Title

The Office Telemetry Agent must be configured to obfuscate the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. (Cat II impact)

Discussion

This policy setting configures the Office Telemetry Agent to disguise, or obfuscate, certain file properties that are reported in telemetry data. If this policy setting is enabled, Office Telemetry Agent obfuscates the file name, file path, and title of Office documents before uploading telemetry data to the shared folder. If this policy setting is disabled or not configured, the Office Telemetry Agent uploads telemetry data that shows the full file name, file path, and title of all Office documents.

Check Content

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Telemetry Dashboard >> "Turn on privacy setting in Office Telemetry Agent" is set to "Enabled". Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\osm If the value “enablefileobfuscation” is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Telemetry Dashboard >> "Turn on privacy setting in Office Telemetry Agent" to "Enabled".

Additional Identifiers

Rule ID: SV-53218r5_rule

Vulnerability ID: V-40886

Group Title: DTOO416 - Telemetry Agent privacy setting

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.