Office System 2007 V4R10

b

ActiveX control initialization method to ensure save behavior.

Medium - V-17547 - SV-18643r2_rule

RMF Control

Severity

M

CCI

Version

DTOO191 - Office

Vuln IDs

V-17547

Rule IDs

SV-18643r2_rule

ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer—or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. By default, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18858r3_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “ActiveX Control Initialization” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Security Criteria: If the value UFIControls exists, this is a finding.

Fix: F-17469r3_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “ActiveX Control Initialization” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Do not allow a mix of policy and user locations for Office Products.

Medium - V-17560 - SV-18659r1_rule

RMF Control

Severity

M

CCI

Version

DTOO196 - Office

Vuln IDs

V-17560

Rule IDs

SV-18659r1_rule

When Microsoft Office Access™ 2007, Excel® 2007, PowerPoint® 2007, and Word 2007 files are opened from trusted locations, all the content in the files is enabled and active. Users are not notified about any potential risks that might be contained in the files, such as unsigned macros, ActiveX controls, or links to content on the Internet. By default, users can specify any location as a trusted location, and a computer can have a combination of user-created, OCT-created, and Group Policy–created trusted locations.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18861r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings -> Trust Center “Allow mix of policy and user locations” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations Criteria: If the value Allow User Locations is REG_DWORD = 0, this is not a finding.

Fix: F-17477r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings -> Trust Center “Allow mix of policy and user locations” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

a

Do not allow choice of output to include PNG (Portable Network Graphics)

CM-6 - Low - CCI-000366 - V-17561 - SV-18661r1_rule

RMF Control

CM-6

Severity

L

CCI

CCI-000366

Version

DTOO181 - Office

Vuln IDs

V-17561

Rule IDs

SV-18661r1_rule

Excel 2007, PowerPoint 2007, and Word 2007 can save graphic files in Portable Network Graphics (PNG) format to improve the quality of the graphics when documents are saved as Web pages. The PNG graphic file format (.png) is used for a wide range of graphics, from small images (such as bullets and banners) to complex images (such as photographs), and can offer better image fidelity and smaller file sizes than some other formats. However, PNG graphics cannot be displayed by many earlier Web browsers, such as Microsoft Internet Explorer® version 5 or earlier. By default, Office applications do not save graphics in the PNG format. To change this functionality, users can open the application's Options dialog box, click Advanced, click Web Options, and then select the Allow PNG as a graphics format check box. This setting can be used to guard against theoretical future zero-day attacks that might target PNG files. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18862r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Browsers “Allow PNG as an output format” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Internet Criteria: If the value AllowPNG is REG_DWORD = 0, this is not a finding.

Fix: F-17478r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Browsers “Allow PNG as an output format” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Block Office from receiving updates from the Office Update Site.

Medium - V-17565 - SV-18669r1_rule

RMF Control

Severity

M

CCI

Version

DTOO213 - Office 2007

Vuln IDs

V-17565

Rule IDs

SV-18669r1_rule

Obtaining updates from the Office Update site allows users to ensure that their 2007 Microsoft Office installation is kept up to date. However, in many situations administrators will want users to obtain their updates from a local server at the time of their choosing, often by pushing out the updates using a tool such as SMS. This approach allows administrators to ensure greater availability by testing updates, and using a change and configuration management process to ensure that updates are implemented consistently throughout the organization.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18866r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Miscellaneous “Block updates from the Office Update Site from applying” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\OfficeUpdate Criteria: If the value BlockUpdates is REG_DWORD = 1, this is not a finding.

Fix: F-17483r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Miscellaneous “Block updates from the Office Update Site from applying” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Control Blogging entries created from inside Office products.

Medium - V-17581 - SV-18701r1_rule

RMF Control

Severity

M

CCI

Version

DTOO212 - Office

Vuln IDs

V-17581

Rule IDs

SV-18701r1_rule

The blogging feature in Word 2007 enables users to compose blog entries and post them to their blogs directly from Word, without using any additional software. By default, users can post blog entries to any compatible blogging service provider, including Windows Live Spaces, Blogger, a SharePoint or Community Server site, and others. If your organization has policies that govern the posting of blog entries, allowing users to access the blogging feature in Word 2007 might enable them to violate those policies. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18882r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Miscellaneous “Control Blogging” will be set to “Enabled (Only SharePoint blogs allowed)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Blog Criteria: If the value DisableBlog is REG_DWORD = 1, this is not a finding.

Fix: F-17500r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Miscellaneous “Control Blogging” will be set to “Enabled (Only SharePoint blogs allowed)”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Allow users with earlier versions of Office to read with browsers - System

Medium - V-17583 - SV-18782r1_rule

RMF Control

Severity

M

CCI

Version

DTOO200 - Office 2007

Vuln IDs

V-17583

Rule IDs

SV-18782r1_rule

The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the 2007 Office release to view, but not alter, files with restricted permissions. By default, IRM-enabled files are saved in a format that cannot be viewed by using the Windows Rights Management Add-on. If this setting is enabled, an embedded rights-managed HTML version of the content is saved with each IRM-enabled file, which can be viewed in Internet Explorer using the add-on. This configuration increases the size of rights-managed files, in some cases significantly.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18920r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Manage Restricted Permissions “Allow users with earlier versions of Office to read with browsers” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\DRM Criteria: If the value IncludeHTML is REG_DWORD = 0, this is not a finding.

Fix: F-17543r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Manage Restricted Permissions “Allow users with earlier versions of Office to read with browsers” will be set to "Disabled". "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable access to updates, add-ins, and patches on the Office Online Website - Office.

Medium - V-17588 - SV-18714r1_rule

RMF Control

Severity

M

CCI

Version

DTOO177 - Office

Vuln IDs

V-17588

Rule IDs

SV-18714r1_rule

Having access to updates, add-ins, and patches on the Office Online Web site can help users ensure that their computers are up to date and equipped with the latest security patches. However, to ensure that updates are tested and applied in a consistent manner, many organizations prefer to roll out updates using a centralized mechanism such as Microsoft Systems Center or Windows Server Update Services. By default, users are allowed to download updates, add-ins, and patches from the Office Online Web site to keep their 2007 Office applications running smoothly and securely. If your organization has policies that govern the use of external resources such as Office Online, allowing users to download updates might cause them to violate these policies. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18888r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options “Disable access to updates, add-ins, and patches on the Office Online website” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Internet Criteria: If the value DisableDownloadCenterAccess is REG_DWORD = 1, this is not a finding.

Fix: F-17506r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options “Disable access to updates, add-ins, and patches on the Office Online website” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable the ability for users to Disable Trust Bar notifications for Security messages - Office

Medium - V-17590 - SV-18717r1_rule

RMF Control

Severity

M

CCI

Version

DTOO186 - Office

Vuln IDs

V-17590

Rule IDs

SV-18717r1_rule

The Message Bar in 2007 Office applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the top of the active window. The Message Bar informs the users about the nature of the security issue and, in some cases, provides the users with an option to enable the potentially unsafe feature or content, which could harm the user's computer. By default, if a 2007 Office application detects a security issue, the Message Bar is displayed. However, this configuration can be modified by users in the Trust Center. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18890r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Disable all Trust Bar notifications for security issues” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\TrustCenter Criteria: If the value TrustBar is REG_DWORD = 0, this is not a finding.

Fix: F-17508r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Disable all Trust Bar notifications for security issues” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Always show Document Information Panel Beaconing UI - Office

Medium - V-17605 - SV-18740r1_rule

RMF Control

Severity

M

CCI

Version

DTOO207 - Office 2007

Vuln IDs

V-17605

Rule IDs

SV-18740r1_rule

InfoPath 2007 can be used to create custom Document Information Panels that can be attached to Excel 2007 workbooks, PowerPoint 2007 presentations, and Word 2007 documents. A malicious user could insert a Web beacon into an InfoPath form that is used to create a custom Document Information Panel. Web beacons can be used to contact an external server when users open the form. Information could be gathered by the form, or information entered by users could be sent to an external server and cause them to be vulnerable to additional attacks. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18907r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Document Information Panel “Document Information Panel Beaconing UI” will be set to “Enabled (Always show UI)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel Criteria: If the value Beaconing is REG_DWORD = 1, this is not a finding.

Fix: F-17523r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Document Information Panel “Document Information Panel Beaconing UI” will be set to “Enabled (Always show UI)”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable the "Enable Customer Experience Improvement Program" for Office.

Medium - V-17612 - SV-18747r1_rule

RMF Control

Severity

M

CCI

Version

DTOO184 - Office 2007

Vuln IDs

V-17612

Rule IDs

SV-18747r1_rule

When users choose to participate in the Customer Experience Improvement Program (CEIP), 2007 Office applications automatically send information to Microsoft about how the applications are used. This information is combined with other CEIP data to help Microsoft solve problems and to improve the products and features customers use most often. This feature does not collect users' names, addresses, or any other identifying information except the IP address that is used to send the data. By default, users have the opportunity to opt into participation in the CEIP the first time they run an Office application. If your organization has policies that govern the use of external resources such as the CEIP, allowing users to opt in to the program might cause them to violate these policies. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18910r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Privacy -> Trust Center “Enable Customer Experience Improvement Program” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common Criteria: If the value QMEnable is REG_DWORD =0, this is not a finding.

