III - Administrative Sensitive

Rules and Groups employed by this XCCDF Profile

  • DTOO196 - Mix of Policy and User Locations

    Group
  • A mix of policy and user locations for Office Products must be disallowed.

    When Microsoft Office files are opened from trusted locations, all the content in the files is enabled and active. Users are ...
    Rule Medium Severity
  • DTOO212 - Control Blogging

    Group
  • Blogging entries created from inside Office products must be configured for SharePoint only.

    The blogging feature in Office products enables users to compose blog entries and post them to their blogs directly from Offi...
    Rule Medium Severity
  • DTOO200 - Allow users to read with browsers

    Group
  • Office must be configured to not allow read with browsers.

    The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the 2010 Office release to...
    Rule Medium Severity
  • DTOO177 - Disable Updates from Office Online Site

    Group
  • Access to updates, add-ins, and patches on Office.com must be disabled.

    Having access to updates, add-ins, and patches on the Office Online Web site can help users ensure computers are up to date a...
    Rule Medium Severity
  • DTOO186 - Trust Bar Notifications

    Group
  • Trust Bar notifications for Security messages must be enforced.

    The Message Bar in Office applications is used to identify security issues, such as unsigned macros or potentially unsafe add...
    Rule Medium Severity
  • DTOO207 - Document Info Beaconing UI

    Group
  • Document Information panel Beaconing must show UI.

    For controlling whether users see a security warning when they open custom Document Information Panels that contain a Web bea...
    Rule Medium Severity
  • DTOO184 - Cust. Experience Improvement Program

    Group
  • The Customer Experience Improvement Program for Office must be disabled.

    When users choose to participate in the Customer Experience Improvement Program (CEIP), Office applications automatically sen...
    Rule Medium Severity
  • DTOO190 - Encr. type for Password Protected files

    Group
  • The encryption type for password protected Office 97 thru Office 2003 must be set.

    If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confident...
    Rule Medium Severity
  • DTOO189 - Encryption Type for Pwd Protected files

    Group
  • The encryption type for password protected Open XML files must be set.

    If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confident...
    Rule Medium Severity
  • DTOO182 - Improve Proofing Tools

    Group
  • The Help Improve Proofing Tools feature for Office must be configured.

    The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictio...
    Rule Medium Severity
  • DTOO194 - Hyperlink warnings for Office

    Group
  • Hyperlink warnings for Office must be configured for use.

    Unsafe hyperlinks are links that might pose a security risk if users click them. Clicking an unsafe link could compromise the...
    Rule Medium Severity
  • DTOO206 - Incl. Doc. properties for PDF and XPS

    Group
  • Inclusion of document properties for PDF and XPS output must be disallowed.

    If the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs add-in is installed, document properties are saved a...
    Rule Medium Severity
  • DTOO198 - Internet Fax Feature

    Group
  • The Internet Fax Feature must be disabled.

    Excel, PowerPoint, and Word users can use the Internet Fax feature to send documents to fax recipients through an Internet fa...
    Rule Medium Severity
  • DTOO202 - Microsoft Passport Service

    Group
  • Microsoft Passport Service for content must be disallowed.

    This controls whether users can open protected content created with a Windows Live ID (formerly Microsoft .NET Passport) auth...
    Rule Medium Severity
  • DTOO183 - Opt-In Wizard on first run use

    Group
  • The Opt-In Wizard must be disabled.

    The Opt-in Wizard displays the first time users run a 2010 Microsoft Office application, which allows them to opt into Intern...
    Rule Medium Severity
  • DTOO195 - Disable Password to Open UI

    Group
  • Passwords for secured documents must be enforced.

    If 2010 Office users add passwords to documents, other users can be prevented from opening the documents. This capability can...
    Rule Medium Severity
  • DTOO197 - Document Manifests

    Group
  • Smart Documents use of Manifests in Office must be disallowed.

    An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. You package one or more comp...
    Rule Medium Severity
  • DTOO208 - Office client polling from Office Server

    Group
  • Office client polling of SharePoint servers published links must be disabled.

    Users of Office applications can see and use links to Microsoft Office SharePoint Server sites from those applications. Admin...
    Rule Medium Severity
  • DTOO201 - Connection permissions verification

    Group
  • Connection verification of permissions must be enforced.

    Users are not required to connect to the network to verify permissions. If users do not need their licenses confirmed when at...
    Rule Medium Severity
  • DTOO185 - Do not receive Automatic small updates

    Group
  • Automatic receiving of small updates to improve reliability must be disallowed.

    Office Diagnostics is used to improve the user experience by periodically downloading a small file to the computer with updat...
    Rule Medium Severity
  • DTOO193 - Automation Security

    Group
  • Automation Security to enforce macro level security in Office documents must be configured.

    When a separate program is used to launch Microsoft Office Excel, PowerPoint, or Word programmatically, any macros can run in...
    Rule Medium Severity
  • DTOO203 - Legacy Format signatures

    Group
  • Legacy format signatures must be enabled.

    Office applications use the XML-based XMLDSIG format to attach digital signatures to documents, including Office 97-2003 bina...
    Rule Medium Severity
  • DTOO192 - Load controls for forms3

    Group
  • Load controls in forms3 must be disabled from loading.

    ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls ...
    Rule Medium Severity
  • DTOO179 - Open as Read/Write when browsing

    Group
  • Documents must be configured to not open as Read Write when browsing.

    Office document on a Web server using Internet Explorer, the appropriate application opens the file in read-only mode. Howeve...
    Rule Medium Severity
  • DTOO199 - Permissions on managed content

    Group
  • Changing permissions on rights managed content for users must be enforced.

    This setting controls whether Office 2010 users can change permissions for content that is protected with Information Rights ...
    Rule Medium Severity
