Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Microsoft Office System 2016 Security Technical Implementation Guide

V2R1 · · · Released 23 Jul 2021 · 20 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 14 Nov 2016 +20 −20

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 20

  • V-238024 Medium The Help Improve Proofing Tools feature for Office must be configured.
  • V-238025 Medium Trust Bar notifications for Security messages must be enforced.
  • V-238026 Medium Rights managed Office Open XML files must be protected.
  • V-238027 Medium Document metadata for password protected files must be protected.
  • V-238028 Medium The encryption type for password protected Open XML files must be set.
  • V-238029 Medium The encryption type for password protected Office 97 thru Office 2003 must be set.
  • V-238030 Medium ActiveX control initialization must be disabled.
  • V-238031 Medium Load controls in forms3 must be disabled from loading.
  • V-238032 Medium Automation Security to enforce macro level security in Office documents must be configured.
  • V-238033 Medium A mix of policy and user locations for Office Products must be disallowed.
  • V-238034 Medium Smart Documents use of Manifests in Office must be disallowed.
  • V-238035 Medium Connection verification of permissions must be enforced.
  • V-238036 Medium Inclusion of document properties for PDF and XPS output must be disallowed.
  • V-238037 Medium Encrypt document properties must be configured for OLE documents.
  • V-238038 Medium Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.
  • V-238039 Medium The ability to create an online presentation programmatically must be disabled.
  • V-238040 Medium When using the Office Feedback tool, the ability to include a screenshot must be disabled.
  • V-238041 Medium The ability to run unsecure Office web add-ins and Catalogs must be disabled.
  • V-238042 Medium The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
  • V-238043 Medium The ability to send personal information to Office must be disabled.

Removed rules 20

  • V-70855 Medium The Help Improve Proofing Tools feature for Office must be configured.
  • V-70859 Medium Trust Bar notifications for Security messages must be enforced.
  • V-70861 Medium Rights managed Office Open XML files must be protected.
  • V-70863 Medium Document metadata for password protected files must be protected.
  • V-70865 Medium The encryption type for password protected Open XML files must be set.
  • V-70867 Medium The encryption type for password protected Office 97 thru Office 2003 must be set.
  • V-70869 Medium ActiveX control initialization must be disabled.
  • V-70871 Medium Load controls in forms3 must be disabled from loading.
  • V-70873 Medium Automation Security to enforce macro level security in Office documents must be configured.
  • V-70875 Medium A mix of policy and user locations for Office Products must be disallowed.
  • V-70877 Medium Smart Documents use of Manifests in Office must be disallowed.
  • V-70881 Medium Connection verification of permissions must be enforced.
  • V-70883 Medium Inclusion of document properties for PDF and XPS output must be disallowed.
  • V-70885 Medium Encrypt document properties must be configured for OLE documents.
  • V-70889 Medium Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.
  • V-70891 Medium The ability to create an online presentation programmatically must be disabled.
  • V-70893 Medium When using the Office Feedback tool, the ability to include a screenshot must be disabled.
  • V-70895 Medium The ability to run unsecure Office web add-ins and Catalogs must be disabled.
  • V-70897 Medium The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
  • V-70899 Medium The ability to send personal information to Office must be disabled.
Sort by
b
The Help Improve Proofing Tools feature for Office must be configured.
CM-6 - Medium - CCI-000366 - V-238024 - SV-238024r650639_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO182
Vuln IDs
  • V-238024
  • V-70855
Rule IDs
  • SV-238024r650639_rule
  • SV-85479
This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies. If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".
Checks: C-41234r650637_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Tools \ Options \ Spelling -> Proofing Data Collection "Improve Proofing Tools" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\ptwatson Criteria: If the value PTWOptIn is REG_DWORD = 0, this is not a finding.

Fix: F-41193r650638_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Tools \ Options \ Spelling -> Proofing Data Collection "Improve Proofing Tools" to "Disabled".

b
Trust Bar notifications for Security messages must be enforced.
SC-18 - Medium - CCI-001662 - V-238025 - SV-238025r650642_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
DTOO186
Vuln IDs
  • V-238025
  • V-70859
Rule IDs
  • SV-238025r650642_rule
  • SV-85483
This policy setting controls whether Office 2016 applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the top of the active window. The Message Bar informs the users about the nature of the security issue and, in some cases, provides the users with an option to enable the potentially unsafe feature or content, which could harm the user's computer. If you enable this policy setting, Office 2016 applications do not display information in the Message Bar about potentially unsafe content that has been detected or has automatically been blocked. If you disable this policy setting, Office 2016 applications display information in the Message Bar about content that has automatically been blocked. If you do not configure this policy setting, if an Office 2016 application detects a security issue, the Message Bar is displayed. However, this configuration can be modified by users in the Trust Center.
Checks: C-41235r650640_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Disable all Trust Bar notifications for security issues" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\trustcenter Criteria: If the value TrustBar is REG_DWORD = 0, this is not a finding.