Fix: F-17526r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Privacy -> Trust Center “Enable Customer Experience Improvement Program” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Set encryption type for password protected Office 97 thru Office 2003 files - Office

Medium - V-17617 - SV-18755r1_rule

RMF Control

Severity

M

CCI

Version

DTOO190 - Office 2007

Vuln IDs

V-17617

Rule IDs

SV-18755r1_rule

If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files. By default, Excel 2007, PowerPoint 2007, and Word 2007 use Office 97/2000 Compatible encryption, a proprietary encryption method, to encrypt password-protected Office 97-2003 files. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18913r1_chk

If Office 2007 PRE SP2 NON XP OS: The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Encryption type for password protected Office 97-2003 files” will minimally be set to “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the minimum value DefaultEncryption is REG_SZ = “Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128”, this is not a finding. If Office 2007 PRE SP2 with XP OS: The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Encryption type for password protected Office 97-2003 files” will minimally be set to “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the minimum value DefaultEncryption is REG_SZ = “Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128”, this is not a finding. If Office 2007 SP2 NON XP OS's: The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Encryption type for password protected Office 97-2003 files” will minimally be set to “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the minimum value DefaultEncryption12 is REG_SZ = “Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128”, this is not a finding. If Office 2007 SP2 on XP OS: The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Encryption type for password protected Office 97-2003 files” will minimally be set to “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the minimum value DefaultEncryption12 is REG_SZ = “Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128”, this is not a finding. NOTE: “Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128" or “Microsoft Enhanced RSA and AES Cryptographic Provider(Prototype),AES 128,128" is minimum setting required where can be up to key length of 256 if environment will support as “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)" or “Enabled Microsoft Enhanced RSA and AES Cryptographic Provider(Prototype),AES 256,256".

Fix: F-17530r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Encryption type for password protected Office 97-2003 files” will be set to “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128)” for NON XP OS's or “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype?,AES 128,128)” for XP os. NOTE: “Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128" is minimum setting required where can be up to key length of 256 if environment will support as “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)” or “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 256,256)”

b

Encryption type for password protected Open XML files - Office

Medium - V-17619 - SV-18758r1_rule

RMF Control

Severity

M

CCI

Version

DTOO189 - Office 2007

Vuln IDs

V-17619

Rule IDs

SV-18758r1_rule

If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, 2007 Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files. On computers that run Windows Vista, the default cryptographic service provider (CSP) is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit. On computers that run Windows XP, the default CSP is Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype), AES-128, 128-bit. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18914r1_chk

If Office 2007 NON XP OS: The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Encryption type for password protected Office Open XML files” will minimally be set to “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the minimum value OpenXMLEncryption is REG_SZ = “Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128”, this is not a finding. If Office 2007 with XP OS: The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Encryption type for password protected Office Open XML files” will minimally be set to “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the minimum value OpenXMLEncryption is REG_SZ = “Microsoft Enhanced RSA and AES Cryptographic Provider(Prototype),AES 128,128”, this is not a finding. NOTE: “Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128" or “Microsoft Enhanced RSA and AES Cryptographic Provider(Prototype),AES 128,128" is minimum setting required where can be up to key length of 256 if environment will support as “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)" or “Enabled Microsoft Enhanced RSA and AES Cryptographic Provider(Prototype),AES 256,256".

Fix: F-17531r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Encryption type for password protected Office Open XML files” will be set to “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128)” for NON XP OS's or “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 128,128)” for XP OS. NOTE: “Microsoft Enhanced RSA and AES Cryptographic Provider,AES 128,128" is minimum setting required where can be up to key length of 256 if environment will support as “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)” or “Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype),AES 256,256)”

b

Configure the Help Improve Proofing Tools feature for Office.

Medium - V-17627 - SV-18770r1_rule

RMF Control

Severity

M

CCI

Version

DTOO182 - Office

Vuln IDs

V-17627

Rule IDs

SV-18770r1_rule

The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. Although this feature does not intentionally collect personal information, some of the content that is sent could include items that were marked as spelling or grammar errors, such as proper names and account numbers. However, any numbers such as account numbers, street addresses, and phone numbers are converted to zeroes when the data is collected. Microsoft uses this information solely to improve the effectiveness of the Office Proofing Tools, not to identify users. By default, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18917r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ Spelling -> Proofing Data Collection “Improve Proofing Tools” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\PTWatson Criteria: If the value PTWOptIn is REG_DWORD = 0, this is not a finding.

Fix: F-17537r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ Spelling -> Proofing Data Collection “Improve Proofing Tools” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Enable the "Disable Check for Solutions" in Office.

