Microsoft Office System 2013 STIG

The Microsoft Office System 2013 STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R9

Published: 2019-09-30

Updated At: 2019-11-11 10:45:54

Findings

    Vuln | Rule Version | CCI | Severity | Title | Description (truncated in this listing)
    SV-52728r4_rule | DTOO191 | CCI-002460 | MEDIUM | ActiveX control initialization must be disabled. | ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization
    SV-52745r4_rule | DTOO196 | CCI-000366 | MEDIUM | A mix of policy and user locations for Office Products must be disallowed. | When Microsoft Office files are opened from trusted locations, all the content in the files is enabled and active. Users are not notified about any potential risks that might be contained in the files, such as unsigned macros, ActiveX controls, or links t
    SV-52756r4_rule | DTOO212 | CCI-000366 | MEDIUM | Blogging entries created from inside Office products must be configured for SharePoint only. | The blogging feature in Office products enables users to compose blog entries and post them to their blogs directly from Office, without using any additional software. By default, users can post blog entries to any compatible blogging service provider, in
    SV-52749r4_rule | DTOO200 | CCI-002165 | MEDIUM | Office must be configured to not allow read with browsers. | The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the 2013 Office release to view, but not alter, files with restricted permissions. By default, IRM-enabled files are saved in a format that cannot be viewed
    SV-52723r4_rule | DTOO186 | CCI-001662 | MEDIUM | Trust Bar notifications for Security messages must be enforced. | The Message Bar in Office applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the to
    SV-52754r4_rule | DTOO207 | CCI-002460 | MEDIUM | Document Information panel Beaconing must show UI. | This policy setting controls whether users see a security warning when they open custom Document Information Panels that contain a web beaconing threat. Web beacons can be used to contact an external server when users open forms. Information could be gat
    SV-52721r4_rule | DTOO184 | CCI-000381 | MEDIUM | The Customer Experience Improvement Program for Office must be disabled. | When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsof
    SV-52727r5_rule | DTOO190 | CCI-001199 | MEDIUM | The encryption type for password protected Office 97 thru Office 2003 must be set. | If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password protected. Only users who know the correct password will
    SV-52726r5_rule | DTOO189 | CCI-001199 | MEDIUM | The encryption type for password protected Open XML files must be set. | If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password protected. Only users who know the correct password will
    SV-52719r5_rule | DTOO182 | CCI-000366 | MEDIUM | The Help Improve Proofing Tools feature for Office must be configured. | The "Help Improve Proofing Tools" feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collec
    SV-52731r4_rule | DTOO194 | CCI-002460 | MEDIUM | Hyperlink warnings for Office must be configured for use. | Unsafe hyperlinks are links that might pose a security risk if users click them. Clicking an unsafe link could compromise the security of sensitive information or harm the computer. Links that Office considers unsafe include links to executable files, TIF
    SV-52753r4_rule | DTOO206 | CCI-000366 | MEDIUM | Inclusion of document properties for PDF and XPS output must be disallowed. | If the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs is installed, document properties are saved as metadata when users save or publish files using the PDF or XPS commands in Access 2013, Excel 2013, InfoPath 2013, PowerPoint 2013, and
    SV-52747r4_rule | DTOO198 | CCI-000381 | MEDIUM | The Internet Fax Feature must be disabled. | Excel, PowerPoint, and Word users can use the Internet Fax feature to send documents to fax recipients through an Internet fax service provider. If your organization has policies that govern the time, place, or manner in which faxes are sent, this feature
    SV-52720r5_rule | DTOO183 | CCI-000381 | MEDIUM | The Opt-In Wizard must be disabled. | The Opt-in Wizard displays the first time users run a 2013 Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Pr
    SV-52744r2_rule | DTOO195 | CCI-001199 | MEDIUM | Passwords for secured documents must be enforced. | If 2013 Office users add passwords to documents, other users can be prevented from opening the documents. This capability can provide an extra level of protection to documents already protected by access control lists, or provide a means of securing docum
    SV-52746r4_rule | DTOO197 | CCI-000366 | MEDIUM | Smart Documents use of Manifests in Office must be disallowed. | An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. One or more components that provide the logic needed for a Smart Document are packaged by using an XML expansion pack. These components can include any type o
    SV-52755r4_rule | DTOO208 | CCI-000213 | MEDIUM | Office client polling of SharePoint servers published links must be disabled. | Users of Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications. Administrators configure published links to Office applications during initial deployment, and can add or change links as part of regul
    SV-52750r4_rule | DTOO201 | CCI-002235 | MEDIUM | Connection verification of permissions must be enforced. | Users are not required to connect to the network to verify permissions. If users do not need their licenses confirmed when attempting to open Office documents, they might be able to access documents after their licenses have been revoked. Also, it is not
    SV-52722r4_rule | DTOO185 | CCI-000381 | MEDIUM | Automatic receiving of small updates to improve reliability must be disallowed. | Having access to updates, add-ins, and patches on the Office Online website can help users ensure computers are up to date and equipped with the latest security patches. However, to ensure updates are tested and applied in a consistent manner, many organi
    SV-52730r3_rule | DTOO193 | CCI-001170 | MEDIUM | Automation Security to enforce macro level security in Office documents must be configured. | When a separate program is used to launch Microsoft Office Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked. This functionality could allow an attacker to use automation to ru
    SV-52751r4_rule | DTOO203 | CCI-000366 | MEDIUM | Legacy format signatures must be enabled. | Office applications use the XML-based XMLDSIG format to attach digital signatures to documents, including Office 97-2003 binary documents. XMLDSIG signatures are not recognized by Office 2003 applications or previous versions. If an Office user opens an E
    SV-52729r4_rule | DTOO192 | CCI-001662 | MEDIUM | Load controls in forms3 must be disabled from loading. | ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an Activ
    SV-52714r6_rule | DTOO179 | CCI-001170 | MEDIUM | Documents must be configured to not open as Read Write when browsing. | By default, when an Office 2013 document on a web server is opened using Internet Explorer, the appropriate application opens the file in read-only mode. However, if the default configuration is changed, the document is opened as read/write. Users could p
    SV-52748r3_rule | DTOO199 | CCI-002165 | MEDIUM | Changing permissions on rights managed content for users must be enforced. | This setting controls whether Office 2013 users can change permissions for content that is protected with Information Rights Management (IRM). The Information Rights Management feature of Office 2013 allows individuals and administrators to specify access
    SV-52725r4_rule | DTOO188 | CCI-001199 | MEDIUM | Document metadata for password protected files must be protected. | When an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the
    SV-52724r4_rule | DTOO187 | CCI-002476 | MEDIUM | Rights managed Office Open XML files must be protected. | When Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted. This configuration could allow potentially sensitive information such as the document author an
    SV-52715r4_rule | DTOO180 | CCI-001170 | MEDIUM | Relying on Vector Markup Language (VML) for displaying graphics in browsers must be disallowed. | When saving documents as web pages, Excel, PowerPoint, and Word can save vector-based graphics in Vector Markup Language (VML), which enables Internet Explorer to display them smoothly at any resolution. By default, when saving VML graphics, Office applic
    SV-52752r4_rule | DTOO204 | CCI-000366 | MEDIUM | External Signature Services Menu for Office must be suppressed. | Users can select Add Signature Services (from the Signature Line drop-down menu on the Insert tab of the Ribbon in Excel 2013, PowerPoint 2013, and Word 2013) to see a list of signature service providers on the Microsoft Office website. If an organization
    SV-52758r5_rule | DTOO345 | CCI-000381 | MEDIUM | Online content options must be configured for offline content availability. | The Office 2013 Help system automatically searches MicrosoftOffice.com for content when a computer is connected to the Internet. Users can change this default by clearing the Search Microsoft Office.com for Help content when I'm connected to the Internet
    SV-52757r4_rule | DTOO321 | CCI-002476 | MEDIUM | Encrypt document properties must be configured for OLE documents. | This policy setting allows a document's properties to be encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. Disabling this setting will prevent the encryption of document properties, which
    SV-53190r1_rule | DTOO401 | CCI-001238 | MEDIUM | Office automatic updates must be enabled for Office products installed via Click-to-Run and configured to use a Trusted site. | This policy setting controls whether the Office automatic updates are enabled or disabled for all Office products installed via Click-to-Run. This policy has no effect on Office products installed via Windows Installer. If this policy setting is enabled,
    SV-53191r1_rule | DTOO402 | CCI-000366 | MEDIUM | The Enable Updates and Disable Updates options in the UI must be hidden from users. | This policy setting allows the user interface (UI) options to enable or disable Office automatic updates to be hidden from users. These options are found in the Product Information area of all Office applications installed via Click-to-Run. This policy se
    SV-53192r4_rule | DTOO403 | CCI-000381 | MEDIUM | The video informing a user about signing into Office365 must be disabled. | Office 365 is a subscription-based service which offers access to various Microsoft Office applications. Access to Office 365 will not be permitted; only locally installed and configured Office 2013 installations will be used. Since the ability to sign i
    SV-53193r4_rule | DTOO404 | CCI-000381 | MEDIUM | The first-run prompt to sign into Office365 must be disabled. | Office 365 functionality allows users to provide credentials for accessing Office 365 using either their Microsoft Account, or the user ID assigned by the organization. Access to Office 365 will not be permitted; only locally installed and configured Offi
    SV-53194r4_rule | DTOO405 | CCI-000381 | MEDIUM | The ability to sign into Office365 must be disabled. | Office 2013 can be configured to prompt users for credentials to Office365 using either their Microsoft Account or the user ID assigned by an organization for accessing Office 365. Access to Office 365 will not be permitted and only locally installed and
    SV-53195r4_rule | DTOO406 | CCI-000381 | MEDIUM | The ability to automatically hyperlink screenshots within Word, PowerPoint, Excel and Outlook must be disabled. | The ability to automatically bind hyperlink to a screenshot inserted through the Insert Screenshot tool introduces the possibility of a malicious URL or website being embedded in the Word, PowerPoint, Excel or Outlook document. Disabling the hyperlink in
    SV-53196r6_rule | DTOO407 | CCI-000381 | MEDIUM | The prompt to save to OneDrive (formerly SkyDrive) must be disabled. | OneDrive (formerly SkyDrive) is a cloud based storage feature that introduces the capability for users to save documents to locations outside of protected enclaves. This feature introduces the risk that FOUO and PII data, as well as other DoD protected da
    SV-53207r4_rule | DTOO408 | CCI-000381 | MEDIUM | Office Presentation Service must be removed as an option for presenting PowerPoint and Word online. | The Office Presentation Service is a free, public service that allows others to follow along in a web browser. Allowing this feature could result in presentations with DoD FOUO, PII and other protected data to be viewed in a nonsecure location. By disabl
    SV-53211r4_rule | DTOO409 | CCI-001170 | MEDIUM | The ability to create an online presentation programmatically must be disabled. | Allowing online presentations to be created programmatically allows for the capability of malicious content to become embedded in those programmatically created presentations. (Responsibility: System Administrator; Information Assurance Officer)
    SV-53212r4_rule | DTOO410 | CCI-000366 | MEDIUM | When using the Office Feedback tool, the ability to include a screenshot must be disabled. | The "Office Feedback" tool, also called "Send-a-Smile", allows a user to click on an icon and send feedback to Microsoft. The "Office Feedback" Tool must be configured to be disabled. In the event that the Office Feedback Tool has not been configured corr
    SV-53213r5_rule | DTOO411 | CCI-000381 | MEDIUM | The Office Feedback tool must be disabled. | The "Office Feedback" tool, also called "Send-a-Smile", allows a user to click on an icon and send feedback to Microsoft. Applications used by DoD users should not be able to provide feedback to commercial vendors regarding their positive and negative exp
    SV-53214r5_rule | DTOO412 | CCI-000366 | MEDIUM | The ability to run unsecure Office apps must be disabled. | Unsecure apps for Office, which are apps that have web page or catalog locations that are not SSL-secured (https://), and/or are not in users' Internet zones may allow data to be transmitted/accessed via clear text to outside sources. By configuring this
    SV-53215r5_rule | DTOO413 | CCI-001749 | MEDIUM | Users must be prevented from using or inserting apps that come from the Office Store. | This policy setting allows users to be prevented from using or inserting apps that come from the Office Store. If this policy setting is enabled, apps from the Office Store are blocked. If this policy setting is disabled or not configured, apps from the O
    SV-53216r5_rule | DTOO414 | CCI-000381 | MEDIUM | Roaming settings must be stored locally and not synchronized to the Microsoft Office roaming settings web service. | Microsoft Office includes the ability to roam settings for specific Office features amongst devices by storing this data in the cloud. This data includes user activity such as the list of most recently used documents as well as user preferences such as th
    SV-53217r5_rule | DTOO415 | CCI-000381 | MEDIUM | The ability of the Office Telemetry Agent to periodically upload telemetry data to a shared folder must be disabled. | Office Telemetry is a new compatibility monitoring framework. When an Office document or solution is loaded, used, closed, or raises an error in certain Office 2013 applications, the Office Telemetry application adds a record about the event to a local da
    SV-53218r5_rule | DTOO416 | CCI-000366 | MEDIUM | The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. | This policy setting configures the Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If this policy setting is enabled, Office Telemetry Agent obfuscates the file name, file path, and title of O
    SV-53219r5_rule | DTOO417 | CCI-000381 | MEDIUM | The Office Telemetry Agent and Office applications must be configured to collect telemetry data. | Office Telemetry is a new compatibility monitoring framework. When an Office document or solution is loaded, used, closed, or raises an error in certain Office 2013 applications, the Office Telemetry application adds a record about the event to a local da
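Every rule in this listing is enforced through a Group Policy setting that lands in the HKCU policy hive, and the STIG check text (not reproduced on this page, where descriptions are truncated) verifies the corresponding registry value. The PowerShell below is an added example, not part of the STIG or of DISA's tooling: it audits a subset of the per-user rules above and reports each in the Open / NotAFinding vocabulary the STIG Viewer uses. The registry keys, value names and expected values in the $Checks table are an assumption drawn from the check text of those rules as the author remembers it; confirm each entry against the full STIG before trusting a result. The machine-wide Click-to-Run update rules (DTOO401, DTOO402) are left out because they live under HKLM and depend on a site-specific update path.

```powershell
# Added example (not part of the STIG listing): audit a subset of the Office 2013
# STIG rules above by reading the HKCU policy registry values they are enforced
# through. The rule-to-registry mapping in $Checks is an ASSUMPTION taken from the
# STIG check text, which this listing truncates; confirm each entry against the
# full STIG before relying on the result. Run in the context of the user being
# assessed, because these are per-user (HKCU) policy values.

$Base = 'HKCU:\Software\Policies\Microsoft\Office'

# One entry per rule: STIG ID, registry key, value name, expected value.
$Checks = @(
    @{ Id='DTOO184'; Key="$Base\15.0\Common";              Name='QMEnable';                  Expected=0 }
    @{ Id='DTOO186'; Key="$Base\15.0\Common\TrustCenter";  Name='TrustBar';                  Expected=0 }
    @{ Id='DTOO183'; Key="$Base\15.0\Common\General";      Name='ShownFirstRunOptin';        Expected=1 }
    @{ Id='DTOO191'; Key="$Base\Common\Security";          Name='UFIControls';               Expected=6 }
    @{ Id='DTOO193'; Key="$Base\15.0\Common\Security";     Name='AutomationSecurity';        Expected=3 }
    @{ Id='DTOO194'; Key="$Base\15.0\Common\Security";     Name='DisableHyperlinkWarning';   Expected=0 }
    @{ Id='DTOO189'; Key="$Base\15.0\Common\Security";     Name='OpenXMLEncryption';
       Expected='Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256' }
    @{ Id='DTOO190'; Key="$Base\15.0\Common\Security";     Name='DefaultEncryption12';
       Expected='Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256' }
    @{ Id='DTOO188'; Key="$Base\15.0\Common\Security";     Name='OpenXMLEncryptProperty';    Expected=1 }
    @{ Id='DTOO187'; Key="$Base\15.0\Common\Security";     Name='DRMEncryptProperty';        Expected=1 }
    @{ Id='DTOO405'; Key="$Base\15.0\Common\SignIn";       Name='SignInOptions';             Expected=3 }
    @{ Id='DTOO407'; Key="$Base\15.0\Common\General";      Name='SkyDriveSignInOption';      Expected=0 }
    @{ Id='DTOO410'; Key="$Base\15.0\Common\Feedback";     Name='IncludeScreenshot';         Expected=0 }
    @{ Id='DTOO411'; Key="$Base\15.0\Common\Feedback";     Name='Enabled';                   Expected=0 }
    @{ Id='DTOO412'; Key="$Base\15.0\WEF\TrustedCatalogs"; Name='RequireServerVerification'; Expected=1 }
    @{ Id='DTOO414'; Key="$Base\15.0\Common\Roaming";      Name='RoamingSettingsDisabled';   Expected=1 }
)

function Test-OfficeStigRule {
    param([hashtable]$Check)

    # A missing key or value means the policy is "Not Configured". For every rule
    # in this table that is a finding, because the Office default is the
    # behaviour the rule exists to turn off.
    $actual = $null
    if (Test-Path -LiteralPath $Check.Key) {
        $props = Get-ItemProperty -LiteralPath $Check.Key -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $Check.Name)) {
            $actual = $props.($Check.Name)
        }
    }

    if ($null -eq $actual) {
        $status = 'Open'
        $detail = 'value not present (policy not configured)'
    } else {
        # Compare as strings so REG_DWORD and REG_SZ expectations use one path;
        # -ieq makes the provider-name string comparison case-insensitive.
        $status = if ([string]$actual -ieq [string]$Check.Expected) { 'NotAFinding' } else { 'Open' }
        $detail = "actual='$actual'"
    }

    [pscustomobject]@{
        RuleId   = $Check.Id
        Key      = $Check.Key
        Name     = $Check.Name
        Expected = $Check.Expected
        Status   = $status
        Detail   = $detail
    }
}

$results = @($Checks | ForEach-Object { Test-OfficeStigRule -Check $_ })
$results | Format-Table RuleId, Name, Expected, Status, Detail -AutoSize

# Summary in the same vocabulary the STIG Viewer uses.
$open = @($results | Where-Object { $_.Status -eq 'Open' }).Count
Write-Host ("{0} rules checked, {1} Open, {2} NotAFinding" -f $results.Count, $open, ($results.Count - $open))
```

Treating an absent value as Open rather than Not Reviewed is the deliberate choice here: each of these rules requires the policy to be explicitly set, so "Not Configured" is exactly the state the rule exists to catch. The results are objects, so piping $results to Export-Csv gives something that can be pasted into the Finding Details column of a checklist.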