Fix: F-41194r650641_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Disable all Trust Bar notifications for security issues" to "Disabled".

b
Rights managed Office Open XML files must be protected.
SC-28 - Medium - CCI-002476 - V-238026 - SV-238026r650645_rule
RMF Control
SC-28
Severity
M
CCI
CCI-002476
Version
DTOO187
Vuln IDs
  • V-238026
  • V-70861
Rule IDs
  • SV-238026r650645_rule
  • SV-85485
This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint, and Word encrypt metadata stored in rights-managed Office Open XML files and override any configuration changes on users' computers. If you disable this policy setting, Office 2016 applications cannot encrypt metadata in rights-managed Office Open XML files, which can reduce security. If you do not configure this policy setting, when Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted.
Checks: C-41236r650643_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Protect document metadata for rights managed Office Open XML Files" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security Criteria: If the value DRMEncryptProperty is REG_DWORD = 1, this is not a finding.

Fix: F-41195r650644_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Protect document metadata for rights managed Office Open XML Files" to "Enabled".

b
Document metadata for password protected files must be protected.
SC-28 - Medium - CCI-001199 - V-238027 - SV-238027r650648_rule
RMF Control
SC-28
Severity
M
CCI
CCI-001199
Version
DTOO188
Vuln IDs
  • V-238027
  • V-70863
Rule IDs
  • SV-238027r650648_rule
  • SV-85487
This policy setting determines whether metadata is encrypted when an Office Open XML file is password protected. If you enable this policy setting, Excel 2016, PowerPoint 2016, and Word 2016 encrypt metadata stored in password-protected Office Open XML files and override any configuration changes on users' computers. If you disable this policy setting, Office 2016 applications cannot encrypt metadata in password-protected Office Open XML files, which can reduce security. If you do not configure this policy setting, when an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people.
Checks: C-41237r650646_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Protect document metadata for password protected files" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security Criteria: If the value OpenXMLEncryptProperty is REG_DWORD = 1, this is not a finding.

Fix: F-41196r650647_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Protect document metadata for password protected files" to "Enabled".

b
The encryption type for password protected Open XML files must be set.
SC-28 - Medium - CCI-001199 - V-238028 - SV-238028r650651_rule
RMF Control
SC-28
Severity
M
CCI
CCI-001199
Version
DTOO189
Vuln IDs
  • V-238028
  • V-70865
Rule IDs
  • SV-238028r650651_rule
  • SV-85489
This policy setting allows you to specify an encryption type for Office Open XML files. If you enable this policy setting, you can specify the type of encryption that Office applications use to encrypt password-protected files in the Office Open XML file formats used by Excel, PowerPoint, and Word. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer. Specify the encryption type to use by entering it in the provided text box in the following form:,,For example: Microsoft Enhanced Cryptographic Provider v1.0,RC4,128. If you disable or do not configure this policy setting, the default CSP is used. The default cryptographic service provider (CSP) is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit.Note: This policy setting does not take effect unless the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\\Security\Crypto\CompatMode is set to 0. By default the CompatMode registry key is set to 1.
Checks: C-41238r650649_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encryption type for password protected Office Open XML files" is set to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security Criteria: If the value OpenXMLEncryption is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.

Fix: F-41197r650650_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encryption type for password protected Office Open XML files" to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)".

b
The encryption type for password protected Office 97 thru Office 2003 must be set.
SC-28 - Medium - CCI-001199 - V-238029 - SV-238029r650654_rule
RMF Control
SC-28
Severity
M
CCI
CCI-001199
Version
DTOO190
Vuln IDs
  • V-238029
  • V-70867
Rule IDs
  • SV-238029r650654_rule
  • SV-85491
This policy setting enables you to specify an encryption type for password-protected Office 97-2003 files. If you enable this policy setting, you can specify the type of encryption that Office applications will use to encrypt password-protected files in the older Office 97-2003 file formats. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer. Specify the encryption type to use by entering it in the provided text box in the following form:,,.For example, Microsoft Enhanced Cryptographic Provider v1.0,RC4,128. If you do not configure this policy setting, Excel, PowerPoint, and Word use Office 97/2000 Compatible encryption, a proprietary encryption method, to encrypt password-protected Office 97-2003 files.
Checks: C-41239r650652_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encryption type for password protected Office 97-2003 files" is set to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security Criteria: If the value DefaultEncryption12 is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.