Medium - V-17653 - SV-18802r1_rule

RMF Control

Severity

M

CCI

Version

DTOO205 - Office 2007

Vuln IDs

V-17653

Rule IDs

SV-18802r1_rule

Office Diagnostics collects relevant diagnostic information when Office applications crash and prompts users to transmit the data to Microsoft, directs them to a Web page that contains information about the crash and, if possible, advice about resolving the issue and preventing future crashes. Any data transmitted to Microsoft is anonymous and includes no personally identifiable information, in accordance with the Microsoft Office privacy statement. However, some organizations might have security policies that prevent information about their computers from being sent externally under any circumstances. By default, when a 2007 Office application crashes, Office Diagnostics prompts users and then connects to Microsoft servers to transmit information about the crash. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18924r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Office Diagnostics “Disable Check For Solutions” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\OffDiag Criteria: If the value DisableCheckForSolutions is REG_DWORD = 1, this is not a finding.

Fix: F-17551r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Office Diagnostics “Disable Check For Solutions” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Configure the "disable hyperlink warnings" for Office to Disable.

Medium - V-17659 - SV-18814r1_rule

RMF Control

Severity

M

CCI

Version

DTOO194 - Office

Vuln IDs

V-17659

Rule IDs

SV-18814r1_rule

Unsafe hyperlinks are links that might pose a security risk if users click them. Clicking an unsafe link could compromise the security of sensitive information or harm the computer. Links that 2007 Office considers unsafe include links to executable files, TIFF files, and Microsoft Document Imaging (MDI) files. Other unsafe links are those that use protocols considered to be unsafe, including msn, nntp, mms, outlook, and stssync. By default, 2007 Office applications notify users about unsafe hyperlinks and disable them until users enable them. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18930r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Disable hyperlink warnings” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the value DisableHyperLinkWarning is REG_DWORD = 0, this is not a finding.

Fix: F-17557r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Disable hyperlink warnings” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable inclusion of document properties for PDF and XPS output - Office.

Medium - V-17660 - SV-18816r1_rule

RMF Control

Severity

M

CCI

Version

DTOO206 - Office

Vuln IDs

V-17660

Rule IDs

SV-18816r1_rule

By default, if the Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office Programs add-in is installed, document properties are saved as metadata when users save files using the PDF or XPS or Publish as PDF or XPS commands in Access 2007, Excel 2007, InfoPath 2007, PowerPoint 2007, and Word 2007, unless the Document properties option is unchecked in the Options dialog box. If this metadata contains sensitive information, saving it with the file could compromise security.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18931r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Microsoft Save As PDF and XPS add-ins “Disable inclusion of document properties in PDF and XPS output” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\FixedFormat Criteria: If the value DisableFixedFormatDocProperties is REG_DWORD = 1, this is not a finding.

Fix: F-17558r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Microsoft Save As PDF and XPS add-ins “Disable inclusion of document properties in PDF and XPS output” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable the ability for Office users to use the Internet Fax Feature.

Medium - V-17661 - SV-18818r1_rule

RMF Control

Severity

M

CCI

Version

DTOO198 - Office

Vuln IDs

V-17661

Rule IDs

SV-18818r1_rule

Excel 2007, PowerPoint 2007, and Word 2007 users can use the Internet Fax feature to send documents to fax recipients through an Internet fax service provider. If your organization has policies that govern the time, place, or manner in which faxes are sent, this feature could help users evade those policies. By default, 2007 Office users can use the Internet Fax feature. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18932r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Services -> Fax “Disable Internet Fax feature” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Services\Fax Criteria: If the value NoFax is REG_DWORD = 1, this is not a finding.

Fix: F-17559r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Services -> Fax “Disable Internet Fax feature” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable Microsoft passport Service for content with restricted permissions - Office.

Medium - V-17662 - SV-18820r1_rule

RMF Control

Severity

M

CCI

Version

DTOO202 - Office

Vuln IDs

V-17662

Rule IDs

SV-18820r1_rule

The Information Rights Management feature of the 2007 Microsoft Office release allows individuals and administrators to specify access permissions to Word 2007 documents, Excel 2007 workbooks, PowerPoint 2007 presentations, and Outlook 2007 e-mail messages. This capability helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. Users protect content using digital certificates obtained through Windows Rights Management Services (RMS) or by using a Windows Live ID (formerly Microsoft .NET Passport) account. By default, when a user opens a rights-managed file created with a Windows Live ID, the application connects to a licensing server to verify the user's credentials and to download a license that defines the level of access the user has to the file. If your organization has policies that govern access to external services such as Windows Live ID, this capability could allow users to violate those policies. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18933r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Manage Restricted Permissions “Disable Microsoft Passport service for content with restricted permission” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\DRM Criteria: If the value DisablePassportCertification is REG_DWORD = 1, this is not a finding.

