Check: O365-CO-000004
Microsoft Office 365 ProPlus STIG:
O365-CO-000004
(in versions v2 r12 through v1 r1)
Title
Custom user interface (UI) code must be blocked from loading in all Office applications. (Cat II impact)
Discussion
This policy setting controls whether Office 365 ProPlus applications load any custom user interface (UI) code included with a document or template. Office 365 ProPlus allows developers to extend the UI with customization code that is included in a document or template. If this policy setting is enabled, Office 365 ProPlus applications cannot load any UI customization code included with documents and templates. If this policy setting is not configured or disabled, Office 365 ProPlus applications load any UI customization code included with a document or template when opening it.
Check Content
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Global Options >> Customize >> Disable UI extending from documents and templates is set to Enabled: Disallow in Word; Excel; PowerPoint; Access; Outlook; Publisher; Project; Visio; InfoPath Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\common\toolbars If the value noextensibilitycustomizationfromdocument is REG_DWORD = 1 for all installed Office programs, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Global Options >> Customize >> Disable UI extending from documents and templates to Enabled: Disallow in Word; Excel; PowerPoint; Access; Outlook; Publisher; Project; Visio; InfoPath.
Additional Identifiers
Rule ID: SV-223287r879887_rule
Vulnerability ID: V-223287
Group Title: SRG-APP-000516
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |