diff --git a/CHANGELOG.md b/CHANGELOG.md index cf773810..3e4cffc2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## [Unreleased] +* Update Powerstig to parse/apply Microsoft Office System 2016 STIG - Ver 2, Rel 3 [#1352](https://github.com/microsoft/PowerStig/issues/1352) * Update Powerstig to parse/apply Microsoft Office 365 ProPlus STIG - Ver 2, Rel 12 [#1351](https://github.com/microsoft/PowerStig/issues/1351) * Update Powerstig to parse/apply Microsoft .Net Framework 4.0 STIG - Ver 2, Rel 4 [#1349](https://github.com/microsoft/PowerStig/issues/1349) * Update Powerstig to parse/apply U_MS_SQL_Server_2016_Instance_V2R12 [#1348](https://github.com/microsoft/PowerStig/issues/1348) diff --git a/source/StigData/Archive/Office/U_Microsoft_Office_System_2016_STIG_V2R1_Manual-xccdf.log b/source/StigData/Archive/Office/U_MS_Office_System_2016_STIG_V2R3_Manual-xccdf.log similarity index 100% rename from source/StigData/Archive/Office/U_Microsoft_Office_System_2016_STIG_V2R1_Manual-xccdf.log rename to source/StigData/Archive/Office/U_MS_Office_System_2016_STIG_V2R3_Manual-xccdf.log diff --git a/source/StigData/Archive/Office/U_Microsoft_Office_System_2016_STIG_V2R1_Manual-xccdf.xml b/source/StigData/Archive/Office/U_MS_Office_System_2016_STIG_V2R3_Manual-xccdf.xml similarity index 94% rename from source/StigData/Archive/Office/U_Microsoft_Office_System_2016_STIG_V2R1_Manual-xccdf.xml rename to source/StigData/Archive/Office/U_MS_Office_System_2016_STIG_V2R3_Manual-xccdf.xml index 6496a4e8..3acc4d68 100644 --- a/source/StigData/Archive/Office/U_Microsoft_Office_System_2016_STIG_V2R1_Manual-xccdf.xml +++ b/source/StigData/Archive/Office/U_MS_Office_System_2016_STIG_V2R3_Manual-xccdf.xml @@ -1,4 +1,4 @@ -acceptedMicrosoft Office System 2016 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 1 Benchmark Date: 23 Jul 20213.2.2.360791.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000516<GroupDescription></GroupDescription>DTOO182The Help Improve Proofing Tools feature for Office must be configured. +<?xml version="1.0" encoding="utf-8"?><?xml-stylesheet type='text/xsl' href='STIG_unclass.xsl'?><Benchmark xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:cpe="http://cpe.mitre.org/language/2.0" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 http://nvd.nist.gov/schema/xccdf-1.1.4.xsd http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd" id="Microsoft_Office_System_2016" xml:lang="en" xmlns="http://checklists.nist.gov/xccdf/1.1"><status date="2024-02-21">accepted</status><title>Microsoft Office System 2016 Security Technical Implementation GuideThis Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.DISASTIG.DOD.MILRelease: 3 Benchmark Date: 24 Apr 20243.4.1.229161.10.02I - Mission Critical Classified<ProfileDescription></ProfileDescription>I - Mission Critical Public<ProfileDescription></ProfileDescription>I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>II - Mission Support Classified<ProfileDescription></ProfileDescription>II - Mission Support Public<ProfileDescription></ProfileDescription>II - Mission Support Sensitive<ProfileDescription></ProfileDescription>III - Administrative Classified<ProfileDescription></ProfileDescription>III - Administrative Public<ProfileDescription></ProfileDescription>III - Administrative Sensitive<ProfileDescription></ProfileDescription>SRG-APP-000516<GroupDescription></GroupDescription>DTOO182The Help Improve Proofing Tools feature for Office must be configured. <VulnDiscussion>This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies. If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85479V-70855CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Tools \ Options \ Spelling -> Proofing Data Collection "Improve Proofing Tools" to "Disabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Tools \ Options \ Spelling -> Proofing Data Collection "Improve Proofing Tools" is set to "Disabled". @@ -6,7 +6,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\ptwatson -Criteria: If the value PTWOptIn is REG_DWORD = 0, this is not a finding.SRG-APP-000207<GroupDescription></GroupDescription>DTOO186Trust Bar notifications for Security messages must be enforced. +Criteria: If the value PTWOptIn is REG_DWORD = 0, this is not a finding.</check-content></check></Rule></Group><Group id="V-238025"><title>SRG-APP-000207<GroupDescription></GroupDescription>DTOO186Trust Bar notifications for Security messages must be enforced. <VulnDiscussion>This policy setting controls whether Office 2016 applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the top of the active window. The Message Bar informs the users about the nature of the security issue and, in some cases, provides the users with an option to enable the potentially unsafe feature or content, which could harm the user's computer. If you enable this policy setting, Office 2016 applications do not display information in the Message Bar about potentially unsafe content that has been detected or has automatically been blocked. If you disable this policy setting, Office 2016 applications display information in the Message Bar about content that has automatically been blocked. If you do not configure this policy setting, if an Office 2016 application detects a security issue, the Message Bar is displayed. However, this configuration can be modified by users in the Trust Center.