Fix: F-17560r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Manage Restricted Permissions “Disable Microsoft Passport service for content with restricted permission” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable the Opt-In Wizard that enables first time users to opt into Internet–based Microsoft services.

Medium - V-17664 - SV-18824r1_rule

RMF Control

Severity

M

CCI

Version

DTOO183 - Office

Vuln IDs

V-17664

Rule IDs

SV-18824r1_rule

By default, the Opt-in Wizard displays the first time users run a 2007 Microsoft Office application, which allows them to opt into Internet–based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help. If your organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18935r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Privacy -> Trust Center “Disable Opt-in Wizard on first run” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\General Criteria: If the value ShownOptIn is REG_DWORD = 1, this is not a finding.

Fix: F-17562r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Privacy -> Trust Center “Disable Opt-in Wizard on first run” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Configure the "Disable Password to Open UI" for password secured documents.

Medium - V-17665 - SV-18826r1_rule

RMF Control

Severity

M

CCI

Version

DTOO195 - Office

Vuln IDs

V-17665

Rule IDs

SV-18826r1_rule

If 2007 Office users add passwords to documents, other users can be prevented from opening the documents. This capability can provide an extra level of protection to documents that are already protected by access control lists, or provide a means of securing documents that are not protected by file-level security. By default, users can add passwords to Excel 2007 workbooks, PowerPoint 2007 presentations, and Word 2007 documents from the Save or Save As dialog box by clicking Tools, clicking General Options, and entering appropriate passwords to open or modify the documents. If this configuration is changed, users will not be able to enter passwords in the General Options dialog box, which means they will not be able to password protect documents. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18936r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Disable password to open UI” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the value DisablePasswordUI is REG_DWORD = 0, this is not a finding.

Fix: F-17563r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Disable password to open UI” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable Smart Documents use of Manifests in Office

Medium - V-17669 - SV-18834r1_rule

RMF Control

Severity

M

CCI

Version

DTOO197 - Office

Vuln IDs

V-17669

Rule IDs

SV-18834r1_rule

An XML expansion pack is the group of files that constitutes a Smart Document in Excel 2007 and Word 2007. You package one or more components that provide the logic needed for a Smart Document by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files. The key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, you specify the locations of all files that make up the XML expansion pack, as well as information that instructs 2007 Office how to set up the files for your Smart Document. The XML expansion pack can also contain information about how to set up some files, such as how to install and register a COM object required by the XML expansion pack. XML expansion packs can be used to initialize and load malicious code, which might affect the stability of a computer and lead to data loss. By default, 2007 Office applications can load an XML expansion pack manifest file with a Smart Document. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18940r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Smart Documents (Word, Excel) “Disable Smart Document's use of manifests” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Smart Tag Criteria: If the value NeverLoadManifests is REG_DWORD = 1, this is not a finding.

Fix: F-17567r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Smart Documents (Word, Excel) “Disable Smart Document's use of manifests” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable the Office client from polling the Sharepoint server for published links.

Medium - V-17670 - SV-18836r1_rule

RMF Control

Severity

M

CCI

Version

DTOO208 - Office

Vuln IDs

V-17670

Rule IDs

SV-18836r1_rule

By default, users of 2007 Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications. Administrators configure published links to Office applications during initial deployment, and can add or change links as part of regular operations. These links appear on the My SharePoint Sites tab of the Open, Save, and Save As dialog boxes when opening and saving documents from these applications. Links can be targeted so that they only appear to users who are members of particular audiences. If a malicious person gains access to the list of published links, they could modify the links to point to unapproved sites, which could make sensitive data vulnerable to exposure. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18941r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Server Settings “Disable the Office client from polling the Office server for published links” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Portal Criteria: If the value LinkPublishingDisabled is REG_DWORD = 1, this is not a finding.

Fix: F-17568r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Server Settings “Disable the Office client from polling the Office server for published links” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Always require users to connect to verify permissions - Office.

Medium - V-17731 - SV-18906r1_rule

RMF Control

Severity

M

CCI

Version

DTOO201 - Office

Vuln IDs

V-17731

Rule IDs

SV-18906r1_rule

By default, users are not required to connect to the network to verify permissions. If users do not need their licenses confirmed when attempting to open 2007 Office documents, they might be able to access documents after their licenses have been revoked. Also, it is not possible to log the usage of files with restricted permissions if users' licenses are not confirmed.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18997r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Manage Restricted Permissions “Always require users to connect to verify permission” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\DRM Criteria: If the value requireConnection is REG_DWORD = 1, this is not a finding.

