Title

Upload of document templates to Office Online must be prevented. (Cat II impact)

Discussion

Office users can share Excel, PowerPoint, and Word templates they create with other Microsoft Office users around the world by uploading them to the community area of the Microsoft Office Online Web site. If your organization has policies that govern the use of external resources such as Office Online, allowing users to upload templates might enable them to violate those policies.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \ Options \ General \ Web Options... “Prevent users from uploading document templates to the Office.com Community” must be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\common\internet Criteria: If the value DisableCustomerSubmittedUpload is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2010 -> Tools \ Options \ General \ Web Options... “Prevent users from uploading document templates to the Office.com Community” to “Enabled”.

Additional Identifiers

Rule ID: SV-33477r1_rule

Vulnerability ID: V-17767

Group Title: DTOO178 - Uploads to Office Online

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.