Microsoft Office System 2010 STIG

Settings in this guidance assume a complete installation of Microsoft Office 2010 on the Windows 7 Platform. Registry paths and values identified in each control assume the use of Group Policy Administrative Templates. Installations not using Group Policies to administer Microsoft Office products may observe alternate registry paths for stored configuration values. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]


Version / Release: V1R12

Published: 2018-04-04

Updated At: 2018-09-23 19:14:35


Vuln | Rule Version | CCI | Severity | Title | Description
SV-33453r1_rule | DTOO191 - Office System | CCI-002460 | MEDIUM | ActiveX control initialization must be disabled. | ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization
SV-33470r1_rule | DTOO196 - Office System | CCI-000366 | MEDIUM | A mix of policy and user locations for Office Products must be disallowed. | When Microsoft Office files are opened from trusted locations, all the content in the files is enabled and active. Users are not notified about any potential risks that might be contained in the files, such as unsigned macros, ActiveX controls, or links t
SV-33464r1_rule | DTOO212 - Office System | CCI-000366 | MEDIUM | Blogging entries created from inside Office products must be configured for SharePoint only. | The blogging feature in Office products enables users to compose blog entries and post them to their blogs directly from Office, without using any additional software. By default, users can post blog entries to any compatible blogging service provider, in
SV-33459r1_rule | DTOO200 - Office System | CCI-002165 | MEDIUM | Office must be configured to not allow read with browsers. | The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the 2010 Office release to view, but not alter, files with restricted permissions. By default, IRM-enabled files are saved in a format that cannot be viewed
SV-33476r1_rule | DTOO177 - Office System | CCI-001749 | MEDIUM | Access to updates, add-ins, and patches on must be disabled. | Having access to updates, add-ins, and patches on the Office Online Web site can help users ensure computers are up to date and equipped with the latest security patches. However, to ensure updates are tested and applied in a consistent manner, many organ
SV-33455r1_rule | DTOO186 - Office System | CCI-001662 | MEDIUM | Trust Bar notifications for Security messages must be enforced. | The Message Bar in Office applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the to
SV-33458r1_rule | DTOO207 - Office System | CCI-002460 | MEDIUM | Document Information Panel Beaconing must show UI. | For controlling whether users see a security warning when they open custom Document Information Panels that contain a Web beaconing threat. Web beacons can be used to contact an external server when users open forms. Information could be gathered by the
SV-33452r1_rule | DTOO184 - Office System | CCI-000381 | MEDIUM | The Customer Experience Improvement Program for Office must be disabled. | When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsof
SV-33457r2_rule | DTOO190 - Office System | CCI-001199 | MEDIUM | The encryption type for password protected Office 97 thru Office 2003 must be set. | If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password protected. Only users who know the correct password will
SV-33465r3_rule | DTOO189 - Office System | CCI-001199 | MEDIUM | The encryption type for password protected Open XML files must be set. | If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Office application files can be encrypted and password protected. Only users who know the correct password will be able to
SV-33481r1_rule | DTOO182 - Office System | CCI-000366 | MEDIUM | The Help Improve Proofing Tools feature for Office must be configured. | The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collecti
SV-33469r1_rule | DTOO194 - Office System | CCI-002460 | MEDIUM | Hyperlink warnings for Office must be configured for use. | Unsafe hyperlinks are links that might pose a security risk if users click them. Clicking an unsafe link could compromise the security of sensitive information or harm the computer. Links that Office considers unsafe include links to executable files, TIF
SV-33463r1_rule | DTOO206 - Office System | CCI-000366 | MEDIUM | Inclusion of document properties for PDF and XPS output must be disallowed. | If the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs add-in is installed, document properties are saved as metadata when users save files using the PDF or XPS or Publish as PDF or XPS commands in Access 2010, Excel 2010, InfoPath 2010,
SV-33472r1_rule | DTOO198 - Office System | CCI-000381 | MEDIUM | The Internet Fax Feature must be disabled. | Excel, PowerPoint, and Word users can use the Internet Fax feature to send documents to fax recipients through an Internet fax service provider. If your organization has policies that govern the time, place, or manner in which faxes are sent, this feature
SV-33461r1_rule | DTOO202 - Office System | CCI-000381 | MEDIUM | Microsoft Passport Service for content must be disallowed. | This controls whether users can open protected content created with a Windows Live ID (formerly Microsoft .NET Passport) authenticated account. If your organization has policies that govern access to external services such as Windows Live ID, this capab
SV-33931r1_rule | DTOO183 - Office System | CCI-000381 | MEDIUM | The Opt-In Wizard must be disabled. | The Opt-in Wizard displays the first time users run a 2010 Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement
SV-33456r1_rule | DTOO195 - Office System | CCI-001199 | MEDIUM | Passwords for secured documents must be enforced. | If 2010 Office users add passwords to documents, other users can be prevented from opening the documents. This capability can provide an extra level of protection to documents already protected by access control lists, or provide a means of securing docum
SV-33475r1_rule | DTOO197 - Office System | CCI-000366 | MEDIUM | Smart Documents use of Manifests in Office must be disallowed. | An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. You package one or more components that provide the logic needed for a Smart Document by using an XML expansion pack. These components can include any type of
