
Auditing Microsoft Office Configurations Using Nessus

Hardening Microsoft Office

Microsoft® Office® is ubiquitous in today’s work environment. MS Office applications offer many security configuration options that can reduce the likelihood of exploitation. However, the default configuration settings typically don’t provide a strong security posture. The requirements and recommendations documented in common regulations and security guides are a great start to securing your Office installations. Tenable customers can also measure and evaluate the security of their Microsoft Office Suite environment using Nessus® and Tenable SecurityCenter™ audit compliance policy files.

Securing Microsoft Office Templates

Users can download Microsoft Office templates from the web, some of which may introduce vulnerabilities. For instance, there are vulnerabilities in Microsoft Active Template Library (ATL) Active X controls for Office that could allow for remote code execution if a user loaded a specific malicious template. For more information on this vulnerability, please review MS09-060.

This is a common weakness in the application’s default settings. Enabling "Disable template downloads" in the Microsoft Office Group Policy template prevents users from downloading Office templates. With Nessus compliance auditing, customers can validate whether this setting is configured correctly:

<custom_item>
type                  : REGISTRY_SETTING
description           : "1.1.3.5. Download of Templates: Level II"
value_type            : POLICY_DWORD
reg_key               : "HKU\Software\Policies\Microsoft\Office\12.0\Common\Internet"
reg_item              : "DisableTemplateDownload"
value_data            : 1
reg_ignore_hku_users  : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option            : CAN_NOT_BE_NULL
info                  : "CCE-1233-6"
info                  : "ref:https://benchmarks.cisecurity.org/tools2/CIS_Microsoft_Office_2007_Benchmark_v1.0.0.pdf pg. 21"
info                  : "Enabling this setting will prevent downloading of templates from Office Online."
</custom_item>

[Screenshot: Nessus compliance audit result for the template-download check]
The above results show that the target being scanned has the setting in place to prevent the downloading of Microsoft Office templates.

Require Signed Application Add-ins

Add-ins can enhance a user’s productivity by adding various types of new or updated features to Microsoft Office applications, such as Word® or Excel®. However, a malicious person may use unsigned add-ins to gain code execution on a user’s machine. For instance, vulnerabilities could allow remote code execution when a specially crafted Office file is opened from the same network directory as a library file. If exploited correctly, the attacker could gain the same user rights as the logged-on user (see MS11-073).

Configuring the "Require that application add-ins are signed by Trusted Publisher" setting forces every add-in that runs to be signed by a Trusted Publisher. See the following .audit check as an example:

<custom_item>
type                  : REGISTRY_SETTING
description           : "1.3.6.2. Require Signed Application Add-Ins: Level II"
value_type            : POLICY_DWORD
reg_key               : "HKU\Software\Policies\Microsoft\Office\12.0\Excel\Security"
reg_item              : "RequireAddinSig"
value_data            : 1
reg_ignore_hku_users  : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option            : CAN_NOT_BE_NULL
info                  : "CCE-1524-8"
info                  : "ref:https://benchmarks.cisecurity.org/tools2/CIS_Microsoft_Office_2007_Benchmark_v1.0.0.pdf pg. 139"
info                  : "This setting determines if application add-ins must be signed by a Trusted Publisher."
</custom_item>

[Screenshot: Nessus compliance audit result for the signed add-ins check]
The above host has the correct settings to require signed application add-ins.

Block Opening of Converters

By default, Microsoft Office applications include built-in text converters that enhance a user’s productivity by converting non-Microsoft Office documents into documents the Office application can read. However, this poses a security risk if the file the user is trying to open is malicious. For instance, a vulnerability in a converter could allow remote code execution when a malicious file is opened in Office, and an attacker who successfully exploits it could gain the same privileges as the currently logged-on user. Setting “Block opening of converters” to ‘enable’ prevents users from opening foreign documents and formats. See the following .audit check as an example:

<custom_item>
type                  : REGISTRY_SETTING
description           : "1.5.2.3. Block Opening of Converters: Level II"
value_type            : POLICY_DWORD
reg_key               : "HKU\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock"
reg_item              : "Converters"
value_data            : 1
reg_ignore_hku_users  : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option            : CAN_NOT_BE_NULL
info                  : "CCE-1216-1"
info                  : "ref:https://benchmarks.cisecurity.org/tools2/CIS_Microsoft_Office_2007_Benchmark_v1.0.0.pdf pg. 162"
info                  : "This setting determines whether PowerPoint can open Converters, which have the ability to open all document types and formats."
</custom_item>

[Screenshot: Nessus compliance audit result for the block-converters check]
The above host is configured to block the opening of converters.

Securing Web Access

While the web access and connectivity features built into Office, such as InfoPath solutions, offer users a wealth of services, malicious InfoPath solutions on the Internet can lure users into inadvertently leaking sensitive data. Vulnerabilities have also been reported in Outlook Web Access (OWA) that could allow an attacker to gain access to an individual OWA client’s session data.

Setting “Disable opening of solutions from the Internet security zone” to ‘enable’ prevents users from opening solutions from the Internet security zone.

Please see the following .audit check as an example:

<custom_item>
type                  : REGISTRY_SETTING
description           : "1.7.1.1. Block Opening Solutions from an Internet Security Zone: Level I"
value_type            : POLICY_DWORD
reg_key               : "HKU\Software\Policies\Microsoft\Office\12.0\InfoPath\Security"
reg_item              : "AllowInternetSolutions"
value_data            : 1
reg_ignore_hku_users  : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option            : CAN_NOT_BE_NULL
info                  : "CCE-1105-6"
info                  : "ref:https://benchmarks.cisecurity.org/tools2/CIS_Microsoft_Office_2007_Benchmark_v1.0.0.pdf pg. 178"
info                  : "This setting determines whether a User can open a solution from an Internet security zone."
</custom_item>

[Screenshot: Nessus compliance audit result for the InfoPath Internet-zone check]
The host has failed the configuration audit because it is not configured to block opening solutions from an Internet security zone.
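The four .audit checks above share one shape: a REGISTRY_SETTING item that is evaluated under every loaded HKU user hive, skips the system SIDs listed in reg_ignore_hku_users, and, because of CAN_NOT_BE_NULL, treats a missing value as a failure (which is exactly why the last host fails). The following Python script is an added example and not Tenable's code or the Nessus engine: it parses the `<custom_item>` syntax shown above and evaluates two of the checks against a constructed registry snapshot (a made-up user SID, no real host), so a reader can see how the pass/fail verdicts in the four screenshots arise. The evaluation semantics are my approximation of the Nessus check, stated in the docstring, and the "no user hive means fail" rule is a choice made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed input: two of the post's checks in .audit syntax (template download,
# which the sample host below has set, and the InfoPath check, which it lacks).
AUDIT_TEXT = r'''
<custom_item>
type                  : REGISTRY_SETTING
description           : "1.1.3.5. Download of Templates: Level II"
value_type            : POLICY_DWORD
reg_key               : "HKU\Software\Policies\Microsoft\Office\12.0\Common\Internet"
reg_item              : "DisableTemplateDownload"
value_data            : 1
reg_ignore_hku_users  : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option            : CAN_NOT_BE_NULL
info                  : "CCE-1233-6"
info                  : "Enabling this setting will prevent downloading of templates from Office Online."
</custom_item>
<custom_item>
type                  : REGISTRY_SETTING
description           : "1.7.1.1. Block Opening Solutions from an Internet Security Zone: Level I"
value_type            : POLICY_DWORD
reg_key               : "HKU\Software\Policies\Microsoft\Office\12.0\InfoPath\Security"
reg_item              : "AllowInternetSolutions"
value_data            : 1
reg_ignore_hku_users  : "S-1-5-18,S-1-5-19,S-1-5-20"
reg_option            : CAN_NOT_BE_NULL
</custom_item>
'''

# Constructed registry snapshot: HKU SID -> subkey path -> value name -> DWORD. The
# LocalSystem hive (S-1-5-18) holds no Office policy and must be ignored; the one
# real user (made-up SID) has the template policy but no InfoPath key at all.
Hives = Dict[str, Dict[str, Dict[str, int]]]
REGISTRY_SNAPSHOT: Hives = {
    "S-1-5-18": {},
    "S-1-5-21-1111-2222-3333-1001": {
        r"Software\Policies\Microsoft\Office\12.0\Common\Internet": {"DisableTemplateDownload": 1},
    },
}
ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)

@dataclass
class CustomItem:
    fields: Dict[str, str] = field(default_factory=dict)
    info: List[str] = field(default_factory=list)  # 'info' repeats, so keep every one

@dataclass
class Result:
    description: str
    passed: bool
    details: List[str]

def parse_audit(text: str) -> List[CustomItem]:
    """Parse each <custom_item> block into key/value fields, stripping the quotes."""
    items = []
    for body in ITEM_RE.findall(text):
        item = CustomItem()
        for line in body.splitlines():
            key, sep, val = line.partition(":")  # first colon only: values may contain ':'
            key, val = key.strip(), val.strip()
            if not sep or not key:
                continue
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            if key == "info":
                item.info.append(val)
            else:
                item.fields[key] = val
        items.append(item)
    return items

def evaluate(item: CustomItem, hives: Hives) -> Result:
    """Evaluate one POLICY_DWORD check against every non-ignored HKU hive.
    Assumed semantics (an approximation, not Tenable's code): HKU\\ means each loaded
    user hive, SIDs in reg_ignore_hku_users are skipped, CAN_NOT_BE_NULL makes a
    missing value a failure, and the item passes only if every hive holds value_data."""
    f = item.fields
    if f.get("type") != "REGISTRY_SETTING" or not f["reg_key"].upper().startswith("HKU\\"):
        raise ValueError("only REGISTRY_SETTING items on per-user (HKU) keys are handled here")
    subkey, name, expected = f["reg_key"][4:], f["reg_item"], int(f["value_data"])
    ignored = {s.strip() for s in f.get("reg_ignore_hku_users", "").split(",") if s.strip()}
    null_fails = f.get("reg_option") == "CAN_NOT_BE_NULL"
    details, verdicts = [], []
    for sid, keys in hives.items():
        if sid in ignored:
            details.append(f"{sid}: skipped (reg_ignore_hku_users)")
            continue
        actual = keys.get(subkey, {}).get(name)
        ok = (actual == expected) if actual is not None else not null_fails
        state = "not set" if actual is None else f"= {actual}"
        details.append(f"{sid}: {name} {state}, expected {expected} -> {'PASSED' if ok else 'FAILED'}")
        verdicts.append(ok)
    # Choice made for this example: with no user hive to inspect nothing was verified, so fail.
    return Result(f["description"], bool(verdicts) and all(verdicts), details)

def run_audit(text: str, hives: Hives) -> List[Result]:
    return [evaluate(item, hives) for item in parse_audit(text)]

if __name__ == "__main__":
    for r in run_audit(AUDIT_TEXT, REGISTRY_SNAPSHOT):
        print(("PASSED " if r.passed else "FAILED ") + r.description, *r.details, sep="\n    ")
```

Run as-is, the template check passes (the system hive is skipped, the user hive holds the expected DWORD) and the InfoPath check fails because the value is absent and CAN_NOT_BE_NULL is set; swap in a snapshot exported from a real host to compare its policy keys against the same checks.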

Conclusion

In all, there are 1300+ individual checks spanning several .audit files for Microsoft Office. Audit compliance policies are available for CIS Microsoft Office 2007 Level 1 & 2, DISA STIG Microsoft Office 2010, and MSCM Microsoft Office 2010. Tenable audit compliance policies for Microsoft Office products can be downloaded by logging into the Tenable Support Portal.

*Originally written by Joshua Turpin, Tenable Compliance Auditor
