Check: DTOO146
Microsoft Word 2013 STIG:
DTOO146
(in versions v1 r6 through v1 r5)
Title
Trust access for VBA must be disallowed. (Cat II impact)
Discussion
VSTO projects require access to the Visual Basic for Applications project system in Excel, PowerPoint, and Word, even though the projects do not use Visual Basic for Applications. Design-time support of controls in both Visual Basic and C# projects depends on the Visual Basic for Applications project system in Word and Excel. By default, Excel, Word, and PowerPoint do not allow automation clients to have programmatic access to VBA projects. Users can enable this by selecting the Trust access to the VBA project object model in the Macro Settings section of the Trust Center. However, doing so allows macros in any documents the user opens to access the core Visual Basic objects, methods, and properties, which represents a potential security hazard.
Check Content
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Word 2013 -> Word Options -> Security -> Trust Center "Trust access to Visual Basic Project" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\word\security Criteria: If the value AccessVBOM is REG_DWORD = 0, this is not a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Word 2013 -> Word Options -> Security -> Trust Center "Trust access to Visual Basic Project" to "Disabled".
Additional Identifiers
Rule ID: SV-53576r1_rule
Vulnerability ID: V-17522
Group Title: DTOO146-Disable Trust access to VB Project Macros
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
Controls
Number | Title |
---|---|
CM-7 |
Least Functionality |