Microsoft Office 365 ProPlus Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2020-04-16

Updated At: 2020-05-11 21:05:23

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-108737r1_rule O365-AC-000001 CCI-001170 MEDIUM Macros must be blocked from running in Access files from the Internet. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the
    SV-108739r1_rule O365-AC-000002 CCI-001749 MEDIUM Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli
    SV-108741r1_rule O365-AC-000003 CCI-000381 MEDIUM VBA Macros not digitally signed must be blocked in Access. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa
    SV-108743r1_rule O365-AC-000004 CCI-001662 MEDIUM Allowing Trusted Locations on the network must be disabled in Access. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by selecting
    SV-108745r1_rule O365-CO-000001 CCI-001170 MEDIUM The Macro Runtime Scan Scope must be enabled for all documents. This policy setting specifies for which documents the VBA Runtime Scan feature is enabled. If the feature is disabled for all documents, no runtime scanning of enabled macros will be performed. If the feature is enabled for low trust documents, the feat
    SV-108747r1_rule O365-CO-000002 CCI-002476 MEDIUM Document metadata for rights managed Office Open XML files must be protected. This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint, and Word encrypt metadata stored in rights-managed Offic
    SV-108749r1_rule O365-CO-000003 CCI-000381 MEDIUM The Office client must be prevented from polling the SharePoint Server for published links. This policy setting controls whether Office 2016 applications can poll Office servers to retrieve lists of published links. If you enable this policy setting, Office 2016 applications cannot poll an Office server for published links. If you disable or
    SV-108751r1_rule O365-CO-000004 CCI-000366 MEDIUM Custom user interface (UI) code must be blocked from loading in all Office applications. This policy setting controls whether Office 2016 applications load any custom user interface (UI) code included with a document or template. Office 2016 allows developers to extend the UI with customization code that is included in a document or template.
    SV-108753r1_rule O365-CO-000005 CCI-002460 MEDIUM ActiveX Controls must be initialized in Safe Mode. This policy setting specifies the Microsoft ActiveX initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control an
    SV-108755r1_rule O365-CO-000006 CCI-001170 MEDIUM Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level. This policy setting controls whether macros can run in an Office 2016 application that is opened programmatically by another application. If you enable this policy setting, you can choose from three options for controlling macro behavior in Excel, PowerPo
    SV-108757r1_rule O365-CO-000007 CCI-001749 MEDIUM Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked. This policy setting controls whether Office 2016 applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 applicati
    SV-108759r1_rule O365-CO-000008 CCI-001199 MEDIUM Office applications must be configured to specify encryption type in password-protected Office 97-2003 files. This policy setting enables you to specify an encryption type for password-protected Office 97-2003 files. If you enable this policy setting, you can specify the type of encryption that Office applications will use to encrypt password-protected files in
    SV-108761r1_rule O365-CO-000009 CCI-001199 MEDIUM Office applications must be configured to specify encryption type in password-protected Office Open XML files. This policy setting allows you to specify an encryption type for Office Open XML files. If you enable this policy setting, you can specify the type of encryption that Office applications use to encrypt password-protected files in the Office Open XML file
    SV-108763r1_rule O365-CO-000010 CCI-002235 MEDIUM Users must be prevented from creating new trusted locations in the Trust Center. This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enable this policy setting, users can specify any location as
    SV-108765r1_rule O365-CO-000011 CCI-001662 MEDIUM Office clients must be prevented from polling Office servers for published links. This policy setting controls whether Office 2016 applications can poll Office servers to retrieve lists of published links. If you enable this policy setting, Office 2016 applications cannot poll an Office server for published links. If you disable or
    SV-108767r1_rule O365-CO-000012 CCI-000366 MEDIUM Office applications must not load XML expansion packs with Smart Documents. This policy setting controls whether Office 2016 applications can load an XML expansion pack manifest file with a Smart Document.
    SV-108769r1_rule O365-CO-000013 CCI-001662 MEDIUM The load of controls in Forms3 must be blocked. This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe for Initialization (SFI) or Unsafe for Initialization (UFI). ActiveX controls are Component Object Model (COM) objects an
    SV-108771r1_rule O365-CO-000014 CCI-001662 MEDIUM Add-on Management must be enabled for all Office 365 ProPlus programs. Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become
    SV-108773r1_rule O365-CO-000015 CCI-000803 MEDIUM Consistent MIME handling must be enabled for all Office 365 ProPlus programs. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use o
    SV-108775r1_rule O365-CO-000016 CCI-001170 MEDIUM User name and password must be disabled in all Office programs. The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:[email protected] A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate websi
    SV-108777r1_rule O365-CO-000017 CCI-001662 MEDIUM The Information Bar must be enabled in all Office programs. This policy setting controls whether Office 2016 applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 application
    SV-108779r1_rule O365-CO-000018 CCI-000366 MEDIUM The Local Machine Zone Lockdown Security must be enabled in all Office programs. Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicio
    SV-108781r1_rule O365-CO-000019 CCI-000803 MEDIUM The MIME Sniffing safety feature must be enabled in all Office programs. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use
    SV-108783r1_rule O365-CO-000020 CCI-001170 MEDIUM Navigate URL must be enabled in all Office programs. To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an
    SV-108785r1_rule O365-CO-000021 CCI-000803 MEDIUM Object Caching Protection must be enabled in all Office programs. Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use
    SV-108787r1_rule O365-CO-000022 CCI-001695 MEDIUM Protection from zone elevation must be enabled in all Office programs. Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicio
    SV-108789r1_rule O365-CO-000023 CCI-002460 MEDIUM ActiveX installation restriction must be enabled in all Office programs. Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not confi
    SV-108791r1_rule O365-CO-000024 CCI-001695 MEDIUM File Download Restriction must be enabled in all Office programs. Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet
    SV-108793r1_rule O365-CO-000025 CCI-001170 MEDIUM The Save from URL feature must be enabled in all Office programs. Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet se
    SV-108795r1_rule O365-CO-000026 CCI-001695 MEDIUM Scripted Windows Security restrictions must be enabled in all Office programs. Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to: - Cre
    SV-108797r1_rule O365-CO-000027 CCI-002460 MEDIUM Flash player activation must be disabled in all Office programs. This policy setting controls whether the Adobe Flash control can be activated by Office documents. Note that activation blocking applies only within Office processes. If you enable this policy setting, you can choose from three options to control whether
    SV-108799r1_rule O365-EX-000001 CCI-001170 MEDIUM Trusted Locations on the network must be disabled in Excel. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by selecting
    SV-108801r1_rule O365-EX-000002 CCI-000381 MEDIUM VBA Macros not digitally signed must be blocked in Excel. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa
    SV-108803r1_rule O365-EX-000003 CCI-001662 MEDIUM Dynamic Data Exchange (DDE) server launch in Excel must be blocked. This policy setting allows you to control whether Dynamic Data Exchange (DDE) server launch is allowed. By default, DDE server launch is turned off, but users can turn on DDE server launch by going to File >> Options >> Trust Center >> Trust Center Setti
    SV-108805r1_rule O365-EX-000004 CCI-001662 MEDIUM Dynamic Data Exchange (DDE) server lookup in Excel must be blocked. This policy setting allows you to control whether Dynamic Data Exchange (DDE) server lookup is allowed. By default, DDE server lookup is turned on, but users can turn off DDE server lookup by going to File >> Options >> Trust Center >> Trust Center Setti
    SV-108807r1_rule O365-EX-000005 CCI-001662 MEDIUM Open/save of dBase III / IV format files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or s
