Microsoft Office 365 ProPlus Security Technical Implementation Guide

Overview

Version: 3
Date: 2024-11-25
Finding Count (138): CAT I (High): 0, CAT II (Medium): 138, CAT III (Low): 0

STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings - All

Finding ID Severity Title Description
V-223418 Medium File validation in Word must be enabled. This policy setting allows the file validation feature to be turned off. If this policy setting is enabled, file validation will be turned off. If this policy setting is disabled or not configured, file validation will be turned on. Office Binary Documents (97-2003) are checked to see if they conform...
V-223417 Medium VBA Macros not digitally signed must be blocked in Word. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros: - Disable all with notification: The application...
V-223416 Medium Trusted Locations on the network must be disabled in Word. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking the "Add new location" button in the Trusted Locations...
V-223415 Medium In Word, macros must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if "Enable all macros" is selected in the Macro Settings section of the Trust Center. Also, instead of having the...
V-223414 Medium Open/Save of Word XP binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223413 Medium Open/Save of Word 97 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223412 Medium Open/Save of Word 95 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223411 Medium Open/Save of Word 6.0 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223410 Medium Open/Save of Word 2007 and later binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223409 Medium Open/Save of Word 2003 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223408 Medium Open/Save of Word 2000 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223407 Medium Open/Save of Word 2 and earlier binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223406 Medium The default file block behavior must be set to not open blocked files in Word. This policy setting allows you to determine if users can open, view, or edit Word files. If you enable this policy setting, you can set one of these options: - Blocked files are not opened. - Blocked files open in Protected View and cannot be edited. - Blocked files open...
V-223405 Medium Word attachments opened from Outlook must be in Protected View. This policy setting allows you to determine if Word files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If you disable or do not configure this policy setting, Outlook attachments open in Protected View.
V-223404 Medium If file validation fails, files must be opened in Protected view in Word with ability to edit disabled. This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the files. - Open files in Protected View and disallow edit. Users...
V-223403 Medium Files located in unsafe locations must be opened in Protected view in Word. This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not specified unsafe locations, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations. If you enable this policy setting, files located in unsafe locations do...
V-223402 Medium Files downloaded from the Internet must be opened in Protected view in Word. This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure this policy setting, files downloaded from the...
V-223401 Medium In Word, encrypted macros must be scanned. This policy setting controls whether encrypted macros in Open XML documents are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: encrypted macros are disabled unless anti-virus software is installed. Encrypted...
V-223400 Medium Word must automatically disable unsigned add-ins without informing users. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this...
V-223399 Medium Macros must be blocked from running in Visio files from the Internet. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the Trust Center. Also, instead of having the...
V-223398 Medium Visio 5.0 or earlier Binary Drawings, Templates and Stencils must be blocked. This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options that can be selected are below....
V-223397 Medium Visio 2003-2010 Binary Drawings, Templates and Stencils must be blocked. This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options that can be selected are below....
V-223396 Medium Visio 2000-2002 Binary Drawings, Templates and Stencils must be blocked. This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options that can be selected are below....
V-223395 Medium Visio must automatically disable unsigned add-ins without informing users. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this...
V-223394 Medium Trusted Locations on the network must be disabled in Visio. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking the "Add new location" button in the Trusted Locations...
V-223393 Medium VBA Macros not digitally signed must be blocked in Visio. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros: - Disable all with notification: The application...
V-223392 Medium Publisher must disable all unsigned VBA macros. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If this policy setting is enabled, users can choose from four options for determining how the specified applications will warn the user about macros: - Disable all with notification: The application...
V-223391 Medium Publisher must automatically disable unsigned add-ins without informing users. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this...
V-223390 Medium Publisher must be configured to prompt the user when another application programmatically opens a macro. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that application add-ins are signed by Trusted Publisher" policy setting, which prevents users from changing this...
V-223389 Medium The use of network locations must be ignored in PowerPoint. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking the "Add new location" button in the Trusted Locations...
V-223388 Medium If file validation fails, files must be opened in Protected view in PowerPoint with ability to edit disabled. This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the files. - Open files in Protected View and disallow edit. Users...
V-223387 Medium Files in unsafe locations must be opened in Protected view in PowerPoint. This policy setting determines whether files located in unsafe locations will open in Protected View. If unsafe locations have not been specified, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations. If enabling this policy setting, files located in unsafe locations do not open in...
