Title

Document metadata for password protected files must be protected. (Cat II impact)

Discussion

When an Office Open XML document is protected with a password and saved, any metadata associated with the document is encrypted along with the rest of the document's contents. If this configuration is changed, potentially sensitive information such as the document author and hyperlink references could be exposed to unauthorized people.

Check Content

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Security Settings "Protect document metadata for password protected files" is set to "Enabled". Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\security If the value “OpenXMLEncryptProperty” is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Security Settings "Protect document metadata for password protected files" to "Enabled".

Additional Identifiers

Rule ID: SV-52725r4_rule

Vulnerability ID: V-17768

Group Title: DTOO188 - Protect document metadata

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.