    SV-108809r1_rule O365-EX-000006 CCI-001662 MEDIUM Open/save of Dif and Sylk format files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108811r1_rule O365-EX-000007 CCI-001662 MEDIUM Open/save of Excel 2 macrosheets and add-in files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108813r1_rule O365-EX-000008 CCI-001662 MEDIUM Open/save of Excel 2 worksheets must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108815r1_rule O365-EX-000009 CCI-001662 MEDIUM Open/save of Excel 3 macrosheets and add-in files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108817r1_rule O365-EX-000010 CCI-001662 MEDIUM Open/save of Excel 3 worksheets must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108819r1_rule O365-EX-000011 CCI-001662 MEDIUM Open/save of Excel 4 macrosheets and add-in files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108821r1_rule O365-EX-000012 CCI-001662 MEDIUM Open/save of Excel 4 workbooks must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108823r1_rule O365-EX-000013 CCI-001662 MEDIUM Open/save of Excel 4 worksheets must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108825r1_rule O365-EX-000014 CCI-001662 MEDIUM Open/save of Excel 95 workbooks must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108827r1_rule O365-EX-000015 CCI-001662 MEDIUM Open/save of Excel 95-97 workbooks and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108829r1_rule O365-EX-000016 CCI-001662 MEDIUM The default file block behavior must be set to not open blocked files in Excel. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108831r1_rule O365-EX-000017 CCI-001662 MEDIUM Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa
    SV-108833r1_rule O365-EX-000018 CCI-001662 MEDIUM Extraction options must be blocked when opening corrupt Excel workbooks. This policy setting controls whether Excel presents users with a list of data extraction options before beginning an Open and Repair operation when users choose to open a corrupt workbook in repair or extract mode. If you enable this policy setting, Exce
    SV-108835r1_rule O365-EX-000019 CCI-001170 MEDIUM Updating of links in Excel must be prompted and not automatic. This policy setting controls whether Excel prompts users to update automatic links, or whether the updates occur in the background with no prompt. If you enable or do not configure this policy setting, Excel will prompt users to update automatic links. I
    SV-108837r1_rule O365-EX-000020 CCI-002460 MEDIUM Loading of pictures from Web pages not created in Excel must be disabled. This policy setting controls whether Excel loads graphics when opening Web pages that were not created in Excel. It configures the "Load pictures from Web pages not created in Excel" option under the File tab >> Options >> Advanced >> General >> Web Optio
    SV-108839r1_rule O365-EX-000021 CCI-000366 MEDIUM AutoRepublish in Excel must be disabled. This policy setting allows administrators to disable the AutoRepublish feature in Excel. If users choose to publish Excel data to a static Web page and enable the AutoRepublish feature, Excel saves a copy of the data to the Web page every time the user sa
    SV-108841r1_rule O365-EX-000022 CCI-000366 MEDIUM AutoRepublish warning alert in Excel must be enabled. This policy setting allows administrators to disable the AutoRepublish feature in Excel. If users choose to publish Excel data to a static Web page and enable the AutoRepublish feature, Excel saves a copy of the data to the Web page every time the user sa
    SV-108843r1_rule O365-EX-000023 CCI-000366 MEDIUM File extensions must be enabled to match file types in Excel. This policy setting controls how Excel loads file types that do not match their extension. Excel can load files with extensions that do not match the files' type. For example, if a comma-separated values (CSV) file named example.csv is renamed example.xls
    SV-108845r1_rule O365-EX-000024 CCI-001170 MEDIUM Scan of encrypted macros in Excel Open XML workbooks must be enabled. This policy setting controls whether encrypted macros in Open XML workbooks be are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: encry
    SV-108847r1_rule O365-EX-000025 CCI-001695 MEDIUM File validation in Excel must be enabled. This policy setting allows you turn off the file validation feature. If you enable this policy setting, file validation will be turned off. If you disable or do not configure this policy setting, file validation will be turned on. Office Binary Document
    SV-108849r1_rule O365-EX-000026 CCI-001662 MEDIUM WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications. This policy setting controls how Excel will warn users when WEBSERVICE functions are present. If you enable this policy setting, you can choose from three options for determining how the specified applications will warn the user about WEBSERVICE function
    SV-108851r1_rule O365-EX-000027 CCI-001170 MEDIUM Macros must be blocked from running in Excel files from the Internet. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the
    SV-108853r1_rule O365-EX-000028 CCI-001749 MEDIUM Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked. This policy setting controls whether the specified Office 2016 applications notify users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the ''Require that