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85483V-70859CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Disable all Trust Bar notifications for security issues" to "Disabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Disable all Trust Bar notifications for security issues" is set to "Disabled". @@ -14,7 +14,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\trustcenter -Criteria: If the value TrustBar is REG_DWORD = 0, this is not a finding.SRG-APP-000429<GroupDescription></GroupDescription>DTOO187Rights managed Office Open XML files must be protected. +Criteria: If the value TrustBar is REG_DWORD = 0, this is not a finding.</check-content></check></Rule></Group><Group id="V-238026"><title>SRG-APP-000429<GroupDescription></GroupDescription>DTOO187Rights managed Office Open XML files must be protected. <VulnDiscussion>This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint, and Word encrypt metadata stored in rights-managed Office Open XML files and override any configuration changes on users' computers. If you disable this policy setting, Office 2016 applications cannot encrypt metadata in rights-managed Office Open XML files, which can reduce security. If you do not configure this policy setting, when Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85485V-70861CCI-002476Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Protect document metadata for rights managed Office Open XML Files" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Protect document metadata for rights managed Office Open XML Files" is set to "Enabled". @@ -22,7 +22,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security -Criteria: If the value DRMEncryptProperty is REG_DWORD = 1, this is not a finding.SRG-APP-000231<GroupDescription></GroupDescription>DTOO188Document metadata for password protected files must be protected. +Criteria: If the value DRMEncryptProperty is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238027"><title>SRG-APP-000231<GroupDescription></GroupDescription>DTOO188Document metadata for password protected files must be protected. <VulnDiscussion>This policy setting determines whether metadata is encrypted when an Office Open XML file is password protected. If you enable this policy setting, Excel 2016, PowerPoint 2016, and Word 2016 encrypt metadata stored in password-protected Office Open XML files and override any configuration changes on users' computers. If you disable this policy setting, Office 2016 applications cannot encrypt metadata in password-protected Office Open XML files, which can reduce security. If you do not configure this policy setting, when an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85487V-70863CCI-001199Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Protect document metadata for password protected files" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Protect document metadata for password protected files" is set to "Enabled". @@ -30,7 +30,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security -Criteria: If the value OpenXMLEncryptProperty is REG_DWORD = 1, this is not a finding.SRG-APP-000231<GroupDescription></GroupDescription>DTOO189The encryption type for password protected Open XML files must be set. +Criteria: If the value OpenXMLEncryptProperty is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238028"><title>SRG-APP-000231<GroupDescription></GroupDescription>DTOO189The encryption type for password protected Open XML files must be set. <VulnDiscussion>This policy setting allows you to specify an encryption type for Office Open XML files. If you enable this policy setting, you can specify the type of encryption that Office applications use to encrypt password-protected files in the Office Open XML file formats used by Excel, PowerPoint, and Word. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer. Specify the encryption type to use by entering it in the provided text box in the following form:<Encryption Provider>,<Encryption Algorithm>,<Encryption Key Length>For example: Microsoft Enhanced Cryptographic Provider v1.0,RC4,128. If you disable or do not configure this policy setting, the default CSP is used. The default cryptographic service provider (CSP) is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit.Note: This policy setting does not take effect unless the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<office application name>\Security\Crypto\CompatMode is set to 0. By default the CompatMode registry key is set to 1.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85489V-70865CCI-001199Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encryption type for password protected Office Open XML files" to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encryption type for password protected Office Open XML files" is set to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)". @@ -38,7 +38,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security -Criteria: If the value OpenXMLEncryption is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.SRG-APP-000231<GroupDescription></GroupDescription>DTOO190The encryption type for password protected Office 97 thru Office 2003 must be set. +Criteria: If the value OpenXMLEncryption is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.</check-content></check></Rule></Group><Group id="V-238029"><title>SRG-APP-000231<GroupDescription></GroupDescription>DTOO190The encryption type for password protected Office 97 thru Office 2003 must be set. <VulnDiscussion>This policy setting enables you to specify an encryption type for password-protected Office 97-2003 files. If you enable this policy setting, you can specify the type of encryption that Office applications will use to encrypt password-protected files in the older Office 97-2003 file formats. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer. Specify the encryption type to use by entering it in the provided text box in the following form:<Encryption Provider>,<Encryption Algorithm>,<Encryption Key Length>.For example, Microsoft Enhanced Cryptographic Provider v1.0,RC4,128. If you do not configure this policy setting, Excel, PowerPoint, and Word use Office 97/2000 Compatible encryption, a proprietary encryption method, to encrypt password-protected Office 97-2003 files.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85491V-70867CCI-001199Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encryption type for password protected Office 97-2003 files" to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encryption type for password protected Office 97-2003 files" is set to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)". @@ -46,7 +46,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security -Criteria: If the value DefaultEncryption12 is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.SRG-APP-000488<GroupDescription></GroupDescription>DTOO191ActiveX control initialization must be disabled. +Criteria: If the value DefaultEncryption12 is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.</check-content></check></Rule></Group><Group id="V-238030"><title>SRG-APP-000488<GroupDescription></GroupDescription>DTOO191ActiveX control initialization must be disabled. <VulnDiscussion>This policy setting specifies the Microsoft ActiveX« initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer--or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. If you enable this policy setting, you can set the ActiveX security level to a number between 1 and 6. These security levels are as follows: 1 - Regardless of how the control is marked, load it and use the persisted values (if any). This setting does not prompt the user. 2 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, load in unsafe mode with persisted values (if any), or use the default (first-time initialization) settings. This level is similar to the default configuration, but does not prompt the user. 3 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 4 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 5 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. 6 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. If you disable or do not configure this policy setting, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond. Important - Some ActiveX controls do not respect the safe mode registry setting, and therefore might load persisted data even though you configure this setting to instruct the control to use safe mode. This setting only increases security for ActiveX controls that are accurately marked as SFI. In situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately marked as SFI.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85493V-70869CCI-002460Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "ActiveX Control Initialization" to "Disabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "ActiveX Control Initialization" is set to "Disabled". @@ -55,13 +55,15 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Security Criteria: If the value UFIControls exists, this is a finding. -SRG-APP-000207<GroupDescription></GroupDescription>DTOO192Load controls in forms3 must be disabled from loading.<VulnDiscussion>This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85495V-70871CCI-001662Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Load Controls in Forms3" to "Disabled". -Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Load Controls in Forms3" is set to Enabled and 1 from drop-down menu. -(For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration.) +SRG-APP-000207<GroupDescription></GroupDescription>DTOO192Load controls in forms3 must be disabled from loading.<VulnDiscussion>This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85495V-70871CCI-001662Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Load Controls in Forms3" to "Enabled" and 1 from the drop-down menu, or set it to "Disabled". +Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Load Controls in Forms3" is set to Enabled and 1 from drop-down menu. +(For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration.) Setting "Load Controls in Forms3" to disabled is also acceptable. + Use the Windows Registry Editor to navigate to the following key: -HKCU\keycupoliciesmsvbasecurity -If the value LoadControlsInForms is REG_DWORD=1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO193Automation Security to enforce macro level security in Office documents must be configured. + +HKCU\software\policies\microsoft\vba\security + +If the value for "LoadControlsInForms3" does not exist or if the value for "LoadControlsInForms" is REG_DWORD=1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238032"><title>SRG-APP-000210<GroupDescription></GroupDescription>DTOO193Automation Security to enforce macro level security in Office documents must be configured. <VulnDiscussion>This policy setting controls whether macros can run in an Office 2016 application that is opened programmatically by another application. If you enable this policy setting, you can choose from three options for controlling macro behavior in Excel, PowerPoint, and Word when the application is opened programmatically: - Disable macros by default - All macros are disabled in the programmatically opened application. - Macros enabled (default) - Macros can run in the programmatically opened application. This option enforces the default configuration in Excel, PowerPoint, and Word. - User application macro security level - Macro functionality is determined by the setting in the "Macro Settings" section of the Trust Center. If you disable or do not configure this policy setting, when a separate program is used to launch Microsoft Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85497V-70873CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Automation Security" to "Enabled (Use application macro security level)". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Automation Security" is set to "Enabled (Use application macro security level)". @@ -69,7 +71,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Security -Criteria: If the value AutomationSecurity is REG_DWORD = 2, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO196A mix of policy and user locations for Office Products must be disallowed. +Criteria: If the value AutomationSecurity is REG_DWORD = 2, this is not a finding.</check-content></check></Rule></Group><Group id="V-238033"><title>SRG-APP-000516<GroupDescription></GroupDescription>DTOO196A mix of policy and user locations for Office Products must be disallowed. <VulnDiscussion>This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enable this policy setting, users can specify any location as a trusted location, and a computer can have a combination of user-created, OCT-created, and Group Policy-created trusted locations. If you disable this policy setting, all trusted locations that are not created by Group Policy are disabled and users cannot create new trusted locations in the Trust Center. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled. Note - InfoPath 2016 and Outlook 2016 do not recognize trusted locations, and therefore are unaffected by this policy setting.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85499V-70875CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings -> Trust Center "Allow mix of policy and user locations" to "Disabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings -> Trust Center "Allow mix of policy and user locations" is set to "Disabled". @@ -78,7 +80,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security\trusted locations -Criteria: If the value Allow User Locations is REG_DWORD = 0, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO197Smart Documents use of Manifests in Office must be disallowed. +Criteria: If the value Allow User Locations is REG_DWORD = 0, this is not a finding.</check-content></check></Rule></Group><Group id="V-238034"><title>SRG-APP-000516<GroupDescription></GroupDescription>DTOO197Smart Documents use of Manifests in Office must be disallowed. <VulnDiscussion>This policy setting controls whether Office 2016 applications can load an XML expansion pack manifest file with a Smart Document. An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. You package one or more components that provide the logic needed for a Smart Document by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files. The key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, you specify the locations of all files that make up the XML expansion pack, as well as information that instructs Office 2016 how to set up the files for your Smart Document. The XML expansion pack can also contain information about how to set up some files, such as how to install and register a COM object required by the XML expansion pack. If you enable this policy setting, Office 2016 applications cannot load XML expansion packs with Smart Documents. If you disable or do not configure this policy setting, Office 2016 applications can load an XML expansion pack manifest file with a Smart Document.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85501V-70877CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" is set to "Enabled". @@ -86,14 +88,14 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\Common\Smart Tag -Criteria: If the value NeverLoadManifests is REG_DWORD = 1, this is not a finding.SRG-APP-000340<GroupDescription></GroupDescription>DTOO201Connection verification of permissions must be enforced.<VulnDiscussion>This policy setting controls whether users are required to connect to the Internet or a local network to have their licenses confirmed every time they attempt to open Excel workbooks, InfoPath forms or templates, Outlook e-mail messages, PowerPoint presentations, or Word documents that are protected by Information Rights Management (IRM). This policy is useful if you want to log the usage of files with restricted permissions on the server. If you enable this policy setting, users are required to connect to verify permissions. This policy setting will only affect protected files created on machines where the policy is enabled. If you disable or do not configure this policy setting, users are not required to connect to the network to verify permissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85505V-70881CCI-002235Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Manage Restricted Permissions "Always require users to connect to verify permission" to "Enabled". +Criteria: If the value NeverLoadManifests is REG_DWORD = 1, this is not a finding.SRG-APP-000340<GroupDescription></GroupDescription>DTOO201Connection verification of permissions must be enforced.