Word 2007 V4R13

b

Disable user name and password for Word.

Medium - V-17173 - SV-18180r1_rule

RMF Control

Severity

M

CCI

Version

DTOO104 - Word

Vuln IDs

V-17173

Rule IDs

SV-18180r1_rule

The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-17854r1_chk

If Office 2007 PRE SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Disable user name and password” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding. If Office 2007 SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Disable user name and password” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding.

Fix: F-16957r1_fix

The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Disable user name and password” will be set to “Enabled” and ‘winword.exe’ is checked. Note: In Office SP2 adm use, filtering in GPEDIT.MSC should have deselected any checks in "Only show configured policy settings" box, and "Only show policy settings that can be fully managed" box, in order to view the hive within the GP Console for policy use.

b

Enable IE Bind to Object functionality for instances of IE launched from Word.

Medium - V-17174 - SV-18187r1_rule

RMF Control

Severity

M

CCI

Version

DTOO111 - Word

Vuln IDs

V-17174

Rule IDs

SV-18187r1_rule

Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). A security risk could occur if potentially dangerous controls are allowed to load. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-17865r1_chk

If Office 2007 PRE SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Bind to Object” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding. If Office 2007 SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Bind to Object” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding.

Fix: F-16963r1_fix

The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Bind to Object” will be set to “Enabled” and ‘winword.exe’ is checked. Note: In Office SP2 adm use, filtering in GPEDIT.MSC should have deselected any checks in "Only show configured policy settings" box, and "Only show policy settings that can be fully managed" box, in order to view the hive within the GP Console for policy use.

b

Saved from URL - Word

Medium - V-17175 - SV-18202r1_rule

RMF Control

Severity

M

CCI

Version

DTOO117 - Word

Vuln IDs

V-17175

Rule IDs

SV-18202r1_rule

Typically, when Internet Explorer loads a Web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-17885r1_chk

If Office 2007 PRE SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Saved from URL” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding. If Office 2007 SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Saved from URL” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding.

Fix: F-17049r1_fix

The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Saved from URL” will be set to “Enabled” and ‘winword.exe’ is checked. Note: In Office SP2 adm use, filtering in GPEDIT.MSC should have deselected any checks in "Only show configured policy settings" box, and "Only show policy settings that can be fully managed" box, in order to view the hive within the GP Console for policy use.

b

Block navigation to URL embedded in Office products to protect against attack by malformed URL.

Medium - V-17183 - SV-18604r1_rule

RMF Control

Severity

M

CCI

Version

DTOO123 - Word

Vuln IDs

V-17183

Rule IDs

SV-18604r1_rule

To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18846r1_chk

If Office 2007 PRE SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Navigate URL” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding. If Office 2007 SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Navigate URL” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding.

Fix: F-17446r1_fix

The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Navigate URL” will be set to “Enabled” and ‘winword.exe’ is checked. Note: In Office SP2 adm use, filtering in GPEDIT.MSC should have deselected any checks in "Only show configured policy settings" box, and "Only show policy settings that can be fully managed" box, in order to view the hive within the GP Console for policy use.

b

Block pop-ups for links that invoke instances of IE from within Word.

Medium - V-17184 - SV-18212r1_rule

RMF Control

Severity

M

CCI

Version

DTOO129 - Word

Vuln IDs

V-17184

Rule IDs

SV-18212r1_rule

The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a Web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-17896r1_chk

If Office 2007 PRE SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Block popups” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding. If Office 2007 SP2: The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Block popups” will be set to “Enabled” and ‘winword.exe’ is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT Criteria: If the value winword.exe is REG_DWORD = 1, this is not a finding.

Fix: F-17057r1_fix

The policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2007 system (Machine) -> Security Settings -> IE Security “Block popups” will be set to “Enabled” and ‘winword.exe’ is checked. Note: In Office SP2 adm use, filtering in GPEDIT.MSC should have deselected any checks in "Only show configured policy settings" box, and "Only show policy settings that can be fully managed" box, in order to view the hive within the GP Console for policy use.

b

Disable Trust Bar Notification for unsigned application add-ins - Word

Medium - V-17187 - SV-18223r1_rule

RMF Control

Severity

M

CCI

Version

DTOO131 - Word

Vuln IDs

V-17187

Rule IDs

SV-18223r1_rule

By default, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-17916r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center “Disable Trust Bar Notification for unsigned application add-ins” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security Criteria: If the value NoTBPromptUnsignedAddin is REG_DWORD = 1, this is not a finding.

