Free DISA STIG and SRG Library | Vaulted
Removed

V-223332

File extensions must be enabled to match file types in Excel.

Finding ID
O365-EX-000023
Rule ID
SV-223332r508019_rule
Severity
Cat II
CCE
(None)
Group Title
SRG-APP-000516
CCI
CCI-000366
Target Key
(None)
Documentable
No
Discussion

This policy setting controls how Excel loads file types that do not match their extension. Excel can load files with extensions that do not match the files' type. For example, if a comma-separated values (CSV) file named example.csv is renamed example.xls (or any other file extension supported by Excel 2003 and earlier only), Excel can properly load it as a CSV file. If you enable this policy setting, you can choose from three options for working with files that have non-matching extensions: - Allow different - Excel opens the files properly without warning users that the files have non-matching extensions. If users subsequently edit and save the files, Excel preserves both the true, underlying file format and the incorrect file extension. - Allow different, but warn - Excel opens the files properly, but warns users about the file type mismatch. This option is the default configuration in Excel. - Always match file type - Excel does not open any files that have non-matching extensions. If you disable or do not configure this policy setting, if users attempt to open files with the wrong extension, Excel opens the file and displays a warning that the file type is not what Excel expected.

Fix Text

Set policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Force file extension to match file type to "Always match file type".

Check Content

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Excel 2016 >> Excel Options >> Security >> Force file extension to match file type is set to "Always match file type". Use the Windows Registry Editor to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\excel\security If value for extensionhardening is REG_DWORD = 1, this is not a finding.