<VulnDiscussion>This policy setting controls whether users are required to connect to the Internet or a local network to have their licenses confirmed every time they attempt to open Excel workbooks, InfoPath forms or templates, Outlook e-mail messages, PowerPoint presentations, or Word documents that are protected by Information Rights Management (IRM). This policy is useful if you want to log the usage of files with restricted permissions on the server. If you enable this policy setting, users are required to connect to verify permissions. This policy setting will only affect protected files created on machines where the policy is enabled. If you disable or do not configure this policy setting, users are not required to connect to the network to verify permissions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85505V-70881CCI-002235Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Manage Restricted Permissions "Always require users to connect to verify permission" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Manage Restricted Permissions "Always require users to connect to verify permission" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\drm -Criteria: If the value RequireConnection is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO206Inclusion of document properties for PDF and XPS output must be disallowed. +Criteria: If the value RequireConnection is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238036"><title>SRG-APP-000516<GroupDescription></GroupDescription>DTOO206Inclusion of document properties for PDF and XPS output must be disallowed. <VulnDiscussion>This policy setting controls whether document metadata can be saved in PDF and XPS documents. If you enable this policy setting, document properties metadata is not exported to PDF and XPS files. If you disable this policy setting, document properties metadata will always be saved with PDF and XPS files, and users will not be able to override this configuration. If you do not configure this policy setting, if the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs add-in is installed, document properties are saved as metadata when users save files using the PDF or XPS or Publish as PDF or XPS commands in Access, Excel, InfoPath, PowerPoint, and Word, unless the "Document properties" option is unchecked in the Options dialog.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85507V-70883CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" is set to "Enabled". @@ -101,7 +103,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\fixedformat -Criteria: If the value DisableFixedFormatDocProperties is REG_DWORD = 1, this is not a finding.SRG-APP-000429<GroupDescription></GroupDescription>DTOO321Encrypt document properties must be configured for OLE documents. +Criteria: If the value DisableFixedFormatDocProperties is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238037"><title>SRG-APP-000429<GroupDescription></GroupDescription>DTOO321Encrypt document properties must be configured for OLE documents. <VulnDiscussion>This policy setting allows you configure if the document properties are encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. If you enable this policy setting, the document properties will be encrypted. If you disable or do not configure this policy setting, the document properties will not be encrypted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85509V-70885CCI-002476Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encrypt document properties" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings "Encrypt document properties" is set to "Enabled". @@ -109,7 +111,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\common\security -Criteria: If the value EncryptDocProps is REG_DWORD = 1, this is not a finding.SRG-APP-000141<GroupDescription></GroupDescription>DTOO408Office Presentation Service must be removed as an option for presenting PowerPoint and Word online. +Criteria: If the value EncryptDocProps is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238038"><title>SRG-APP-000141<GroupDescription></GroupDescription>DTOO408Office Presentation Service must be removed as an option for presenting PowerPoint and Word online. <VulnDiscussion>This policy setting allows you to remove Office Presentation Service from the list of online presentation services in PowerPoint and Word. This list appears when a user selects Present Online from the Share tab in Backstage view and in the ribbon in PowerPoint. If you enable this policy setting, Office Presentation Service is not shown as an option for presenting online. If you disable or do not configure this policy setting, users can select Office Presentation Service to present their PowerPoint or Word file to other users online.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85513V-70889CCI-000381Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Present Online -> "Remove Office Presentation Service from the list of online presentation services in PowerPoint and Word" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Present Online -> "Remove Office Presentation Service from the list of online presentation services in PowerPoint and Word" is set to "Enabled". @@ -117,7 +119,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\broadcast -Criteria: If the value disabledefaultservice is REG_DWORD = 1, this is not a finding.SRG-APP-000210<GroupDescription></GroupDescription>DTOO409The ability to create an online presentation programmatically must be disabled. +Criteria: If the value disabledefaultservice is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238039"><title>SRG-APP-000210<GroupDescription></GroupDescription>DTOO409The ability to create an online presentation programmatically must be disabled. <VulnDiscussion>This policy setting allows you to restrict the ability to create an online presentation programmatically in PowerPoint and Word. If you enable this policy setting, an online presentation cannot be created programmatically. If you disable or do not configure this policy setting, an online presentation can be created programmatically.