Title

Project 2013 application must be prevented from loading any custom user interface (UI) code. (Cat II impact)

Discussion

This policy setting controls whether Office 2013 applications load any custom user interface (UI) code included with a document or template. Office 2013 allows developers to extend the UI with customization code that is included in a document or template. If this policy setting is enabled, Office 2013 applications cannot load any UI customization code included with documents and templates. If this policy setting is disabled or not configured, Office 2013 applications load any UI customization code included with a document or template when opening it, leaving the Office 2013 application susceptible to malicious code.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Global Options -> Customize -> "Disable UI extending from documents and templates" is set to "Enabled" and "Disallow in Project" is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\Microsoft\office\15.0\common\toolbars\project Criteria: If the value noextensibilitycustomizationfromdocument is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Office 2013 -> Global Options -> Customize -> "Disable UI extending from documents and templates" to "Enabled". Select the policy option for "Disallow in Project".

Additional Identifiers

Rule ID:

Vulnerability ID: V-40891

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.