V-223386 Medium PowerPoint attachments opened from Outlook must be in Protected View. This policy setting allows for determining whether PowerPoint files in Outlook attachments open in Protected View. If enabling this policy setting, Outlook attachments do not open in Protected View. If disabling or not configuring this policy setting, Outlook attachments open in Protected View.
V-223385 Medium Files downloaded from the Internet must be opened in Protected view in PowerPoint. This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure this policy setting, files downloaded from the...
V-223384 Medium Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this...
V-223383 Medium Macros from the Internet must be blocked from running in PowerPoint. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if "Enable all macros" is selected in the Macro Settings section of the Trust Center. Also, instead of having the...
V-223382 Medium File validation in PowerPoint must be enabled. This policy setting allows you to turn off the file validation feature. If you enable this policy setting, file validation will be turned off. If you disable or do not configure this policy setting, file validation will be turned on. Office Binary Documents (97-2003) are checked to see if they...
V-223381 Medium Encrypted macros in PowerPoint Open XML presentations must be scanned. This policy setting controls whether encrypted macros in Open XML presentations are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: Encrypted macros are disabled unless anti-virus software is installed. Encrypted macros...
V-223380 Medium The default file block behavior must be set to not open blocked files in PowerPoint. This policy setting allows you to determine if users can open, view, or edit Word files. If you enable this policy setting, you can set one of these options: - Blocked files are not opened. - Blocked files open in Protected View and cannot be edited. - Blocked files open...
V-223379 Medium Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save PowerPoint files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223378 Medium The ability to run programs from PowerPoint must be disabled. This policy setting controls the prompting and activation behavior for the "Run Programs" option for action buttons in PowerPoint. If you enable this policy setting, you can choose from three options to control how the "Run Programs" option functions: - Disable (do not run any programs). If users click an...
V-223377 Medium VBA Macros not digitally signed must be blocked in PowerPoint. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros: - Disable all with notification: The application...
V-223376 Medium VBA Macros not digitally signed must be blocked in Project. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros: - Disable all with notification: The application...
V-223375 Medium Project must automatically disable unsigned add-ins without informing users. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this...
V-223374 Medium Trusted Locations on the network must be disabled in Project. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking the "Add new location" button in the Trusted Locations...
V-223373 Medium The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned. This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose from four options for handling macros in Outlook: - Always warn. This option corresponds to the "Warnings for all macros" option in the "Macro Security" section of the Outlook Trust...
V-223372 Medium Outlook must be configured to not allow hyperlinks in suspected phishing messages. This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable this policy setting, Outlook will allow hyperlinks in suspected phishing messages that are not also classified as junk e-mail. If you disable or do not configure this policy setting, Outlook will not...
V-223371 Medium When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to send e-mail programmatically using the Outlook object model: - Prompt user...
V-223370 Medium When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to programmatically send e-mail using...
V-223369 Medium When an untrusted program attempts to gain access to a recipient field, such as the "To:" field, using the Outlook object model, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the "To:" field, using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to access a recipient...
V-223368 Medium When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically save an item. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to use the Save As command to programmatically save an...
V-223367 Medium When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it. This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to access...
V-223366 Medium When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to programmatically access an Address Book using the Outlook...
V-223365 Medium When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it. This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to messages in ways that circumvent the Outlook model's programmatic send...
V-223364 Medium Outlook must be configured to not run scripts in forms in which the script and the layout are contained within the message. This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message. If you enable this policy setting, scripts can run in one-off Outlook forms. If you disable or do not configure this policy setting, Outlook does not run scripts...
V-223363 Medium Level 2 file attachments must be blocked from being delivered. This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can open them. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open the file after saving it to disk)....
V-223362 Medium Level 1 file attachments must be blocked from being delivered. This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allow them to save files to disk and open them from that location. Outlook uses two levels of security to restrict access to files attached to email messages or other...
V-223361 Medium The display of Level 1 attachments must be disabled in Outlook. This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2...
V-223360 Medium The ability to demote attachments from Level 2 to Level 1 must be disabled. This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allow them to save files to disk and open them from that location. Outlook uses two levels of security to restrict access to files attached to e-mail messages or other...
V-223359 Medium The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy. This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you can choose from four options for enforcing Outlook security settings: - Outlook Default Security - This option is the default configuration in Outlook. Users can configure security themselves, and Outlook...
V-223358 Medium Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online. This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised. If...
