Title

Office must be configured to not allow read with browsers. (Cat II impact)

Discussion

The Windows Rights Management Add-on for Internet Explorer provides a way for users who do not use the 2013 Office release to view, but not alter, files with restricted permissions. By default, IRM-enabled files are saved in a format that cannot be viewed by using the Windows Rights Management Add-on. If this setting is enabled, an embedded rights-managed HTML version of the content is saved with each IRM-enabled file, which can be viewed in Internet Explorer using the add-on, representing the risk of documents being read by those without the rights and not intended to have access to the document.

Check Content

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Manage Restricted Permissions "Allow users with earlier versions of Office to read with browsers" is set to "Disabled". Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\drm If the value 'IncludeHTML' is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Manage Restricted Permissions "Allow users with earlier versions of Office to read with browsers" to "Disabled".

Additional Identifiers

Rule ID: SV-228555r508020_rule

Vulnerability ID: V-228555

Group Title: SRG-APP-000328

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.