Microsoft Office System 2013 Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000033

    Group
  • Office client polling of SharePoint servers published links must be disabled.

    Users of Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications. Administrators configure published links to Office applications during initia...
    Rule Medium Severity
  • The Help Improve Proofing Tools feature for Office must be configured.

    The "Help Improve Proofing Tools" feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature s...
    Rule Medium Severity
  • Smart Documents use of Manifests in Office must be disallowed.

    An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. One or more components that provide the logic needed for a Smart Document are packaged by using an X...
    Rule Medium Severity
  • External Signature Services Menu for Office must be suppressed.

    Users can select Add Signature Services (from the Signature Line drop-down menu on the Insert tab of the Ribbon in Excel 2013, PowerPoint 2013, and Word 2013) to see a list of signature service pro...
    Rule Medium Severity
  • The Enable Updates and Disable Updates options in the UI must be hidden from users.

    This policy setting allows the user interface (UI) options to enable or disable Office automatic updates to be hidden from users. These options are found in the Product Information area of all Offi...
    Rule Medium Severity
  • The Customer Experience Improvement Program for Office must be disabled.

    When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically send information to Microsoft about how the applications are used. This inf...
    Rule Medium Severity
  • The first-run prompt to sign into Office365 must be disabled.

    Office 365 functionality allows users to provide credentials for accessing Office 365 using either their Microsoft Account, or the user ID assigned by the organization. Access to Office 365 will no...
    Rule Medium Severity
  • Roaming settings must be stored locally and not synchronized to the Microsoft Office roaming settings web service.

    Microsoft Office includes the ability to roam settings for specific Office features amongst devices by storing this data in the cloud. This data includes user activity such as the list of most rece...
    Rule Medium Severity
  • The Office Telemetry Agent and Office applications must be configured to collect telemetry data.

    Office Telemetry is a new compatibility monitoring framework. When an Office document or solution is loaded, used, closed, or raises an error in certain Office 2013 applications, the Office Telemet...
    Rule Medium Severity
  • Automation Security to enforce macro level security in Office documents must be configured.

    When a separate program is used to launch Microsoft Office Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked. This fun...
    Rule Medium Severity
  • The encryption type for password protected Open XML files must be set.

    If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Microsoft Office application files can be encrypted and password...
    Rule Medium Severity
  • Passwords for secured documents must be enforced.

    If 2013 Office users add passwords to documents, other users can be prevented from opening the documents. This capability can provide an extra level of protection to documents already protected by ...
    Rule Medium Severity
  • Trust Bar notifications for Security messages must be enforced.

    The Message Bar in Office applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe...
    Rule Medium Severity
  • Users must be prevented from using or inserting apps that come from the Office Store.

    This policy setting allows users to be prevented from using or inserting apps that come from the Office Store. If this policy setting is enabled, apps from the Office Store are blocked. If this pol...
    Rule Medium Severity
  • Connection verification of permissions must be enforced.

    Users are not required to connect to the network to verify permissions. If users do not need their licenses confirmed when attempting to open Office documents, they might be able to access document...
    Rule Medium Severity
  • ActiveX control initialization must be disabled.

    ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX contr...
    Rule Medium Severity
  • Office automatic updates must be enabled for Office products installed via Click-to-Run and configured to use a Trusted site.

    This policy setting controls whether the Office automatic updates are enabled or disabled for all Office products installed via Click-to-Run. This policy has no effect on Office products installed ...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • SRG-APP-000516

    Group
  • A mix of policy and user locations for Office Products must be disallowed.

    When Microsoft Office files are opened from trusted locations, all the content in the files is enabled and active. Users are not notified about any potential risks that might be contained in the fi...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • SRG-APP-000516

    Group
  • Legacy format signatures must be enabled.

    Office applications use the XML-based XMLDSIG format to attach digital signatures to documents, including Office 97-2003 binary documents. XMLDSIG signatures are not recognized by Office 2003 appli...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • SRG-APP-000516

    Group
  • Inclusion of document properties for PDF and XPS output must be disallowed.

    If the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs is installed, document properties are saved as metadata when users save or publish files using the PDF or XPS commands in Ac...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • Blogging entries created from inside Office products must be configured for SharePoint only.

    The blogging feature in Office products enables users to compose blog entries and post them to their blogs directly from Office, without using any additional software. By default, users can post bl...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • SRG-APP-000516

    Group
  • When using the Office Feedback tool, the ability to include a screenshot must be disabled.

    The "Office Feedback" tool, also called "Send-a-Smile", allows a user to click on an icon and send feedback to Microsoft. The "Office Feedback" Tool must be configured to be disabled. In the event ...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • The ability to run unsecure Office apps must be disabled.

    Unsecure apps for Office, which are apps that have web page or catalog locations that are not SSL-secured (https://), and/or are not in users' Internet zones may allow data to be transmitted/access...
    Rule Medium Severity
  • SRG-APP-000516

    Group
  • The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder.

    This policy setting configures the Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If this policy setting is enabled, Office Telemetry...
    Rule Medium Severity
  • SRG-APP-000141

    Group
  • The Opt-In Wizard must be disabled.

    The Opt-in Wizard displays the first time users run a 2013 Microsoft Office application, which allows them to opt into Internet-based services that will help improve their Office experience, such a...
    Rule Medium Severity
  • SRG-APP-000141

    Group
  • SRG-APP-000141

    Group
  • Automatic receiving of small updates to improve reliability must be disallowed.

    Having access to updates, add-ins, and patches on the Office Online website can help users ensure computers are up to date and equipped with the latest security patches. However, to ensure updates ...
    Rule Medium Severity
  • SRG-APP-000141

    Group
  • The Internet Fax Feature must be disabled.

    Excel, PowerPoint, and Word users can use the Internet Fax feature to send documents to fax recipients through an Internet fax service provider. If your organization has policies that govern the ti...
    Rule Medium Severity
  • SRG-APP-000141

    Group
  • Online content options must be configured for offline content availability.

    The Office 2013 Help system automatically searches MicrosoftOffice.com for content when a computer is connected to the Internet. Users can change this default by clearing the Search Microsoft Offic...
    Rule Medium Severity
  • SRG-APP-000141

    Group
  • The video informing a user about signing into Office365 must be disabled.

    Office 365 is a subscription-based service which offers access to various Microsoft Office applications. Access to Office 365 will not be permitted; only locally installed and configured Office 20...
    Rule Medium Severity
  • SRG-APP-000141

    Group
  • SRG-APP-000141

    Group
  • The ability to sign into Office365 must be disabled.

    Office 2013 can be configured to prompt users for credentials to Office365 using either their Microsoft Account or the user ID assigned by an organization for accessing Office 365. Access to Offic...
    Rule Medium Severity