Fix: F-17083r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center “Disable Trust Bar Notification for unsigned application add-ins” will be set to “Enabled”.

b

Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter - System

Medium - V-17322 - SV-18564r1_rule

RMF Control

Severity

M

CCI

Version

DTOO210 - Word

Vuln IDs

V-17322

Rule IDs

SV-18564r1_rule

The Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats enables users of Microsoft Word 2000, Word 2002, and Office Word 2003 to open files saved in the Office Open XML format used by Word 2007. Word Open XML files usually have the following extensions: • .docx • .docm • .dotx • .dotm • .xml By default, the Compatibility Pack does not open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of Word 2007. If this configuration is changed, through a registry modification or by some other mechanism, users with the Compatibility Pack installed can open files saved by some pre-release versions of Word, but not by others, which can lead to inconsistent file opening functionality. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18829r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Office 2007 Converters “Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock Criteria: If the value Word12BetaFilesFromConverters is REG_DWORD = 1, this is not a finding.

Fix: F-17427r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2007 system -> Office 2007 Converters “Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter” will be set to “Enabled”.

b

Disable all Trusted Locations.

Medium - V-17471 - SV-18531r1_rule

RMF Control

Severity

M

CCI

Version

DTOO133 - Word

Vuln IDs

V-17471

Rule IDs

SV-18531r1_rule

Trusted locations specified in the Trust Center are used to define file locations that are assumed to be safe. Content, code, and add-ins are allowed to load from trusted locations with a minimal amount of security, without prompting the users for permission. If a dangerous file is opened from a trusted location, it will not be subject to standard security measures and could harm users' computers or data. By default, files located in trusted locations (those specified in the Trust Center) are assumed to be safe. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18820r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center -> Trusted Locations “Disable all trusted locations” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations Criteria: If the value AllLocationsDisabled is REG_DWORD = 1, this is not a finding.

Fix: F-17412r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center -> Trusted Locations “Disable all trusted locations” will be set to “Enabled”.

b

Determine whether to force encrypted macros to be scanned in open XML documents.

Medium - V-17473 - SV-18536r1_rule

RMF Control

Severity

M

CCI

Version

DTOO142 - Word

Vuln IDs

V-17473

Rule IDs

SV-18536r1_rule

When an Office Open XML document (Word, Excel, Powerpoint) is rights-managed or password-protected, any macros that are embedded in the document are encrypted along with the rest of the contents. By default, these encrypted macros will be disabled unless they are scanned by antivirus software immediately before being loaded. If this default configuration is modified, Office 2007 products will not require encrypted macros to be scanned before loading. They will be handled as specified by the Office 2007 System macro security settings, which can cause macro viruses to load undetected and lead to data loss or reduced application functionality. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18823r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center “Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security Criteria: If the value WordBypassEncryptedMacroScan is REG_DWORD = 1, this is not a finding.

Fix: F-17415r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center “Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents” will be set to “Enabled”.

b

Disable feature that would block older version of office products from saving files to open XML formats.

Medium - V-17503 - SV-18576r1_rule

RMF Control

Severity

M

CCI

Version

DTOO155 - Word

Vuln IDs

V-17503

Rule IDs

SV-18576r1_rule

The Office Open XML format file types introduced in the 2007 Microsoft Office release offer a number of benefits compared with the previous binary file types supported in Office 2003, including the potential to reduce the effects of malicious code. Files can be identified as unable to run code, and will therefore ignore any embedded code. Also, any files that do have embedded code are easier to identify. For users who run older versions of these applications, Microsoft offers the Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats, which enables them to open and save Open XML files. The Compatibility Pack can be used with the following Microsoft Office programs: • Word 2000 with Service Pack 3, Excel 2000 with Service Pack 3, and PowerPoint 2000 with Service Pack 3 • Word 2002 with Service Pack 3, Excel 2002 with Service Pack 3, and PowerPoint 2002 with Service Pack 3 • Word 2003 with at least Service Pack 1, Excel 2003 with at least Service Pack 1, and PowerPoint 2003 with at least Service Pack 1 • Microsoft Office Word Viewer 2003 • Microsoft Office Excel Viewer 2003 • Microsoft Office PowerPoint Viewer 2003 If users cannot save files in Office Open XML format for some reason, they will be unable to take advantage of the security benefits of the new file types. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18832r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Block file formats -> Save “Block saving of Open XML file types” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock Criteria: If the value OpenXmlFiles is REG_DWORD = 0, this is not a finding.