Fix: F-17631r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Manage Restricted Permissions “Always require users to connect to verify permission” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable Automatic receiving of small updates to improve reliability - Office.

Medium - V-17740 - SV-18922r1_rule

RMF Control

Severity

M

CCI

Version

DTOO185 - Office

Vuln IDs

V-17740

Rule IDs

SV-18922r1_rule

Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updated help information about specific problems. If Office Diagnostics is enabled, it collects information about specific errors and the IP address of the computer. When new help information is available, that help information is downloaded to the computer that experienced the related problems. Office Diagnostics does not transmit any personally identifiable information to Microsoft other than the IP address of the computer requesting the update. By default, users have the opportunity to opt into receiving updates from Office Diagnostics the first time they run a 2007 Office application. If your organization has policies that govern the use of external resources such as Office Diagnostics, allowing users to opt in to this feature might cause them to violate these policies. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19004r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Privacy -> Trust Center “Automatically receive small updates to improve reliability” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common Criteria: If the value UpdateReliabilityData is REG_DWORD = 0, this is not a finding.

Fix: F-17640r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Privacy -> Trust Center “Automatically receive small updates to improve reliability” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Enable Automation Security to enforce macro level security in Office documents

Medium - V-17741 - SV-18924r1_rule

RMF Control

Severity

M

CCI

Version

DTOO193 - Office

Vuln IDs

V-17741

Rule IDs

SV-18924r1_rule

By default, when a separate program is used to launch Microsoft Office Excel 2007, PowerPoint 2007, or Word 2007 programmatically, any macros can run in the programmatically opened application without being blocked. This functionality could allow an attacker to use automation to run malicious code in Excel, PowerPoint, or Word.System AdministratorInformation Assurance OfficerECPC-1

Checks: C-19005r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Automation Security” will be set to “Enabled (Use application macro security level)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Security Criteria: If the value AutomationSecurity is REG_DWORD = 2, this is not a finding.

Fix: F-17641r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Automation Security” will be set to “Enabled (Use application macro security level)”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Legacy format signatures should be enabled - Office

Medium - V-17749 - SV-18937r1_rule

RMF Control

Severity

M

CCI

Version

DTOO203 - Office

Vuln IDs

V-17749

Rule IDs

SV-18937r1_rule

By default, 2007 Office applications use the XML–based XMLDSIG format to attach digital signatures to documents, including Office 97-2003 binary documents. XMLDSIG signatures are not recognized by Office 2003 applications or previous versions. If an Office 2003 user opens an Excel, PowerPoint, or Word binary document with an XMLDSIG signature attached, the signature will be lost.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19011r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Signing “Legacy format signatures” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Signatures Criteria: If the value XPCompatibleSignatureFormat is REG_DWORD = 1, this is not a finding.

Fix: F-17648r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Signing “Legacy format signatures” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable Load controls in forms3 - Office

Medium - V-17750 - SV-18939r2_rule

RMF Control

Severity

M

CCI

Version

DTOO192 - Office

Vuln IDs

V-17750

Rule IDs

SV-18939r2_rule

ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer—or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date. SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. This setting allows administrators to control how ActiveX controls in UserForms should be initialized based upon whether they are SFI or UFI. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19012r4_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Load Controls in Forms3” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\VBA\Security Criteria: If the value LoadControlsInForms exists, this is a finding.

Fix: F-17649r4_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Load Controls in Forms3” will be set to “Diabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Disable "Open documents as Read Write when browsing" feature. - Office

Medium - V-17759 - SV-18956r1_rule

RMF Control

Severity

M

CCI

Version

DTOO179 - Office

Vuln IDs

V-17759

Rule IDs

SV-18956r1_rule

By default, when users browse to an 2007 Office document on a Web server using Internet Explorer, the appropriate application opens the file in read-only mode. However, if the default configuration is changed, the document is opened as read/write. Users could potentially make changes to documents and resave them in situations where the Web server security is not configured to prevent such changes.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19022r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Files “Open Office documents as read/write while browsing” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Internet Criteria: If the value OpenDocumentsReadWriteWhileBrowsing is REG_DWORD = 0, this is not a finding.

