StigData/Processed/Office-System2016-1.1.xml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
<DISASTIG version="1" classification="UNCLASSIFIED" customname="" stigid="Microsoft_Office_System_2016" description="The Microsoft Office System 2016 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil." filename="U_Microsoft_Office_System_2016_STIG_V1R1_Manual-xccdf.xml" releaseinfo="Release: 1 Benchmark Date: 14 Nov 2016" title="Microsoft Office System 2016 Security Technical Implementation Guide" notice="terms-of-use" source="STIG.DOD.MIL" fullversion="1.1" created="12/17/2019">
  <RegistryRule dscresourcemodule="PSDscResources">
    <Rule id="V-70855" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user's computer. If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies. If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\ptwatson</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Tools \ Options \ Spelling -&gt; Proofing Data Collection "Improve Proofing Tools" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\ptwatson
 
Criteria: If the value PTWOptIn is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>PTWOptIn</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70859" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting controls whether Office 2016 applications notify users when potentially unsafe features or content are detected, or whether such features or content are silently disabled without notification. The Message Bar in Office 2016 applications is used to identify security issues, such as unsigned macros or potentially unsafe add-ins. When such issues are detected, the application disables the unsafe feature or content and displays the Message Bar at the top of the active window. The Message Bar informs the users about the nature of the security issue and, in some cases, provides the users with an option to enable the potentially unsafe feature or content, which could harm the user's computer. If you enable this policy setting, Office 2016 applications do not display information in the Message Bar about potentially unsafe content that has been detected or has automatically been blocked. If you disable this policy setting, Office 2016 applications display information in the Message Bar about content that has automatically been blocked. If you do not configure this policy setting, if an Office 2016 application detects a security issue, the Message Bar is displayed. However, this configuration can be modified by users in the Trust Center.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\trustcenter</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Disable all Trust Bar notifications for security issues" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\trustcenter
 
Criteria: If the value TrustBar is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>TrustBar</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70861" severity="medium" conversionstatus="pass" title="SRG-APP-000429" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting determines whether metadata is encrypted in Office Open XML files that are protected by Information Rights Management (IRM). If you enable this policy setting, Excel, PowerPoint, and Word encrypt metadata stored in rights-managed Office Open XML files and override any configuration changes on users' computers. If you disable this policy setting, Office 2016 applications cannot encrypt metadata in rights-managed Office Open XML files, which can reduce security. If you do not configure this policy setting, when Information Rights Management (IRM) is used to restrict access to an Office Open XML document, any metadata associated with the document is not encrypted.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Protect document metadata for rights managed Office Open XML Files" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\security
 
Criteria: If the value DRMEncryptProperty is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>DRMEncryptProperty</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70863" severity="medium" conversionstatus="pass" title="SRG-APP-000231" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting determines whether metadata is encrypted when an Office Open XML file is password protected. If you enable this policy setting, Excel 2016, PowerPoint 2016, and Word 2016 encrypt metadata stored in password-protected Office Open XML files and override any configuration changes on users' computers. If you disable this policy setting, Office 2016 applications cannot encrypt metadata in password-protected Office Open XML files, which can reduce security. If you do not configure this policy setting, when an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Protect document metadata for password protected files" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\security
 
Criteria: If the value OpenXMLEncryptProperty is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>OpenXMLEncryptProperty</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70865" severity="medium" conversionstatus="pass" title="SRG-APP-000231" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting allows you to specify an encryption type for Office Open XML files. If you enable this policy setting, you can specify the type of encryption that Office applications use to encrypt password-protected files in the Office Open XML file formats used by Excel, PowerPoint, and Word. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer. Specify the encryption type to use by entering it in the provided text box in the following form:&lt;Encryption Provider&gt;,&lt;Encryption Algorithm&gt;,&lt;Encryption Key Length&gt;For example: Microsoft Enhanced Cryptographic Provider v1.0,RC4,128. If you disable or do not configure this policy setting, the default CSP is used. The default cryptographic service provider (CSP) is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit.Note: This policy setting does not take effect unless the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\&lt;office application name&gt;\Security\Crypto\CompatMode is set to 0. By default the CompatMode registry key is set to 1.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Encryption type for password protected Office Open XML files" is set to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\security
 
