Microsoft InfoPath 2013 STIG

Rules, Groups, and Values defined within the XCCDF Benchmark

  • Disabling email forms from the Internet Security Zone must be configured.

    InfoPath email forms can be designed by an external attacker and sent over the Internet as part of a phishing attempt. Users might fill out such forms and provide sensitive information to the attac...
    Rule Medium Severity
  • DTOO171 - EMail forms in Restricted Security

    Group
  • DTOO159 - Fully trusted solutions access

    Group
  • Disabling of Fully Trusted Solutions access to computers must be configured.

    InfoPath users can choose whether to allow trusted forms to run on their computers. The Full Trust security level allows a form to access local system resources, such as COM components or files on ...
    Rule Medium Severity
  • DTOO158 - Solutions from the Internet Zone

    Group
  • Disabling the opening of solutions from the Internet Security Zone must be configured.

    Attackers could use InfoPath solutions published to Internet Web sites to try to obtain sensitive information from users. By default, users can open InfoPath solutions that do not contain managed c...
    Rule Medium Severity
  • DTOO168 - Sending templates with email form

    Group
  • DTOO170 - 2003 forms as email

    Group
  • InfoPath 2003 forms as email forms in InfoPath 2013 must be disallowed.

    An attacker might target InfoPath 2003 forms to try and compromise an organization's security. InfoPath 2003 did not write a published location for email forms, which means forms could open without...
    Rule Medium Severity
  • DTOO164 - Beaconing UI / forms opening

    Group
  • DTOO165 - Beaconing UI /forms opened Activex

    Group
  • Beaconing of UI forms with ActiveX controls must be enforced.

    InfoPath makes it possible to host InfoPath forms in other applications as ActiveX controls. Such controls are known as InfoPath form controls. A malicious user could insert a web beacon into one o...
    Rule Medium Severity
  • DTOO156 - Offline Mode Cache

    Group
  • Offline Mode capability to cache queries for offline mode must be configured.

    InfoPath can function in online mode or offline mode. It can also cache queries for use in offline mode. If offline mode is used and cached queries are enabled, sensitive information contained in t...
    Rule Medium Severity
  • DTOO160 - Unsafe File Attachments in InfoPath

    Group
  • DTOO127 - Add-ins are signed by Trusted Publisher

    Group
  • Add-ins to Office applications must be signed by a Trusted Publisher.

    Office 2013 applications do not check the digital signature on application add-ins before opening them. Disabling or not configuring this setting may allow an application to load a dangerous add-i...
    Rule Medium Severity
  • DTOO294 - E-mail forms from the Intranet

    Group
  • InfoPath must be enforced to not use email forms from the Intranet security zone.

    InfoPath email forms can be designed by an internal attacker and sent over the local intranet, and users might fill out such forms and provide sensitive information to the attacker. By default, for...
    Rule Medium Severity
  • DTOO295 - InfoPath e-mail forms in Outlook

    Group