Title

Enable the Restriction on adding custom code to InfoPath forms. (Cat II impact)

Discussion

By default, users can design new InfoPath 2007 forms that use custom code to add interactivity and other functionality to forms. Designers can add managed code written in C# and Visual Basic .NET, as well as scripts written in Jscript and VBScript. An inexperienced or malicious user could design a form with dangerous code that harms users' computers or puts sensitive data at risk.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> Restricted Features “Custom code” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures Criteria: If the value CodeAllowed is REG_DWORD = 0, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office InfoPath 2007 -> Restricted Features “Custom code” will be set to “Enabled”.

Additional Identifiers

Rule ID: SV-18703r1_rule

Vulnerability ID: V-17582

Group Title: DTOO175 - Custom Code - InfoPath

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.