{
"stig": {
"date": "2018-04-04",
"description": "Settings in this guidance assume a complete installation of Microsoft Office 2010 on the Windows 7 Platform. Registry paths and values identified in each control assume the use of Group Policy Administrative Templates. Installations not using Group Policies to administer Microsoft Office products may observe alternate registry paths for stored configuration values. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.",
"findings": {
"V-17547": {
"checkid": "C-33936r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cActiveX Control Initialization\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\Common\\Security\n\nCriteria: If the value UFIControls exists, this is a finding.\n",
"description": "ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates a control is safe to open and run, and it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. \nIf a control is not marked SFI, it is possible the control could adversely affect a computer\u2014or it could mean the developers did not test the control in all situations and are not sure whether it might be compromised in the future.\nBy default, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users the controls have been disabled and prompts them to respond.\n",
"fixid": "F-29625r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cActiveX Control Initialization\u201d to \u201cDisabled\u201d.\n\n",
"iacontrols": null,
"id": "V-17547",
"ruleID": "SV-33453r1_rule",
"severity": "medium",
"title": "ActiveX control initialization must be disabled.",
"version": "DTOO191 - Office System"
},
"V-17560": {
"checkid": "C-33953r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings -> Trust Center \u201cAllow mix of policy and user locations\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\security\\trusted locations\n\nCriteria: If the value Allow User Locations is REG_DWORD = 0, this is not a finding.\n",
"description": "When Microsoft Office files are opened from trusted locations, all the content in the files is enabled and active. Users are not notified about any potential risks that might be contained in the files, such as unsigned macros, ActiveX controls, or links to content on the Internet.\nBy default, users can specify any location as a trusted location, and a computer can have a combination of user-created, OCT-created, and Group Policy\u2013created trusted locations.",
"fixid": "F-29642r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings -> Trust Center \u201cAllow mix of policy and user locations\u201d to \u201cDisabled\u201d.\n",
"iacontrols": null,
"id": "V-17560",
"ruleID": "SV-33470r1_rule",
"severity": "medium",
"title": "A mix of policy and user locations for Office Products must be disallowed.",
"version": "DTOO196 - Office System"
},
"V-17581": {
"checkid": "C-33947r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Miscellaneous \u201cControl Blogging\u201d must be \u201cEnabled (Only SharePoint blogs allowed)\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\Common\\Blog\n\nCriteria: If the value DisableBlog is REG_DWORD = 1, this is not a finding.\n",
"description": "The blogging feature in Office products enables users to compose blog entries and post them to their blogs directly from Office, without using any additional software.\nBy default, users can post blog entries to any compatible blogging service provider, including Windows Live Spaces, Blogger, a SharePoint or Community Server site, and others. If your organization has policies that govern the posting of blog entries, allowing users to access the blogging feature in Office might enable them to violate those policies.\n",
"fixid": "F-29636r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Miscellaneous \u201cControl Blogging\u201d to \u201cEnabled (Only SharePoint blogs allowed)\u201d.\n",
"iacontrols": null,
"id": "V-17581",
"ruleID": "SV-33464r1_rule",
"severity": "medium",
"title": "Blogging entries created from inside Office products must be configured for Sharepoint only.",
"version": "DTOO212 - Office System"
},
"V-17583": {
"checkid": "C-33942r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions \u201cAllow users with earlier versions of Office to read with browsers\u201d must be set to \u201cDisabled\u201d. \n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\drm\n\nCriteria: If the value IncludeHTML is REG_DWORD = 0, this is not a finding.\n",
"description": "The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the 2010 Office release to view, but not alter, files with restricted permissions. By default, IRM-enabled files are saved in a format that cannot be viewed by using the Windows Rights Management Add-on. If this setting is enabled, an embedded rights-managed HTML version of the content is saved with each IRM-enabled file, which can be viewed in Internet Explorer using the add-on. This configuration increases the size of rights-managed files, in some cases significantly.",
"fixid": "F-29631r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions \u201cAllow users with earlier versions of Office to read with browsers\u201d to \u201cDisabled\u201d. \n\n\n",
"iacontrols": null,
"id": "V-17583",
"ruleID": "SV-33459r1_rule",
"severity": "medium",
"title": "Office must be configured to not allow read with browsers.",
"version": "DTOO200 - Office System"
},
"V-17588": {
"checkid": "C-33959r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ General \\ Web Options... \u201cDisable access to updates, add-ins, and patches on Office.com\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\internet\n\nCriteria: If the value DisableDownloadCenterAccess is REG_DWORD = 1, this is not a finding.\n",
"description": "Having access to updates, add-ins, and patches on the Office Online Web site can help users ensure computers are up to date and equipped with the latest security patches. However, to ensure updates are tested and applied in a consistent manner, many organizations prefer to roll out updates using a centralized mechanism such as Microsoft Systems Center or Windows Server Update Services.\nBy default, users are allowed to download updates, add-ins, and patches from the Office Online Web site to keep their Office applications running smoothly and securely. If your organization has policies that govern the use of external resources such as Office Online, allowing users to download updates might cause them to violate these policies.\n",
"fixid": "F-29648r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ General \\ Web Options... \u201cDisable access to updates, add-ins, and patches on Office.com\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17588",
"ruleID": "SV-33476r1_rule",
"severity": "medium",
"title": "Access to updates, add-ins, and patches on Office.com must be disabled.",
"version": "DTOO177 - Office System"
},
"V-17590": {
"checkid": "C-33938r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cDisable all Trust Bar notifications for security issues\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\trustcenter\n\nCriteria: If the value TrustBar is REG_DWORD = 0, this is not a finding.\n",
"description": "The Message Bar in Office applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the top of the active window. The Message Bar informs the users about the nature of the security issue and, in some cases, provides the users with an option to enable the potentially unsafe feature or content, which could harm the user's computer.\nBy default, if an Office application detects a security issue, the Message Bar is displayed. However, this configuration can be modified by users in the Trust Center.\n",
"fixid": "F-29627r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cDisable all Trust Bar notifications for security issues\u201d to \u201cDisabled\u201d.\n\n\n\n",
"iacontrols": null,
"id": "V-17590",
"ruleID": "SV-33455r1_rule",
"severity": "medium",
"title": "Trust Bar notifications for Security messages must be enforced.",
"version": "DTOO186 - Office System"
},
"V-17605": {
"checkid": "C-33941r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Document Information Panel \u201cDocument Information Panel Beaconing UI\u201d must be set to \u201cEnabled (Always show UI)\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\documentinformationpanel\n\nCriteria: If the value Beaconing is REG_DWORD = 1, this is not a finding.\n",
"description": "For controlling whether users see a security warning when they open custom Document Information Panels that contain a Web beaconing threat. Web beacons can be used to contact an external server when users open forms. Information could be gathered by the form, or information entered by users could be sent to an external server and cause them to be vulnerable to additional attacks.",
"fixid": "F-29630r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Document Information Panel \u201cDocument Information Panel Beaconing UI\u201d to \u201cEnabled (Always show UI)\u201d.\n",
"iacontrols": null,
"id": "V-17605",
"ruleID": "SV-33458r1_rule",
"severity": "medium",
"title": "Document Information panel Beaconing must show UI.",
"version": "DTOO207 - Office System"
},
"V-17612": {
"checkid": "C-33935r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Privacy -> Trust Center \u201cEnable Customer Experience Improvement Program\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\n\nCriteria: If the value QMEnable is REG_DWORD =0, this is not a finding.\n",
"description": "When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data.\nBy default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies.\n",
"fixid": "F-29624r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Privacy -> Trust Center \u201cEnable Customer Experience Improvement Program\u201d to \u201cDisabled\u201d.\n\n\n",
"iacontrols": null,
"id": "V-17612",
"ruleID": "SV-33452r1_rule",
"severity": "medium",
"title": "The Customer Experience Improvement Program for Office must be disabled.",
"version": "DTOO184 - Office System"
},
"V-17617": {
"checkid": "C-33940r3_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cEncryption type for password protected Office 97-2003 files\u201d must be set to \u201cEnabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\security\n\nCriteria: If the value DefaultEncryption12 is REG_SZ = \u201cMicrosoft Enhanced RSA and AES Cryptographic Provider,AES 256,256\", this is not a finding.\n",
"description": "If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files.\n",
"fixid": "F-29629r2_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cEncryption type for password protected Office 97-2003 files\u201d to \u201cEnabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)\u201d.\n\n\n",
"iacontrols": null,
"id": "V-17617",
