Microsoft Office System 2013 STIG


Overview

Date: 2015-07-24
Finding Count (48): CAT I (High): 0, CAT II (Med): 48, CAT III (Low): 0

STIG Description
The Microsoft Office System 2013 STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-17765 Medium Changing permissions on rights managed content for users must be enforced.
V-40859 Medium The Enable Updates and Disable Updates options in the UI must be hidden from users.
V-17583 Medium Office must be configured to not allow read with browsers.
V-17664 Medium The Opt-In Wizard must be disabled.
V-17665 Medium Passwords for secured documents must be enforced.
V-17749 Medium Legacy format signatures must be enabled.
V-17605 Medium Document Information panel Beaconing must show UI.
V-17660 Medium Inclusion of document properties for PDF and XPS output must be disallowed.
V-17661 Medium The Internet Fax Feature must be disabled.
V-40879 Medium The ability to create an online presentation programmatically must be disabled.
V-17768 Medium Document metadata for password protected files must be protected.
V-17741 Medium Automation Security to enforce macro level security in Office documents must be configured.
V-17627 Medium The Help Improve Proofing Tools feature for Office must be configured.
V-40875 Medium Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.
V-17669 Medium Smart Documents use of Manifests in Office must be disallowed.
V-17561 Medium Choice of output to include PNG (Portable Network Graphics) must be disallowed.
V-40858 Medium Office automatic updates must be enabled for Office products installed via Click-to-Run and configured to use a Trusted site.
V-26704 Medium Encrypt document properties must be configured for OLE documents.
V-17740 Medium Automatic receiving of small updates to improve reliability must be disallowed.
V-17547 Medium ActiveX control initialization must be disabled.
V-17560 Medium A mix of policy and user locations for Office Products must be disallowed.
V-17773 Medium Relying on Vector Markup Language (VML) for displaying graphics in browsers must be disallowed.
V-17590 Medium Trust Bar notifications for Security messages must be enforced.
V-17612 Medium The Customer Experience Improvement Program for Office must be disabled.
V-40862 Medium The ability to sign into Office365 must be disabled.
V-17759 Medium Documents must be configured to not open as Read Write when browsing.
V-17617 Medium The encryption type for password protected Office 97 thru Office 2003 must be set.
V-26630 Medium Online content options must be configured for offline content availability.
V-17750 Medium Load controls in forms3 must be disabled from loading.
V-17805 Medium External Signature Services Menu for Office must be suppressed.
V-40884 Medium Roaming settings must be stored locally and not synchronized to the Microsoft Office roaming settings web service.
V-40860 Medium The video informing a user about signing into Office365 must be disabled.
V-17659 Medium Hyperlink warnings for Office must be configured for use.
V-40861 Medium The first-run prompt to sign into Office365 must be disabled.
V-17670 Medium Office client polling of SharePoint servers published links must be disabled.
V-17731 Medium Connection verification of permissions must be enforced.
V-40863 Medium The ability to automatically hyperlink screenshots within Word, PowerPoint, Excel and Outlook must be disabled.
V-40864 Medium The prompt to save to OneDrive (formerly SkyDrive) must be disabled.
V-17619 Medium The encryption type for password protected Open XML files must be set.
V-17581 Medium Blogging entries created from inside Office products must be configured for SharePoint only.
V-40886 Medium The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
V-40887 Medium The Office Telemetry Agent and Office applications must be configured to collect telemetry data.
V-17769 Medium Rights managed Office Open XML files must be protected.
V-40885 Medium The ability of the Office Telemetry Agent to periodically upload telemetry data to a shared folder must be disabled.
V-40882 Medium The ability to run unsecure Office apps must be disabled.
V-40883 Medium Users must be prevented from using or inserting apps that come from the Office Store.
V-40880 Medium When using the Office Feedback tool, the ability to include a screenshot must be disabled.
V-40881 Medium The Office Feedback tool must be disabled.