This Microsoft Office Technology Overview, along with the associated Security Technical Implementation Guide (STIG), provides the technical security policies, requirements, and implementation details for applying security concepts to Commercial-Off-The-Shelf (COTS) applications.
The nearly universal presence of systems on the desktops of all levels of staff provides tremendous opportunities for office automation, communication, data sharing, and collaboration. Unfortunately, this presence also brings about dependence and vulnerabilities. Malicious and mischievous forces have attempted to take advantage of the vulnerabilities and dependencies to disrupt the work processes of the Government. Compounding this problem is the fact that the vendors of software applications have not expended sufficient effort to provide strong security in their applications. Where applications do offer security options, the default settings typically do not provide a strong security posture.
This document is based on Microsoft Office 2013 installations within the Windows 7 Operating System and the Windows 8 Operating System. This document, and associated STIGs, has set forth requirements based upon having a secured Windows environment. The superset of these requirements can be found in the appropriate Windows STIG, which is also available from the IASE website. Failure to apply these requirements will significantly diminish the value of the
specifications in this document, as well as diminish the overall security posture of the asset to which these settings apply.
Security controls applied to the underlying operating system platform will directly affect the strength of the security that surrounds desktop applications.
The security requirements detailed in this document target applications installed on Microsoft Windows 7/Windows 8 platforms only, using the traditional Windows Installer-based (MSI) method of installing and updating Office.
Office 2013 introduced additional technologies including the ability to use/update the cloud, touch capabilities, and a more streamlined, ribbon-less interface in the products making up the suite. Specific settings have been included to ensure disabling of saving to the cloud. Additional Office 2013 functionality introduced extended settings, some of which were not deemed to impact the security posture of the system. Under those circumstances, specific STIG requirements were not developed. Other Office 2013 extended settings were determined to affect the security posture of the system and have been included as additional STIG requirement settings.
Also introduced in this Office STIG version are individual STIGs for the Visio 2013, Lync(client) 2013, SharePoint Design 2013, and SkyDrive Pro (Groove) 2013 products.
It is notable to differentiate between SkyDrive and SkyDrive Pro (Groove). SkyDrive is Microsoft's consumer cloud storage solution. SkyDrive Pro, however, is aimed at corporate users and provides much of the same experience that SkyDrive (cloud) provides to consumer users, but adds the ability for a corporate IT department to define security/search/content policies.
SkyDrive is a personal cloud storage capability for an individual's personal files, managed by the individual, using the public cloud, and is currently not allowed from a DoD network. SkyDrive Pro is site's cloud storage for work documents, managed by local IT personnel and uses local SharePoint or on-premises storage. The guidance provided in the Groove 2013 is for the
purposes of SkyDrive Pro (groove.exe) and does not relate to the SkyDrive commercial cloud use.
Office 365 is a subscription-based online office suite, providing hosted email and Microsoft Office 2013 desktop applications (WebApps). It is installed via the Click-to-Run installation option. Office 365 is not deployed or used in the DoD and this STIG does not cover any setting related to the Office 365 online suite.
Click-to-Run is a Microsoft streaming and virtualization technology that is also used to install and update Microsoft Office 2013 desktop products, as an alternative to the traditional Windows Installer-based (MSI) method. These streaming and virtualization capabilities are based on technologies in Microsoft Application Virtualization (App-V). In Office 2010, Click-to-Run was
available to only consumer users. In this new release, Click-to-Run supports large enterprise deployments. Guidance for Click-to-Run installations is not provided in this STIG. Although not specifically included in this STIG, Office 365 and Click-to-Run technologies may be referenced in STIG requirements and vulnerability discussions.
This document is a requirement for all DoD administered systems and all systems connected to DoD networks. These requirements are designed to assist Security Managers (SMs), Information Assurance Managers (IAMs), Information Assurance Officers (IAOs), and System Administrators (SAs) with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts.
- Specialized Security-Limited Functionality (SSLF)
To conduct a manual review of compliance with the Microsoft Office STIG requirements, it is necessary to use some tools that are provided with the Windows operating system. Some of these tools are as follows:
Windows "Edit File Type" facility - accessed through the Windows Explorer
Windows Registry Editor - regedit.exe or regedt32.exe
Windows Search - accessed via the Windows Start Menu
Group Policy Object Editor - gpedit.msc
Microsoft Management Console (MMC)
Microsoft Security Configuration and Analysis snap-in (used with the MMC)
Registry paths and values identified in each control assume the use of Group Policy Object Editor in the Microsoft Management Console, with installation of Microsoft Office 2013 Administrative Templates. Installations not using Group Policies to administer Microsoft Office products may observe alternate registry paths for stored configuration values. Instructions for the manual remediation of vulnerabilities, to include adding, deleting, and modifying settings can
be found in the "Fix" information provided in the VMS vulnerability.
If only one application of the Microsoft Office suite is installed (i.e., Microsoft Office Word only or Microsoft Office Excel only), the Microsoft Office System STIG settings must also be applied, along with the STIG settings for the installed application. The Microsoft Office System STIG is included in each of the individual application STIG packages in addition to being included as a separate STIG.
It must be noted that the guidelines specified should be evaluated in a local, representative test environment before implementation within large user populations. The extensive variety of environments makes it impossible to test these guidelines for all potential software configurations. For some environments, failure to test before implementation may lead to a loss
of required functionality. It is especially important to fully test with specific and legacy applications which is dependent upon the Microsoft Office applications for functionality, as well as Microsoft Office Add-ins which are currently used in the environment.
DoD Directive (DoDD) 8500.1 and DoDI 8500.2
Comments or proposed revisions to this document should be sent via email to the following address: email@example.com. DISA Field Security Operations (FSO) will coordinate all change requests with the relevant DoD organizations before inclusion in this document.
Added Version 1, Release 5 Overview - 5 August 2015
Version 1, Release 2 - 25 April 2014
Version 1, Release 1 - 3 December 2013
Version 1, Release 3 - 30 October 2014
Updated status to "Final" - 07 January 2015
Changed status from "under review" to "final" - 11 September 2015
Updated URL to reflect change to the DISA website - http --> https
added benchmark - 5/24/18
NIST checklist record last modified on 05/25/2018