SV-33471r1_rule | DTOO208 - Office System | CCI-000213 | MEDIUM | Office client polling of SharePoint servers published links must be disabled. | Users of Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications. Administrators configure published links to Office applications during initial deployment, and can add or change links as part of regul
SV-33460r1_rule | DTOO201 - Office System | CCI-002235 | MEDIUM | Connection verification of permissions must be enforced. | Users are not required to connect to the network to verify permissions. If users do not need their licenses confirmed when attempting to open Office documents, they might be able to access documents after their licenses have been revoked. Also, it is not
SV-33451r1_rule | DTOO185 - Office System | CCI-000381 | MEDIUM | Automatic receiving of small updates to improve reliability must be disallowed. | Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and t
SV-33454r1_rule | DTOO193 - Office System | CCI-001170 | MEDIUM | Automation Security to enforce macro level security in Office documents must be configured. | When a separate program is used to launch Microsoft Office Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked. This functionality could allow an attacker to use automation to ru
SV-33473r1_rule | DTOO203 - Office System | CCI-000366 | MEDIUM | Legacy format signatures must be enabled. | Office applications use the XML-based XMLDSIG format to attach digital signatures to documents, including Office 97-2003 binary documents. XMLDSIG signatures are not recognized by Office 2003 applications or previous versions. If an Office user opens an
SV-33466r1_rule | DTOO192 - Office System | CCI-001662 | MEDIUM | Load controls in forms3 must be disabled from loading. | ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an Activ
SV-33480r1_rule | DTOO179 - Office System | CCI-001170 | MEDIUM | Documents must be configured to not open as Read Write when browsing. | Office document on a Web server using Internet Explorer, the appropriate application opens the file in read-only mode. However, if the default configuration is changed, the document is opened as read/write. Users could potentially make changes to document
SV-33462r1_rule | DTOO199 - Office System | CCI-002165 | MEDIUM | Changing permissions on rights managed content for users must be enforced. | This setting controls whether Office 2010 users can change permissions for content that is protected with Information Rights Management (IRM). The Information Rights Management feature of Office 2010 allows individuals and administrators to specify acce
SV-33477r1_rule | DTOO178 - Office System | CCI-000366 | MEDIUM | Upload of document templates to Office Online must be prevented. | Office users can share Excel, PowerPoint, and Word templates they create with other Microsoft Office users around the world by uploading them to the community area of the Microsoft Office Online Web site. If your organization has policies that govern the
SV-33467r1_rule | DTOO188 - Office System | CCI-001199 | MEDIUM | Document metadata for password protected files must be protected. | When an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the
SV-33468r1_rule | DTOO187 - Office System | CCI-002476 | MEDIUM | Rights managed Office Open XML files must be protected. | When Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted. This configuration could allow potentially sensitive information such as the document author an
SV-33479r1_rule | DTOO180 - Office System | CCI-001170 | MEDIUM | Vector Markup Language (VML) for displaying graphics in browsers must be disallowed. | When saving documents as Web pages, Excel, PowerPoint, and Word can save vector-based graphics in Vector Markup Language (VML), which enables Internet Explorer to display them smoothly at any resolution. By default, when saving VML graphics, Office appl
SV-33474r1_rule | DTOO204 - Office System | CCI-000366 | MEDIUM | External Signature Services Menu for Office must be suppressed. | Users can select Add Signature Services (from the Signature Line drop-down menu on the Insert tab of the Ribbon in Excel 2010, PowerPoint 2010, and Word 2010) to see a list of signature service providers on the Microsoft Office Web site. If your organizat
SV-34082r1_rule | DTOO306 - Office System | CCI-000381 | MEDIUM | Hyperlinks to web templates in File | New and task panes must be disabled. | This setting controls whether users can follow hyperlinks to templates on from within Office 2010 applications. (Responsibility: System Administrator, Information Assurance Officer)
SV-34083r1_rule | DTOO307 - Office System | CCI-000381 | MEDIUM | Office Live Workspace Integration must be off. | This setting controls the exposing of entry points for Office Live Workspace Integration features. (Responsibility: System Administrator, Information Assurance Officer)
SV-34085r1_rule | DTOO311 - Office System | CCI-000366 | MEDIUM | Key Usage Filtering must be allowed. | This policy setting allows you to filter a list of digital certificates for signing Excel, PowerPoint, and Word documents, based on the Key Usage field. The Key Usage field in a certificate is used to represent a series of basic constraints about the broa
SV-34086r1_rule | DTOO345 - Office System | CCI-000381 | MEDIUM | Online content options must be configured for offline content availability. | The Office 2010 Help system automatically searches Microsoft for content when a computer is connected to the Internet. Users can change this default by clearing the Search Microsoft for Help content when I'm connected to the Interne
SV-34087r1_rule | DTOO312 - Office System | CCI-001170 | MEDIUM | Customer-submitted templates downloads from must be disallowed. | This policy setting controls whether Office 2010 users can download templates from the community area of by clicking New on the Microsoft Office menu. If you enable this policy setting, Office 2010 users cannot download customer-submitted templ
SV-34089r1_rule | DTOO321 - Office System | CCI-002476 | MEDIUM | Encrypt document properties must be configured for OLE documents. | This policy setting allows you to configure whether the document properties are encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. Disabling this setting will prevent the encryption of document pr