"ruleID": "SV-33457r2_rule",
"severity": "medium",
"title": "The encryption type for password protected Office 97 thru Office 2003 must be set.",
"version": "DTOO190 - Office System"
},
"V-17619": {
"checkid": "C-33948r5_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cEncryption type for password protected Office Open XML files\u201d must be set to \u201cEnabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)\u201d. \n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\security\n\nCriteria: If the value OpenXMLEncryption is REG_SZ = \u201cMicrosoft Enhanced RSA and AES Cryptographic Provider,AES 256,256\u201d, this is not a finding.\n",
"description": "If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files.\n",
"fixid": "F-29637r3_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cEncryption type for password protected Office Open XML files\u201d to \u201cEnabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)\u201d. \n",
"iacontrols": null,
"id": "V-17619",
"ruleID": "SV-33465r3_rule",
"severity": "medium",
"title": "The encryption type for password protected Open XML files must be set.",
"version": "DTOO189 - Office System "
},
"V-17627": {
"checkid": "C-33964r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ Spelling -> Proofing Data Collection \u201cImprove Proofing Tools\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\ptwatson\n\nCriteria: If the value PTWOptIn is REG_DWORD = 0, this is not a finding.\n",
"description": "The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. Although this feature does not intentionally collect personal information, some of the content sent could include items that were marked as spelling or grammar errors, such as proper names and account numbers. However, any numbers such as account numbers, street addresses, and phone numbers are converted to zeroes when the data is collected. Microsoft uses this information solely to improve the effectiveness of the Office Proofing Tools, not to identify users.\nBy default, this feature is enabled, if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies.\n",
"fixid": "F-29653r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ Spelling -> Proofing Data Collection \u201cImprove Proofing Tools\u201d to \u201cDisabled\u201d.\n",
"iacontrols": null,
"id": "V-17627",
"ruleID": "SV-33481r1_rule",
"severity": "medium",
"title": "The Help Improve Proofing Tools feature for Office must be configured.",
"version": "DTOO182 - Office System"
},
"V-17659": {
"checkid": "C-33952r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cSuppress hyperlink warnings\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\security\n\nCriteria: If the value DisableHyperLinkWarning is REG_DWORD = 0, this is not a finding.\n",
"description": "Unsafe hyperlinks are links that might pose a security risk if users click them. Clicking an unsafe link could compromise the security of sensitive information or harm the computer.\nLinks that Office considers unsafe include links to executable files, TIFF files, and Microsoft Document Imaging (MDI) files. Other unsafe links are those using protocols considered to be unsafe, including msn, nntp, mms, outlook, and stssync.\n",
"fixid": "F-29641r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cSuppress hyperlink warnings\u201d to \u201cDisabled\u201d.\n",
"iacontrols": null,
"id": "V-17659",
"ruleID": "SV-33469r1_rule",
"severity": "medium",
"title": "Hyperlink warnings for Office must be configured for use.",
"version": "DTOO194 - Office System"
},
"V-17660": {
"checkid": "C-33946r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Microsoft Save As PDF and XPS add-ins \u201cDisable inclusion of document properties in PDF and XPS output\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\fixedformat\n\nCriteria: If the value DisableFixedFormatDocProperties is REG_DWORD = 1, this is not a finding.\n",
"description": "If the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs add-in is installed, document properties are saved as metadata when users save files using the PDF or XPS or Publish as PDF or XPS commands in Access 2010, Excel 2010, InfoPath 2010, PowerPoint 2010, and Word 2010, unless the Document properties option is unchecked in the Options dialog box. If this metadata contains sensitive information, saving it with the file could compromise security.\n",
"fixid": "F-29635r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Microsoft Save As PDF and XPS add-ins \u201cDisable inclusion of document properties in PDF and XPS output\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17660",
"ruleID": "SV-33463r1_rule",
"severity": "medium",
"title": "Inclusion of document properties for PDF and XPS output must be disallowed.",
"version": "DTOO206 - Office System"
},
"V-17661": {
"checkid": "C-33955r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Services -> Fax \u201cDisable Internet Fax feature\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\services\\fax\n\nCriteria: If the value NoFax is REG_DWORD = 1, this is not a finding.\n\n",
"description": "Excel, PowerPoint, and Word users can use the Internet Fax feature to send documents to fax recipients through an Internet fax service provider. If your organization has policies that govern the time, place, or manner in which faxes are sent, this feature could help users evade those policies.\nBy default, Office users can use the Internet Fax feature. \n",
