Title

Disable eMail forms running in Restricted Security Level - InfoPath. (Cat II impact)

Discussion

InfoPath 2007 forms that run with the restricted security level can only access data that is stored on the forms. However, a malicious user could still send an e-mail form that runs with the restricted security level in an attempt to access sensitive information provided by users. By default InfoPath 2007 e-mail forms running with the restricted security level can be opened.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable e-mail forms running in restricted security level” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath\Security Criteria: If the value EnableRestrictedEMailForms is REG_DWORD = 0, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> InfoPath e-mail forms “Disable e-mail forms running in restricted security level” will be set to “Enabled”.

Additional Identifiers

Rule ID: SV-18810r1_rule

Vulnerability ID: V-17657

Group Title: DTOO171 - EMail forms in Restricted Security

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.