Title

Passwords for secured documents must be enforced. (Cat II impact)

Discussion

If 2013 Office users add passwords to documents, other users can be prevented from opening the documents. This capability can provide an extra level of protection to documents already protected by access control lists, or provide a means of securing documents not protected by file-level security. By default, users can add passwords to Excel 2013 workbooks, PowerPoint 2013 presentations, and Word 2013 documents from the Save or Save As dialog box by clicking Tools, clicking General Options, and entering appropriate passwords to open or modify the documents. If this configuration is changed, the General Options dialog box for saving with a password will not be available for the user to password-protect their documents.

Check Content

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Disable password to open UI" is set to "Disabled". Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\common\security If the value 'DisablePasswordUI' is REG_DWORD = 0, this is not a finding. Fix Text: Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Disable password to open UI" to "Disabled".

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Disable password to open UI" to "Disabled".

Additional Identifiers

Rule ID: SV-228550r508020_rule

Vulnerability ID: V-228550

Group Title: SRG-APP-000231

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.