Title

Save files default format must be configured. (Cat II impact)

Discussion

When users create new Excel files, Excel 2010 saves them in the new *.xlsx format. Ensure this setting is enabled to specify all new files are created in Excel 2010. If a new file is created in an earlier format, some users may not be able to open or use the file, or they may choose a format this is less secure than the Excel 2010 format. Users can still select a specific format when they save files, but they cannot change default of this setting from the Excel Options dialog box. This enforced user behavior ensures any change to the file format requires additional deliberate user interaction.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2010 -> Excel Options -> Save "default file format" must be set to "Enabled (Excel Workbook *.xlsx)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\excel\options Criteria: If the value DefaultFormat is REG_DWORD = 0x00000033(hex) or 51 (Decimal), this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2010 -> Excel Options -> Save "default file format" to "Enabled (Excel Workbook *.xlsx)".

Additional Identifiers

Rule ID: SV-33437r1_rule

Vulnerability ID: V-17521

Group Title: DTOO139 - Save files default format

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.