Check: DTOO197
Microsoft Office System 2013 STIG:
DTOO197
(in version v2 r1)
Title
Smart Documents use of Manifests in Office must be disallowed. (Cat II impact)
Discussion
An XML expansion pack is the group of files that constitutes a Smart Document in Excel and Word. One or more components that provide the logic needed for a Smart Document are packaged by using an XML expansion pack. These components can include any type of file, including XML schemas, Extensible Stylesheet Language Transforms (XSLTs), dynamic-link libraries (DLLs), and image files, as well as additional XML files, HTML files, Word files, Excel files, and text files. The key component to building an XML expansion pack is creating an XML expansion pack manifest file. By creating this file, the locations of all files that make up the XML expansion pack are specified, as well as information that instructs Office 2013 how to set up the files for the Smart Document. The XML expansion pack can also contain information about how to set up other files, such as how to install and register a COM object required by the XML expansion pack. XML expansion packs can be used to initialize and load malicious code, which might affect the stability of a computer and lead to data loss. Office applications can load an XML expansion pack manifest file with a Smart Document.
Check Content
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" is set to "Enabled". Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\Common\Smart Tag If the value 'NeverLoadManifests' is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Smart Documents (Word, Excel) "Disable Smart Document's use of manifests" to "Enabled".
Additional Identifiers
Rule ID: SV-228519r508020_rule
Vulnerability ID: V-228519
Group Title: SRG-APP-000516
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |