Check: DTOO297
Microsoft InfoPath 2013 STIG:
DTOO297
(in versions v1 r5 through v1 r4)
Title
A form that is digitally signed must be displayed with a warning. (Cat II impact)
Discussion
This setting controls whether or not the user sees a dialog box when opening Microsoft InfoPath forms containing digitally signed content. By default, InfoPath shows the user a warning message when the form contains a digital signature. By being aware of a digitally signed form, the user will be able to check the validity of the signature. Otherwise, the forms may have been maliciously modified and will be invalidated.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security "Display a warning that a form is digitally signed" must be set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\InfoPath\security Criteria: If the value SignatureWarning is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security "Display a warning that a form is digitally signed" to "Enabled".
Additional Identifiers
Rule ID: SV-53432r1_rule
Vulnerability ID: V-26621
Group Title: DTOO297 - A form is digitally signed
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001749 |
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization. |
Controls
| Number | Title |
|---|---|
| CM-5 (3) |
Signed Components |