2.2.4.7.2.3.1 Ensure 'Always open untrusted database files in Protected View' is set to 'Enabled'

Information

This policy setting controls whether database files (.dbf) opened from an untrusted location are always opened in Protected View.

Note: This policy setting only applies to subscription versions of Office, such as Microsoft 365 Apps for enterprise.

The recommended state for this setting is: Enabled.

Rationale:

Files that originate from an untrusted location may contain malicious software. Requiring a user to open files originating from these zones forces them into a read-only mode. This reduces the chance of infection by making the user acknowledge a series of prompts before enabling editing.

Impact:

Database files opened from an untrusted location are always opened in Protected View. Users will not be able to change this setting under Trust Center Settings > Protected View.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled.

User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\Protected View\Always open untrusted database files in Protected View

Default Value:

Disabled. (Database files opened from untrusted locations are not opened in Protected View.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(1)

Plugin: Windows

Control ID: cfab37de87634e2c3f8d43a8eb2212e2fec88ab127b5a05f4e3bd2c651190e9a