Check: O365-CO-000003
Microsoft Office 365 ProPlus STIG:
O365-CO-000003
(in versions v3 r1 through v1 r1)
Title
The Office client must be prevented from polling the SharePoint Server for published links. (Cat II impact)
Discussion
This policy setting controls whether Office 365 ProPlus applications can poll Office servers to retrieve lists of published links. If this policy setting is enabled, Office 365 ProPlus applications cannot poll an Office server for published links. If this policy setting is disabled or not configured, users of Office 365 ProPlus applications can see and use links to Microsoft SharePoint Server sites from those applications. Published links can be configured to Office applications during initial deployment, and can add or change links as part of regular operations. These links appear on the My SharePoint Sites tab of the Open, Save, and Save As dialog boxes when opening and saving documents from these applications. Links can be targeted so they only appear to users who are members of particular audiences. Note: This policy setting applies to Microsoft SharePoint Server specifically. It does not apply to Microsoft SharePoint Foundation.
Check Content
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Server Settings >> Disable the Office client from polling the SharePoint Server for published links is set to "Enabled". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\common\portal If the value for linkpublishingdisabled is REG_DWORD = "1", this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Server Settings >> Disable the Office client from polling the SharePoint Server for published links to "Enabled".
Additional Identifiers
Rule ID: SV-223286r960963_rule
Vulnerability ID: V-223286
Group Title: SRG-APP-000141
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
Configure the system to provide only organization-defined mission essential capabilities. |
CCI-001662 |
Take organization-defined corrective action when organization-defined unacceptable mobile code is identified. |