Criteria: If the value OpenXMLEncryption is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.</RawString>
      <ValueData>Microsoft Enhanced RSA and AES Cryptographic Provider AES 256 256</ValueData>
      <ValueName>OpenXMLEncryption</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-70867" severity="medium" conversionstatus="pass" title="SRG-APP-000231" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting enables you to specify an encryption type for password-protected Office 97-2003 files. If you enable this policy setting, you can specify the type of encryption that Office applications will use to encrypt password-protected files in the older Office 97-2003 file formats. The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file. See the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\ registry key for a list of CSPs installed on the local computer. Specify the encryption type to use by entering it in the provided text box in the following form:&lt;Encryption Provider&gt;,&lt;Encryption Algorithm&gt;,&lt;Encryption Key Length&gt;.For example, Microsoft Enhanced Cryptographic Provider v1.0,RC4,128. If you do not configure this policy setting, Excel, PowerPoint, and Word use Office 97/2000 Compatible encryption, a proprietary encryption method, to encrypt password-protected Office 97-2003 files.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Encryption type for password protected Office 97-2003 files" is set to "Enabled (Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256)".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\security
 
Criteria: If the value DefaultEncryption12 is REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.</RawString>
      <ValueData>Microsoft Enhanced RSA and AES Cryptographic Provider AES 256 256</ValueData>
      <ValueName>DefaultEncryption12</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-70869.a" severity="medium" conversionstatus="pass" title="SRG-APP-000488" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting specifies the Microsoft ActiveX« initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer--or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. If you enable this policy setting, you can set the ActiveX security level to a number between 1 and 6. These security levels are as follows: 1 - Regardless of how the control is marked, load it and use the persisted values (if any). This setting does not prompt the user. 2 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, load in unsafe mode with persisted values (if any), or use the default (first-time initialization) settings. This level is similar to the default configuration, but does not prompt the user. 3 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 4 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 5 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. 6 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. If you disable or do not configure this policy setting, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond. Important - Some ActiveX controls do not respect the safe mode registry setting, and therefore might load persisted data even though you configure this setting to instruct the control to use safe mode. This setting only increases security for ActiveX controls that are accurately marked as SFI. In situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately marked as SFI.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "ActiveX Control Initialization" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\Common\Security
 
Criteria: If the value UFIControls exists, this is a finding.
</RawString>
      <ValueData />
      <ValueName>**del.uficontrols</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-70869.b" severity="medium" conversionstatus="pass" title="SRG-APP-000488" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting specifies the Microsoft ActiveX« initialization security level for all Microsoft Office applications. ActiveX controls can adversely affect a computer directly. In addition, malicious code can be used to compromise an ActiveX control and attack a computer. To indicate the safety of an ActiveX control, developers can denote them as Safe For Initialization (SFI). SFI indicates that a control is safe to open and run, and that it is not capable of causing a problem for any computer, regardless of whether it has persisted data values or not. If a control is not marked SFI, it is possible that the control could adversely affect a computer--or it could mean that the developers did not test the control in all situations and are not sure whether it might be compromised in the future. If you enable this policy setting, you can set the ActiveX security level to a number between 1 and 6. These security levels are as follows: 1 - Regardless of how the control is marked, load it and use the persisted values (if any). This setting does not prompt the user. 2 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, load in unsafe mode with persisted values (if any), or use the default (first-time initialization) settings. This level is similar to the default configuration, but does not prompt the user. 3 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 4 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with default (first-time initialization) settings. 5 - If SFI, load the control in unsafe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. 6 - If SFI, load the control in safe mode and use persisted values (if any). If not SFI, prompt the user and advise them that it is marked unsafe. If the user chooses No at the prompt, do not load the control. Otherwise, load it with persisted values. If you disable or do not configure this policy setting, if a control is marked SFI, the application loads the control in safe mode and uses persisted values (if any). If the control is not marked SFI, the application loads the control in unsafe mode with persisted values (if any), or uses the default (first-time initialization) settings. In both situations, the Message Bar informs users that the controls have been disabled and prompts them to respond. Important - Some ActiveX controls do not respect the safe mode registry setting, and therefore might load persisted data even though you configure this setting to instruct the control to use safe mode. This setting only increases security for ActiveX controls that are accurately marked as SFI. In situations that involve malicious or poorly designed code, an ActiveX control might be inaccurately marked as SFI.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Absent</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "ActiveX Control Initialization" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\Common\Security
 
