O365-CO-000026 - Scripted Windows Security restrictions must be enabled in all Office programs.

Information

Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
- Create browser windows appearing to be from the local operating system.
- Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input.
- Overlay parent windows with their own browser windows to hide important system information, choices, or prompts.

Solution

Set the policy value for Computer Configuration >> Administrative Templates >> Microsoft Office 2016 (Machine) >> Security Settings >> IE Security >>Scripted Window Security Restrictions to 'Enabled' and select the check boxes for all installed Office programs.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Office_365_ProPlus_V3R1_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3), CAT|II, CCI|CCI-001695, Rule-ID|SV-223308r960921_rule, STIG-ID|O365-CO-000026, STIG-Legacy|SV-108795, STIG-Legacy|V-99691, Vuln-ID|V-223308

Plugin: Windows

Control ID: 76354f4b906abf5de070514fbd913c2ec262b507aaf1ea7d660986d2dc801bed