An error occurred:

Check: DTOO401

Microsoft Office System 2013 STIG: DTOO401 (in versions v2 r1 through v1 r5)

Title

Office automatic updates must be enabled for Office products installed via Click-to-Run and configured to use a Trusted site. (Cat II impact)

Discussion

This policy setting controls whether the Office automatic updates are enabled or disabled for all Office products installed via Click-to-Run. This policy has no effect on Office products installed via Windows Installer. If this policy setting is enabled, Office periodically checks for updates. When updates are detected, Office downloads and applies them in the background. If policy setting is disabled, Office will not check for updates. Without receiving automatic updates, vulnerabilities found within the Office products will not be applied, leaving the vulnerabilities exposed.

Check Content

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine)->Updates->"Enable Automatic Updates" is set to "Enabled". Verify the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates -> "Specify intranet Microsoft update service location" is set to "Enabled" and the "Set the intranet update service for detecting updates:" and the "Set the intranet statistics server:" both point to an Intranet system. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\software\policies\Microsoft\office\15.0\common\officeupdate Criteria: If the value EnableAutomaticUpdates is REG_DWORD = 1, this is not a finding. If the registry key is missing, this is an Open finding. This setting is, by default, enabled and must be explicitly configured to be disabled. HKLM\software\policies\Microsoft\Windows\WindowsUpdate Criteria: If the value of WUServer and WUStatusServer are populated with an Intranet system, this is not a finding.

Fix Text

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2013 (Machine)->Updates->"Enable Automatic Updates" to "Enabled". Set the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates -> "Specify intranet Microsoft update service location" to "Enabled" and the "Set the intranet update service for detecting updates:" and the "Set the intranet statistics server:"to point to an Intranet system.

Additional Identifiers

Rule ID: SV-228562r508020_rule

Vulnerability ID: V-228562

Group Title: SRG-APP-000456

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002605

The organization installs security-relevant software updates within an organization-defined time period of the release of the updates.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SI-2

Flaw Remediation