Microsoft Office 365 ProPlus Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
-
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
AutoRepublish warning alert in Excel must be enabled.
<VulnDiscussion>This policy setting allows administrators to disable the AutoRepublish feature in Excel. If users choose to publish Excel dat...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
File extensions must be enabled to match file types in Excel.
<VulnDiscussion>This policy setting controls how Excel loads file types that do not match their extension. Excel can load files with extensio...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
Scan of encrypted macros in Excel Open XML workbooks must be enabled.
<VulnDiscussion>This policy setting controls whether encrypted macros in Open XML workbooks be are required to be scanned with anti-virus sof...Rule Medium Severity -
SRG-APP-000112
<GroupDescription></GroupDescription>Group -
File validation in Excel must be enabled.
<VulnDiscussion>This policy setting allows you turn off the file validation feature. If you enable this policy setting, file validation will...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications.
<VulnDiscussion>This policy setting controls how Excel will warn users when WEBSERVICE functions are present. If you enable this policy sett...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
Macros must be blocked from running in Excel files from the Internet.
<VulnDiscussion>This policy setting allows you to block macros from running in Office files that come from the Internet. If you enable this ...Rule Medium Severity -
SRG-APP-000131
<GroupDescription></GroupDescription>Group -
Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
<VulnDiscussion>This policy setting controls whether the specified Office 2016 applications notify users when unsigned application add-ins ar...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
Untrusted Microsoft Query files must be blocked from opening in Excel.
<VulnDiscussion>This policy setting controls whether Microsoft Query files (.iqy, oqy, .dqy, and .rqy) in an untrusted location are prevented...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
Untrusted database files must be opened in Excel in Protected View mode.
<VulnDiscussion>This policy setting controls whether database files (.dbf) opened from an untrusted location are always opened in Protected V...Rule Medium Severity -
SRG-APP-000207
<GroupDescription></GroupDescription>Group -
Files from Internet zone must be opened in Excel in Protected View mode.
<VulnDiscussion>This policy setting allows you to determine if files downloaded from the Internet zone open in Protected View. If you enable...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
Files from unsafe locations must be opened in Excel in Protected View mode.
<VulnDiscussion>This policy setting lets you determine if files located in unsafe locations will open in Protected View. If you have not spec...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
Outlook must be configured to prevent users overriding attachment security settings.
<VulnDiscussion>This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy sett...Rule Medium Severity -
Files failing file validation must be opened in Excel in Protected view mode and disallow edits.
<VulnDiscussion>This policy setting controls how Office handles documents when they fail file validation. If you enable this policy setting...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
File attachments from Outlook must be opened in Excel in Protected mode.
<VulnDiscussion>This policy setting allows you to determine if Excel files in Outlook attachments open in Protected View. If you enable this...Rule Medium Severity -
SRG-APP-000219
<GroupDescription></GroupDescription>Group -
The SIP security mode in Lync must be enabled.
<VulnDiscussion>When Lync connects to the server, it supports various authentication mechanisms. This policy allows the user to specify wheth...Rule Medium Severity -
SRG-APP-000219
<GroupDescription></GroupDescription>Group -
The HTTP fallback for SIP connection in Lync must be disabled.
<VulnDiscussion>Prevents from HTTP being used for SIP connection in case TLS or TCP fail.</VulnDiscussion><FalsePositives></Fa...Rule Medium Severity -
SRG-APP-000575
<GroupDescription></GroupDescription>Group -
The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication.
<VulnDiscussion>This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note: E...Rule Medium Severity -
SRG-APP-000575
<GroupDescription></GroupDescription>Group -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers.
<VulnDiscussion>This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchan...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
Scripts associated with public folders must be prevented from execution in Outlook.
<VulnDiscussion>This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for ...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
Scripts associated with shared folders must be prevented from execution in Outlook.
<VulnDiscussion>This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared fo...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
Files dragged from an Outlook e-mail to the file system must be created in ANSI format.
<VulnDiscussion>This policy setting controls whether e-mail messages dragged from Outlook to the file system are saved in Unicode or ANSI for...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
The junk email protection level must be set to No Automatic Filtering.
<VulnDiscussion>This policy setting controls the Junk E-mail protection level. The Junk E-mail Filter in Outlook helps to prevent junk email ...Rule Medium Severity -
SRG-APP-000210
<GroupDescription></GroupDescription>Group -
Active X One-Off forms must only be enabled to load with Outlook Controls.
<VulnDiscussion>By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so ...Rule Medium Severity -
SRG-APP-000340
<GroupDescription></GroupDescription>Group -
Internet must not be included in Safe Zone for picture download in Outlook.
<VulnDiscussion>This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Inte...Rule Medium Severity -
SRG-APP-000516
<GroupDescription></GroupDescription>Group -
The Publish to Global Address List (GAL) button must be disabled in Outlook.
<VulnDiscussion>This policy setting controls whether Outlook users can publish e-mail certificates to the Global Address List (GAL). If you...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.