"fixid": "F-29644r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Services -> Fax \u201cDisable Internet Fax feature\u201d to \u201cEnabled\u201d.\n\n\n",
"iacontrols": null,
"id": "V-17661",
"ruleID": "SV-33472r1_rule",
"severity": "medium",
"title": "The Internet Fax Feature must be disabled.",
"version": "DTOO198 - Office System"
},
"V-17662": {
"checkid": "C-33944r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions \u201cDisable Microsoft Passport service for content with restricted permission\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\drm\n\nCriteria: If the value DisablePassportCertification is REG_DWORD = 1, this is not a finding.\n\n",
"description": "This controls whether users can open protected content created with a Windows Live ID (formerly Microsoft .NET Passport) authenticated account. If your organization has policies that govern access to external services such as Windows Live ID, this capability could allow users to violate those policies.\n",
"fixid": "F-29633r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions \u201cDisable Microsoft Passport service for content with restricted permission\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17662",
"ruleID": "SV-33461r1_rule",
"severity": "medium",
"title": "Microsoft passport Service for content must be disallowed.",
"version": "DTOO202 - Office System"
},
"V-17664": {
"checkid": "C-34373r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Privacy -> Trust Center \u201cDisable Opt-in Wizard on first run\u201d must be set to \u201cEnabled\u201d. \n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\general\n\nCriteria: If the value ShownFirstRunOptin is REG_DWORD = 1, this is not a finding. ",
"description": "The Opt-in Wizard displays the first time users run a 2010 Microsoft Office application, which allows them to opt into Internet\u2013based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies.",
"fixid": "F-30009r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Privacy -> Trust Center \u201cDisable Opt-in Wizard on first run\u201d to \u201cEnabled\u201d. \n",
"iacontrols": null,
"id": "V-17664",
"ruleID": "SV-33931r1_rule",
"severity": "medium",
"title": "The Opt-In Wizard must be disabled.",
"version": "DTOO183 - Office System"
},
"V-17665": {
"checkid": "C-33939r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010-> Security Settings \u201cDisable password to open UI\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\security\n\nCriteria: If the value DisablePasswordUI is REG_DWORD = 0, this is not a finding.\n",
"description": "If 2010 Office users add passwords to documents, other users can be prevented from opening the documents. This capability can provide an extra level of protection to documents already protected by access control lists, or provide a means of securing documents not protected by file-level security.\nBy default, users can add passwords to Excel 2010 workbooks, PowerPoint 2010 presentations, and Word 2010 documents from the Save or Save As dialog box by clicking Tools, clicking General Options, and entering appropriate passwords to open or modify the documents. If this configuration is changed, users will not be able to enter passwords in the General Options dialog box, which means they will not be able to password protect documents.\n",
"fixid": "F-29628r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010-> Security Settings \u201cDisable password to open UI\u201d to \u201cDisabled\u201d.\n\n\n ",
"iacontrols": null,
"id": "V-17665",
"ruleID": "SV-33456r1_rule",
"severity": "medium",
"title": "Passwords for secured documents must be enforced.",
"version": "DTOO195 - Office System"
},
"V-17669": {
"checkid": "C-33958r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Smart Documents (Word, Excel) \u201cDisable Smart Document's use of manifests\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\Common\\Smart Tag\n\nCriteria: If the value NeverLoadManifests is REG_DWORD = 1, this is not a finding.\n",
"description": "An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. You package one or more components that provide the logic needed for a Smart Document by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files.\nThe key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, you specify the locations of all files that make up the XML expansion pack, as well as information that instructs 2007 Office how to set up the files for your Smart Document. The XML expansion pack can also contain information about how to set up some files, such as how to install and register a COM object required by the XML expansion pack.\nXML expansion packs can be used to initialize and load malicious code, which might affect the stability of a computer and lead to data loss. Office applications can load an XML expansion pack manifest file with a Smart Document.\n",
"fixid": "F-29647r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Smart Documents (Word, Excel) \u201cDisable Smart Document's use of manifests\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17669",
"ruleID": "SV-33475r1_rule",
"severity": "medium",
"title": "Smart Documents use of Manifests in Office must be disallowed.",
"version": "DTOO197 - Office System"
},
"V-17670": {
