Title

Database functionality configurations must be displayed to the user. (Cat II impact)

Discussion

This policy setting controls how Access notifies users about untrusted components. If you enable this policy setting, when users attempt to open an untrusted Access database that contains user-programmed executable components, users see a dialog box where they then must choose whether to enable or disable the components before they can work with the database. If you disable or do not configure this policy setting, when users open an untrusted Access database that contains user-programmed executable components, Access opens the database with the components disabled and displays the Message Bar with a warning that database content has been disabled. Users can inspect the contents of the database, but cannot use any disabled functionality until they enable it by clicking Options on the Message Bar and selecting the appropriate action.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Access 2016 -> Tools \ Security "Modal Trust Decision Only" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\access\security Criteria: If the value ModalTrustDecisionOnly is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Access 2016 -> Tools \ Security "Modal Trust Decision Only" to "Disabled".

Additional Identifiers

Rule ID: SV-85569r1_rule

Vulnerability ID: V-70945

Group Title: SRG-APP-000488

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.