STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Microsoft Visio 2016 Security Technical Implementation Guide

V-238114

CAT II (Medium)

Add-ins to Office applications must be signed by a Trusted Publisher.

Rule ID

SV-238114r960954_rule

STIG

Microsoft Visio 2016 Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-001749

Discussion

This policy setting controls whether add-ins for this applications must be digitally signed by a trusted publisher. If you enable this policy setting, this application checks the digital signature for each add-in before loading it. If an add-in does not have a digital signature, or if the signature did not come from a trusted publisher, this application disables the add-in and notifies the user. Certificates must be added to the Trusted Publishers list if you require that all add-ins be signed by a trusted publisher. For detail on about obtaining and distributing certificates, see http://go.microsoft.com/fwlink/?LinkId=294922. Office 2016 stores certificates for trusted publishers in the Internet Explorer trusted publisher store. Earlier versions of Microsoft Office stored trusted publisher certificate information (specifically, the certificate thumbprint) in a special Office trusted publisher store. Office 2016 still reads trusted publisher certificate information from the Office trusted publisher store, but it does not write information to this store. Therefore, if you created a list of trusted publishers in a previous version of Office and you upgrade to Office 2016, your trusted publisher list will still be recognized. However, any trusted publisher certificates that you add to the list will be stored in the Internet Explorer trusted publisher store. For more information about trusted publishers, see the Office Resource Kit. If you disable or do not configure this policy setting, this application does not check the digital signature on application add-ins before opening them. If a dangerous add-in is loaded, it could harm users' computers or compromise data security.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Visio 2016 -> Visio Options -> Security -> Trust Center -> "Require that application add-ins are signed by Trusted Publisher" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key: 

HKCU\software\policies\Microsoft\office\16.0\Visio\security

Criteria: If the value requireaddinsig is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Visio 2016 -> Visio Options -> Security -> Trust Center -> "Require that application add-ins are signed by Trusted Publisher" to "Enabled".