Free DISA STIG and SRG Library | Vaulted

Microsoft Access 2007

Version 4 Release 14
2016-07-22
U_MicrosoftAccess2007_V4R14_Manual-xccdf.xml
The Microsoft Access 2007 STIG is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the NIST 800-53 and related documents. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Vulnerabilities (11)

Disable user name and password syntax from being used in URLs

Finding ID
DTOO104 - Access
Rule ID
SV-19429r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO104 - Disable user name and password
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If user names and passwords in URLs are allowed, users could be diverted to dangerous web pages, which could pose a security risk.
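
The spoof the discussion describes can be seen by letting a URL parser split the link the way a browser's address parser does. The following PowerShell is an added example, not part of the STIG: it parses a constructed list of links (including the wingtiptoys example from the discussion) with .NET's System.Uri and flags any link whose authority carries a user-info part, reporting the host the link would really connect to. The function name Test-DeceptiveUrl and the sample links are assumptions for illustration.

```powershell
# Added example (not from the STIG): show why user[:password]@host syntax is
# deceptive by splitting each link the way a URL parser does. Everything before
# the '@' in the authority is user information; the real host is Uri.Host.

function Test-DeceptiveUrl {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Url)
    process {
        $uri = $null
        # Malformed links fail to parse at all; per the STIG, IE refuses to load those.
        if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
            return [pscustomobject]@{
                Url = $Url; Host = $null; UserInfo = $null; Deceptive = $null
                Note = 'malformed: parser rejected it'
            }
        }
        $hasUserInfo = $uri.UserInfo -ne ''
        if ($hasUserInfo) {
            # This is the case from the discussion: the text a user reads as the
            # site name is really the user-info part, and the connection goes elsewhere.
            $note = "looks like '$($uri.UserInfo)' but connects to '$($uri.Host)'"
        } else {
            $note = 'no embedded user information'
        }
        [pscustomobject]@{
            Url       = $Url
            Host      = $uri.Host
            UserInfo  = $uri.UserInfo
            Deceptive = $hasUserInfo
            Note      = $note
        }
    }
}

# Constructed sample links (assumed for illustration), including the one from the discussion.
$sampleLinks = @(
    'http://www.wingtiptoys.com@example.com',
    'http://username:password@example.com',
    'http://www.wingtiptoys.com/',
    'not a url'
)
$sampleLinks | Test-DeceptiveUrl | Format-Table -AutoSize
```

For the first sample the parser reports Host = example.com and UserInfo = www.wingtiptoys.com, which is exactly the mismatch the FEATURE_HTTP_USERNAME_PASSWORD_DISABLE setting exists to block for IE instances spawned from msaccess.exe.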

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Disable user name and password” to “Enabled” and select the "msaccess.exe" check box.

Check Content

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Disable user name and password” is set to “Enabled” and "msaccess.exe" check box is selected. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Responsibility

System Administrator

Bind to Object - Access

Finding ID
DTOO111 - Access
Rule ID
SV-18190r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO111 - Enable IE Bind to Object
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Bind to Object” to “Enabled” and select the "msaccess.exe" check box.

Check Content

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Bind to Object” is set to “Enabled” and "msaccess.exe" check box is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Responsibility

System Administrator

Saved from URL - Access

Finding ID
DTOO117 - Access
Rule ID
SV-18205r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO117 - Saved from URL
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Typically, when Internet Explorer loads a web page from a UNC share that contains a Mark of the Web (MOTW) comment that indicates the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Saved from URL” to “Enabled” and select the "msaccess.exe" check box.

Check Content

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Saved from URL” is set to “Enabled” and "msaccess.exe" check box is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Responsibility

System Administrator

Block navigation to URL embedded in Office products to protect against attack by malformed URL.

Finding ID
DTOO123 - Access
Rule ID
SV-18603r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO123-Block Navigation to URL from Office
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur in some cases.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Navigate URL” to “Enabled” and select the "msaccess.exe" check box.

Check Content

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Navigate URL” is set to “Enabled” and "msaccess.exe" check box is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Responsibility

System Administrator

No pop-ups - Access

Finding ID
DTOO129 - Access
Rule ID
SV-18215r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO129 - Block Pop-Ups
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by 2007 Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.

Fix Text

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Block popups” to “Enabled” and select the "msaccess.exe" check box.

Check Content

Validate the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2007 system (Machine) >> Security Settings >> IE Security “Block popups” is set to “Enabled” and "msaccess.exe" check box is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT Criteria: If the value msaccess.exe is REG_DWORD = 1, this is not a finding.

Responsibility

System Administrator

Disable Trust Bar Notification for unsigned application add-ins - Access

Finding ID
DTOO131 - Access
Rule ID
SV-18219r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO131 - Trust Bar Notifications
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By default, if an application is configured to require that all add-ins be signed by a trusted publisher, any unsigned add-ins the application loads will be disabled and the application will display the Trust Bar at the top of the active window. The Trust Bar contains a message that informs users about the unsigned add-in.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “Disable Trust Bar Notification for unsigned application add-ins” will be set to “Enabled”.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “Disable Trust Bar Notification for unsigned application add-ins” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security Criteria: If the value NoTBPromptUnsignedAddin is REG_DWORD = 1, this is not a finding.

Responsibility

System Administrator

Enable Warning Bar settings for VBA macros contained in Access Files.

Finding ID
DTOO304 - Access
Rule ID
SV-18637r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO304 - VBA Macro Warning settings
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By default, when users open files in the specified applications that contain VBA macros, the applications open the files with the macros disabled and display the Trust Bar with a warning that macros are present and have been disabled. Users can inspect and edit the files if appropriate, but cannot use any disabled functionality until they enable it by clicking Options on the Trust Bar and selecting the appropriate action. If users enable dangerous macros, it could affect their computers or cause sensitive information to be compromised.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “VBA Macro Warning Settings” will be set to “Enabled (Trust Bar warning for all macros)”.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Security -> Trust Center “VBA Macro Warning Settings” will be set to “Enabled (Trust Bar warning for all macros)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security Criteria: If the value VBAWarnings is REG_DWORD = 2, this is not a finding.

Responsibility

System Administrator

Set the default saved file format for Access.

Finding ID
DTOO136 - Access
Rule ID
SV-18706r2_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO136 - Default file format
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By default, when users create new database files, Access 2007 saves them in the new Access 2007 format. Users can change this functionality by clicking the Office button, clicking Access Options, and then selecting a file format from the Default file format list. If a new database is created in an inappropriate format, some users might be unable to open or use it.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Default File Format” will be set to “Enabled (Access 2007)”.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Default File Format” will be set to “Enabled (Access 2007)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Settings Criteria: If the value Default File Format is REG_DWORD = 0xc (hex) / 12 (decimal), this is not a finding.

Responsibility

System Administrator

Do not Prompt to convert when opening older databases - Access.

Finding ID
DTOO137 - Access
Rule ID
SV-18733r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO137 - Prompt / Convert Older Databases
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By default, when users open databases that were created in the Access 97 file format, Access 2007 prompts them to convert the database to a newer file format. Users can choose to convert the database or leave it in the older format. If this configuration is changed, Access will leave Access 97-format databases unchanged. Access informs the user that the database is in the older format, but does not provide the user with an option to convert the database. Some features introduced in more recent versions of Access will not be available, and the user will not be able to make any design changes to the database.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Do not prompt to convert older databases” will be set to “Disabled”.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Miscellaneous “Do not prompt to convert older databases” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Settings Criteria: If the value NoConvertDialog is REG_DWORD = 0, this is not a finding.

Responsibility

System Administrator

Enable Modal Trust Decision Only - Access

Finding ID
DTOO135 - Access
Rule ID
SV-18952r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO135 - Modal Trust Decision Only
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By default, when users open an untrusted Access 2007 database that contains user-programmed executable components, Access opens the database with the components disabled and displays the Message Bar with a warning that database content has been disabled. Users can inspect the contents of the database, but cannot use any disabled functionality until they enable it by clicking Options on the Message Bar and selecting the appropriate action. The default configuration can be changed so that users see a dialog box when they open an untrusted database with executable components. Users must then choose whether to enable or disable the components before working with the database. In these circumstances users frequently enable the components, even if they do not require them. Executable components can be used to launch an attack against a computer environment.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Tools \ Security “Modal Trust Decision Only” will be set to “Disabled”.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Tools \ Security “Modal Trust Decision Only” will be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Security Criteria: If the value ModalTrustDecisionOnly is REG_DWORD = 0, this is not a finding.

Responsibility

System Administrator

Enable the feature to underline hyperlinks in Access.

Finding ID
DTOO130 - Access
Rule ID
SV-19046r1_rule
Severity
Cat II
CCE
(None)
Group Title
DTOO130 - Underline hyperlinks
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

By default, Access 2007 underlines hyperlinks that appear in tables, queries, forms, and reports. If this configuration is changed, users might click on dangerous hyperlinks without realizing it, which could pose a security risk.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Web Options -> General “Underline Hyperlinks” will be set to “Enabled”.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Access 2007 -> Application Settings -> Web Options -> General “Underline Hyperlinks” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Access\Internet Criteria: If the value DoNotUnderlineHyperlinks is REG_DWORD = 0, this is not a finding.

Responsibility

System Administrator
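
Every Check Content section above (DTOO104, DTOO111, DTOO117, DTOO123, DTOO129, DTOO131, DTOO304, DTOO136, DTOO137, DTOO135 and DTOO130) reduces to the same procedure: open a registry key, confirm the named value exists, is REG_DWORD, and holds the expected number. The PowerShell below is an added example, not part of the STIG or of any DISA tooling: it encodes the eleven key/value/expected triples exactly as the check content states them and reports each rule as Not a Finding or Open. The function name Test-AccessStigCheck and the variable $AccessStigChecks are assumptions for illustration.

```powershell
# Added example (not part of the STIG): audit the 11 registry checks of the
# Microsoft Access 2007 STIG V4R14 and report each as Not a Finding or Open.
# The HKCU:\ checks read the hive of whoever runs the script, so run it in the
# session of the user being assessed, not as SYSTEM or another administrator.

# Key, value name and expected REG_DWORD data, taken from each rule's Check Content.
$AccessStigChecks = @(
    [pscustomobject]@{ Id = 'DTOO104'; Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE'; Name = 'msaccess.exe';             Expected = 1  }
    [pscustomobject]@{ Id = 'DTOO111'; Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT';              Name = 'msaccess.exe';             Expected = 1  }
    [pscustomobject]@{ Id = 'DTOO117'; Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK';             Name = 'msaccess.exe';             Expected = 1  }
    [pscustomobject]@{ Id = 'DTOO123'; Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL';          Name = 'msaccess.exe';             Expected = 1  }
    [pscustomobject]@{ Id = 'DTOO129'; Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT';          Name = 'msaccess.exe';             Expected = 1  }
    [pscustomobject]@{ Id = 'DTOO131'; Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Access\Security';                                         Name = 'NoTBPromptUnsignedAddin';  Expected = 1  }
    [pscustomobject]@{ Id = 'DTOO304'; Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Access\Security';                                         Name = 'VBAWarnings';              Expected = 2  }
    [pscustomobject]@{ Id = 'DTOO136'; Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Access\Settings';                                         Name = 'Default File Format';      Expected = 12 }
    [pscustomobject]@{ Id = 'DTOO137'; Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Access\Settings';                                         Name = 'NoConvertDialog';          Expected = 0  }
    [pscustomobject]@{ Id = 'DTOO135'; Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Access\Security';                                         Name = 'ModalTrustDecisionOnly';   Expected = 0  }
    [pscustomobject]@{ Id = 'DTOO130'; Path = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Access\Internet';                                         Name = 'DoNotUnderlineHyperlinks'; Expected = 0  }
)

function Test-AccessStigCheck {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Check)
    process {
        $actual = $null
        if (-not (Test-Path -LiteralPath $Check.Path)) {
            # The check is literal: no key means the required value cannot be present.
            $status = 'Open (key missing)'
        } else {
            $key = Get-Item -LiteralPath $Check.Path
            if ($key.GetValueNames() -notcontains $Check.Name) {
                # Also literal: a check that wants REG_DWORD = 0 is still Open when
                # the value is absent, even if Access behaves the same by default.
                $status = 'Open (value missing)'
            } else {
                $actual = $key.GetValue($Check.Name)
                $kind   = $key.GetValueKind($Check.Name)
                if ($kind -ne 'DWord') {
                    $status = "Open (type $kind, expected REG_DWORD)"
                } elseif ($actual -eq $Check.Expected) {
                    $status = 'Not a Finding'
                } else {
                    $status = "Open (value $actual, expected $($Check.Expected))"
                }
            }
        }
        [pscustomobject]@{
            FindingId = $Check.Id
            Name      = $Check.Name
            Expected  = $Check.Expected
            Actual    = $actual
            Status    = $status
            Path      = $Check.Path
        }
    }
}

# Report every rule, then exit with the number of open findings so the script
# can gate a build or be called from a configuration-management run.
$results = $AccessStigChecks | Test-AccessStigCheck
$results | Format-Table FindingId, Name, Expected, Actual, Status -AutoSize
$open = @($results | Where-Object Status -ne 'Not a Finding')
Write-Host ("{0} of {1} checks open" -f $open.Count, $results.Count)
exit $open.Count
```

The script reads exactly the keys the check content names and nothing else; it does not consult the Group Policy objects that set them, so a rule that is configured in a GPO but has not yet been applied to the machine or user will still show as Open. Treat a run with zero open findings as confirmation of the registry state only, and confirm the policy setting in the Group Policy editor when the two disagree.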