 2003-2010 Binary Drawings, Templates and Stencils must be blocked.
V-223394 Medium Trusted Locations on the network must be disabled in Visio.
V-223395 Medium Visio must automatically disable unsigned add-ins without informing users.
V-223392 Medium Publisher must disable all unsigned VBA macros.
V-223393 Medium VBA Macros not digitally signed must be blocked in Visio.
V-223390 Medium Publisher must be configured to prompt the user when another application programmatically opens a macro.
V-223391 Medium Publisher must automatically disable unsigned add-ins without informing users.
V-223309 Medium Flash player activation must be disabled in all Office programs.
V-223308 Medium Scripted Windows Security restrictions must be enabled in all Office programs.
V-223301 Medium The MIME Sniffing safety feature must be enabled in all Office programs.
V-223300 Medium The Local Machine Zone Lockdown Security must be enabled in all Office programs.
V-223303 Medium Object Caching Protection must be enabled in all Office programs.
V-223302 Medium Navigate URL must be enabled in all Office programs.
V-223305 Medium ActiveX installation restriction must be enabled in all Office programs.
V-223304 Medium Protection from zone elevation must be enabled in all Office programs.
V-223307 Medium The Save from URL feature must be enabled in all Office programs.
V-223306 Medium File Download Restriction must be enabled in all Office programs.
V-223381 Medium Encrypted macros in PowerPoint Open XML presentations must be scanned.
V-223380 Medium The default file block behavior must be set to not open blocked files in PowerPoint.
V-223383 Medium Macros from the Internet must be blocked from running in PowerPoint.
V-223382 Medium File validation in PowerPoint must be enabled.
V-223385 Medium Files downloaded from the Internet must be opened in Protected view in PowerPoint.
V-223384 Medium Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.
V-223387 Medium Files in unsafe locations must be opened in Protected view in PowerPoint.
V-223386 Medium PowerPoint attachments opened from Outlook must be in Protected View.
V-223389 Medium The use of network locations must be ignored in PowerPoint.
V-223388 Medium If file validation fails, files must be opened in Protected view in PowerPoint with ability to edit disabled.