Fix: F-17658r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Files “Open Office documents as read/write while browsing” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Prevent permissions change on 'rights managed' content - Office

Medium - V-17765 - SV-18968r1_rule

RMF Control

Severity

M

CCI

Version

DTOO199 - Office

Vuln IDs

V-17765

Rule IDs

SV-18968r1_rule

The Information Rights Management feature of the 2007 Office release allows individuals and administrators to specify access permissions to Word 2007 documents, Excel 2007 workbooks, PowerPoint 2007 presentations, InfoPath 2007 templates and forms, and Outlook 2007 e-mail messages. This functionality helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. This setting can be used to prevent 2007 Office users from changing the IRM permissions of a document. If this setting is Enabled, users can open and edit documents for which they have the appropriate permissions, but they cannot create new rights-managed content, add IRM to existing documents, change existing IRM permissions, or remove IRM from documents. This configuration can prevent users from making effective use of IRM to protect documents System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19028r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Manage Restricted Permissions “Prevent users from changing permissions on rights managed content” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\DRM Criteria: If the value DisableCreation is REG_DWORD = 0, this is not a finding.

Fix: F-17664r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Manage Restricted Permissions “Prevent users from changing permissions on rights managed content” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Prevent upload of document templates to Office Online.

Medium - V-17767 - SV-18972r1_rule

RMF Control

Severity

M

CCI

Version

DTOO178 - Office

Vuln IDs

V-17767

Rule IDs

SV-18972r1_rule

By default, 2007 Office users can share Excel 2007, PowerPoint 2007, and Word 2007 templates they create with other Microsoft Office users around the world by uploading them to the community area of the Microsoft Office Online Web site. If your organization has policies that govern the use of external resources such as Office Online, allowing users to upload templates might enable them to violate those policies.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19030r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options “Prevents users from uploading document templates to the Office Online community” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Internet Criteria: If the value DisableCustomerSubmittedUpload is REG_DWORD = 1, this is not a finding.

Fix: F-17666r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options “Prevents users from uploading document templates to the Office Online community” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Protect document metadata for password protected files - Office

Medium - V-17768 - SV-18974r1_rule

RMF Control

Severity

M

CCI

Version

DTOO188 - Office

Vuln IDs

V-17768

Rule IDs

SV-18974r1_rule

By default, when an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19031r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Protect document metadata for password protected files” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the value OpenXMLEncryptProperty is REG_DWORD = 1, this is not a finding.

Fix: F-17667r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Protect document metadata for password protected files” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Protect document metadata for rights managed Office Open XML fiiles - Office

Medium - V-17769 - SV-18976r1_rule

RMF Control

Severity

M

CCI

Version

DTOO187 - Office

Vuln IDs

V-17769

Rule IDs

SV-18976r1_rule

By default, when Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted. This configuration could allow potentially sensitive information such as the document author and hyperlink references to be exposed to unauthorized people.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19032r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Protect document metadata for rights managed Office Open XML Files” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Security Criteria: If the value DRMEncryptProperty is REG_DWORD = 1, this is not a finding.

Fix: F-17668r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Security Settings “Protect document metadata for rights managed Office Open XML Files” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Do Not rely on Vector markup Language (VML) for displaying graphics in browsers.

Medium - V-17773 - SV-18983r1_rule

RMF Control

Severity

M

CCI

Version

DTOO180 - Office

Vuln IDs

V-17773

Rule IDs

SV-18983r1_rule

When saving documents as Web pages, Excel 2007, PowerPoint 2007, and Word 2007 can save vector–based graphics in Vector Markup Language (VML), which enables Internet Explorer to display them smoothly at any resolution. By default, when saving VML graphics, 2007 Office applications also save copies of the graphics in a standard raster file format (GIF or PNG) for use by browsers that cannot display VML. If the Rely on VML for displaying graphics in browsers check box in the Web Options dialog box is selected, applications will not save raster copies of VML graphics, which means those graphics will not display in non-Microsoft browsers. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19036r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Browsers “Rely on VML for displaying graphics in browsers” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Internet Criteria: If the value RelyOnVML is REG_DWORD = 0, this is not a finding.

Fix: F-17672r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Tools \ Options \ General \ Web Options -> Browsers “Rely on VML for displaying graphics in browsers” will be set to “Disabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

Enable the feature to suppress external Signature Services Menu for Office.

Medium - V-17805 - SV-19036r1_rule

RMF Control

Severity

M

CCI

Version

DTOO204 - Office

Vuln IDs

V-17805

Rule IDs

SV-19036r1_rule

By default, users can select Add Signature Services (from the Signature Line drop-down menu on the Insert tab of the Ribbon in Excel 2007, PowerPoint 2007, and Word 2007) to see a list of signature service providers on the Microsoft Office Web site. If your organization has policies that govern the use of external resources such as signature providers or Office Marketplace, allowing users to access the Add Signature Services menu item might enable them to violate those policies.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19063r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Signing “Suppress external signature services menu item” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Common\Signatures Criteria: If the value SuppressExtSigningSvcs is REG_DWORD = 1, this is not a finding.