"checkid": "C-33954r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Server Settings \u201cDisable the Office client from polling the SharePoint Server for published links\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\portal\n\nCriteria: If the value LinkPublishingDisabled is REG_DWORD = 1, this is not a finding.\n",
"description": "Users of Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications. Administrators configure published links to Office applications during initial deployment, and can add or change links as part of regular operations. These links appear on the My SharePoint Sites tab of the Open, Save, and Save As dialog boxes when opening and saving documents from these applications. Links can be targeted so that they only appear to users who are members of particular audiences.\nIf a malicious person gains access to the list of published links, they could modify the links to point to unapproved sites, which could make sensitive data vulnerable to exposure.\n",
"fixid": "F-29643r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Server Settings \u201cDisable the Office client from polling the SharePoint Server for published links\" to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17670",
"ruleID": "SV-33471r1_rule",
"severity": "medium",
"title": "Office client polling of Sharepoint servers published links must be disabled.",
"version": "DTOO208 - Office System"
},
"V-17731": {
"checkid": "C-33943r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions \u201cAlways require users to connect to verify permission\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\drm\n\nCriteria: If the value RequireConnection is REG_DWORD = 1, this is not a finding.\n",
"description": "Users are not required to connect to the network to verify permissions. If users do not need their licenses confirmed when attempting to open Office documents, they might be able to access documents after their licenses have been revoked. Also, it is not possible to log the usage of files with restricted permissions if users' licenses are not confirmed.",
"fixid": "F-29632r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions \u201cAlways require users to connect to verify permission\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17731",
"ruleID": "SV-33460r1_rule",
"severity": "medium",
"title": "Connection verification of permissions must be enforced.",
"version": "DTOO201 - Office System"
},
"V-17740": {
"checkid": "C-33934r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010-> Privacy -> Trust Center \u201cAutomatically receive small updates to improve reliability\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key:\n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\n\nCriteria: If the value UpdateReliabilityData is REG_DWORD = 0, this is not a finding.\n",
"description": "Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. \nBy default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a 2010 Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies.\n",
"fixid": "F-29623r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010-> Privacy -> Trust Center \u201cAutomatically receive small updates to improve reliability\u201d to \u201cDisabled\u201d.\n\n\n ",
"iacontrols": null,
"id": "V-17740",
"ruleID": "SV-33451r1_rule",
"severity": "medium",
"title": "Automatic receiving of small updates to improve reliability must be disallowed.",
"version": "DTOO185 - Office System"
},
"V-17741": {
"checkid": "C-33937r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010-> Security Settings \u201cAutomation Security\u201d must be \"Enabled (Use application macro security level)\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\Common\\Security\n\nCriteria: If the value AutomationSecurity is REG_DWORD = 2, this is not a finding.\n",
"description": "When a separate program is used to launch Microsoft Office Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked. This functionality could allow an attacker to use automation to run malicious code in Excel, PowerPoint, or Word.\n",
"fixid": "F-29626r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010-> Security Settings \u201cAutomation Security\u201d to \u201cEnabled (Use application macro security level)\u201d.\n",
"iacontrols": null,
"id": "V-17741",
"ruleID": "SV-33454r1_rule",
"severity": "medium",
"title": "Automation Security to enforce macro level security in Office documents must be configured.",
"version": "DTOO193 - Office System"
},
"V-17749": {
"checkid": "C-33956r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Signing \u201cLegacy format signatures\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\signatures\n\nCriteria: If the value XPCompatibleSignatureFormat is REG_DWORD = 1, this is not a finding.\n",
"description": "Office applications use the XML\u2013based XMLDSIG format to attach digital signatures to documents, including Office 97-2003 binary documents. XMLDSIG signatures are not recognized by Office 2003 applications or previous versions. If an Office user opens an Excel, PowerPoint, or Word binary document with an XMLDSIG signature attached, the signature will be lost.",
"fixid": "F-29645r1_fix",
"fixtext": "Set he policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Signing \u201cLegacy format signatures\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17749",
"ruleID": "SV-33473r1_rule",
"severity": "medium",
"title": "Legacy format signatures must be enabled.",