V-223357 Medium The warning about invalid digital signatures must be enabled to warn Outlook users. This policy setting controls how Outlook warns users about messages with invalid digital signatures. If you enable this policy setting, you can choose from three options for controlling how Outlook users are warned about invalid signatures: - Let user decide if they want to be warned. This option enforces the...
V-223356 Medium The minimum encryption key length in Outlook must be at least 168. This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries to send a message using an...
V-223355 Medium The Publish to Global Address List (GAL) button must be disabled in Outlook. This policy setting controls whether Outlook users can publish e-mail certificates to the Global Address List (GAL). If you enable this policy setting, the "Publish to GAL" button does not display in the "E-mail Security" section of the Trust Center. If you disable or do not configure this policy setting,...
V-223354 Medium Internet must not be included in Safe Zone for picture download in Outlook. This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook users explicitly choosing to do so. If you enable this policy setting, Outlook will automatically download external content in all e-mail messages sent over the Internet and...
V-223353 Medium Outlook must be configured to prevent users overriding attachment security settings. This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting users will be prevented from overriding the set of attachments blocked by Outlook. Outlook also checks the "Level1Remove" registry key when this setting is specified. If you disable or do...
V-223352 Medium ActiveX One-Off forms must only be enabled to load with Outlook Controls. By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook Recipient and Body controls) are allowed in one-off forms, or so that all ActiveX controls are allowed to run.
V-223351 Medium The junk email protection level must be set to No Automatic Filtering. This policy setting controls the Junk E-mail protection level. The Junk E-mail Filter in Outlook helps to prevent junk email messages, also known as spam, from cluttering a user's Inbox. The filter evaluates each incoming message based on several factors, including the time when the message was sent and the...
V-223350 Medium Files dragged from an Outlook e-mail to the file system must be created in ANSI format. This policy setting controls whether e-mail messages dragged from Outlook to the file system are saved in Unicode or ANSI format.
V-223349 Medium Scripts associated with shared folders must be prevented from execution in Outlook. This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared folders.
V-223348 Medium Scripts associated with public folders must be prevented from execution in Outlook. This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for public folders.
V-223347 Medium Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC encryption when communicating with an Exchange server. Note: RPC encryption only encrypts the data from the Outlook client computer to the Exchange server....
V-223346 Medium The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication. This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note: Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secure authentication method and is supported on Windows 2000 Server and later versions. NTLM authentication is supported...
V-223345 Medium The HTTP fallback for SIP connection in Lync must be disabled. Prevents HTTP from being used for SIP connection in case TLS or TCP fail.
V-223344 Medium The SIP security mode in Lync must be enabled. When Lync connects to the server, it supports various authentication mechanisms. This policy allows the user to specify whether Digest and Basic authentication are supported. Disabled (default): NTLM/Kerberos/TLS-DSK/Digest/Basic Enabled: Authentication mechanisms: NTLM/Kerberos/TLS-DSK Gal Download: Requires HTTPS if user is not logged in as an internal user.
V-223343 Medium File attachments from Outlook must be opened in Excel in Protected mode. This policy setting allows you to determine if Excel files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If you disable or do not configure this policy setting, Outlook attachments open in Protected View.
V-223342 Medium Files failing file validation must be opened in Excel in Protected view mode and disallow edits. This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the files. - Open files in Protected View and disallow edit. Users...
V-223341 Medium Files from unsafe locations must be opened in Excel in Protected View mode. This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not specified unsafe locations, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations. If you enable this policy setting, files located in unsafe locations do...
V-223340 Medium Files from Internet zone must be opened in Excel in Protected View mode. This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure this policy setting, files downloaded from the...
V-223339 Medium Untrusted database files must be opened in Excel in Protected View mode. This policy setting controls whether database files (.dbf) opened from an untrusted location are always opened in Protected View. If you enable this policy setting, database files opened from an untrusted location are always opened in Protected View. Users will not be able to change this setting under File >>...
V-223338 Medium Untrusted Microsoft Query files must be blocked from opening in Excel. This policy setting controls whether Microsoft Query files (.iqy, .oqy, .dqy, and .rqy) in an untrusted location are prevented from opening. If you enable this policy setting, Microsoft Query files in an untrusted location are prevented from opening. Users will not be able to change this setting under File >>...
V-223337 Medium Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked. This policy setting controls whether the specified Office 2016 applications notify users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing...
V-223336 Medium Macros must be blocked from running in Excel files from the Internet. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the Trust Center. Also, instead of having the...