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85515V-70891CCI-001170Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Present Online -> "Restrict programmatic access for creating online presentations in PowerPoint and Word" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Present Online -> "Restrict programmatic access for creating online presentations in PowerPoint and Word" is set to "Enabled". @@ -125,15 +127,15 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\broadcast -Criteria: If the value disableprogrammaticaccess is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO410When using the Office Feedback tool, the ability to include a screenshot must be disabled. -<VulnDiscussion>This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. If you enable this policy setting, the Office Feedback Tool will allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you disable this policy setting, the Office Feedback Tool will not allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85517V-70893CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Allow including screenshot with Office Feedback" to "Disabled". -Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Allow including screenshot with Office Feedback" is set to "Disabled". +Criteria: If the value disableprogrammaticaccess is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO410When using the Office Feedback tool, the ability to include a screenshot must be disabled. +<VulnDiscussion>This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. If you enable this policy setting, the Office Feedback Tool will allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you disable this policy setting, the Office Feedback Tool will not allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85517V-70893CCI-000366Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow users to include screenshots and attachments when they submit feedback to Microsoft" to "Disabled". +Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow users to include screenshots and attachments when they submit feedback to Microsoft" is set to "Disabled". -Procedure: Use the Windows Registry Editor to navigate to the following key: +Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\feedback -Criteria: If the value includescreenshot is REG_DWORD = 0, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO412The ability to run unsecure Office web add-ins and Catalogs must be disabled. +If the value "includescreenshot" is "REG_DWORD = 0", this is not a finding.</check-content></check></Rule></Group><Group id="V-238041"><title>SRG-APP-000516<GroupDescription></GroupDescription>DTOO412The ability to run unsecure Office web add-ins and Catalogs must be disabled. <VulnDiscussion>This policy setting allows users to run unsecure web add-in, which are add-ins that have web page or catalog locations that are not SSL-secured (https://), and are not in users' Internet zones. If you enable this policy setting, users can run unsecure apps. To enable specific unsecure web add-ins, you must also configure the Trusted Web add-in Catalog policy settings to trust the catalogs that contains those Add-ins. If you disable or do not configure this policy setting, unsecure web add-ins are not allowed.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85519V-70895CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings -> Trust Center -> Trusted Catalogs "Allow Unsecure web add-ins and Catalogs" to "Disabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Security Settings -> Trust Center -> Trusted Catalogs "Allow Unsecure web add-ins and Catalogs" is set to "Disabled". @@ -141,7 +143,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\wef\trustedcatalogs -Criteria: If the value requireserververification is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO416The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. +Criteria: If the value requireserververification is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238042"><title>SRG-APP-000516<GroupDescription></GroupDescription>DTOO416The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. <VulnDiscussion>This policy setting configures Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If you enable this policy setting, Office Telemetry Agent obfuscates the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. If you disable or do not configure this policy setting, Office Telemetry Agent uploads telemetry data that shows the full file name, file path, and title of all Office documents.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85521V-70897CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Telemetry Dashboard -> "Turn on privacy setting in Office Telemetry Agent" to "Enabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Telemetry Dashboard -> "Turn on privacy setting in Office Telemetry Agent" is set to "Enabled". @@ -149,7 +151,7 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\osm -Criteria: If the value enablefileobfuscation is REG_DWORD = 1, this is not a finding.SRG-APP-000516<GroupDescription></GroupDescription>DTOO601The ability to send personal information to Office must be disabled. +Criteria: If the value enablefileobfuscation is REG_DWORD = 1, this is not a finding.