    SV-108855r1_rule O365-EX-000029 CCI-001662 MEDIUM Untrusted Microsoft Query files must be blocked from opening in Excel. This policy setting controls whether Microsoft Query files (.iqy, oqy, .dqy, and .rqy) in an untrusted location are prevented from opening. If you enable this policy setting, Microsoft Query files in an untrusted location are prevented from opening. User
    SV-108857r1_rule O365-EX-000030 CCI-001662 MEDIUM Untrusted database files must be opened in Excel in Protected View mode. This policy setting controls whether database files (.dbf) opened from an untrusted location are always opened in Protected View. If you enable this policy setting, database files opened from an untrusted location are always opened in Protected View. Use
    SV-108859r1_rule O365-EX-000031 CCI-001662 MEDIUM Files from Internet zone must be opened in Excel in Protected View mode. This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure t
    SV-108861r1_rule O365-EX-000032 CCI-001170 MEDIUM Files from unsafe locations must be opened in Excel in Protected View mode. This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not specified unsafe locations, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations
    SV-108863r1_rule O365-EX-000033 CCI-001170 MEDIUM Files failing file validation must be opened in Excel in Protected view mode and disallow edits. This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the fil
    SV-108865r1_rule O365-EX-000034 CCI-001170 MEDIUM File attachments from Outlook must be opened in Excel in Protected mode. This policy setting allows you to determine if Excel files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If you disable or do not configure this policy setting, Outlo
    SV-108867r1_rule O365-LY-000001 CCI-001184 MEDIUM The SIP security mode in Lync must be enabled. When Lync connects to the server, it supports various authentication mechanisms. This policy allows the user to specify whether Digest and Basic authentication are supported. Disabled (default): NTLM/Kerberos/TLS-DSK/Digest/Basic Enabled: Authentication m
    SV-108869r1_rule O365-LY-000002 CCI-001184 MEDIUM The HTTP fallback for SIP connection in Lync must be disabled. Prevents from HTTP being used for SIP connection in case TLS or TCP fail.
    SV-108871r1_rule O365-OU-000001 CCI-001967 MEDIUM The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication. This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note: Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secure
    SV-108873r1_rule O365-OU-000002 CCI-001967 MEDIUM Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC encryption when communicating with an Exchange server. Note: RPC
    SV-108875r1_rule O365-OU-000003 CCI-001170 MEDIUM Scripts associated with public folders must be prevented from execution in Outlook. This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for public folders.
    SV-108877r1_rule O365-OU-000004 CCI-001170 MEDIUM Scripts associated with shared folders must be prevented from execution in Outlook. This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared folders.
    SV-108879r1_rule O365-OU-000005 CCI-000366 MEDIUM Files dragged from an Outlook e-mail to the file system must be created in ANSI format. This policy setting controls whether e-mail messages dragged from Outlook to the file system are saved in Unicode or ANSI format.
    SV-108881r1_rule O365-OU-000006 CCI-000366 MEDIUM Junk e-mail level must be enabled at a setting of High. This policy setting controls your Junk E-mail protection level. The Junk E-mail Filter in Outlook helps to prevent junk e-mail messages, also known as spam, from cluttering user's Inbox. The filter evaluates each incoming message based on several factors,
    SV-108883r1_rule O365-OU-000007 CCI-001170 MEDIUM Active X One-Off forms must only be enabled to load with Outlook Controls. By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook Recipient and Body controls) are allowed in one-off forms, or so
    SV-108885r1_rule O365-OU-000008 CCI-002235 MEDIUM Outlook must be configured to prevent users overriding attachment security settings. This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting users will be prevented from overriding the set of attachments blocked by Outlook. Outlook also checks the "Level1Remove" regi
    SV-108887r1_rule O365-OU-000009 CCI-000366 MEDIUM Internet must not be included in Safe Zone for picture download in Outlook. This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook users explicitly choosing to do so. If you enable this policy setting, Outlook will automati
    SV-108889r1_rule O365-OU-000010 CCI-000366 MEDIUM The Publish to Global Address List (GAL) button must be disabled in Outlook. This policy setting controls whether Outlook users can publish e-mail certificates to the Global Address List (GAL). If you enable this policy setting, the "Publish to GAL" button does not display in the "E-mail Security" section of the Trust Center.
