Microsoft Access 2007

U_MicrosoftAccess2007_V4R10_Manual-xccdf.xml

Details

Version / Release: V4R10

Published: 2014-01-07

Updated At: 2018-09-23 04:08:48

Actions

Download

Filter

Vuln Rule Version CCI Severity Title Description
SV-19429r1_rule DTOO104 - Access MEDIUM Disable user name and password syntax from being used in URLs The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:[email protected] A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the URL http://[email protected] appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk. System AdministratorInformation Assurance OfficerECSC-1
SV-18190r1_rule DTOO111 - Access MEDIUM Bind to Object - Access Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load. System AdministratorInformation Assurance OfficerECSC-1
SV-18205r1_rule DTOO117 - Access MEDIUM Saved from URL - Access Typically, when Internet Explorer loads a Web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.System AdministratorInformation Assurance OfficerECSC-1
SV-18603r1_rule DTOO123 - Access MEDIUM Block navigation to URL embedded in Office products to protect against attack by malformed URL. To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.System AdministratorInformation Assurance OfficerECSC-1
SV-18215r1_rule DTOO129 - Access MEDIUM No pop-ups - Access The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.System AdministratorInformation Assurance OfficerECSC-1
SV-18219r1_rule DTOO131 - Access MEDIUM Disable Trust Bar Notification for unsigned application add-ins - Access By default, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.System AdministratorInformation Assurance OfficerECSC-1
SV-18358r1_rule DTOO134 - Access MEDIUM Allow Trusted Locations not on the computer - Access By default, files located in trusted locations and specified in the Trust Center are assumed to be safe. Content, code, and add-ins are allowed to load from trusted locations with minimal security and without prompting the user for permission. By default, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by selecting the Allow Trusted Locations on my network (not recommended) check box in the Trusted Locations section of the Trust Center. If a dangerous file is opened from a trusted location, it will not be subject to typical security measures and could affect users' computers or data. System AdministratorInformation Assurance OfficerECSC-1
SV-18637r1_rule DTOO304 - Access MEDIUM Enable Warning Bar settings for VBA macros contained in Access Files. By default, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking Options on the Trust Bar and selecting the appropriate action. If users enable dangerous macros, it could affect their computers or cause sensitive information to be compromised. System AdministratorInformation Assurance OfficerECSC-1
SV-18706r1_rule DTOO136 - Access MEDIUM Set the default saved file format for Access. By default, when users create new database files, Access 2007 saves them in the new Access 2007 format. Users can change this functionality by clicking the Office button, clicking Access Options, and then selecting a file format from the Default file format list. If a new database is created in an inappropriate format, some users might be unable to open or use it. System AdministratorInformation Assurance OfficerECSC-1
SV-18733r1_rule DTOO137 - Access MEDIUM Do not Prompt to convert when opening older databases - Access. By default, when users open databases that were created in the Access 97 file format, Access 2007 prompts them to convert the database to a newer file format. Users can choose to convert the database or leave it in the older format. If this configuration is changed, Access will leave Access 97-format databases unchanged. Access informs the user that the database is in the older format, but does not provide the user with an option to convert the database. Some features introduced in more recent versions of Access will not be available, and the user will not be able to make any design changes to the database. System AdministratorInformation Assurance OfficerECSC-1
SV-18952r1_rule DTOO135 - Access MEDIUM Enable Modal Trust Decision Only - Access By default, when users open an untrusted Access 2007 database that contains user-programmed executable components, Access opens the database with the components disabled and displays the Message Bar with a warning that database content has been disabled. Users can inspect the contents of the database, but cannot use any disabled functionality until they enable it by clicking Options on the Message Bar and selecting the appropriate action. The default configuration can be changed so that users see a dialog box when they open an untrusted database with executable components. Users must then choose whether to enable or disable the components before working with the database. In these circumstances users frequently enable the components, even if they do not require them. Executable components can be used to launch an attack against a computer environment. System AdministratorInformation Assurance OfficerECSC-1
SV-19046r1_rule DTOO130 - Access MEDIUM Enable the feature to underline hyperlinks in Access. By default, Access 2007 underlines hyperlinks that appear in tables, queries, forms, and reports. If this configuration is changed, users might click on dangerous hyperlinks without realizing it, which could pose a security riskSystem AdministratorInformation Assurance OfficerECSC-1