</check-content></check></Rule></Group><Group id="V-238043"><title>SRG-APP-000516<GroupDescription></GroupDescription>DTOO601The ability to send personal information to Office must be disabled. <VulnDiscussion>This policy setting controls whether users can send personal information to Office. When users choose to send information Office 2016 applications automatically send information to Office. If you enable this policy setting, users will opt into sending personal information to Office. If your organization has policies that govern the use of external resources, opting users into the program might cause them to violate these policies. If you disable this policy setting, Office 2016 users cannot send personal information to Office. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Microsoft Office System 2016DISADPMS TargetMicrosoft Office System 20165310SV-85523V-70899CCI-000366Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Send personal information" to "Disabled". Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Send personal information" is set to "Disabled". @@ -157,4 +159,4 @@ Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common -Criteria: If the value sendcustomerdata is REG_DWORD = 0, this is not a finding. +Criteria: If the value sendcustomerdata is REG_DWORD = 0, this is not a finding. \ No newline at end of file diff --git a/source/StigData/Processed/Office-System2016-2.1.org.default.xml b/source/StigData/Processed/Office-System2016-2.3.org.default.xml similarity index 84% rename from source/StigData/Processed/Office-System2016-2.1.org.default.xml rename to source/StigData/Processed/Office-System2016-2.3.org.default.xml index 12bbd754..6517d514 100644 --- a/source/StigData/Processed/Office-System2016-2.1.org.default.xml +++ b/source/StigData/Processed/Office-System2016-2.3.org.default.xml @@ -5,4 +5,4 @@ Each setting in this file is linked by STIG ID and the valid range is in an associated comment. --> - + diff --git a/source/StigData/Processed/Office-System2016-2.1.xml b/source/StigData/Processed/Office-System2016-2.3.xml similarity index 96% rename from source/StigData/Processed/Office-System2016-2.1.xml rename to source/StigData/Processed/Office-System2016-2.3.xml index 4a9739ce..b227eab6 100644 --- a/source/StigData/Processed/Office-System2016-2.1.xml +++ b/source/StigData/Processed/Office-System2016-2.3.xml @@ -1,4 +1,4 @@ - + <VulnDiscussion>This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies. If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> @@ -163,8 +163,7 @@ Criteria: If the value UFIControls exists, this is a finding. String - <VulnDiscussion>This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Present False @@ -172,18 +171,20 @@ Criteria: If the value UFIControls exists, this is a finding. V-70871.a False - Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Load Controls in Forms3" is set to Enabled and 1 from drop-down menu. -(For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration.) + Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Load Controls in Forms3" is set to Enabled and 1 from drop-down menu. +(For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration.) Setting "Load Controls in Forms3" to disabled is also acceptable. + Use the Windows Registry Editor to navigate to the following key: -HKCU\keycupoliciesmsvbasecurity -If the value LoadControlsInForms is REG_DWORD=1, this is not a finding. + +HKCU\software\policies\microsoft\vba\security + +If the value for "LoadControlsInForms3" does not exist or if the value for "LoadControlsInForms" is REG_DWORD=1, this is not a finding. **del.loadcontrolsinforms String - <VulnDiscussion>This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1. -</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> + <VulnDiscussion>This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> Absent False @@ -191,11 +192,14 @@ If the value LoadControlsInForms is REG_DWORD=1, this is not a finding.V-70871.b False - Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Load Controls in Forms3" is set to Enabled and 1 from drop-down menu. -(For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration.) + Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings "Load Controls in Forms3" is set to Enabled and 1 from drop-down menu. +(For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration.) Setting "Load Controls in Forms3" to disabled is also acceptable. + Use the Windows Registry Editor to navigate to the following key: -HKCU\keycupoliciesmsvbasecurity -If the value LoadControlsInForms is REG_DWORD=1, this is not a finding. + +HKCU\software\policies\microsoft\vba\security + +If the value for "LoadControlsInForms3" does not exist or if the value for "LoadControlsInForms" is REG_DWORD=1, this is not a finding. loadcontrolsinforms String @@ -370,13 +374,13 @@ Criteria: If the value disableprogrammaticaccess is REG_DWORD = 1, this is not a V-70893 False - Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2016 -> Privacy -> Trust Center -> "Allow including screenshot with Office Feedback" is set to "Disabled". + Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Privacy >> Trust Center >> "Allow users to include screenshots and attachments when they submit feedback to Microsoft" is set to "Disabled". -Procedure: Use the Windows Registry Editor to navigate to the following key: +Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\16.0\common\feedback -Criteria: If the value includescreenshot is REG_DWORD = 0, this is not a finding. +If the value "includescreenshot" is "REG_DWORD = 0", this is not a finding. 0 includescreenshot Dword