    SV-108891r1_rule O365-OU-000011 CCI-002450 MEDIUM The minimum encryption key length in Outlook must be at least 168. This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries t
    SV-108893r1_rule O365-OU-000012 CCI-001662 MEDIUM The warning about invalid digital signatures must be enabled to warn Outlook users. This policy setting controls how Outlook warns users about messages with invalid digital signatures. If you enable this policy setting, you can choose from three options for controlling how Outlook users are warned about invalid signatures: - Let user de
    SV-108895r1_rule O365-OU-000013 CCI-000185 MEDIUM Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online. This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authoriti
    SV-108897r1_rule O365-OU-000014 CCI-000366 MEDIUM The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy. This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you can choose from four options for enforcing Outlook security settings: - Outlook Default Security - This option is the default co
    SV-108899r1_rule O365-OU-000015 CCI-001662 MEDIUM The ability to demote attachments from Level 2 to Level 1 must be disabled. This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allow them to save files to disk and open them from that location. Outlook uses two levels of security to restrict access to files att
    SV-108901r1_rule O365-OU-000016 CCI-001662 MEDIUM The display of Level 1 attachments must be disabled in Outlook. This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can
    SV-108903r1_rule O365-OU-000017 CCI-001662 MEDIUM Level 1 file attachments must be blocked from being delivered. This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allow them to save files to disk and open them from that location. Outlook uses two levels of security to restrict access to files att
    SV-108905r1_rule O365-OU-000018 CCI-001662 MEDIUM Level 2 file attachments must be blocked from being delivered. This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can open them. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open t
    SV-108907r1_rule O365-OU-000019 CCI-001170 MEDIUM Outlook must be configured to not run scripts in forms in which the script and the layout are contained within the message. This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message. If you enable this policy setting, scripts can run in one-off Outlook forms. If you disable or do not configure this pol
    SV-108909r1_rule O365-OU-000020 CCI-002460 MEDIUM When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it. This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to me
    SV-108911r1_rule O365-OU-000021 CCI-002460 MEDIUM When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attemp
    SV-108913r1_rule O365-OU-000022 CCI-002460 MEDIUM When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it. This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field. If you enable this policy setting, you can choose from four different option
    SV-108915r1_rule O365-OU-000023 CCI-002460 MEDIUM When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically save an item. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to
    SV-108917r1_rule O365-OU-000024 CCI-002460 MEDIUM When an untrusted program attempts to gain access to a recipient field, such as the, To: field, using the Outlook object model, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the ''To:'' field, using the Outlook object model. If you enable this policy setting, you can choose from four different options whe
    SV-108919r1_rule O365-OU-000025 CCI-002460 MEDIUM When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request. If you enable this policy setting, you can choose from four different options
    SV-108921r1_rule O365-OU-000026 CCI-002460 MEDIUM When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it. This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts
    SV-108923r1_rule O365-OU-000027 CCI-000366 MEDIUM Outlook must be configured to not allow hyperlinks in suspected phishing messages. This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable this policy setting, Outlook will allow hyperlinks in suspected phishing messages that are not also classified as junk e-mail. If y
    SV-108925r1_rule O365-OU-000028 CCI-001662 MEDIUM The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned. This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose from four options for handling macros in Outlook: - Always warn. This option corresponds to the "Warnings for all macros" option in
    SV-108929r1_rule O365-PT-000001 CCI-000381 MEDIUM VBA Macros not digitally signed must be blocked in PowerPoint. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa
