Check: DTOO140
Microsoft Excel 2013 STIG:
DTOO140
(in versions v1 r7 through v1 r6)
Title
Automatic republish to web pages must be disallowed. (Cat II impact)
Discussion
If users choose to publish Excel data to a static web page and enable the AutoRepublish feature, Excel saves a copy of the data to the web page every time the user saves the workbook. If the page is on a web server, anyone who has access to the page will be able to see the updated data after every save, which can lead to the undesired disclosure of sensitive or incorrect information. By default, a message dialog box displays every time the user saves a published workbook when AutoRepublish is enabled. From this dialog box, the user can disable AutoRepublish temporarily or permanently, or select "Do not show this message again" to prevent the dialog box from appearing after every save. If the user selects "Do not show this message again", Excel will continue to automatically republish the data after every save without informing the user.
Check Content
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2013 -> Excel Options -> Save "Disable AutoRepublish" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\excel\options Criteria: If the value DisableAutoRepublish is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Excel 2013 -> Excel Options -> Save "Disable AutoRepublish" to "Enabled".
Additional Identifiers
Rule ID: SV-53731r1_rule
Vulnerability ID: V-17652
Group Title: DTOO140 - Disable AutoRepublish
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |