Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Microsoft Access 2007 Security Technical Implementation Guide

V4R15 · · · Released 27 Oct 2017 · 12 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

The Microsoft Access 2007 STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V4R14 · 22 Jul 2016 +1

Comparison against the immediately-prior release (V4R14). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 1

  • V-25884 High An unsupported Microsoft Office version must not be installed.
Sort by
b
Disable user name and password syntax from being used in URLs
Medium - V-17173 - SV-19429r2_rule
RMF Control
Severity
M
CCI
Version
DTOO104 - Access
Vuln IDs
  • V-17173
Rule IDs
  • SV-19429r2_rule
The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous web pages, which could pose a security risk. System AdministratorInformation Assurance Officer
Checks: C-19314r3_chk

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Disable user name and password” is set to “Enabled” and ‘msaccess.exe’ check box is selected. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Fix: F-17763r4_fix

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Disable user name and password” to “Enabled” and select the "msaccess.exe" check box.

b
Bind to Object - Access
Medium - V-17174 - SV-18190r2_rule
RMF Control
Severity
M
CCI
Version
DTOO111 - Access
Vuln IDs
  • V-17174
Rule IDs
  • SV-18190r2_rule
Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load. System AdministratorInformation Assurance Officer
Checks: C-17872r3_chk

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Bind to Object” is set to “Enabled” and "msaccess.exe" check box is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Fix: F-16966r3_fix

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Bind to Object” to “Enabled” and select the "msaccess.exe" check box.

b
Saved from URL - Access
Medium - V-17175 - SV-18205r2_rule
RMF Control
Severity
M
CCI
Version
DTOO117 - Access
Vuln IDs
  • V-17175
Rule IDs
  • SV-18205r2_rule
Typically, when Internet Explorer loads a web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.System AdministratorInformation Assurance Officer
Checks: C-17888r3_chk

Validate the policy value for Computer Configuration -> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Saved from URL” is set to “Enabled” and "msaccess.exe" check box is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Fix: F-17052r2_fix

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Saved from URL” to “Enabled” and select the ‘msaccess.exe’ check box.

b
Block navigation to URL embedded in Office products to protect against attack by malformed URL.
Medium - V-17183 - SV-18603r2_rule
RMF Control
Severity
M
CCI
Version
DTOO123 - Access
Vuln IDs
  • V-17183
Rule IDs
  • SV-18603r2_rule
To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.System AdministratorInformation Assurance Officer
Checks: C-18845r3_chk

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Navigate URL” is set to “Enabled” and "msaccess.exe" check box is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Fix: F-17445r3_fix

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Navigate URL” to “Enabled” and select the "msaccess.exe" check box.

b
No pop-ups - Access
Medium - V-17184 - SV-18215r2_rule
RMF Control
Severity
M
CCI
Version
DTOO129 - Access
Vuln IDs
  • V-17184
Rule IDs
  • SV-18215r2_rule
The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.System AdministratorInformation Assurance Officer
Checks: C-17900r3_chk

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Block popups” is set to “Enabled” and "msaccess.exe" check box is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Fix: F-17060r3_fix

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Block popups” to “Enabled” and select the "msaccess.exe" check box.

b
Disable Trust Bar Notification for unsigned application add-ins - Access
Medium - V-17187 - SV-18219r1_rule
RMF Control
Severity
M
CCI
Version
DTOO131 - Access
Vuln IDs
  • V-17187
Rule IDs
  • SV-18219r1_rule
By default, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.System AdministratorInformation Assurance Officer
Checks: C-17912r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “Disable Trust Bar Notification for unsigned application add-ins” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security Criteria: If the value NoTBPromptUnsignedAddin is REG_DWORD = 1, this is not a finding.

Fix: F-17079r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “Disable Trust Bar Notification for unsigned application add-ins” will be set to “Enabled”.

b
Enable Warning Bar settings for VBA macros contained in Access Files.
Medium - V-17545 - SV-18637r1_rule
RMF Control
Severity
M
CCI
Version
DTOO304 - Access
Vuln IDs
  • V-17545
Rule IDs
  • SV-18637r1_rule
By default, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking Options on the Trust Bar and selecting the appropriate action. If users enable dangerous macros, it could affect their computers or cause sensitive information to be compromised. System AdministratorInformation Assurance Officer
Checks: C-18854r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “VBA Macro Warning Settings” will be set to “Enabled (Trust Bar warning for all macros)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security Criteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.

Fix: F-17465r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “VBA Macro Warning Settings” will be set to “Enabled (Trust Bar warning for all macros)”.

b
Set the default saved file format for Access.
Medium - V-17584 - SV-18706r2_rule
RMF Control
Severity
M
CCI
Version
DTOO136 - Access
Vuln IDs
  • V-17584
Rule IDs
  • SV-18706r2_rule
By default, when users create new database files, Access 2007 saves them in the new Access 2007 format. Users can change this functionality by clicking the Office button, clicking Access Options, and then selecting a file format from the Default file format list. If a new database is created in an inappropriate format, some users might be unable to open or use it. System AdministratorInformation Assurance Officer
Checks: C-18884r13_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Default File Format” will be set to “Enabled (Access 2007)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Settings Criteria: If the value Default File Format is REG_DWORD = c (hex) or 12 (Decimal), this is not a finding.

Fix: F-17502r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Default File Format” will be set to “Enabled (Access 2007)”.

b
Do not Prompt to convert when opening older databases - Access.
Medium - V-17603 - SV-18733r1_rule
RMF Control
Severity
M
CCI
Version
DTOO137 - Access
Vuln IDs
  • V-17603
Rule IDs
  • SV-18733r1_rule
By default, when users open databases that were created in the Access 97 file format, Access 2007 prompts them to convert the database to a newer file format. Users can choose to convert the database or leave it in the older format. If this configuration is changed, Access will leave Access 97-format databases unchanged. Access informs the user that the database is in the older format, but does not provide the user with an option to convert the database. Some features introduced in more recent versions of Access will not be available, and the user will not be able to make any design changes to the database. System AdministratorInformation Assurance Officer
Checks: C-18905r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Do not prompt to convert older databases” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Settings Criteria: If the value NoConvertDialog is REG_DWORD = 0, this is not a finding.

Fix: F-17521r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Do not prompt to convert older databases” will be set to “Disabled”.

b
Enable Modal Trust Decision Only - Access
Medium - V-17757 - SV-18952r1_rule
RMF Control
Severity
M
CCI
Version
DTOO135 - Access
Vuln IDs
  • V-17757
Rule IDs
  • SV-18952r1_rule
By default, when users open an untrusted Access 2007 database that contains user-programmed executable components, Access opens the database with the components disabled and displays the Message Bar with a warning that database content has been disabled. Users can inspect the contents of the database, but cannot use any disabled functionality until they enable it by clicking Options on the Message Bar and selecting the appropriate action. The default configuration can be changed so that users see a dialog box when they open an untrusted database with executable components. Users must then choose whether to enable or disable the components before working with the database. In these circumstances users frequently enable the components, even if they do not require them. Executable components can be used to launch an attack against a computer environment. System AdministratorInformation Assurance Officer
Checks: C-19019r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Tools \ Security “Modal Trust Decision Only” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security Criteria: If the value ModalTrustDecisionOnly is REG_DWORD = 0, this is not a finding.

Fix: F-17656r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Tools \ Security “Modal Trust Decision Only” will be set to “Disabled”.

b
Enable the feature to underline hyperlinks in Access.
Medium - V-17810 - SV-19046r1_rule
RMF Control
Severity
M
CCI
Version
DTOO130 - Access
Vuln IDs
  • V-17810
Rule IDs
  • SV-19046r1_rule
By default, Access 2007 underlines hyperlinks that appear in tables, queries, forms, and reports. If this configuration is changed, users might click on dangerous hyperlinks without realizing it, which could pose a security riskSystem AdministratorInformation Assurance Officer
Checks: C-19077r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Web Options -> General “Underline Hyperlinks” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Internet Criteria: If the value DoNotUnderlineHyperlinks is REG_DWORD = 0, this is not a finding.

Fix: F-17711r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Web Options -> General “Underline Hyperlinks” will be set to “Enabled”.

c
An unsupported Microsoft Office version must not be installed.
High - V-25884 - SV-32370r3_rule
RMF Control
Severity
H
CCI
Version
DTOO287
Vuln IDs
  • V-25884
Rule IDs
  • SV-32370r3_rule
Failure to install the most current Office version leaves a system vulnerable to exploitation. Current service packs correct known security and system vulnerabilities. If Microsoft Office installation is not at the most current version and service pack level, this is a Category 1 finding since new vulnerabilities will not be patched. Office 2007 is End of Life. System Administrator
Checks: C-32765r4_chk

To determine what service pack level is installed, start the Office application. Click on the Office Menu Button (upper left), click "Options" at the bottom of the menu, and select "Resources" from the left column. The version number will be displayed alongside the "About" button on the right-hand side display. If the "About" box information displays an Office 2007 version, this is a finding.

Fix: F-28840r3_fix

Upgrade to Office 2010, Office 2013, or Office 2016.