"version": "DTOO203 - Office System"
},
"V-17750": {
"checkid": "C-33949r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010-> Security Settings \u201cLoad Controls in Forms3\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\VBA\\Security\n\nCriteria: If the value LoadControlsInForms exists, this is a finding.\n",
"description": "ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant.\nTo help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer\u2014or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.\nSFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page.\nIf a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode.\n",
"fixid": "F-29638r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010-> Security Settings \u201cLoad Controls in Forms3\u201d to \u201cDisabled\u201d.\n\n\n ",
"iacontrols": null,
"id": "V-17750",
"ruleID": "SV-33466r1_rule",
"severity": "medium",
"title": "Load controls in forms3 must be disabled from loading.",
"version": "DTOO192 - Office System"
},
"V-17759": {
"checkid": "C-33963r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ General \\ Web Options... -> Files \u201cOpen Office documents as read/write while browsing\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\internet\n\nCriteria: If the value OpenDocumentsReadWriteWhileBrowsing is REG_DWORD = 0, this is not a finding.\n\n",
"description": "Office document on a Web server using Internet Explorer, the appropriate application opens the file in read-only mode. However, if the default configuration is changed, the document is opened as read/write. Users could potentially make changes to documents and resave them in situations where the Web server security is not configured to prevent such changes.",
"fixid": "F-29652r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ General \\ Web Options... -> Files \u201cOpen Office documents as read/write while browsing\u201d to \u201cDisabled\u201d.\n\n\n",
"iacontrols": null,
"id": "V-17759",
"ruleID": "SV-33480r1_rule",
"severity": "medium",
"title": "Documents must be configured to not open as Read Write when browsing.",
"version": "DTOO179 - Office System"
},
"V-17765": {
"checkid": "C-33945r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions \u201cPrevent users from changing permissions on rights managed content\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\drm\n\nCriteria: If the value DisableCreation is REG_DWORD = 0, this is not a finding.\n",
"description": "This setting controls whether Office 2010 users can change permissions for content that is protected with Information Rights Management (IRM). The Information Rights Management feature of Office 2010 allows individuals and administrators to specify access permissions to Word documents, Excel workbooks, PowerPoint presentations, InfoPath templates and forms, and Outlook e-mail messages. This functionality helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. ",
"fixid": "F-29634r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions \u201cPrevent users from changing permissions on rights managed content\u201d to \u201cDisabled\u201d.\n",
"iacontrols": null,
"id": "V-17765",
"ruleID": "SV-33462r1_rule",
"severity": "medium",
"title": "Changing permissions on rights managed content for users must be enforced.",
"version": "DTOO199 - Office System "
},
"V-17767": {
"checkid": "C-33960r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ General \\ Web Options... \u201cPrevent users from uploading document templates to the Office.com Community\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\internet\n\nCriteria: If the value DisableCustomerSubmittedUpload is REG_DWORD = 1, this is not a finding.\n",
"description": "Office users can share Excel, PowerPoint, and Word templates they create with other Microsoft Office users around the world by uploading them to the community area of the Microsoft Office Online Web site. If your organization has policies that govern the use of external resources such as Office Online, allowing users to upload templates might enable them to violate those policies.",
"fixid": "F-29649r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ General \\ Web Options... \u201cPrevent users from uploading document templates to the Office.com Community\u201d to \u201cEnabled\u201d.\n\n",
"iacontrols": null,
"id": "V-17767",
"ruleID": "SV-33477r1_rule",
"severity": "medium",
"title": "Upload of document templates to Office Online must be prevented.",
"version": "DTOO178 - Office System"
},
"V-17768": {
"checkid": "C-33950r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cProtect document metadata for password protected files\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\security\n\nCriteria: If the value OpenXMLEncryptProperty is REG_DWORD = 1, this is not a finding.\n",
"description": "When an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people. ",
"fixid": "F-29639r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cProtect document metadata for password protected files\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17768",
"ruleID": "SV-33467r1_rule",
"severity": "medium",
"title": "Document metadata for password protected files must be protected.",
"version": "DTOO188 - Office System"
},
"V-17769": {
