UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223326 O365-EX-000017 SV-223326r879628_rule Medium
Description
This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can be selected are below. Note: Not all options may be available for this policy setting. - Do not block: The file type will not be blocked. - Save blocked: Saving of the file type will be blocked. - Open/Save blocked, use open policy: Both opening and saving of the file type will be blocked. The file will open based on the policy setting configured in the "default file block behavior" key. - Block: Both opening and saving of the file type will be blocked, and the file will not open. - Open in Protected View: Both opening and saving of the file type will be blocked, and the option to edit the file type will not be enabled. - Allow editing and open in Protected View: Both opening and saving of the file type will be blocked, and the option to edit will be enabled. If you disable or do not configure this policy setting, the file type will not be blocked.
STIG Date
Microsoft Office 365 ProPlus Security Technical Implementation Guide 2024-02-21

Details

Check Text ( C-24999r442197_chk )
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> File Block Settings >> Web pages and Excel 2003 XML spreadsheets is set to "Open/Save blocked, use open policy".

Use the Windows Registry Editor to navigate to the following key:

HKCU\software\policies\microsoft\office\16.0\excel\security\fileblock

If the value for htmlandxmlssfiles is REG_DWORD = 2, this is not a finding.
Fix Text (F-24987r442198_fix)
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> File Block Settings >> Web pages and Excel 2003 XML spreadsheets to "Open/Save blocked, use open policy".