1.8.7.2.2.4 Ensure 'Document Behavior if File Validation Fails' is set to Enabled (Open in Protected View) Unchecked for 'Do not allow edit'

Information

This policy setting controls how Office handles documents when they fail file validation.

If you enable this policy setting, you can configure the following options for files that fail file validation:

- Block files completely. Users cannot open the files.
- Open files in Protected View and disallow edit. Users cannot edit the files. This is also how Office handles the files if you disable this policy setting.
- Open files in Protected View and allow edit. Users can edit the files. This is also how Office handles the files if you do not configure this policy setting.

If you disable this policy setting, Office follows the 'Open files in Protected View and disallow edit' behavior. If you do not configure this policy setting, Office follows the 'Open files in Protected View and allow edit' behavior.

The recommended state for this setting is: Enabled. (Open in Protected View) Unchecked for 'Do not allow edit'

Disabling or not configuring this setting allows users to open and edit files that have failed file validation outside of Protected View. As a result, malicious code or users could become active on user computers or the network. For example, a malicious user may purposely put invalid data in a file. The invalid data could force the program to fail or execute its code in an unexpected manner, giving the malicious user control of the application.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Word 2016\Word Options\Security\Trust Center\Protected View\Document Behavior if File Validation Fails

Impact: By default, users can only open files in Protected View after the files fail validation to help prevent malicious code from running on user computers or the network. In this way, the application is protected from attacks attempting to induce unexpected execution paths. You can block files from opening at all, but this also prevents users from accessing any data in the file. Using this setting allows the application to open files, and thus users to view valid data and detect invalid data that is visible. However, users cannot correct invalid data in the file. To do so, users must open such files on another isolated computer where this setting is set to a lower security level.

See Also

https://workbench.cisecurity.org/files/557

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 9066ec2d0ceec678015152aa16fcd4d59384a2275552f2dc4b465829e6fd5be1