"checkid": "C-33951r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cProtect document metadata for rights managed Office Open XML Files\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\security\n\nCriteria: If the value DRMEncryptProperty is REG_DWORD = 1, this is not a finding.\n",
"description": "When Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted. This configuration could allow potentially sensitive information such as the document author and hyperlink references to be exposed to unauthorized people.",
"fixid": "F-29640r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cProtect document metadata for rights managed Office Open XML Files\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17769",
"ruleID": "SV-33468r1_rule",
"severity": "medium",
"title": "Rights managed Office Open XML files must be protected.",
"version": "DTOO187 - Office System"
},
"V-17773": {
"checkid": "C-33962r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ General \\ Web Options -> Browsers \u201cRely on VML for displaying graphics in browsers\u201d must be set to \u201cDisabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\internet\n\nCriteria: If the value RelyOnVML is REG_DWORD = 0, this is not a finding.\n",
"description": "When saving documents as Web pages, Excel, PowerPoint, and Word can save vector\u2013based graphics in Vector Markup Language (VML), which enables Internet Explorer to display them smoothly at any resolution. By default, when saving VML graphics, Office applications also save copies of the graphics in a standard raster file format (GIF or PNG) for use by browsers that cannot display VML. If the Rely on VML for displaying graphics in browsers check box in the Web Options dialog box is selected, applications will not save raster copies of VML graphics, which means those graphics will not display in non-Microsoft browsers.\n",
"fixid": "F-29651r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \\ Options \\ General \\ Web Options -> Browsers \u201cRely on VML for displaying graphics in browsers\u201d to \u201cDisabled\u201d.\n",
"iacontrols": null,
"id": "V-17773",
"ruleID": "SV-33479r1_rule",
"severity": "medium",
"title": "Vector markup Language (VML) for displaying graphics in browsers must be disallowed.",
"version": "DTOO180 - Office System"
},
"V-17805": {
"checkid": "C-33957r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Signing \u201cSuppress external signature services menu item\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\signatures\n\nCriteria: If the value SuppressExtSigningSvcs is REG_DWORD = 1, this is not a finding.\n",
"description": "Users can select Add Signature Services (from the Signature Line drop-down menu on the Insert tab of the Ribbon in Excel 2010, PowerPoint 2010, and Word 2010) to see a list of signature service providers on the Microsoft Office Web site. If your organization has policies that govern the use of external resources such as signature providers or Office Marketplace, allowing users to access the Add Signature Services menu item might enable them to violate those policies.",
"fixid": "F-29646r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Signing \u201cSuppress external signature services menu item\u201d to \u201cEnabled\u201d.\n",
"iacontrols": null,
"id": "V-17805",
"ruleID": "SV-33474r1_rule",
"severity": "medium",
"title": "External Signature Services Menu for Office must be suppressed.",
"version": "DTOO204 - Office System"
},
"V-26626": {
"checkid": "C-34221r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Miscellaneous \u201cDisable hyperlinks to web templates in File | New and task panes\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\internet\n\nCriteria: If the value DisableTemplatesOnTheWeb is REG_DWORD = 1, this is not a finding.\n",
"description": "This setting controls whether users can follow hyperlinks to templates on Office.com from within Office 2010 applications. ",
"fixid": "F-29912r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Miscellaneous \u201cDisable hyperlinks to web templates in File | New and task panes\u201d to \u201cEnabled\u201d.\n\n",
"iacontrols": null,
"id": "V-26626",
"ruleID": "SV-34082r1_rule",
"severity": "medium",
"title": "Hyperlinks to web templates in File | New and task panes must be disabled.\n",
"version": "DTOO306 - Office System"
},
"V-26627": {
"checkid": "C-34222r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Office Live Workspace \u201cTurn Off Office Live Workspace Integration\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\officeliveworkspace\n\nCriteria: If the value TurnOffOfficeLiveWorkspaceIntegration is REG_DWORD = 1, this is not a finding.\n",
"description": "This setting controls the exposing of entry points for Office Live Workspace Integration features. ",
"fixid": "F-29913r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Office Live Workspace \u201cTurn Off Office Live Workspace Integration\u201d to \u201cEnabled\u201d.\n\n\n",
"iacontrols": null,
"id": "V-26627",
"ruleID": "SV-34083r1_rule",
"severity": "medium",
"title": "Office Live Workspace Integration must be off.\n",
"version": "DTOO307 - Office System"
},
"V-26629": {
"checkid": "C-34225r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Signing \u201cKey Usage Filtering\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\general\n\nCriteria: If the value FilterDigitalSignatureCert is REG_DWORD = 1, this is not a finding.\n",