V-223335 Medium WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications. This policy setting controls how Excel will warn users when WEBSERVICE functions are present. If you enable this policy setting, you can choose from three options for determining how the specified applications will warn the user about WEBSERVICE functions: - Disable all with notification: The application displays the Trust Bar...
V-223334 Medium File validation in Excel must be enabled. This policy setting allows you to turn off the file validation feature. If you enable this policy setting, file validation will be turned off. If you disable or do not configure this policy setting, file validation will be turned on. Office Binary Documents (97-2003) are checked to see if they conform...
V-223333 Medium Scan of encrypted macros in Excel Open XML workbooks must be enabled. This policy setting controls whether encrypted macros in Open XML workbooks are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: encrypted macros are disabled unless anti-virus software is installed. Encrypted...
V-223332 Medium File extensions must be enabled to match file types in Excel. This policy setting controls how Excel loads file types that do not match their extension. Excel can load files with extensions that do not match the files' type. For example, if a comma-separated values (CSV) file named example.csv is renamed example.xls (or any other file extension supported by Excel 2003...
V-223331 Medium AutoRepublish warning alert in Excel must be enabled. This policy setting allows administrators to disable the AutoRepublish feature in Excel. If users choose to publish Excel data to a static Web page and enable the AutoRepublish feature, Excel saves a copy of the data to the Web page every time the user saves the workbook. By default, a...
V-223330 Medium AutoRepublish in Excel must be disabled. This policy setting allows administrators to disable the AutoRepublish feature in Excel. If users choose to publish Excel data to a static Web page and enable the AutoRepublish feature, Excel saves a copy of the data to the Web page every time the user saves the workbook. By default, a...
V-223329 Medium Loading of pictures from Web pages not created in Excel must be disabled. This policy setting controls whether Excel loads graphics when opening Web pages that were not created in Excel. It configures the "Load pictures from Web pages not created in Excel" option under the File tab >> Options >> Advanced >> General >> Web Options... >> General tab. If you enable...
V-223328 Medium Updating of links in Excel must be prompted and not automatic. This policy setting controls whether Excel prompts users to update automatic links, or whether the updates occur in the background with no prompt. If you enable or do not configure this policy setting, Excel will prompt users to update automatic links. In addition, the "Ask to update automatic links" user...
V-223327 Medium Extraction options must be blocked when opening corrupt Excel workbooks. This policy setting controls whether Excel presents users with a list of data extraction options before beginning an Open and Repair operation when users choose to open a corrupt workbook in repair or extract mode. If you enable this policy setting, Excel opens the file using the Safe Load process...
V-223326 Medium Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223325 Medium The default file block behavior must be set to not open blocked files in Excel. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223324 Medium Open/save of Excel 95-97 workbooks and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223323 Medium Open/save of Excel 95 workbooks must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223322 Medium Open/save of Excel 4 worksheets must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223321 Medium Open/save of Excel 4 workbooks must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223320 Medium Open/save of Excel 4 macrosheets and add-in files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223319 Medium Open/save of Excel 3 worksheets must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223318 Medium Open/save of Excel 3 macrosheets and add-in files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223317 Medium Open/save of Excel 2 worksheets must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223316 Medium Open/save of Excel 2 macrosheets and add-in files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223315 Medium Open/save of Dif and Sylk format files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223314 Medium Open/save of dBase III / IV format files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or save files. The options that can...
V-223313 Medium Dynamic Data Exchange (DDE) server lookup in Excel must be blocked. This policy setting allows you to control whether Dynamic Data Exchange (DDE) server lookup is allowed. By default, DDE server lookup is turned on, but users can turn off DDE server lookup by going to File >> Options >> Trust Center >> Trust Center Settings >> External Content. If you...
V-223312 Medium Dynamic Data Exchange (DDE) server launch in Excel must be blocked. This policy setting allows you to control whether Dynamic Data Exchange (DDE) server launch is allowed. By default, DDE server launch is turned off, but users can turn on DDE server launch by going to File >> Options >> Trust Center >> Trust Center Settings >> External Content. For security...
V-223311 Medium VBA Macros not digitally signed must be blocked in Excel. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will warn the user about macros: - Disable all with notification: The application...
V-223310 Medium Trusted Locations on the network must be disabled in Excel. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by selecting the "Allow Trusted Locations on my network (not recommended)"...