Fix: F-17430r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Block file formats -> Save “Block saving of Open XML file types” will be set to “Disabled”.

b

Block opening of "open XML" format files created by pre-release versions of Word

Medium - V-17518 - SV-18591r1_rule

RMF Control

Severity

M

CCI

Version

DTOO153 - Word

Vuln IDs

V-17518

Rule IDs

SV-18591r1_rule

By default, users can open files that were saved in pre-release versions of the new Office Open XML format, which underwent some minor changes prior to the final release of Office 2007. Open XML files usually have the following extensions: • .xlsb • .xlsx • .xlsm • .xltx • .xltm • .xlam If a vulnerability is discovered that affects these kinds of files, you can use this setting to protect your organization against attacks by temporarily preventing users from opening files in these formats until a security patch is available. By default, these file types are not blocked in Office 2007 products. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18835r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Block file formats -> Open “Block opening of pre-release versions of file formats new to Word 2007” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock Criteria: If the value Word12BetaFiles is REG_DWORD = 1, this is not a finding.

Fix: F-17435r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Block file formats -> Open “Block opening of pre-release versions of file formats new to Word 2007” will be set to “Enabled”.

b

Block Opening of "Open XML" file types to prevent them automatically executing code.

Medium - V-17519 - SV-18593r1_rule

RMF Control

Severity

M

CCI

Version

DTOO154 - Word

Vuln IDs

V-17519

Rule IDs

SV-18593r1_rule

The Office Open XML format file types introduced in the 2007 Microsoft Office release offer a number of benefits compared to the previous binary file types supported in Office 2003, including the potential to reduce the effects of malicious code. Files can be identified as unable to run code, and will therefore ignore any embedded code. Also, any files that do have embedded code are easier to identify. If a vulnerability is discovered that affects Office Open XML files, you can use this setting to protect your organization against attacks by temporarily preventing users from opening files in these formats until a security patch is available. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18836r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Block file formats -> Open “Block opening of Open XML file types” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock Criteria: If the value OpenXmlFiles is REG_DWORD = 0, this is not a finding.

Fix: F-17436r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Block file formats -> Open “Block opening of Open XML file types” will be set to “Disabled”.

b

Disable settings for content and add-ins that "Allow trusted locations not on computer" that might bypass more stringent security checks.

Medium - V-17520 - SV-18600r1_rule

RMF Control

Severity

M

CCI

Version

DTOO134 - Word

Vuln IDs

V-17520

Rule IDs

SV-18600r1_rule

By default, files located in trusted locations and specified in the Trust Center are assumed to be safe. Content, code, and add-ins are allowed to load from trusted locations with minimal security and without prompting the user for permission. By default, users can specify trusted locations on network shares or in other remote locations that are not under their direct control by selecting the Allow Trusted Locations on my network (not recommended) check box in the Trusted Locations section of the Trust Center. If a dangerous file is opened from a trusted location, it will not be subject to typical security measures and could affect users' computers or data. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18842r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center -> Trusted Locations “Allow Trusted Locations not on the computer” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations Criteria: If the value AllowNetworkLocations is REG_DWORD = 0, this is not a finding

Fix: F-17442r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center -> Trusted Locations “Allow Trusted Locations not on the computer” will be set to “Disabled”.

b

Save files default format as backward compatible, not as XML.

Medium - V-17521 - SV-18608r1_rule

RMF Control

Severity

M

CCI

Version

DTOO139 - Word

Vuln IDs

V-17521

Rule IDs

SV-18608r1_rule

By default, Office 2007 producst save new workbooks in the Office Open XML format. For users who run prior versions of Office products, Microsoft offers the Microsoft Office Compatibility Pack, which enables these versions to open and save open XML format. If some users in your organization cannot install the Compatibility Pack, or are running other versions of Office products these users might not be able to access Excel files saved in the Open XML format.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18849r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Save "save files in this format" will be set to “Enabled (Word 97 - 2003 Document (*.doc)) or "Enabled (Word Document (.docx))”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Options Criteria: If the value DefaultFormat is REG_SZ = doc for Word 97 - 2003 .doc or If the value DefaultFormat is REG_SZ = (blank) for Word 2007 .docx, this is not a finding.

Fix: F-17449r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Save “save files in this format” will be set to “Enabled (Word 97 - 2003 Document (*.doc)) or "Enabled (Word Document (.docx))”.

b

Disable Trust access for VBA into Excel, Word, and PowerPoint.

Medium - V-17522 - SV-18612r1_rule

RMF Control

Severity

M

CCI

Version

DTOO146 - Word

Vuln IDs

V-17522

Rule IDs

SV-18612r1_rule

VSTO projects require access to the Visual Basic for Applications project system in Excel 2007, PowerPoint 2007, and Word 2007, even though the projects do not use Visual Basic for Applications. Design-time support of controls in both Visual Basic and C# projects depends on the Visual Basic for Applications project system in Word and Excel. By default, Excel, Word, and PowerPoint do not allow automation clients to have programmatic access to VBA projects. Users can enable this by selecting the Trust access to the VBA project object model in the Macro Settings section of the Trust Center. However, doing so allows macros in any documents the user opens to access the core Visual Basic objects, methods, and properties, which represents a potential security hazard. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18852r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center “Trust access to Visual Basic Project” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security Criteria: If the value AccessVBOM is REG_DWORD = 0, this is not a finding.

