Check: O365-EX-000003
Microsoft Office 365 ProPlus STIG:
O365-EX-000003
(in versions v2 r11 through v1 r2)
Title
Dynamic Data Exchange (DDE) server launch in Excel must be blocked. (Cat II impact)
Discussion
This policy setting allows you to control whether Dynamic Data Exchange (DDE) server launch is allowed. By default, DDE server launch is turned off, but users can turn on DDE server launch by going to File >> Options >> Trust Center >> Trust Center Settings >> External Content. For security reasons, turning on DDE server launch is not recommended. Note: For DDE server launch to work, Dynamic Data Exchange (DDE) server lookup must be turned on. Be sure that the “Don't allow Dynamic Data Exchange (DDE) server lookup” policy setting is not enabled, because enabling that policy setting turns off DDE server lookup. If you enable this policy setting, DDE server launch is not allowed, and users cannot turn on DDE server launch in the Trust Center. If you disable this policy setting, DDE server launch is allowed, and users cannot turn off DDE server launch in the Trust Center. For security reasons, this is not recommended. If you do not configure this policy setting, DDE server launch is turned off, but users can turn on DDE server launch in the Trust Center. Note: This policy setting only applies to subscription versions of Office, such as Office 365 ProPlus.
Check Content
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> External Content >> Don't allow Dynamic Data Exchange (DDE) server launch in Excel is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\security\external content If the value for "disableddeserverlaunch" is REG_DWORD = 1, this is not a finding.
Fix Text
Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Trust Center >> External Content >> Don't allow Dynamic Data Exchange (DDE) server launch in Excel to "Enabled".
Additional Identifiers
Rule ID: SV-223312r879628_rule
Vulnerability ID: V-223312
Group Title: SRG-APP-000207
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001662 |
The information system takes organization-defined corrective action when organization-defined unacceptable mobile code is identified. |
Controls
Number | Title |
---|---|
SC-18 (1) |
Identify Unacceptable Code / Take Corrective Actions |