"description": "This policy setting allows you to filter a list of digital certificates for signing Excel, PowerPoint, and Word documents, based on the Key Usage field. The Key Usage field in a certificate is used to represent a series of basic constraints about the broad types of operations that can be performed with the certificate. Key usage filtering allows you to filter the list of installed certificates that can be used for signing documents. The filtered list will appear when users attempt to select a certificate for digitally signing a document. ",
"fixid": "F-29915r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Signing \u201cKey Usage Filtering\u201d to \u201cEnabled\u201d.\n\n\n",
"iacontrols": null,
"id": "V-26629",
"ruleID": "SV-34085r1_rule",
"severity": "medium",
"title": "Key Usage Filtering must be allowed.\n",
"version": "DTOO311 - Office System"
},
"V-26630": {
"checkid": "C-34226r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools | Options | General | Service Options... -> Online Content \u201cOnline content options\u201d must be set to \u201cEnabled: Search only offline content whenever available\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\internet\n\nCriteria: If the value UseOnlineContent is REG_DWORD = 1, this is not a finding.\n",
"description": "The Office 2010 Help system automatically searches Microsoft Office.com for content when a computer is connected to the Internet. Users can change this default by clearing the Search Microsoft Office.com for Help content when I'm connected to the Internet check box in the Privacy Options section of the Trust Center. If your organization has policies that govern the use of external resources such as Office.com, allowing the Help system to download content might cause users to violate these policies. ",
"fixid": "F-29916r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools | Options | General | Service Options... -> Online Content \u201cOnline content options\u201d to \u201cEnabled: Search only offline content whenever available\u201d.\n\n\n",
"iacontrols": null,
"id": "V-26630",
"ruleID": "SV-34086r1_rule",
"severity": "medium",
"title": "Online content options must be configured for offline content availability.\n",
"version": "DTOO345 - Office System"
},
"V-26631": {
"checkid": "C-34227r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools | Options | General | Web Options... \u201cDisable customer-submitted templates downloads from Office.com\u201d must be set to \u201cEnabled\u201d.\n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\internet\n\nCriteria: If the value DisableCustomerSubmittedDownload is REG_DWORD = 1, this is not a finding.\n",
"description": "This policy setting controls whether Office 2010 users can download templates from the community area of Office.com by clicking New on the Microsoft Office menu. If you enable this policy setting, Office 2010 users cannot download customer-submitted templates from Office.com. However, access to templates posted by Microsoft and its partners are not affected.\n",
"fixid": "F-29917r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools | Options | General | Web Options... \u201cDisable customer-submitted templates downloads from Office.com\u201d to \u201cEnabled\u201d.\n\n\n",
"iacontrols": null,
"id": "V-26631",
"ruleID": "SV-34087r1_rule",
"severity": "medium",
"title": "Customer-submitted templates downloads from Office.com must be disallowed.",
"version": "DTOO312 - Office System"
},
"V-26704": {
"checkid": "C-34449r1_chk",
"checktext": "The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cEncrypt document properties\u201d must be set to \u201cEnabled\". \n\nProcedure: Use the Windows Registry Editor to navigate to the following key: \n\nHKCU\\Software\\Policies\\Microsoft\\Office\\14.0\\common\\security\n\nCriteria: If the value EncryptDocProps is REG_DWORD = 1, this is not a finding.\n\n",
"description": "This policy setting allows you configure if the document properties are encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. Disabling this setting will prevent the encryption of document properties, which may expose sensitive data. ",
"fixid": "F-30018r1_fix",
"fixtext": "Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Security Settings \u201cEncrypt document properties\u201d to \u201cEnabled\". \n",
"iacontrols": null,
"id": "V-26704",
"ruleID": "SV-34089r1_rule",
"severity": "medium",
"title": "Encrypt document properties must be configured for OLE documents.\n",
"version": "DTOO321 - Office System"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-17547": "true",
"V-17560": "true",
"V-17581": "true",
"V-17583": "true",
"V-17588": "true",
"V-17590": "true",
"V-17605": "true",
"V-17612": "true",
"V-17617": "true",
"V-17619": "true",
"V-17627": "true",
"V-17659": "true",
"V-17660": "true",
"V-17661": "true",
"V-17662": "true",
"V-17664": "true",
"V-17665": "true",
"V-17669": "true",
"V-17670": "true",
"V-17731": "true",
"V-17740": "true",
"V-17741": "true",
"V-17749": "true",
"V-17750": "true",
"V-17759": "true",
"V-17765": "true",
"V-17767": "true",
"V-17768": "true",
"V-17769": "true",
"V-17773": "true",
"V-17805": "true",
"V-26626": "true",
"V-26627": "true",
"V-26629": "true",
"V-26630": "true",
"V-26631": "true",
"V-26704": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "microsoft_office_system_2010",
"title": "Microsoft Office System 2010 STIG",
"version": "1"
}
}