V-223309 Medium Flash player activation must be disabled in all Office programs. This policy setting controls whether the Adobe Flash control can be activated by Office documents. Note that activation blocking applies only within Office processes. If you enable this policy setting, you can choose from three options to control whether and how Flash is blocked from activation: 1. "Block all activation"...
V-223308 Medium Scripted Windows Security restrictions must be enabled in all Office programs. Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to: - Create browser windows appearing to be from the...
V-223307 Medium The Save from URL feature must be enabled in all Office programs. Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive...
V-223306 Medium File Download Restriction must be enabled in all Office programs. Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this...
V-223305 Medium ActiveX installation restriction must be enabled in all Office programs. Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations, and...
V-223304 Medium Protection from zone elevation must be enabled in all Office programs. Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring...
V-223303 Medium Object Caching Protection must be enabled in all Office programs. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application...
V-223302 Medium Navigate URL must be enabled in all Office programs. To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a...
V-223301 Medium The MIME Sniffing safety feature must be enabled in all Office programs. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application...
V-223300 Medium The Local Machine Zone Lockdown Security must be enabled in all Office programs. Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring...
V-223299 Medium The Information Bar must be enabled in all Office programs. This policy setting controls whether Office 365 ProPlus applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 applications is used to identify security issues, such as unsigned macros or potentially unsafe...
V-223298 Medium User name and password must be disabled in all Office programs. The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com...
V-223297 Medium Consistent MIME handling must be enabled for all Office 365 ProPlus programs. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use of TLS provides confidentiality of data in transit between the application...
V-223296 Medium Add-on Management must be enabled for all Office 365 ProPlus programs. Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user...
V-223295 Medium The load of controls in Forms3 must be blocked. This policy setting allows the user to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe for Initialization (SFI) or Unsafe for Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the...
V-223294 Medium Office applications must not load XML expansion packs with Smart Documents. This policy setting controls whether Office 365 ProPlus applications can load an XML expansion pack manifest file with a Smart Document.
V-223293 Medium Users must be prevented from creating new trusted locations in the Trust Center. This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enable this policy setting, users can specify any location as a trusted location, and a computer can have...
V-223292 Medium Office applications must be configured to specify encryption type in password-protected Office Open XML files.
V-223291 Medium Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.
V-223290 Medium Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked. This policy setting controls whether Office 365 ProPlus applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 365 ProPlus applications is used to identify security issues, such as unsigned macros or potentially...
V-223289 Medium Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level. This policy setting controls whether macros can run in an Office 365 ProPlus application that is opened programmatically by another application. If this policy setting is enabled, the user can choose from three options for controlling macro behavior in Excel, PowerPoint, and Word when the application is opened programmatically: -...
V-223288 Medium ActiveX Controls must be initialized in Safe Mode. This policy setting specifies the Microsoft ActiveX initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote...
V-223287 Medium Custom user interface (UI) code must be blocked from loading in all Office applications. This policy setting controls whether Office 365 ProPlus applications load any custom user interface (UI) code included with a document or template. Office 365 ProPlus allows developers to extend the UI with customization code that is included in a document or template. If this policy setting is enabled, Office 365...
V-223286 Medium The Office client must be prevented from polling the SharePoint Server for published links. This policy setting controls whether Office 365 ProPlus applications can poll Office servers to retrieve lists of published links. If this policy setting is enabled, Office 365 ProPlus applications cannot poll an Office server for published links. If this policy setting is disabled or not configured, users of Office 365...
V-223285 Medium Document metadata for rights managed Office Open XML files must be protected. This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint, and Word encrypt metadata stored in rights-managed Office Open XML files and override any configuration changes on users' computers. If you...
V-223284 Medium The Macro Runtime Scan Scope must be enabled for all documents. This policy setting specifies for which documents the VBA Runtime Scan feature is enabled. If the feature is disabled for all documents, no runtime scanning of enabled macros will be performed. If the feature is enabled for low trust documents, the feature will be enabled for all documents for which...
V-223282 Medium VBA Macros not digitally signed must be blocked in Access. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If this policy setting is enabled, choose from four options for determining how the specified applications will warn the user about macros: - Disable all with notification: The application displays the...
V-223281 Medium Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disables such add-ins without notification. This policy setting only applies if the "Require that application add-ins are signed by Trusted Publisher" policy setting is enabled, which prevents users from changing this...
V-223280 Medium Macros must be blocked from running in Access files from the Internet. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the Trust Center. Also, instead of having the...