Check: DTOO200 - Office System
Microsoft Office System 2010 STIG: DTOO200 - Office System (in versions v1 r12 through v1 r10)
Title
Office must be configured to not allow read with browsers. (Cat II impact)
Discussion
The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the 2010 Office release to view, but not alter, files with restricted permissions. By default, IRM-enabled files are saved in a format that cannot be viewed by using the Windows Rights Management Add-on. If this setting is enabled, an embedded rights-managed HTML version of the content is saved with each IRM-enabled file, which can be viewed in Internet Explorer using the add-on. This configuration increases the size of rights-managed files, in some cases significantly.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions “Allow users with earlier versions of Office to read with browsers” must be set to “Disabled”.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\14.0\common\drm

Criteria: If the value IncludeHTML is REG_DWORD = 0, this is not a finding.
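The registry criteria above can also be audited with a short PowerShell function. This is an added example, not part of the STIG: the function name Test-DTOO200 and its output fields are hypothetical, and it assumes a missing key or value counts as a finding because the criteria clear only REG_DWORD = 0.

```powershell
# Added example: audits the DTOO200 registry criteria for the current user.
# Test-DTOO200 and the output field names are hypothetical, not from the STIG.
$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Office\14.0\common\drm'
$ValueName = 'IncludeHTML'

function Test-DTOO200 {
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )

    # Start from "Finding"; only REG_DWORD = 0 clears it.
    $result = [ordered]@{
        Check  = 'DTOO200'
        Path   = $Path
        Value  = $Name
        Status = 'Finding'
        Detail = ''
    }

    # Assumption: an unconfigured policy (no key) is reported as a finding.
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Detail = 'Policy key does not exist (policy not configured).'
        return [pscustomobject]$result
    }

    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) {
        $result.Detail = 'Value is absent (policy not configured).'
        return [pscustomobject]$result
    }

    # Check the registry type as well as the data: the criteria require REG_DWORD.
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Detail = "Value type is $kind, expected REG_DWORD."
    } elseif ($data -ne 0) {
        $result.Detail = "Value is $data, expected 0."
    } else {
        $result.Status = 'NotAFinding'
        $result.Detail = 'IncludeHTML is REG_DWORD = 0.'
    }
    return [pscustomobject]$result
}

Test-DTOO200
```

Run it in the session of the user being assessed, since HKCU resolves to that user's registry hive.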
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Manage Restricted Permissions “Allow users with earlier versions of Office to read with browsers” to “Disabled”.
Additional Identifiers
Rule ID: SV-33459r1_rule
Vulnerability ID: V-17583
Group Title: DTOO200 - Allow users to read with browsers
CCIs
Number | Definition |
---|---|
CCI-002165 | The information system enforces organization-defined discretionary access control policies over defined subjects and objects. |
Controls
Number | Title |
---|---|
AC-3 (4) | Discretionary Access Control |