Check: DTOO170 - InfoPath
Microsoft InfoPath 2010 STIG:
DTOO170 - InfoPath
(in versions v1 r11 through v1 r10)
Title
InfoPath 2003 forms as email forms in InfoPath 2010 must be disallowed. (Cat II impact)
Discussion
An attacker might target InfoPath 2003 forms to try and compromise an organization's security. InfoPath 2003 did not write a published location for e-mail forms, which means forms could open without a corresponding published location. By default, InfoPath sends all forms via e-mail using InfoPath e-mail forms integration, including forms created using the InfoPath 2003 file format.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2010 -> InfoPath e-mail forms “Disable sending InfoPath 2003 Forms as e-mail forms” must be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\infopath Criteria: If the value DisableInfoPath2003EmailForms is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2010 -> InfoPath e-mail forms “Disable sending InfoPath 2003 Forms as e-mail forms” to “Enabled”.
Additional Identifiers
Rule ID: SV-33646r1_rule
Vulnerability ID: V-17668
Group Title: DTOO170 - 2003 forms as email
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001170 |
The information system prevents the automatic execution of mobile code in organization-defined software applications. |
Controls
Number | Title |
---|---|
SC-18 (4) |
Prevent Automatic Execution |