Criteria: If the value UFIControls exists, this is a finding.
</RawString>
      <ValueData />
      <ValueName>uficontrols</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-70871.a" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\VBA\Security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Load Controls in Forms3" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
 HKCU\keycupoliciesmsvbasecurity
 
Criteria: If the value LoadControlsInForms exists, this is a finding.</RawString>
      <ValueData />
      <ValueName>**del.loadcontrolsinforms</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-70871.b" severity="medium" conversionstatus="pass" title="SRG-APP-000207" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting allows you to control how ActiveX controls in UserForms should be initialized based upon whether they are Safe For Initialization (SFI) or Unsafefor Initialization (UFI). ActiveX controls are Component Object Model (COM) objects and have unrestricted access to users' computers. ActiveX controls can access the local file system and change the registry settings of the operating system. If a malicious user repurposes an ActiveX control to take over a user's computer, the effect could be significant. To help improve security, ActiveX developers can mark controls as Safe For Initialization (SFI), which means that the developer states that the controls are safe to open and run and not capable of causing harm to any computers. If a control is not marked SFI, the control could adversely affect a computer--or it's possible the developers did not test the control in all situations and are not sure whether their control might be compromised at some future date.SFI controls run in safe mode, which limits their access to the computer. For example, a worksheet control can both read and write files when it is in unsafe mode, but perhaps only read from files when it is in safe mode. This functionality allows the control to be used in very powerful ways when safety wasn't important, but the control would still be safe for use in a Web page. If a control is not marked as SFI, it is marked Unsafe For Initialization (UFI), which means that it is capable of affecting a user's computer. If UFI ActiveX controls are loaded, they are always loaded in unsafe mode. If you enable this policy setting, you can choose from four options for loading controls in UserForms: 1- For a UFI or SFI signed control that supports safe and unsafe mode, load the control in unsafe mode. For an SFI signed control that only supports a safe mode configuration, load the control in safe mode. This option enforces the default configuration. 2 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using the default properties. - For an SFI signed control that supports both safe and unsafe modes, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control using safe mode. If the SFI control can only support safe mode, load the control in safe mode. This option is the default configuration in the Microsoft Office 2016 release. 3 - Users are prompted to determine how UserForm forms will load. The prompt only displays once per session within an application. When users respond to the prompt, loading continues based on whether the control is UFI or SFI: - For a UFI signed control, if users respond Yes to the prompt, load the control in unsafe mode. If users respond No, load the control with its default properties. - For an SFI signed control, load in safe mode. 4 - For a UFI signed control, load with the default properties of the control. For an SFI signed control, load in safe mode (considered to be the safest mode). If you disable or do not configure this policy setting, the behavior is as if you enable this policy setting and then select option 1.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Absent</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\VBA\Security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Load Controls in Forms3" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
 HKCU\keycupoliciesmsvbasecurity
 
Criteria: If the value LoadControlsInForms exists, this is a finding.</RawString>
      <ValueData />
      <ValueName>loadcontrolsinforms</ValueName>
      <ValueType>String</ValueType>
    </Rule>
    <Rule id="V-70873" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting controls whether macros can run in an Office 2016 application that is opened programmatically by another application. If you enable this policy setting, you can choose from three options for controlling macro behavior in Excel, PowerPoint, and Word when the application is opened programmatically: - Disable macros by default - All macros are disabled in the programmatically opened application. - Macros enabled (default) - Macros can run in the programmatically opened application. This option enforces the default configuration in Excel, PowerPoint, and Word. - User application macro security level - Macro functionality is determined by the setting in the "Macro Settings" section of the Trust Center. If you disable or do not configure this policy setting, when a separate program is used to launch Microsoft Excel, PowerPoint, or Word programmatically, any macros can run in the programmatically opened application without being blocked.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Automation Security" is set to "Enabled (Use application macro security level)".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\Common\Security
 
