Title

Inclusion of document properties for PDF and XPS output must be disallowed. (Cat II impact)

Discussion

If the Microsoft Save as PDF or XPS Add-in for Microsoft Office Programs is installed, document properties are saved as metadata when users save or publish files using the PDF or XPS commands in Access 2013, Excel 2013, InfoPath 2013, PowerPoint 2013, and Word 2013 using the PDF or XPS or Publish. If this metadata contains sensitive information, saving it with the file could compromise security.

Check Content

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2013 >> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" is set to "Enabled". Use the Windows Registry Editor to navigate to the following HKCU\Software\Policies\Microsoft\Office\15.0\common\fixedformat If the value 'DisableFixedFormatDocProperties' is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Microsoft Save As PDF and XPS add-ins "Disable inclusion of document properties in PDF and XPS output" to "Enabled".

Additional Identifiers

Rule ID: SV-228522r508020_rule

Vulnerability ID: V-228522

Group Title: SRG-APP-000516

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.