Fix: F-41198r650653_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encryption type for password protected Office 97-2003 files" to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)".

b
ActiveX control initialization must be disabled.
SC-18 - Medium - CCI-002460 - V-238030 - SV-238030r650657_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO191
Vuln IDs
  • V-238030
  • V-70869
Rule IDs
  • SV-238030r650657_rule
  • SV-85493
This policy setting specifies the Microsoft ActiveX« initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer--or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. If you enable this policy setting, you can set the ActiveX security level to a number between 1 and 6. These security levels are as follows: 1 - Regardless of how the control is marked, load it and use the persisted values (if any). This setting does not prompt the user. 2 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, load in unsafe mode with persisted values (if any), or use the default (first-time initialization) settings. This level is similar to the default configuration, but does not prompt the user. 3 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 4 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 5 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. 6 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. If you disable or do not configure this policy setting, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond. Important - Some ActiveX controls do not respect the safe mode registry setting, and therefore might load persisted data even though you configure this setting to instruct the control to use safe mode. This setting only increases security for ActiveX controls that are accurately marked as SFI. In situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately marked as SFI.
Checks: C-41240r650655_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "ActiveX Control Initialization" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Security Criteria: If the value UFIControls exists, this is a finding.

Fix: F-41199r650656_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "ActiveX Control Initialization" to "Disabled".

b
Load controls in forms3 must be disabled from loading.
SC-18 - Medium - CCI-001662 - V-238031 - SV-238031r766729_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
DTOO192
Vuln IDs
  • V-238031
  • V-70871
Rule IDs
  • SV-238031r766729_rule
  • SV-85495
This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1.
Checks: C-41241r766727_chk

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Load Controls in Forms3" is set to Enabled and 1 from drop-down menu. (For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration.) Use the Windows Registry Editor to navigate to the following key: HKCU\keycupoliciesmsvbasecurity If the value LoadControlsInForms is REG_DWORD=1, this is not a finding.

Fix: F-41200r766728_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Load Controls in Forms3" to "Disabled".

b
Automation Security to enforce macro level security in Office documents must be configured.
SC-18 - Medium - CCI-001170 - V-238032 - SV-238032r650663_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO193
Vuln IDs
  • V-238032
  • V-70873
Rule IDs
  • SV-238032r650663_rule
  • SV-85497
This policy setting controls whether macros can run in an Office 2016 application that is opened programmatically by another application. If you enable this policy setting, you can choose from three options for controlling macro behavior in Excel, PowerPoint, and Word when the application is opened programmatically: - Disable macros by default - All macros are disabled in the programmatically opened application. - Macros enabled (default) - Macros can run in the programmatically opened application. This option enforces the default configuration in Excel, PowerPoint, and Word. - User application macro security level - Macro functionality is determined by the setting in the "Macro Settings" section of the Trust Center. If you disable or do not configure this policy setting, when a separate program is used to launch Microsoft Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked.
Checks: C-41242r650661_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Automation Security" is set to "Enabled (Use application macro security level)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Security Criteria: If the value AutomationSecurity is REG_DWORD = 2, this is not a finding.

Fix: F-41201r650662_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Automation Security" to "Enabled (Use application macro security level)".

b
A mix of policy and user locations for Office Products must be disallowed.
CM-6 - Medium - CCI-000366 - V-238033 - SV-238033r650666_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO196
Vuln IDs
  • V-238033
  • V-70875
Rule IDs
  • SV-238033r650666_rule
  • SV-85499
This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enable this policy setting, users can specify any location as a trusted location, and a computer can have a combination of user-created, OCT-created, and Group Policy-created trusted locations. If you disable this policy setting, all trusted locations that are not created by Group Policy are disabled and users cannot create new trusted locations in the Trust Center. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled. Note - InfoPath 2016 and Outlook 2016 do not recognize trusted locations, and therefore are unaffected by this policy setting.
Checks: C-41243r650664_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings -> Trust Center "Allow mix of policy and user locations" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security\trusted locations Criteria: If the value Allow User Locations is REG_DWORD = 0, this is not a finding.

Fix: F-41202r650665_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings -> Trust Center "Allow mix of policy and user locations" to "Disabled".

b
Smart Documents use of Manifests in Office must be disallowed.
CM-6 - Medium - CCI-000366 - V-238034 - SV-238034r650669_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO197
Vuln IDs
  • V-238034
  • V-70877
Rule IDs
  • SV-238034r650669_rule
  • SV-85501
This policy setting controls whether Office 2016 applications can load an XML expansion pack manifest file with a Smart Document. An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. You package one or more components that provide the logic needed for a Smart Document by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files. The key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, you specify the locations of all files that make up the XML expansion pack, as well as information that instructs Office 2016 how to set up the files for your Smart Document. The XML expansion pack can also contain information about how to set up some files, such as how to install and register a COM object required by the XML expansion pack. If you enable this policy setting, Office 2016 applications cannot load XML expansion packs with Smart Documents. If you disable or do not configure this policy setting, Office 2016 applications can load an XML expansion pack manifest file with a Smart Document.
Checks: C-41244r650667_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Smart Tag Criteria: If the value NeverLoadManifests is REG_DWORD = 1, this is not a finding.

Fix: F-41203r650668_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" to "Enabled".

b
Connection verification of permissions must be enforced.
AC-6 - Medium - CCI-002235 - V-238035 - SV-238035r650672_rule
RMF Control
AC-6
Severity
M
CCI
CCI-002235
Version
DTOO201
Vuln IDs
  • V-238035
  • V-70881
Rule IDs
  • SV-238035r650672_rule
  • SV-85505
This policy setting controls whether users are required to connect to the Internet or a local network to have their licenses confirmed every time they attempt to open Excel workbooks, InfoPath forms or templates, Outlook e-mail messages, PowerPoint presentations, or Word documents that are protected by Information Rights Management (IRM). This policy is useful if you want to log the usage of files with restricted permissions on the server. If you enable this policy setting, users are required to connect to verify permissions. This policy setting will only affect protected files created on machines where the policy is enabled. If you disable or do not configure this policy setting, users are not required to connect to the network to verify permissions.
Checks: C-41245r650670_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Manage Restricted Permissions "Always require users to connect to verify permission" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\drm Criteria: If the value RequireConnection is REG_DWORD = 1, this is not a finding.

Fix: F-41204r650671_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Manage Restricted Permissions "Always require users to connect to verify permission" to "Enabled".

b
Inclusion of document properties for PDF and XPS output must be disallowed.
CM-6 - Medium - CCI-000366 - V-238036 - SV-238036r650675_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO206
Vuln IDs
  • V-238036
  • V-70883
Rule IDs
  • SV-238036r650675_rule
  • SV-85507
This policy setting controls whether document metadata can be saved in PDF and XPS documents. If you enable this policy setting, document properties metadata is not exported to PDF and XPS files. If you disable this policy setting, document properties metadata will always be saved with PDF and XPS files, and users will not be able to override this configuration. If you do not configure this policy setting, if the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs add-in is installed, document properties are saved as metadata when users save files using the PDF or XPS or Publish as PDF or XPS commands in Access, Excel, InfoPath, PowerPoint, and Word, unless the "Document properties" option is unchecked in the Options dialog.
Checks: C-41246r650673_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\fixedformat Criteria: If the value DisableFixedFormatDocProperties is REG_DWORD = 1, this is not a finding.

Fix: F-41205r650674_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" to "Enabled".

b
Encrypt document properties must be configured for OLE documents.
SC-28 - Medium - CCI-002476 - V-238037 - SV-238037r650678_rule
RMF Control
SC-28
Severity
M
CCI
CCI-002476
Version
DTOO321
Vuln IDs
  • V-238037
  • V-70885
Rule IDs
  • SV-238037r650678_rule
  • SV-85509
This policy setting allows you configure if the document properties are encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. If you enable this policy setting, the document properties will be encrypted. If you disable or do not configure this policy setting, the document properties will not be encrypted.
Checks: C-41247r650676_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encrypt document properties" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security Criteria: If the value EncryptDocProps is REG_DWORD = 1, this is not a finding.

Fix: F-41206r650677_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encrypt document properties" to "Enabled".

b
Office Presentation Service must be removed as an option for presenting PowerPoint and Word online.
CM-7 - Medium - CCI-000381 - V-238038 - SV-238038r650681_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
DTOO408
Vuln IDs
  • V-238038
  • V-70889
Rule IDs
  • SV-238038r650681_rule
  • SV-85513
This policy setting allows you to remove Office Presentation Service from the list of online presentation services in PowerPoint and Word. This list appears when a user selects Present Online from the Share tab in Backstage view and in the ribbon in PowerPoint. If you enable this policy setting, Office Presentation Service is not shown as an option for presenting online. If you disable or do not configure this policy setting, users can select Office Presentation Service to present their PowerPoint or Word file to other users online.
Checks: C-41248r650679_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Present Online -> "Remove Office Presentation Service from the list of online presentation services in PowerPoint and Word" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\broadcast Criteria: If the value disabledefaultservice is REG_DWORD = 1, this is not a finding.

