DTOO296 - Disabling opening forms with managed code from the Internet security zone must be configured.


When InfoPath solutions are opened locally, the location of the form is checked so that updates to the form can be downloaded. If a user saves a form locally from a location on the Internet and then opens the same form from another location on the Internet, the cache will be updated with the new location information. If the user then opens the first form from its saved location, there will be a mismatch between the locally saved form and the locally cached form. This situation would typically happen when developers move forms to a new location, but if there is no warning when the cached location is used, it could be misused by an attacker attempting to redirect the forms to a new location. This type of attack is a form of beaconing. By default, if the location information in the cached form and the saved form to not match, the form cannot be opened without prompting the user for consent.


Set the policy value for User Configuration -> Administrative Templates -> Microsoft InfoPath 2013 -> Security 'Disable opening forms with managed code from the Internet security zone' to 'Enabled'.

See Also


Item Details


References: 800-53|SC-18(4), CAT|II, CCI|CCI-001170, Rule-ID|SV-53392r1_rule, STIG-ID|DTOO296, Vuln-ID|V-26620

Plugin: Windows

Control ID: 1c9a56752e8d82bc8e7a795f5de0b2e89aa3ebc499924748c6f23f8b24babf68