Microsoft Office System STIG
Compounding this problem is the fact that the vendors of software applications have not expended sufficient effort to provide strong security in their applications. Where applications do offer security options, the default settings typically do not provide a strong security posture. This checklist has been created for IT professionals, particularly Windows system administrators and information security personnel.

The document assumes that the reader has experience installing and administering applications on Windows-based systems in domain or standalone configurations. If the "Rely on VML for displaying graphics in browsers" check box in the Web Options dialog box is selected, applications will not save raster copies of VML graphics, which means those graphics will not display in non-Microsoft browsers. If an organization has policies that govern the use of external resources such as signature providers or Office Marketplace, allowing users to access the Add Signature Services menu item might enable them to violate those policies.

The Office Help system automatically searches Microsoft Office. Users can change this default by clearing the Search Microsoft Office. If an organization has policies that govern the use of external resources such as Office. The use of Offline Content for Non-DoD instances of O is prohibited, and it must not allow for personal account synchronization.

All non-DoD instances are subject to this requirement. This policy setting allows a document’s properties to be encrypted.

Disabling this setting will prevent the encryption of document properties, which may expose sensitive data. This policy setting controls whether the Office automatic updates are enabled or disabled for all Office products installed via Click-to-Run. This policy has no effect on Office products installed via Windows Installer. If this policy setting is enabled, Office periodically checks for updates. When updates are detected, Office downloads and applies them in the background.

If this policy setting is disabled, Office will not check for updates. Without automatic updates, fixes for vulnerabilities found within the Office products will not be applied, leaving those vulnerabilities exposed. If the registry key is missing, this is an Open finding. This setting is enabled by default and must be explicitly configured to be disabled. This policy setting allows the user interface (UI) options that enable or disable Office automatic updates to be hidden from users.

These options are found in the Product Information area of all Office applications installed via Click-to-Run. This policy setting has no effect on Office applications installed via Windows Installer. If this policy setting is enabled, the "Enable Updates" and "Disable Updates" options in the UI are hidden from users. If this policy setting is not configured, the "Enable Updates" and "Disable Updates" options are visible, and users can enable or disable Office automatic updates from the UI.

Office is a subscription-based service which offers access to various Microsoft Office applications. Access to Office will not be permitted; only locally installed and configured Office installations will be used. Since the ability to sign into Office will be disabled, this policy, which determines whether a video about signing into Office is played when Office first runs, will also be disabled.

Office functionality allows users to provide credentials for accessing Office using either their Microsoft Account, or the user ID assigned by the organization. Since the ability to sign into Office will be disabled, this policy, which determines whether the Office First Run comes up on first application boot if not previously viewed, will also be disabled.

Office can be configured to prompt users for credentials to Office using either their Microsoft Account or the user ID assigned by an organization for accessing Office. Access to Office will not be permitted, and only locally installed and configured Office installations will be used.

The ability to automatically bind a hyperlink to a screenshot inserted through the Insert Screenshot tool introduces the possibility of a malicious URL or website being embedded in the Word, PowerPoint, Excel or Outlook document. Disabling the hyperlink in those screenshots ensures users do not have the ability to directly open the hyperlinks.

OneDrive (formerly SkyDrive) is a cloud-based storage feature that introduces the capability for users to save documents to locations outside of protected enclaves.

This setting, which will prompt the user to sign in to OneDrive while performing a file save operation, must be disabled. The Office Presentation Service is a free, public service that allows others to follow along in a web browser.

By disabling this policy, the user will not have the ability to deliver a presentation online. Allowing online presentations to be created programmatically allows for the capability of malicious content to become embedded in those programmatically created presentations.

The "Office Feedback" tool, also called "Send-a-Smile", allows a user to click on an icon and send feedback to Microsoft. The "Office Feedback" tool must be configured to be disabled. In the event that the Office Feedback tool has not been configured correctly as disabled, this policy configures whether the uploading of screenshots via the tool is allowed and should also be disabled.

Applications used by DoD users should not be able to provide feedback to commercial vendors regarding their positive and negative experiences when using Office due to the potential of unintentionally revealing FOUO or other protected content. This policy setting allows users to be prevented from using or inserting apps that come from the Office Store. If this policy setting is enabled, apps from the Office Store are blocked.

If this policy setting is disabled or not configured, apps from the Office Store are allowed, unless the "Block Apps for Office" policy setting is enabled. Microsoft Office includes the ability to roam settings for specific Office features amongst devices by storing this data in the cloud. This data includes user activity such as the list of most recently used documents as well as user preferences such as the Office theme.

This policy setting controls whether this data is allowed to be stored in the cloud. If this policy setting is enabled, roaming settings are only stored locally and not synchronized to the Microsoft Office roaming settings web service. If this policy setting is disabled or not configured, roaming settings are synchronized with the Microsoft Office roaming settings web service and users can access their data from other devices. Existing data in the cloud is not affected by this policy.

Office Telemetry is a new compatibility monitoring framework. When an Office document or solution is loaded, used, closed, or raises an error in certain Office applications, the Office Telemetry application adds a record about the event to a local data store. Each record includes a description of the problem and a link to more information. Inventory and usage data is also tracked.

The actual logging capability will be enabled, but this policy allows that data to be uploaded to a remote location which, if enabled, could pass information about the internal network and configuration to that remote site. This policy setting configures the Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data.

If this policy setting is enabled, Office Telemetry Agent obfuscates the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. If this policy setting is disabled or not configured, the Office Telemetry Agent uploads telemetry data that shows the full file name, file path, and title of all Office documents. This policy setting allows the data collection features in Office that are used by the Office Telemetry Dashboard and Office Telemetry Log to be turned on.

If this policy setting is enabled, Office Telemetry Agent and Office applications will collect telemetry data, which includes Office application usage, most recently used Office documents including file names and solutions usage, compatibility issues, and critical errors that occur on the local computers.

Office Telemetry Dashboard can be used to view this data remotely, and users can use Office Telemetry Log to view this data on their local computers. If this policy setting is disabled or not configured, the Office Telemetry Agent and Office applications do not generate or collect telemetry data.

Version 1, Release 9. The requirements are derived from the NIST and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.

ActiveX control initialization must be disabled.
Discussion: ActiveX controls can adversely affect a computer directly.

A mix of policy and user locations for Office Products must be disallowed.
Discussion: When Microsoft Office files are opened from trusted locations, all the content in the files is enabled and active.

Blogging entries created from inside Office products must be configured for SharePoint only.
Discussion: The blogging feature in Office products enables users to compose blog entries and post them to their blogs directly from Office, without using any additional software.

Office must be configured to not allow read with browsers.
Discussion: The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the Office release to view, but not alter, files with restricted permissions.

Trust Bar notifications for Security messages must be enforced.

The nearly universal presence of systems on the desktops of all levels of staff provides tremendous opportunities for office automation, communication, data sharing, and collaboration. Unfortunately, this presence also brings about dependence and vulnerabilities. Malicious and mischievous forces have attempted to take advantage of the vulnerabilities and dependencies to disrupt the work processes of the Government.
Unsafe hyperlinks are links that might pose a security risk if users click them. Clicking an unsafe link could compromise the security of sensitive information or harm the computer. Other unsafe links are those using protocols considered to be unsafe, including msn, nntp, mms, outlook, and stssync.

If this metadata contains sensitive information, saving it with the file could compromise security. Excel, PowerPoint, and Word users can use the Internet Fax feature to send documents to fax recipients through an Internet fax service provider. If your organization has policies that govern the time, place, or manner in which faxes are sent, this feature could help users evade those policies.

By default, Office users can use the Internet Fax feature. The Opt-in Wizard displays the first time users run a Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such as Microsoft Update, the Customer Experience Improvement Program, Office Diagnostics, and Online Help.

If an organization has policies that govern the use of such external resources, allowing users to opt in to these services might cause them to violate the policies. If Office users add passwords to documents, other users can be prevented from opening the documents. This capability can provide an extra level of protection to documents already protected by access control lists, or provide a means of securing documents not protected by file-level security.

By default, users can add passwords to Excel workbooks, PowerPoint presentations, and Word documents from the Save or Save As dialog box by clicking Tools, clicking General Options, and entering appropriate passwords to open or modify the documents.

If this configuration is changed, the General Options dialog box for saving with a password will not be available for the user to password-protect their documents. One or more components that provide the logic needed for a Smart Document are packaged by using an XML expansion pack. By creating this file, the locations of all files that make up the XML expansion pack are specified, as well as information that instructs Office how to set up the files for the Smart Document. The XML expansion pack can also contain information about how to set up other files, such as how to install and register a COM object required by the XML expansion pack.

XML expansion packs can be used to initialize and load malicious code, which might affect the stability of a computer and lead to data loss. Users of Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications.

Administrators configure published links to Office applications during initial deployment, and can add or change links as part of regular operations. These links appear on the My SharePoint Sites tab of the Open, Save, and Save As dialog boxes when opening and saving documents from these applications.