Fix: F-41207r650680_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Present Online -> "Remove Office Presentation Service from the list of online presentation services in PowerPoint and Word" to "Enabled".

b
The ability to create an online presentation programmatically must be disabled.
SC-18 - Medium - CCI-001170 - V-238039 - SV-238039r650684_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO409
Vuln IDs
  • V-238039
  • V-70891
Rule IDs
  • SV-238039r650684_rule
  • SV-85515
This policy setting allows you to restrict the ability to create an online presentation programmatically in PowerPoint and Word. If you enable this policy setting, an online presentation cannot be created programmatically. If you disable or do not configure this policy setting, an online presentation can be created programmatically.
Checks: C-41249r650682_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Present Online -> "Restrict programmatic access for creating online presentations in PowerPoint and Word" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\broadcast Criteria: If the value disableprogrammaticaccess is REG_DWORD = 1, this is not a finding.

Fix: F-41208r650683_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Present Online -> "Restrict programmatic access for creating online presentations in PowerPoint and Word" to "Enabled".

b
When using the Office Feedback tool, the ability to include a screenshot must be disabled.
CM-6 - Medium - CCI-000366 - V-238040 - SV-238040r650687_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO410
Vuln IDs
  • V-238040
  • V-70893
Rule IDs
  • SV-238040r650687_rule
  • SV-85517
This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. If you enable this policy setting, the Office Feedback Tool will allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you disable this policy setting, the Office Feedback Tool will not allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".
Checks: C-41250r650685_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Allow including screenshot with Office Feedback" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\feedback Criteria: If the value includescreenshot is REG_DWORD = 0, this is not a finding.

Fix: F-41209r650686_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Allow including screenshot with Office Feedback" to "Disabled".

b
The ability to run unsecure Office web add-ins and Catalogs must be disabled.
CM-6 - Medium - CCI-000366 - V-238041 - SV-238041r650690_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO412
Vuln IDs
  • V-238041
  • V-70895
Rule IDs
  • SV-238041r650690_rule
  • SV-85519
This policy setting allows users to run unsecure web add-in, which are add-ins that have web page or catalog locations that are not SSL-secured (https://), and are not in users' Internet zones. If you enable this policy setting, users can run unsecure apps. To enable specific unsecure web add-ins, you must also configure the Trusted Web add-in Catalog policy settings to trust the catalogs that contains those Add-ins. If you disable or do not configure this policy setting, unsecure web add-ins are not allowed.
Checks: C-41251r650688_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings -> Trust Center -> Trusted Catalogs "Allow Unsecure web add-ins and Catalogs" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\wef\trustedcatalogs Criteria: If the value requireserververification is REG_DWORD = 1, this is not a finding.

Fix: F-41210r650689_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings -> Trust Center -> Trusted Catalogs "Allow Unsecure web add-ins and Catalogs" to "Disabled".

b
The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
CM-6 - Medium - CCI-000366 - V-238042 - SV-238042r650693_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO416
Vuln IDs
  • V-238042
  • V-70897
Rule IDs
  • SV-238042r650693_rule
  • SV-85521
This policy setting configures Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If you enable this policy setting, Office Telemetry Agent obfuscates the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. If you disable or do not configure this policy setting, Office Telemetry Agent uploads telemetry data that shows the full file name, file path, and title of all Office documents.
Checks: C-41252r650691_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Telemetry Dashboard -> "Turn on privacy setting in Office Telemetry Agent" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\osm Criteria: If the value enablefileobfuscation is REG_DWORD = 1, this is not a finding.

Fix: F-41211r650692_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Telemetry Dashboard -> "Turn on privacy setting in Office Telemetry Agent" to "Enabled".

b
The ability to send personal information to Office must be disabled.
CM-6 - Medium - CCI-000366 - V-238043 - SV-238043r650696_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO601
Vuln IDs
  • V-238043
  • V-70899
Rule IDs
  • SV-238043r650696_rule
  • SV-85523
This policy setting controls whether users can send personal information to Office. When users choose to send information Office 2016 applications automatically send information to Office. If you enable this policy setting, users will opt into sending personal information to Office. If your organization has policies that govern the use of external resources, opting users into the program might cause them to violate these policies. If you disable this policy setting, Office 2016 users cannot send personal information to Office. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".
Checks: C-41253r650694_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Send personal information" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common Criteria: If the value sendcustomerdata is REG_DWORD = 0, this is not a finding.

Fix: F-41212r650695_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Send personal information" to "Disabled".