Fix: F-17452r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center “Trust access to Visual Basic Project” will be set to “Disabled”.

b

Enable Warning Bar settings for VBA macros contained in WordFiles.

Medium - V-17545 - SV-18636r2_rule

RMF Control

Severity

M

CCI

Version

DTOO304 - Word

Vuln IDs

V-17545

Rule IDs

SV-18636r2_rule

By default, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but users cannot use any disabled functionality until they enable it by clicking Options on the Trust Bar and selecting the appropriate action. If users enable dangerous macros, it could affect their computers or cause sensitive information to be compromised. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-18853r2_chk

NOTE: If VBA support is not installed, this check is Not Applicable. The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center “VBA Macro Warning Settings” will be set to “Enabled (Trust Bar warning for all macros)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Security Criteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.

Fix: F-17464r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security -> Trust Center “VBA Macro Warning Settings” will be set to “Enabled (Trust Bar warning for all macros)”.

b

Disable the feature to automatically update links when the document opens - Word.

Medium - V-17811 - SV-19048r1_rule

RMF Control

Severity

M

CCI

Version

DTOO302 - Word

Vuln IDs

V-17811

Rule IDs

SV-19048r1_rule

By default, when users open documents Word 2007 automatically updates any links to external content, such as graphics, Excel worksheets, and PowerPoint slides. To disable automatic updating, the user can click the Office Button, click Word Options, click Advanced, scroll to the General section, and then clear the Update automatic links at open check box. If Word is configured to automatically update links when documents are open, document content can change without the user's knowledge, which could put important information at risk. System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19090r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Advanced “Update automatic links at Open” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Options\vpref Criteria: If the value fNoCalcLinksOnOpen_90_1 is REG_DWORD = 1 this is not a finding.

Fix: F-17712r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Advanced “Update automatic links at Open” will be set to “Disabled”.

b

Enable the feature to warn before printing that the document contains tracking changes. - Word

Medium - V-17813 - SV-19052r1_rule

RMF Control

Severity

M

CCI

Version

DTOO303 - Word

Vuln IDs

V-17813

Rule IDs

SV-19052r1_rule

Warn before printing, saving or sending a file that contains tracked changes or comments.System AdministratorInformation Assurance OfficerECSC-1

Checks: C-19097r1_chk

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security “Warn before printing, saving or sending a file that contains tracked changes or comments” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Word\Options\vpref Criteria: If the value fWarnRevisions_1805_1 is REG_DWORD = 1 this is not a finding.

Fix: F-17714r1_fix

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Word 2007 -> Word Options -> Security “Warn before printing, saving or sending a file that contains tracked changes or comments” will be set to “Enabled”.

Checks: C-17854r1_chk

Fix: F-16957r1_fix

Generate Mitigation Statement:

Checks: C-17865r1_chk

Fix: F-16963r1_fix

Generate Mitigation Statement:

Checks: C-17885r1_chk

Fix: F-17049r1_fix

Generate Mitigation Statement:

Checks: C-18846r1_chk

Fix: F-17446r1_fix

Generate Mitigation Statement:

Checks: C-17896r1_chk

Fix: F-17057r1_fix

Generate Mitigation Statement:

Checks: C-17916r1_chk

Fix: F-17083r1_fix

Generate Mitigation Statement:

Checks: C-18829r1_chk

Fix: F-17427r1_fix

Generate Mitigation Statement:

Checks: C-18820r1_chk

Fix: F-17412r1_fix

Generate Mitigation Statement:

Checks: C-18823r1_chk

Fix: F-17415r1_fix

Generate Mitigation Statement:

Checks: C-18832r1_chk

Fix: F-17430r1_fix

Generate Mitigation Statement:

Checks: C-18835r1_chk

Fix: F-17435r1_fix

Generate Mitigation Statement:

Checks: C-18836r1_chk

Fix: F-17436r1_fix

Generate Mitigation Statement:

Checks: C-18842r1_chk

Fix: F-17442r1_fix

Generate Mitigation Statement:

Checks: C-18849r1_chk

Fix: F-17449r1_fix

Generate Mitigation Statement:

Checks: C-18852r1_chk

Fix: F-17452r1_fix

Generate Mitigation Statement:

Checks: C-18853r2_chk

Fix: F-17464r1_fix

Generate Mitigation Statement:

Checks: C-19090r1_chk

Fix: F-17712r1_fix

Generate Mitigation Statement:

Checks: C-19097r1_chk

Fix: F-17714r1_fix

Generate Mitigation Statement: