Microsoft Office System 2016 Security Technical Implementation Guide

The Microsoft Office System 2016 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2016-11-02

Updated At: 2019-03-19 22:47:01

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-85479r1_rule DTOO182 CCI-000366 MEDIUM The Help Improve Proofing Tools feature for Office must be configured. This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to
    SV-85483r1_rule DTOO186 CCI-001662 MEDIUM Trust Bar notifications for Security messages must be enforced. This policy setting controls whether Office 2016 applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 application
    SV-85485r1_rule DTOO187 CCI-002476 MEDIUM Rights managed Office Open XML files must be protected. This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint, and Word encrypt metadata stored in rights-managed Offic
    SV-85487r1_rule DTOO188 CCI-001199 MEDIUM Document metadata for password protected files must be protected. This policy setting determines whether metadata is encrypted when an Office Open XML file is password protected. If you enable this policy setting, Excel 2016, PowerPoint 2016, and Word 2016 encrypt metadata stored in password-protected Office Open XML fi
    SV-85489r1_rule DTOO189 CCI-001199 MEDIUM The encryption type for password protected Open XML files must be set. This policy setting allows you to specify an encryption type for Office Open XML files. If you enable this policy setting, you can specify the type of encryption that Office applications use to encrypt password-protected files in the Office Open XML file
    SV-85491r1_rule DTOO190 CCI-001199 MEDIUM The encryption type for password protected Office 97 thru Office 2003 must be set. This policy setting enables you to specify an encryption type for password-protected Office 97-2003 files. If you enable this policy setting, you can specify the type of encryption that Office applications will use to encrypt password-protected files in t
    SV-85493r1_rule DTOO191 CCI-002460 MEDIUM ActiveX control initialization must be disabled. This policy setting specifies the Microsoft ActiveX« initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control
    SV-85495r1_rule DTOO192 CCI-001662 MEDIUM Load controls in forms3 must be disabled from loading. This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and
    SV-85497r1_rule DTOO193 CCI-001170 MEDIUM Automation Security to enforce macro level security in Office documents must be configured. This policy setting controls whether macros can run in an Office 2016 application that is opened programmatically by another application. If you enable this policy setting, you can choose from three options for controlling macro behavior in Excel, PowerPo
    SV-85499r1_rule DTOO196 CCI-000366 MEDIUM A mix of policy and user locations for Office Products must be disallowed. This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enable this policy setting, users can specify any location as a
    SV-85501r1_rule DTOO197 CCI-000366 MEDIUM Smart Documents use of Manifests in Office must be disallowed. This policy setting controls whether Office 2016 applications can load an XML expansion pack manifest file with a Smart Document. An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. You package one or more comp
    SV-85505r1_rule DTOO201 CCI-002235 MEDIUM Connection verification of permissions must be enforced. This policy setting controls whether users are required to connect to the Internet or a local network to have their licenses confirmed every time they attempt to open Excel workbooks, InfoPath forms or templates, Outlook e-mail messages, PowerPoint presen
    SV-85507r1_rule DTOO206 CCI-000366 MEDIUM Inclusion of document properties for PDF and XPS output must be disallowed. This policy setting controls whether document metadata can be saved in PDF and XPS documents. If you enable this policy setting, document properties metadata is not exported to PDF and XPS files. If you disable this policy setting, document properties met
    SV-85509r1_rule DTOO321 CCI-002476 MEDIUM Encrypt document properties must be configured for OLE documents. This policy setting allows you configure if the document properties are encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. If you enable this policy setting, the document properties will be
    SV-85513r1_rule DTOO408 CCI-000381 MEDIUM Office Presentation Service must be removed as an option for presenting PowerPoint and Word online. This policy setting allows you to remove Office Presentation Service from the list of online presentation services in PowerPoint and Word. This list appears when a user selects Present Online from the Share tab in Backstage view and in the ribbon in Power
    SV-85515r1_rule DTOO409 CCI-001170 MEDIUM The ability to create an online presentation programmatically must be disabled. This policy setting allows you to restrict the ability to create an online presentation programmatically in PowerPoint and Word. If you enable this policy setting, an online presentation cannot be created programmatically. If you disable or do not configu
    SV-85517r1_rule DTOO410 CCI-000366 MEDIUM When using the Office Feedback tool, the ability to include a screenshot must be disabled. This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their
    SV-85519r1_rule DTOO412 CCI-000366 MEDIUM The ability to run unsecure Office web add-ins and Catalogs must be disabled. This policy setting allows users to run unsecure web add-in, which are add-ins that have web page or catalog locations that are not SSL-secured (https://), and are not in users' Internet zones. If you enable this policy setting, users can run unsecure app
    SV-85521r1_rule DTOO416 CCI-000366 MEDIUM The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. This policy setting configures Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If you enable this policy setting, Office Telemetry Agent obfuscates the file name, file path, and title of Offic
    SV-85523r1_rule DTOO601 CCI-000366 MEDIUM The ability to send personal information to Office must be disabled. This policy setting controls whether users can send personal information to Office. When users choose to send information Office 2016 applications automatically send information to Office. If you enable this policy setting, users will opt into sending per