    SV-108931r1_rule O365-PT-000002 CCI-001170 MEDIUM The ability to run programs from PowerPoint must be disabled. This policy setting controls the prompting and activation behavior for the "Run Programs" option for action buttons in PowerPoint. If you enable this policy setting, you can choose from three options to control how the "Run Programs" option functions: -
    SV-108933r1_rule O365-PT-000003 CCI-001662 MEDIUM Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save PowerPoint files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit,
    SV-108935r1_rule O365-PT-000004 CCI-001662 MEDIUM The default file block behavior must be set to not open blocked files in PowerPoint. This policy setting allows you to determine if users can open, view, or edit Word files. If you enable this policy setting, you can set one of these options: - Blocked files are not opened. - Blocked files open in Protected View and cannot be edited. - Bl
    SV-108937r1_rule O365-PT-000005 CCI-001170 MEDIUM Encrypted macros in PowerPoint Open XML presentations must be scanned. This policy setting controls whether encrypted macros in Open XML presentations are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: Encr
    SV-108939r1_rule O365-PT-000006 CCI-001170 MEDIUM File validation in PowerPoint must be enabled. This policy setting allows you to turn off the file validation feature. If you enable this policy setting, file validation will be turned off. If you disable or do not configure this policy setting, file validation will be turned on. Office Binary Documen
    SV-108941r1_rule O365-PT-000007 CCI-001170 MEDIUM Macros from the Internet must be blocked from running in PowerPoint. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if "Enable all macros" is selected in the Macro Settings section of the Trust
    SV-108943r1_rule O365-PT-000008 CCI-001749 MEDIUM Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli
    SV-108945r1_rule O365-PT-000009 CCI-001662 MEDIUM Files downloaded from the Internet must be opened in Protected view in PowerPoint. This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure thi
    SV-108947r1_rule O365-PT-000010 CCI-001662 MEDIUM PowerPoint attachments opened from Outlook must be in Protected View. This policy setting allows for determining whether PowerPoint files in Outlook attachments open in Protected View. If enabling this policy setting, Outlook attachments do not open in Protected View. If disabling or not configuring this policy setting, Out
    SV-108949r1_rule O365-PT-000011 CCI-001662 MEDIUM Files in unsafe locations must be opened in Protected view in PowerPoint. This policy setting determines whether files located in unsafe locations will open in Protected View. If unsafe locations have not been specified, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations.
    SV-108951r1_rule O365-PT-000012 CCI-001170 MEDIUM If file validation fails, files must be opened in Protected view in PowerPoint with ability to edit disabled. This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the file
    SV-108953r1_rule O365-PT-000013 CCI-001170 MEDIUM The use of network locations must be ignored in PowerPoint. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking th
    SV-108955r1_rule O365-PR-000001 CCI-001170 MEDIUM Trusted Locations on the network must be disabled in Project. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking t
    SV-108957r1_rule O365-PR-000002 CCI-001749 MEDIUM Project must automatically disable unsigned add-ins without informing users. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli
    SV-108959r1_rule O365-PR-000003 CCI-000381 MEDIUM VBA Macros not digitally signed must be blocked in Project. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa
    SV-108961r1_rule O365-PU-000001 CCI-001662 MEDIUM Publisher must be configured to prompt the user when another application programmatically opens a macro. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli
    SV-108963r1_rule O365-PU-000002 CCI-001749 MEDIUM Publisher must automatically disable unsigned add-ins without informing users. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli
    SV-108965r1_rule O365-PU-000003 CCI-001749 MEDIUM Publisher must disable all unsigned VBA macros. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa
    SV-108967r1_rule O365-VI-000001 CCI-000381 MEDIUM VBA Macros not digitally signed must be blocked in Visio. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa
    SV-108969r1_rule O365-VI-000002 CCI-001170 MEDIUM Trusted Locations on the network must be disabled in Visio. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking t
