ActiveX control initialization method to ensure save behavior.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17547	DTOO191 - Office	SV-18643r2_rule	ECSC-1	Medium

Description
ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer—or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. By default, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond.

Description

ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer—or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. By default, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond.

STIG	Date
Microsoft Office System 2007	2015-10-02

Details

Check Text ( C-18858r3_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “ActiveX Control Initialization” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Security Criteria: If the value UFIControls exists, this is a finding.

Fix Text (F-17469r3_fix)
The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “ActiveX Control Initialization” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

Fix Text (F-17469r3_fix)

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “ActiveX Control Initialization” will be set to “Disabled”.

"Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the
mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)."

"Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."