Fix: F-17706r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Signing “Suppress external signature services menu item” will be set to “Enabled”. "Note: Group Policy Administrative Templates are available from the www.microsoft.com download site. The MS Office 2007 System (Office12.adm) is included in the AdminTemplates.exe file. This template provides the mechanisms to incorporate Microsoft Office 2007 System policies via the Microsoft Group Policy Editor (gpedit.msc)." "Note: If the Microsoft Group Policy Editor (gpedit.msc) is not used to incorporate the remediation to this vulnerability the Microsoft Registry Editor (regedit.exe) may be used to create the registry key and value required."

b

The most current Office 2007 service pack is not installed.

Medium - V-25884 - SV-32370r1_rule

RMF Control

Severity

M

CCI

Version

DTOO287

Vuln IDs

V-25884

Rule IDs

SV-32370r1_rule

Failure to install the most current Office service pack leaves a system vulnerable to exploitation. Current service packs correct known security and system vulnerabilities. If Microsoft Office installation is not at most current service pack this is a Category II finding. If Microsoft Office installation is at an unsupported service pack this will be upgraded to a Category I finding since new vulnerabilities may not be patched.Unsupported Service Packs will be upgraded to a Category I finding.System AdministratorVIVM-1

Checks: C-32765r1_chk

To determine what SP level is installed, Start any Office application, such as Word. Click on the Office Menu Button (upper left), Click "Word options" at the bottom of the menu, select "Resources" from the left column: The version number will be displayed alongside the "About" button on the right hand side display. If the "About" box information does not display a most current service pack, then this is a finding. Current Supported Service Pack Office 2007 – SP2 (See Severity Override). Severity Override: Unsupported Service Packs will be upgraded to a Category I finding. This includes the following: Office 2007 - prior to SP2.

Fix: F-28840r1_fix

Install the most current Office 2007 service pack.

Checks: C-18858r3_chk

Fix: F-17469r3_fix

Generate Mitigation Statement:

Checks: C-18861r1_chk

Fix: F-17477r1_fix

Generate Mitigation Statement:

Checks: C-18862r1_chk

Fix: F-17478r1_fix

Generate Mitigation Statement:

Checks: C-18866r1_chk

Fix: F-17483r1_fix

Generate Mitigation Statement:

Checks: C-18882r1_chk

Fix: F-17500r1_fix

Generate Mitigation Statement:

Checks: C-18920r1_chk

Fix: F-17543r1_fix

Generate Mitigation Statement:

Checks: C-18888r1_chk

Fix: F-17506r1_fix

Generate Mitigation Statement:

Checks: C-18890r1_chk

Fix: F-17508r1_fix

Generate Mitigation Statement:

Checks: C-18907r1_chk

Fix: F-17523r1_fix

Generate Mitigation Statement:

Checks: C-18910r1_chk

Fix: F-17526r1_fix

Generate Mitigation Statement:

Checks: C-18913r1_chk

Fix: F-17530r1_fix

Generate Mitigation Statement:

Checks: C-18914r1_chk

Fix: F-17531r1_fix

Generate Mitigation Statement:

Checks: C-18917r1_chk

Fix: F-17537r1_fix

Generate Mitigation Statement:

Checks: C-18924r1_chk

Fix: F-17551r1_fix

Generate Mitigation Statement:

Checks: C-18930r1_chk

Fix: F-17557r1_fix

Generate Mitigation Statement:

Checks: C-18931r1_chk

Fix: F-17558r1_fix

Generate Mitigation Statement:

Checks: C-18932r1_chk

Fix: F-17559r1_fix

Generate Mitigation Statement:

Checks: C-18933r1_chk

Fix: F-17560r1_fix

Generate Mitigation Statement:

Checks: C-18935r1_chk

Fix: F-17562r1_fix

Generate Mitigation Statement:

Checks: C-18936r1_chk

Fix: F-17563r1_fix

Generate Mitigation Statement:

Checks: C-18940r1_chk

Fix: F-17567r1_fix

Generate Mitigation Statement:

Checks: C-18941r1_chk

Fix: F-17568r1_fix

Generate Mitigation Statement:

Checks: C-18997r1_chk

Fix: F-17631r1_fix

Generate Mitigation Statement:

Checks: C-19004r1_chk

Fix: F-17640r1_fix

Generate Mitigation Statement:

Checks: C-19005r1_chk

Fix: F-17641r1_fix

Generate Mitigation Statement:

Checks: C-19011r1_chk

Fix: F-17648r1_fix

Generate Mitigation Statement:

Checks: C-19012r4_chk

Fix: F-17649r4_fix