Criteria: If the value AutomationSecurity is REG_DWORD = 2, this is not a finding.</RawString>
      <ValueData>2</ValueData>
      <ValueName>AutomationSecurity</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70875" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting controls whether trusted locations can be defined by users, the Office Customization Tool (OCT), and Group Policy, or if they must be defined by Group Policy alone. If you enable this policy setting, users can specify any location as a trusted location, and a computer can have a combination of user-created, OCT-created, and Group Policy-created trusted locations. If you disable this policy setting, all trusted locations that are not created by Group Policy are disabled and users cannot create new trusted locations in the Trust Center. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled. Note - InfoPath 2016 and Outlook 2016 do not recognize trusted locations, and therefore are unaffected by this policy setting.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\security\trusted locations</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings -&gt; Trust Center "Allow mix of policy and user locations" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\security\trusted locations
 
Criteria: If the value Allow User Locations is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>Allow User Locations</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70877" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting controls whether Office 2016 applications can load an XML expansion pack manifest file with a Smart Document. An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. You package one or more components that provide the logic needed for a Smart Document by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files. The key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, you specify the locations of all files that make up the XML expansion pack, as well as information that instructs Office 2016 how to set up the files for your Smart Document. The XML expansion pack can also contain information about how to set up some files, such as how to install and register a COM object required by the XML expansion pack. If you enable this policy setting, Office 2016 applications cannot load XML expansion packs with Smart Documents. If you disable or do not configure this policy setting, Office 2016 applications can load an XML expansion pack manifest file with a Smart Document.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Smart Tag</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\Common\Smart Tag
 
Criteria: If the value NeverLoadManifests is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>NeverLoadManifests</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70881" severity="medium" conversionstatus="pass" title="SRG-APP-000340" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting controls whether users are required to connect to the Internet or a local network to have their licenses confirmed every time they attempt to open Excel workbooks, InfoPath forms or templates, Outlook e-mail messages, PowerPoint presentations, or Word documents that are protected by Information Rights Management (IRM). This policy is useful if you want to log the usage of files with restricted permissions on the server. If you enable this policy setting, users are required to connect to verify permissions. This policy setting will only affect protected files created on machines where the policy is enabled. If you disable or do not configure this policy setting, users are not required to connect to the network to verify permissions.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\drm</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Manage Restricted Permissions "Always require users to connect to verify permission" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\drm
 
Criteria: If the value RequireConnection is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>RequireConnection</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70883" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting controls whether document metadata can be saved in PDF and XPS documents. If you enable this policy setting, document properties metadata is not exported to PDF and XPS files. If you disable this policy setting, document properties metadata will always be saved with PDF and XPS files, and users will not be able to override this configuration. If you do not configure this policy setting, if the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs add-in is installed, document properties are saved as metadata when users save files using the PDF or XPS or Publish as PDF or XPS commands in Access, Excel, InfoPath, PowerPoint, and Word, unless the "Document properties" option is unchecked in the Options dialog.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\fixedformat</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\fixedformat
 
Criteria: If the value DisableFixedFormatDocProperties is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>DisableFixedFormatDocProperties</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70885" severity="medium" conversionstatus="pass" title="SRG-APP-000429" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting allows you configure if the document properties are encrypted. This applies to OLE documents (Office 97-2003 compatible) if the application is configured for CAPI RC4. If you enable this policy setting, the document properties will be encrypted. If you disable or do not configure this policy setting, the document properties will not be encrypted.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\common\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings "Encrypt document properties" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\Software\Policies\Microsoft\Office\16.0\common\security
 
Criteria: If the value EncryptDocProps is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>EncryptDocProps</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70889" severity="medium" conversionstatus="pass" title="SRG-APP-000141" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting allows you to remove Office Presentation Service from the list of online presentation services in PowerPoint and Word. This list appears when a user selects Present Online from the Share tab in Backstage view and in the ribbon in PowerPoint. If you enable this policy setting, Office Presentation Service is not shown as an option for presenting online. If you disable or do not configure this policy setting, users can select Office Presentation Service to present their PowerPoint or Word file to other users online.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\common\broadcast</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Present Online -&gt; "Remove Office Presentation Service from the list of online presentation services in PowerPoint and Word" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\software\policies\Microsoft\office\16.0\common\broadcast
 