Links can be targeted so that they only appear to users who are members of particular audiences. If a malicious person gains access to the list of published links, they could modify the links to point to unapproved sites, which could make sensitive data vulnerable to exposure.

Users are not required to connect to the network to verify permissions. If users do not need their licenses confirmed when attempting to open Office documents, they might be able to access documents after their licenses have been revoked.

Also, it is not possible to log the usage of files with restricted permissions if users' licenses are not confirmed. Having access to updates, add-ins, and patches on the Office Online website can help users ensure computers are up to date and equipped with the latest security patches.

However, to ensure updates are tested and applied in a consistent manner, many organizations prefer to roll out updates using a centralized mechanism such as Microsoft Systems Center or Windows Server Update Services. By default, users are allowed to download updates, add-ins, and patches from the Office Online Web site to keep their Office applications running smoothly and securely.

If an organization has policies that govern the use of external resources such as Office Online, allowing users to download updates might cause them to violate these policies. When a separate program is used to launch Microsoft Office Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked.

This functionality could allow an attacker to use automation to run malicious code in Excel, PowerPoint, or Word. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user’s computer, the effect could be significant.

To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers.

If a control is not marked SFI, the control could adversely affect a computer, or it could mean the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.

SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety is not important, but the control would still be safe for use in a Web page.

By default, when an Office document on a web server is opened using Internet Explorer, the appropriate application opens the file in read-only mode. Users could potentially make changes to documents and resave them in situations where the web server security is not configured to prevent such changes.

This setting controls whether Office users can change permissions for content that is protected with Information Rights Management (IRM). The Information Rights Management feature of Office allows individuals and administrators to specify access permissions to Word documents, Excel workbooks, PowerPoint presentations, InfoPath templates and forms, and Outlook email messages.

This functionality helps prevent sensitive information from being printed, forwarded, or copied by unauthorized people. When an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document’s contents.

If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people. This configuration could allow potentially sensitive information such as the document author and hyperlink references to be exposed to unauthorized individuals.

This policy setting controls whether users see a security warning when they open custom Document Information Panels that contain a web beaconing threat. Web beacons can be used to contact an

The "Help Improve Proofing Tools" feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature

Office files can save graphic files in Portable Network Graphics (PNG) format to improve the quality of the graphics when documents are saved as web pages. The PNG graphic file format.

The ability to create an online presentation programmatically must be disabled.
Document metadata for password protected files must be protected.
Online content options must be configured for offline content availability.
The Internet Fax Feature must be disabled.
Automatic receiving of small updates to improve reliability must be disallowed.
The Opt-In Wizard must be disabled.
When using the Office Feedback tool, the ability to include a screenshot must be disabled.
The ability to run unsecure Office apps must be disabled.
The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.
Legacy format signatures must be enabled.
External Signature Services Menu for Office must be suppressed.
Blogging entries created from inside Office products must be configured for SharePoint only.
Encrypt document properties must be configured for OLE documents.
Office automatic updates must be enabled for Office products installed via Click-to-Run and configured to use a Trusted site.
Automation Security to enforce macro level security in Office documents must be configured.
The Office Telemetry Agent and Office applications must be configured to collect telemetry data.
Documents must be configured to not open as Read Write when browsing.
Roaming settings must be stored locally and not synchronized to the Microsoft Office roaming settings web service.
The ability of the Office Telemetry Agent to periodically upload telemetry data to a shared folder must be disabled.
The encryption type for password protected Open XML files must be set.
The encryption type for password protected Office 97 thru Office must be set.
The prompt to save to OneDrive (formerly SkyDrive) must be disabled.
The ability to automatically hyperlink screenshots within Word, PowerPoint, Excel and Outlook must be disabled.
The ability to sign into Office must be disabled.
The first-run prompt to sign into Office must be disabled.
The video informing a user about signing into Office must be disabled.
A mix of policy and user locations for Office Products must be disallowed.
Document Information panel Beaconing must show UI.
Hyperlink warnings for Office must be configured for use.
Office client polling of SharePoint servers published links must be disabled.
Smart Documents use of Manifests in Office must be disallowed.
The Office Feedback tool must be disabled.
Trust Bar notifications for Security messages must be enforced.
Passwords for secured documents must be enforced.
Users must be prevented from using or inserting apps that come from the Office Store.
Load controls in forms3 must be disabled from loading.

Microsoft Office System STIG, Version 1, Release 8. Microsoft SQL Server Database STIG, Version 1, Release 4.