    SV-108971r1_rule O365-VI-000003 CCI-001749 MEDIUM Visio must automatically disable unsigned add-ins without informing users. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli
    SV-108973r1_rule O365-VI-000004 CCI-001662 MEDIUM Visio 2000-2002 Binary Drawings, Templates and Stencils must be blocked. This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options th
    SV-108975r1_rule O365-VI-000005 CCI-001662 MEDIUM Visio 2003-2010 Binary Drawings, Templates and Stencils must be blocked. This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options th
    SV-108977r1_rule O365-VI-000006 CCI-001662 MEDIUM Visio 5.0 or earlier Binary Drawings, Templates and Stencils must be blocked. This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options th
    SV-108979r1_rule O365-VI-000007 CCI-001170 MEDIUM Macros must be blocked from running in Visio files from the Internet. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the
    SV-108981r1_rule O365-WD-000001 CCI-001749 MEDIUM Word must automatically disable unsigned add-ins without informing users. This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli
    SV-108983r1_rule O365-WD-000002 CCI-001170 MEDIUM In Word, encrypted macros must be scanned. This policy setting controls whether encrypted macros in Open XML documents be are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: encry
    SV-108985r1_rule O365-WD-000003 CCI-001662 MEDIUM Files downloaded from the Internet must be opened in Protected view in Word. This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure t
    SV-108987r1_rule O365-WD-000004 CCI-001662 MEDIUM Files located in unsafe locations must be opened in Protected view in Word. This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not specified unsafe locations, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations
    SV-108989r1_rule O365-WD-000005 CCI-001662 MEDIUM If file validation fails, files must be opened in Protected view in Word with ability to edit disabled. This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the fil
    SV-108991r1_rule O365-WD-000006 CCI-001662 MEDIUM Word attachments opened from Outlook must be in Protected View. This policy setting allows you to determine if Word files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If you disable or do not configure this policy setting, Outloo
    SV-108993r1_rule O365-WD-000007 CCI-001662 MEDIUM The default file block behavior must be set to not open blocked files in Word. This policy setting allows you to determine if users can open, view, or edit Word files. If you enable this policy setting, you can set one of these options: - Blocked files are not opened. - Blocked files open in Protected View and cannot be edited. - B
    SV-108995r1_rule O365-WD-000008 CCI-001662 MEDIUM Open/Save of Word 2 and earlier binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav
    SV-108997r1_rule O365-WD-000009 CCI-001662 MEDIUM Open/Save of Word 2000 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav
    SV-108999r1_rule O365-WD-000010 CCI-001662 MEDIUM Open/Save of Word 2003 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav
    SV-109001r1_rule O365-WD-000011 CCI-001662 MEDIUM Open/Save of Word 2007 and later binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav
    SV-109003r1_rule O365-WD-000012 CCI-001662 MEDIUM Open/Save of Word 6.0 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav
    SV-109005r1_rule O365-WD-000013 CCI-001662 MEDIUM Open/Save of Word 95 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav
    SV-109007r1_rule O365-WD-000014 CCI-001662 MEDIUM Open/Save of Word 97 binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav
    SV-109009r1_rule O365-WD-000015 CCI-001662 MEDIUM Open/Save of Word XP binary documents and templates must be blocked. This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav
    SV-109011r1_rule O365-WD-000016 CCI-001170 MEDIUM In Word, macros must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center. This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if "Enable all macros" is selected in the Macro Settings section of the Trust
    SV-109013r1_rule O365-WD-000017 CCI-001170 MEDIUM Trusted Locations on the network must be disabled in Word. This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking t
    SV-109015r1_rule O365-WD-000018 CCI-000381 MEDIUM VBA Macros not digitally signed must be blocked in Word. This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa
    SV-109621r1_rule O365-WD-000019 CCI-001695 MEDIUM File validation in Word must be enabled. This policy setting allows the file validation feature to be turned off. If this policy setting is enabled, file validation will be turned off. If this policy setting is disabled or not configured, file validation will be turned on. Office Binary Docume