Criteria: If the value disabledefaultservice is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>disabledefaultservice</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70891" severity="medium" conversionstatus="pass" title="SRG-APP-000210" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting allows you to restrict the ability to create an online presentation programmatically in PowerPoint and Word. If you enable this policy setting, an online presentation cannot be created programmatically. If you disable or do not configure this policy setting, an online presentation can be created programmatically.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\common\broadcast</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Present Online -&gt; "Restrict programmatic access for creating online presentations in PowerPoint and Word" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\software\policies\Microsoft\office\16.0\common\broadcast
 
Criteria: If the value disableprogrammaticaccess is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>disableprogrammaticaccess</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70893" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting manages whether the Office Feedback Tool (a.k.a. Send a Smile) allows the user to send a screenshot of their desktop with their feedback to Microsoft. The Office Feedback Tool allows users to provide Microsoft feedback regarding their positive and negative experiences when using Office. If you enable this policy setting, the Office Feedback Tool will allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you disable this policy setting, the Office Feedback Tool will not allow the user to send a screenshot of their desktop with their feedback to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\common\feedback</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Privacy -&gt; Trust Center -&gt; "Allow including screenshot with Office Feedback" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\software\policies\Microsoft\office\16.0\common\feedback
 
Criteria: If the value includescreenshot is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>includescreenshot</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70895" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting allows users to run unsecure web add-in, which are add-ins that have web page or catalog locations that are not SSL-secured (https://), and are not in users' Internet zones. If you enable this policy setting, users can run unsecure apps. To enable specific unsecure web add-ins, you must also configure the Trusted Web add-in Catalog policy settings to trust the catalogs that contains those Add-ins. If you disable or do not configure this policy setting, unsecure web add-ins are not allowed.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\wef\trustedcatalogs</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Security Settings -&gt; Trust Center -&gt; Trusted Catalogs "Allow Unsecure web add-ins and Catalogs" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\software\policies\Microsoft\office\16.0\wef\trustedcatalogs
 
Criteria: If the value requireserververification is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>requireserververification</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70897" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting configures Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If you enable this policy setting, Office Telemetry Agent obfuscates the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. If you disable or do not configure this policy setting, Office Telemetry Agent uploads telemetry data that shows the full file name, file path, and title of all Office documents.
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\osm</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Telemetry Dashboard -&gt; "Turn on privacy setting in Office Telemetry Agent" is set to "Enabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\software\policies\Microsoft\office\16.0\osm
 
Criteria: If the value enablefileobfuscation is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>enablefileobfuscation</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-70899" severity="medium" conversionstatus="pass" title="SRG-APP-000516" dscresource="RegistryPolicyFile">
      <Description>&lt;VulnDiscussion&gt;This policy setting controls whether users can send personal information to Office. When users choose to send information Office 2016 applications automatically send information to Office. If you enable this policy setting, users will opt into sending personal information to Office. If your organization has policies that govern the use of external resources, opting users into the program might cause them to violate these policies. If you disable this policy setting, Office 2016 users cannot send personal information to Office. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to "Enabled".
&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;&lt;FalseNegatives&gt;&lt;/FalseNegatives&gt;&lt;Documentable&gt;false&lt;/Documentable&gt;&lt;Mitigations&gt;&lt;/Mitigations&gt;&lt;SeverityOverrideGuidance&gt;&lt;/SeverityOverrideGuidance&gt;&lt;PotentialImpacts&gt;&lt;/PotentialImpacts&gt;&lt;ThirdPartyTools&gt;&lt;/ThirdPartyTools&gt;&lt;MitigationControl&gt;&lt;/MitigationControl&gt;&lt;Responsibility&gt;&lt;/Responsibility&gt;&lt;IAControls&gt;&lt;/IAControls&gt;</Description>
      <DuplicateOf />
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\software\policies\Microsoft\office\16.0\common</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2016 -&gt; Privacy -&gt; Trust Center -&gt; "Send personal information" is set to "Disabled".
 
Procedure: Use the Windows Registry Editor to navigate to the following key:
 
HKCU\software\policies\Microsoft\office\16.0\common
 
Criteria: If the value sendcustomerdata is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>sendcustomerdata</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
  </RegistryRule>
</DISASTIG>