Microsoft Office 365 ProPlus Security Technical Implementation Guide
Description
This Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from National Institute of Standards and Technology (NIST) Special Publication 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].
Details
Version / Release: V2R9
Published: 2023-03-17
Updated At: 2023-05-04 00:35:36
Rule | Version | CCI | Severity | Title | Description |
---|---|---|---|---|---|
SV-223280r879616_rule | O365-AC-000001 | CCI-001170 | MEDIUM | Macros must be blocked from running in Access files from the Internet. | This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the |
SV-223281r879584_rule | O365-AC-000002 | CCI-001749 | MEDIUM | Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked. | This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli |
SV-223282r879587_rule | O365-AC-000003 | CCI-000381 | MEDIUM | VBA Macros not digitally signed must be blocked in Access. | This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa |
SV-223283r879628_rule | O365-AC-000004 | CCI-001662 | MEDIUM | Allowing Trusted Locations on the network must be disabled in Access. | This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by selecting |
SV-223284r879630_rule | O365-CO-000001 | CCI-001170 | MEDIUM | The Macro Runtime Scan Scope must be enabled for all documents. | This policy setting specifies for which documents the VBA Runtime Scan feature is enabled. If the feature is disabled for all documents, no runtime scanning of enabled macros will be performed. If the feature is enabled for low trust documents, the feat |
SV-223285r879800_rule | O365-CO-000002 | CCI-002476 | MEDIUM | Document metadata for rights managed Office Open XML files must be protected. | This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint, and Word encrypt metadata stored in rights-managed Offic |
SV-223286r879587_rule | O365-CO-000003 | CCI-000381 | MEDIUM | The Office client must be prevented from polling the SharePoint Server for published links. | This policy setting controls whether Office 365 ProPlus applications can poll Office servers to retrieve lists of published links. If this policy setting is enabled, Office 365 ProPlus applications cannot poll an Office server for published links. If |
SV-223287r879887_rule | O365-CO-000004 | CCI-000366 | MEDIUM | Custom user interface (UI) code must be blocked from loading in all Office applications. | This policy setting controls whether Office 365 ProPlus applications load any custom user interface (UI) code included with a document or template. Office 365 ProPlus allows developers to extend the UI with customization code that is included in a documen |
SV-223288r879859_rule | O365-CO-000005 | CCI-002460 | MEDIUM | ActiveX Controls must be initialized in Safe Mode. | This policy setting specifies the Microsoft ActiveX initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control an |
SV-223289r879630_rule | O365-CO-000006 | CCI-001170 | MEDIUM | Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level. | This policy setting controls whether macros can run in an Office 365 ProPlus application that is opened programmatically by another application. If this policy setting is enabled, the user can choose from three options for controlling macro behavior in Ex |
SV-223290r879584_rule | O365-CO-000007 | CCI-001749 | MEDIUM | Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked. | This policy setting controls whether Office 365 ProPlus applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 365 Pro |
SV-223291r879642_rule | O365-CO-000008 | CCI-001199 | MEDIUM | Office applications must be configured to specify encryption type in password-protected Office 97-2003 files. | This policy setting enables you to specify an encryption type for password-protected Office 97-2003 files. If you enable this policy setting, you can specify the type of encryption that Office applications will use to encrypt password-protected files in |
SV-223292r879642_rule | O365-CO-000009 | CCI-001199 | MEDIUM | Office applications must be configured to specify encryption type in password-protected Office Open XML files. | This policy setting allows you to specify an encryption type for Office Open XML files. If you enable this policy setting, you can specify the type of encryption that Office applications use to encrypt password-protected files in the Office Open XML file |
SV-223293r879717_rule | O365-CO-000010 | CCI-002235 | MEDIUM | Users must be prevented from creating new trusted locations in the Trust Center. | This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enable this policy setting, users can specify any location as |
SV-223294r879887_rule | O365-CO-000012 | CCI-000366 | MEDIUM | Office applications must not load XML expansion packs with Smart Documents. | This policy setting controls whether Office 365 ProPlus applications can load an XML expansion pack manifest file with a Smart Document. |
SV-223295r879628_rule | O365-CO-000013 | CCI-001662 | MEDIUM | The load of controls in Forms3 must be blocked. | This policy setting allows the user to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe for Initialization (SFI) or Unsafe for Initialization (UFI). ActiveX controls are Component Object Model (COM) objec |
SV-223296r879628_rule | O365-CO-000014 | CCI-001662 | MEDIUM | Add-on Management must be enabled for all Office 365 ProPlus programs. | Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become |
SV-223297r879616_rule | O365-CO-000015 | CCI-000803 | MEDIUM | Consistent MIME handling must be enabled for all Office 365 ProPlus programs. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied on to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use o |
SV-223298r879630_rule | O365-CO-000016 | CCI-001170 | MEDIUM | User name and password must be disabled in all Office programs. | The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:[email protected]. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate websi |
SV-223299r879628_rule | O365-CO-000017 | CCI-001662 | MEDIUM | The Information Bar must be enabled in all Office programs. | This policy setting controls whether Office 365 ProPlus applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 appl |
SV-223300r879887_rule | O365-CO-000018 | CCI-000366 | MEDIUM | The Local Machine Zone Lockdown Security must be enabled in all Office programs. | Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicio |
SV-223301r879616_rule | O365-CO-000019 | CCI-000803 | MEDIUM | The MIME Sniffing safety feature must be enabled in all Office programs. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use |
SV-223302r879630_rule | O365-CO-000020 | CCI-001170 | MEDIUM | Navigate URL must be enabled in all Office programs. | To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an |
SV-223303r879616_rule | O365-CO-000021 | CCI-000803 | MEDIUM | Object Caching Protection must be enabled in all Office programs. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms. The use |
SV-223304r879573_rule | O365-CO-000022 | CCI-001695 | MEDIUM | Protection from zone elevation must be enabled in all Office programs. | Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicio |
SV-223305r879859_rule | O365-CO-000023 | CCI-002460 | MEDIUM | ActiveX installation restriction must be enabled in all Office programs. | Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not confi |
SV-223306r879573_rule | O365-CO-000024 | CCI-001695 | MEDIUM | File Download Restriction must be enabled in all Office programs. | Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet |
SV-223307r879630_rule | O365-CO-000025 | CCI-001170 | MEDIUM | The Save from URL feature must be enabled in all Office programs. | Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet se |
SV-223308r879573_rule | O365-CO-000026 | CCI-001695 | MEDIUM | Scripted Windows Security restrictions must be enabled in all Office programs. | Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to: - Cre |
SV-223309r879859_rule | O365-CO-000027 | CCI-002460 | MEDIUM | Flash player activation must be disabled in all Office programs. | This policy setting controls whether the Adobe Flash control can be activated by Office documents. Note that activation blocking applies only within Office processes. If you enable this policy setting, you can choose from three options to control whether |
SV-223310r879630_rule | O365-EX-000001 | CCI-001170 | MEDIUM | Trusted Locations on the network must be disabled in Excel. | This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by selecting |
SV-223311r879587_rule | O365-EX-000002 | CCI-000381 | MEDIUM | VBA Macros not digitally signed must be blocked in Excel. | This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa |
SV-223312r879628_rule | O365-EX-000003 | CCI-001662 | MEDIUM | Dynamic Data Exchange (DDE) server launch in Excel must be blocked. | This policy setting allows you to control whether Dynamic Data Exchange (DDE) server launch is allowed. By default, DDE server launch is turned off, but users can turn on DDE server launch by going to File >> Options >> Trust Center >> Trust Center Setti |
SV-223313r879628_rule | O365-EX-000004 | CCI-001662 | MEDIUM | Dynamic Data Exchange (DDE) server lookup in Excel must be blocked. | This policy setting allows you to control whether Dynamic Data Exchange (DDE) server lookup is allowed. By default, DDE server lookup is turned on, but users can turn off DDE server lookup by going to File >> Options >> Trust Center >> Trust Center Setti |
SV-223314r879628_rule | O365-EX-000005 | CCI-001662 | MEDIUM | Open/save of dBase III / IV format files must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or s |
SV-223315r879628_rule | O365-EX-000006 | CCI-001662 | MEDIUM | Open/save of Dif and Sylk format files must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223316r879628_rule | O365-EX-000007 | CCI-001662 | MEDIUM | Open/save of Excel 2 macrosheets and add-in files must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223317r879628_rule | O365-EX-000008 | CCI-001662 | MEDIUM | Open/save of Excel 2 worksheets must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223318r879628_rule | O365-EX-000009 | CCI-001662 | MEDIUM | Open/save of Excel 3 macrosheets and add-in files must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223319r879628_rule | O365-EX-000010 | CCI-001662 | MEDIUM | Open/save of Excel 3 worksheets must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223320r879628_rule | O365-EX-000011 | CCI-001662 | MEDIUM | Open/save of Excel 4 macrosheets and add-in files must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223321r879628_rule | O365-EX-000012 | CCI-001662 | MEDIUM | Open/save of Excel 4 workbooks must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223322r879628_rule | O365-EX-000013 | CCI-001662 | MEDIUM | Open/save of Excel 4 worksheets must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223323r880337_rule | O365-EX-000014 | CCI-001662 | MEDIUM | Open/save of Excel 95 workbooks must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223324r879628_rule | O365-EX-000015 | CCI-001662 | MEDIUM | Open/save of Excel 95-97 workbooks and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223325r879628_rule | O365-EX-000016 | CCI-001662 | MEDIUM | The default file block behavior must be set to not open blocked files in Excel. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223326r879628_rule | O365-EX-000017 | CCI-001662 | MEDIUM | Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Excel files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sa |
SV-223327r879628_rule | O365-EX-000018 | CCI-001662 | MEDIUM | Extraction options must be blocked when opening corrupt Excel workbooks. | This policy setting controls whether Excel presents users with a list of data extraction options before beginning an Open and Repair operation when users choose to open a corrupt workbook in repair or extract mode. If you enable this policy setting, Exce |
SV-223328r879630_rule | O365-EX-000019 | CCI-001170 | MEDIUM | Updating of links in Excel must be prompted and not automatic. | This policy setting controls whether Excel prompts users to update automatic links, or whether the updates occur in the background with no prompt. If you enable or do not configure this policy setting, Excel will prompt users to update automatic links. I |
SV-223329r879859_rule | O365-EX-000020 | CCI-002460 | MEDIUM | Loading of pictures from Web pages not created in Excel must be disabled. | This policy setting controls whether Excel loads graphics when opening Web pages that were not created in Excel. It configures the "Load pictures from Web pages not created in Excel" option under the File tab >> Options >> Advanced >> General >> Web Optio |
SV-223330r879887_rule | O365-EX-000021 | CCI-000366 | MEDIUM | AutoRepublish in Excel must be disabled. | This policy setting allows administrators to disable the AutoRepublish feature in Excel. If users choose to publish Excel data to a static Web page and enable the AutoRepublish feature, Excel saves a copy of the data to the Web page every time the user sa |
SV-223331r879887_rule | O365-EX-000022 | CCI-000366 | MEDIUM | AutoRepublish warning alert in Excel must be enabled. | This policy setting allows administrators to disable the AutoRepublish feature in Excel. If users choose to publish Excel data to a static Web page and enable the AutoRepublish feature, Excel saves a copy of the data to the Web page every time the user sa |
SV-223332r879887_rule | O365-EX-000023 | CCI-000366 | MEDIUM | File extensions must be enabled to match file types in Excel. | This policy setting controls how Excel loads file types that do not match their extension. Excel can load files with extensions that do not match the files' type. For example, if a comma-separated values (CSV) file named example.csv is renamed example.xls |
SV-223333r904327_rule | O365-EX-000024 | CCI-001170 | MEDIUM | Scan of encrypted macros in Excel Open XML workbooks must be enabled. | This policy setting controls whether encrypted macros in Open XML workbooks are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: encry |
SV-223334r879573_rule | O365-EX-000025 | CCI-001695 | MEDIUM | File validation in Excel must be enabled. | This policy setting allows you to turn off the file validation feature. If you enable this policy setting, file validation will be turned off. If you disable or do not configure this policy setting, file validation will be turned on. Office Binary Document |
SV-223335r879628_rule | O365-EX-000026 | CCI-001662 | MEDIUM | WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications. | This policy setting controls how Excel will warn users when WEBSERVICE functions are present. If you enable this policy setting, you can choose from three options for determining how the specified applications will warn the user about WEBSERVICE function |
SV-223336r879630_rule | O365-EX-000027 | CCI-001170 | MEDIUM | Macros must be blocked from running in Excel files from the Internet. | This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the |
SV-223337r879584_rule | O365-EX-000028 | CCI-001749 | MEDIUM | Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked. | This policy setting controls whether the specified Office 2016 applications notify users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that |
SV-223338r879628_rule | O365-EX-000029 | CCI-001662 | MEDIUM | Untrusted Microsoft Query files must be blocked from opening in Excel. | This policy setting controls whether Microsoft Query files (.iqy, .oqy, .dqy, and .rqy) in an untrusted location are prevented from opening. If you enable this policy setting, Microsoft Query files in an untrusted location are prevented from opening. User |
SV-223339r879628_rule | O365-EX-000030 | CCI-001662 | MEDIUM | Untrusted database files must be opened in Excel in Protected View mode. | This policy setting controls whether database files (.dbf) opened from an untrusted location are always opened in Protected View. If you enable this policy setting, database files opened from an untrusted location are always opened in Protected View. Use |
SV-223340r879628_rule | O365-EX-000031 | CCI-001662 | MEDIUM | Files from Internet zone must be opened in Excel in Protected View mode. | This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure t |
SV-223341r879630_rule | O365-EX-000032 | CCI-001170 | MEDIUM | Files from unsafe locations must be opened in Excel in Protected View mode. | This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not specified unsafe locations, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations |
SV-223342r879630_rule | O365-EX-000033 | CCI-001170 | MEDIUM | Files failing file validation must be opened in Excel in Protected View mode and disallow edits. | This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the fil |
SV-223343r879630_rule | O365-EX-000034 | CCI-001170 | MEDIUM | File attachments from Outlook must be opened in Excel in Protected View mode. | This policy setting allows you to determine if Excel files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If you disable or do not configure this policy setting, Outlo |
SV-223344r879636_rule | O365-LY-000001 | CCI-001184 | MEDIUM | The SIP security mode in Lync must be enabled. | When Lync connects to the server, it supports various authentication mechanisms. This policy allows the user to specify whether Digest and Basic authentication are supported. Disabled (default): NTLM/Kerberos/TLS-DSK/Digest/Basic Enabled: Authentication m |
SV-223345r879636_rule | O365-LY-000002 | CCI-001184 | MEDIUM | The HTTP fallback for SIP connection in Lync must be disabled. | Prevents HTTP from being used for the SIP connection if TLS or TCP fails. |
SV-223346r879892_rule | O365-OU-000001 | CCI-001967 | MEDIUM | The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication. | This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note: Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secure |
SV-223347r879892_rule | O365-OU-000002 | CCI-001967 | MEDIUM | Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. | This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC encryption when communicating with an Exchange server. Note: RPC |
SV-223348r879630_rule | O365-OU-000003 | CCI-001170 | MEDIUM | Scripts associated with public folders must be prevented from execution in Outlook. | This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for public folders. |
SV-223349r879630_rule | O365-OU-000004 | CCI-001170 | MEDIUM | Scripts associated with shared folders must be prevented from execution in Outlook. | This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared folders. |
SV-223350r879887_rule | O365-OU-000005 | CCI-000366 | MEDIUM | Files dragged from an Outlook e-mail to the file system must be created in ANSI format. | This policy setting controls whether e-mail messages dragged from Outlook to the file system are saved in Unicode or ANSI format. |
SV-223351r879887_rule | O365-OU-000006 | CCI-000366 | MEDIUM | Junk email level must be enabled at a setting of High. | This policy setting controls your Junk E-mail protection level. The Junk E-mail Filter in Outlook helps to prevent junk e-mail messages, also known as spam, from cluttering the user's Inbox. The filter evaluates each incoming message based on several factors, |
SV-223352r879630_rule | O365-OU-000007 | CCI-001170 | MEDIUM | ActiveX One-Off forms must only be enabled to load with Outlook Controls. | By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook Recipient and Body controls) are allowed in one-off forms, or so |
SV-223353r879717_rule | O365-OU-000008 | CCI-002235 | MEDIUM | Outlook must be configured to prevent users overriding attachment security settings. | This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting, users will be prevented from overriding the set of attachments blocked by Outlook. Outlook also checks the "Level1Remove" regi |
SV-223354r879887_rule | O365-OU-000009 | CCI-000366 | MEDIUM | Internet must not be included in Safe Zone for picture download in Outlook. | This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook users explicitly choosing to do so. If you enable this policy setting, Outlook will automati |
SV-223355r879887_rule | O365-OU-000010 | CCI-000366 | MEDIUM | The Publish to Global Address List (GAL) button must be disabled in Outlook. | This policy setting controls whether Outlook users can publish e-mail certificates to the Global Address List (GAL). If you enable this policy setting, the "Publish to GAL" button does not display in the "E-mail Security" section of the Trust Center. |
SV-223356r879901_rule | O365-OU-000011 | CCI-002450 | MEDIUM | The minimum encryption key length in Outlook must be at least 168 bits. | This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries t |
SV-223357r879628_rule | O365-OU-000012 | CCI-001662 | MEDIUM | The warning about invalid digital signatures must be enabled to warn Outlook users. | This policy setting controls how Outlook warns users about messages with invalid digital signatures. If you enable this policy setting, you can choose from three options for controlling how Outlook users are warned about invalid signatures: - Let user de |
SV-223358r879897_rule | O365-OU-000013 | CCI-000185 | MEDIUM | Outlook must be configured to always retrieve Certificate Revocation Lists (CRLs) when online. | This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authoriti |
SV-223359r879887_rule | O365-OU-000014 | CCI-000366 | MEDIUM | The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy. | This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you can choose from four options for enforcing Outlook security settings: - Outlook Default Security - This option is the default co |
SV-223360r879628_rule | O365-OU-000015 | CCI-001662 | MEDIUM | The ability to demote attachments from Level 1 to Level 2 must be disabled. | This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allow them to save files to disk and open them from that location. Outlook uses two levels of security to restrict access to files att |
SV-223361r879628_rule | O365-OU-000016 | CCI-001662 | MEDIUM | The display of Level 1 attachments must be disabled in Outlook. | This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can |
SV-223362r879628_rule | O365-OU-000017 | CCI-001662 | MEDIUM | Level 1 file attachments must be blocked from being delivered. | This policy setting controls whether Outlook users can demote attachments to Level 2 by using a registry key, which will allow them to save files to disk and open them from that location. Outlook uses two levels of security to restrict access to files att |
SV-223363r879628_rule | O365-OU-000018 | CCI-001662 | MEDIUM | Level 2 file attachments must be blocked from being delivered. | This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can open them. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open t |
SV-223364r879630_rule | O365-OU-000019 | CCI-001170 | MEDIUM | Outlook must be configured to not run scripts in forms in which the script and the layout are contained within the message. | This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message. If you enable this policy setting, scripts can run in one-off Outlook forms. If you disable or do not configure this pol |
SV-223365r879859_rule | O365-OU-000020 | CCI-002460 | MEDIUM | When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it. | This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to me | ||||
SV-223366r879859_rule | O365-OU-000021 | CCI-002460 | MEDIUM | When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it. | This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attemp | ||||
SV-223367r879859_rule | O365-OU-000022 | CCI-002460 | MEDIUM | When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it. | This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field. If you enable this policy setting, you can choose from four different option | ||||
SV-223368r879859_rule | O365-OU-000023 | CCI-002460 | MEDIUM | When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it. | This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically save an item. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to | ||||
SV-223369r879859_rule | O365-OU-000024 | CCI-002460 | MEDIUM | When an untrusted program attempts to gain access to a recipient field, such as the To: field, using the Outlook object model, Outlook must automatically deny it. | This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the "To:" field, using the Outlook object model. If you enable this policy setting, you can choose from four different options whe | ||||
SV-223370r879859_rule | O365-OU-000025 | CCI-002460 | MEDIUM | When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it. | This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request. If you enable this policy setting, you can choose from four different options | ||||
SV-223371r879859_rule | O365-OU-000026 | CCI-002460 | MEDIUM | When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it. | This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts | ||||
SV-223372r879887_rule | O365-OU-000027 | CCI-000366 | MEDIUM | Outlook must be configured to not allow hyperlinks in suspected phishing messages. | This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable this policy setting, Outlook will allow hyperlinks in suspected phishing messages that are not also classified as junk e-mail. If y | ||||
SV-223373r879628_rule | O365-OU-000028 | CCI-001662 | MEDIUM | The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned. | This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose from four options for handling macros in Outlook: - Always warn. This option corresponds to the "Warnings for all macros" option in | ||||
SV-223374r879630_rule | O365-PR-000001 | CCI-001170 | MEDIUM | Trusted Locations on the network must be disabled in Project. | This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking t | ||||
SV-223375r879584_rule | O365-PR-000002 | CCI-001749 | MEDIUM | Project must automatically disable unsigned add-ins without informing users. | This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli | ||||
SV-223376r879587_rule | O365-PR-000003 | CCI-000381 | MEDIUM | VBA Macros not digitally signed must be blocked in Project. | This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa | ||||
SV-223377r879587_rule | O365-PT-000001 | CCI-000381 | MEDIUM | VBA Macros not digitally signed must be blocked in PowerPoint. | This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa | ||||
SV-223378r879630_rule | O365-PT-000002 | CCI-001170 | MEDIUM | The ability to run programs from PowerPoint must be disabled. | This policy setting controls the prompting and activation behavior for the "Run Programs" option for action buttons in PowerPoint. If you enable this policy setting, you can choose from three options to control how the "Run Programs" option functions: - | ||||
SV-223379r879628_rule | O365-PT-000003 | CCI-001662 | MEDIUM | Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save PowerPoint files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, | ||||
SV-223380r879628_rule | O365-PT-000004 | CCI-001662 | MEDIUM | The default file block behavior must be set to not open blocked files in PowerPoint. | This policy setting allows you to determine if users can open, view, or edit PowerPoint files. If you enable this policy setting, you can set one of these options: - Blocked files are not opened. - Blocked files open in Protected View and cannot be edited. - Bl | ||||
SV-223381r879630_rule | O365-PT-000005 | CCI-001170 | MEDIUM | Encrypted macros in PowerPoint Open XML presentations must be scanned. | This policy setting controls whether encrypted macros in Open XML presentations are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: Encr | ||||
SV-223382r879630_rule | O365-PT-000006 | CCI-001170 | MEDIUM | File validation in PowerPoint must be enabled. | This policy setting allows you to turn off the file validation feature. If you enable this policy setting, file validation will be turned off. If you disable or do not configure this policy setting, file validation will be turned on. Office Binary Documen | ||||
SV-223383r879630_rule | O365-PT-000007 | CCI-001170 | MEDIUM | Macros from the Internet must be blocked from running in PowerPoint. | This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if "Enable all macros" is selected in the Macro Settings section of the Trust | ||||
SV-223384r879584_rule | O365-PT-000008 | CCI-001749 | MEDIUM | Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user. | This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli | ||||
SV-223385r879628_rule | O365-PT-000009 | CCI-001662 | MEDIUM | Files downloaded from the Internet must be opened in Protected view in PowerPoint. | This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure thi | ||||
SV-223386r879628_rule | O365-PT-000010 | CCI-001662 | MEDIUM | PowerPoint attachments opened from Outlook must be in Protected View. | This policy setting allows you to determine whether PowerPoint files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If you disable or do not configure this policy setting, Out | ||||
SV-223387r879628_rule | O365-PT-000011 | CCI-001662 | MEDIUM | Files in unsafe locations must be opened in Protected view in PowerPoint. | This policy setting determines whether files located in unsafe locations will open in Protected View. If unsafe locations have not been specified, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations. | ||||
SV-223388r879630_rule | O365-PT-000012 | CCI-001170 | MEDIUM | If file validation fails, files must be opened in Protected view in PowerPoint with ability to edit disabled. | This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the file | ||||
SV-223389r879630_rule | O365-PT-000013 | CCI-001170 | MEDIUM | The use of network locations must be ignored in PowerPoint. | This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking th | ||||
SV-223390r879628_rule | O365-PU-000001 | CCI-001662 | MEDIUM | Publisher must be configured to prompt the user when another application programmatically opens a macro. | This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli | ||||
SV-223391r879584_rule | O365-PU-000002 | CCI-001749 | MEDIUM | Publisher must automatically disable unsigned add-ins without informing users. | This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli | ||||
SV-223392r879584_rule | O365-PU-000003 | CCI-001749 | MEDIUM | Publisher must disable all unsigned VBA macros. | This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa | ||||
SV-223393r879587_rule | O365-VI-000001 | CCI-000381 | MEDIUM | VBA Macros not digitally signed must be blocked in Visio. | This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa | ||||
SV-223394r879630_rule | O365-VI-000002 | CCI-001170 | MEDIUM | Trusted Locations on the network must be disabled in Visio. | This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking t | ||||
SV-223395r879584_rule | O365-VI-000003 | CCI-001749 | MEDIUM | Visio must automatically disable unsigned add-ins without informing users. | This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli | ||||
SV-223396r879628_rule | O365-VI-000004 | CCI-001662 | MEDIUM | Visio 2000-2002 Binary Drawings, Templates and Stencils must be blocked. | This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options th | ||||
SV-223397r879628_rule | O365-VI-000005 | CCI-001662 | MEDIUM | Visio 2003-2010 Binary Drawings, Templates and Stencils must be blocked. | This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options th | ||||
SV-223398r879628_rule | O365-VI-000006 | CCI-001662 | MEDIUM | Visio 5.0 or earlier Binary Drawings, Templates and Stencils must be blocked. | This policy setting allows you to determine whether users can open or save Visio files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open or save files. The options th | ||||
SV-223399r879630_rule | O365-VI-000007 | CCI-001170 | MEDIUM | Macros must be blocked from running in Visio files from the Internet. | This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if “Enable all macros” is selected in the Macro Settings section of the | ||||
SV-223400r879584_rule | O365-WD-000001 | CCI-001749 | MEDIUM | Word must automatically disable unsigned add-ins without informing users. | This policy setting controls whether the specified Office application notifies users when unsigned application add-ins are loaded or silently disable such add-ins without notification. This policy setting only applies if you enable the "Require that appli | ||||
SV-223401r879630_rule | O365-WD-000002 | CCI-001170 | MEDIUM | In Word, encrypted macros must be scanned. | This policy setting controls whether encrypted macros in Open XML documents are required to be scanned with anti-virus software before being opened. If you enable this policy setting, you may choose one of these options: - Scan encrypted macros: encry | ||||
SV-223402r879628_rule | O365-WD-000003 | CCI-001662 | MEDIUM | Files downloaded from the Internet must be opened in Protected view in Word. | This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable this policy setting, files downloaded from the Internet zone do not open in Protected View. If you disable or do not configure t | ||||
SV-223403r879628_rule | O365-WD-000004 | CCI-001662 | MEDIUM | Files located in unsafe locations must be opened in Protected view in Word. | This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not specified unsafe locations, only the "Downloaded Program Files" and "Temporary Internet Files" folders are considered unsafe locations | ||||
SV-223404r879628_rule | O365-WD-000005 | CCI-001662 | MEDIUM | If file validation fails, files must be opened in Protected view in Word with ability to edit disabled. | This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting, you can configure the following options for files that fail file validation: - Block files completely. Users cannot open the fil | ||||
SV-223405r879628_rule | O365-WD-000006 | CCI-001662 | MEDIUM | Word attachments opened from Outlook must be in Protected View. | This policy setting allows you to determine if Word files in Outlook attachments open in Protected View. If you enable this policy setting, Outlook attachments do not open in Protected View. If you disable or do not configure this policy setting, Outloo | ||||
SV-223406r879628_rule | O365-WD-000007 | CCI-001662 | MEDIUM | The default file block behavior must be set to not open blocked files in Word. | This policy setting allows you to determine if users can open, view, or edit Word files. If you enable this policy setting, you can set one of these options: - Blocked files are not opened. - Blocked files open in Protected View and cannot be edited. - B | ||||
SV-223407r879628_rule | O365-WD-000008 | CCI-001662 | MEDIUM | Open/Save of Word 2 and earlier binary documents and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav | ||||
SV-223408r879628_rule | O365-WD-000009 | CCI-001662 | MEDIUM | Open/Save of Word 2000 binary documents and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav | ||||
SV-223409r879628_rule | O365-WD-000010 | CCI-001662 | MEDIUM | Open/Save of Word 2003 binary documents and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav | ||||
SV-223410r879628_rule | O365-WD-000011 | CCI-001662 | MEDIUM | Open/Save of Word 2007 and later binary documents and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav | ||||
SV-223411r879628_rule | O365-WD-000012 | CCI-001662 | MEDIUM | Open/Save of Word 6.0 binary documents and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav | ||||
SV-223412r879628_rule | O365-WD-000013 | CCI-001662 | MEDIUM | Open/Save of Word 95 binary documents and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav | ||||
SV-223413r879628_rule | O365-WD-000014 | CCI-001662 | MEDIUM | Open/Save of Word 97 binary documents and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav | ||||
SV-223414r879628_rule | O365-WD-000015 | CCI-001662 | MEDIUM | Open/Save of Word XP binary documents and templates must be blocked. | This policy setting allows you to determine whether users can open, view, edit, or save Word files with the format specified by the title of this policy setting. If you enable this policy setting, you can specify whether users can open, view, edit, or sav | ||||
SV-223415r879630_rule | O365-WD-000016 | CCI-001170 | MEDIUM | In Word, macros in files from the Internet must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center. | This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this policy setting, macros are blocked from running, even if "Enable all macros" is selected in the Macro Settings section of the Trust | ||||
SV-223416r879630_rule | O365-WD-000017 | CCI-001170 | MEDIUM | Trusted Locations on the network must be disabled in Word. | This policy setting controls whether trusted locations on the network can be used. If you enable this policy setting, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by clicking t | ||||
SV-223417r879587_rule | O365-WD-000018 | CCI-000381 | MEDIUM | VBA Macros not digitally signed must be blocked in Word. | This policy setting controls how the specified applications warn users when Visual Basic for Applications (VBA) macros are present. If you enable this policy setting, you can choose from four options for determining how the specified applications will wa | ||||
SV-223418r879573_rule | O365-WD-000019 | CCI-001695 | MEDIUM | File validation in Word must be enabled. | This policy setting allows the file validation feature to be turned off. If this policy setting is enabled, file validation will be turned off. If this policy setting is disabled or not configured, file validation will be turned on. Office Binary Docume | ||||
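The rules above are all delivered as Group Policy settings, and Office reads them from the per-user policy hive. The script below is an added example, written for this page and not part of the STIG or of any DISA or Microsoft tool, that audits a subset of the Outlook object-model, Word, and PowerPoint rules listed above by reading those registry values directly. The registry value names are the ones the Office 2016+ ADMX templates write as the author understands them; every path/name/value row should be confirmed against the corresponding rule's own check text before the result is treated as authoritative, and rules whose registry location the author was not certain of (for example the Internet Safe Zone and Outlook macro level rules) are deliberately left out.

```powershell
# Added example, not part of the STIG: audit a subset of the Office 365 ProPlus
# rules listed above by reading the Group Policy registry values that the Office
# ADMX templates write under HKCU\Software\Policies\Microsoft\Office\16.0.
# ASSUMPTION: the subpaths and value names below are the author's reading of the
# Office 2016+ ADMX templates; verify each row against the rule's check text.
# Run in the logon session of the user being audited (HKCU is per-user).

$Base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Rows: rule version (from the STIG table), registry subpath, value name, expected DWORD.
$Expected = @(
    # Word. PowerPoint and Visio use the same value names under their own app keys.
    @('O365-WD-000001', 'word\security',                   'notbpromptunsignedaddin',           1),
    @('O365-WD-000001', 'word\security',                   'requireaddinsig',                   1),
    @('O365-WD-000002', 'word\security',                   'wordbypassencryptedmacroscan',      0),
    @('O365-WD-000003', 'word\security\protectedview',     'disableinternetfilesinpv',          0),
    @('O365-WD-000004', 'word\security\protectedview',     'disableunsafelocationsinpv',        0),
    @('O365-WD-000005', 'word\security\filevalidation',    'openinprotectedview',               1),
    @('O365-WD-000005', 'word\security\filevalidation',    'disableeditfrompv',                 1),
    @('O365-WD-000006', 'word\security\protectedview',     'disableattachmentsinpv',            0),
    @('O365-WD-000007', 'word\security\fileblock',         'openinprotectedview',               0),
    @('O365-WD-000016', 'word\security',                   'blockcontentexecutionfrominternet', 1),
    @('O365-WD-000017', 'word\security\trusted locations', 'allownetworklocations',             0),
    @('O365-WD-000018', 'word\security',                   'vbawarnings',                       3),
    @('O365-WD-000019', 'word\security\filevalidation',    'enableonload',                      1),
    # PowerPoint: unsigned VBA macros and macros from the Internet.
    @('O365-PT-000001', 'powerpoint\security',             'vbawarnings',                       3),
    @('O365-PT-000007', 'powerpoint\security',             'blockcontentexecutionfrominternet', 1),
    # Outlook: key length, CRL retrieval, security mode, attachments, forms, and the
    # object-model guards (0 = Automatically deny).
    @('O365-OU-000011', 'outlook\security',     'minenckey',                           168),
    @('O365-OU-000013', 'outlook\security',     'usecrlchasing',                       1),
    @('O365-OU-000014', 'outlook\security',     'adminsecuritymode',                   3),
    @('O365-OU-000015', 'outlook\security',     'allowusertolowerattachments',         0),
    @('O365-OU-000016', 'outlook\security',     'showlevel1attach',                    0),
    @('O365-OU-000019', 'outlook\security',     'enableoneoffformscripts',             0),
    @('O365-OU-000020', 'outlook\security',     'promptoomcustomaction',               0),
    @('O365-OU-000021', 'outlook\security',     'promptoomaddressbookaccess',          0),
    @('O365-OU-000022', 'outlook\security',     'promptoomformulaaccess',              0),
    @('O365-OU-000023', 'outlook\security',     'promptoomsaveas',                     0),
    @('O365-OU-000024', 'outlook\security',     'promptoomaddressinformationaccess',   0),
    @('O365-OU-000025', 'outlook\security',     'promptoommeetingtaskrequestresponse', 0),
    @('O365-OU-000026', 'outlook\security',     'promptoomsend',                       0),
    @('O365-OU-000027', 'outlook\options\mail', 'junkmailenablelinks',                 0)
)

function Test-O365Policy {
    param([object[]]$Row)
    $rule, $sub, $name, $want = $Row
    $path = Join-Path $Base $sub
    $actual = $null
    $props = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $props) { $actual = $props.$name }

    # A missing value means "Not Configured". Office then falls back to its own,
    # less restrictive default, and the STIG requires the policy to be set
    # explicitly, so absence is reported as a finding rather than as compliant.
    if ($null -eq $actual) {
        $status = 'Open (not configured)'
    } elseif ([int]$actual -eq $want) {
        $status = 'NotAFinding'
    } else {
        $status = 'Open'
    }

    [pscustomobject]@{
        Rule = $rule; Path = $path; Name = $name
        Expected = $want; Actual = $actual; Status = $status
    }
}

$results = $Expected | ForEach-Object { Test-O365Policy $_ }
$results | Format-Table -AutoSize
$open = @($results | Where-Object { $_.Status -ne 'NotAFinding' })
"$($open.Count) of $($results.Count) checked settings are open"
```

Two caveats when reading the output. First, the script reports what the user's policy hive currently holds, so run it after a `gpupdate /force` (or at least after the next policy refresh) when validating a new GPO, and do not "fix" findings with `Set-ItemProperty`: values under `Software\Policies` are owned by Group Policy and will be rewritten at the next refresh, so the correction belongs in the GPO. Second, the `HKCU\Software\Policies\Microsoft\Office\16.0` location is where Group Policy and Intune ADMX-backed policies land; in the author's experience settings delivered through Office cloud policy are written under a separate `...\Policies\Microsoft\Cloud\Office\16.0` key instead, and this script would then report them as not configured, so adjust `$Base` to match how your tenant delivers policy.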