
Microsoft Office 365 ProPlus Security Technical Implementation Guide

Version: V3R5
Release Date: Feb 12, 2026
SCAP Benchmark ID: MS_Office_365_ProPlus_STIG
Total Checks: 139
Tags: other
CAT I: 1 | CAT II: 138 | CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (139)

V-223280 | MEDIUM | Macros must be blocked from running in Access files from the Internet.
V-223281 | MEDIUM | Trust Bar Notifications for unsigned application add-ins in Access must be disabled and blocked.
V-223282 | MEDIUM | VBA macros not digitally signed must be blocked in Access.
V-223284 | MEDIUM | The Macro Runtime Scan Scope must be enabled for all documents.
V-223285 | HIGH | Document metadata for rights managed Office Open XML files must be protected.
V-223286 | MEDIUM | The Office client must be prevented from polling the SharePoint Server for published links.
V-223287 | MEDIUM | Custom user interface (UI) code must be blocked from loading in all Office applications.
V-223288 | MEDIUM | ActiveX Controls must be initialized in Safe Mode.
V-223289 | MEDIUM | Macros in all Office applications that are opened programmatically by another application must be opened based upon macro security level.
V-223290 | MEDIUM | Trust Bar notifications must be configured to display information in the Message Bar about the content that has been automatically blocked.
V-223291 | MEDIUM | Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.
V-223292 | MEDIUM | Office applications must be configured to specify encryption type in password-protected Office Open XML files.
V-223293 | MEDIUM | Users must be prevented from creating new trusted locations in the Trust Center.
V-223294 | MEDIUM | Office applications must not load XML expansion packs with Smart Documents.
V-223295 | MEDIUM | The load of controls in Forms3 must be blocked.
V-223296 | MEDIUM | Add-on Management must be enabled for all Office 365 ProPlus programs.
V-223297 | MEDIUM | Consistent MIME handling must be enabled for all Office 365 ProPlus programs.
V-223298 | MEDIUM | User name and password must be disabled in all Office programs.
V-223299 | MEDIUM | The Information Bar must be enabled in all Office programs.
V-223300 | MEDIUM | The Local Machine Zone Lockdown Security must be enabled in all Office programs.
V-223301 | MEDIUM | The MIME Sniffing safety feature must be enabled in all Office programs.
V-223302 | MEDIUM | Navigate URL must be enabled in all Office programs.
V-223303 | MEDIUM | Object Caching Protection must be enabled in all Office programs.
V-223304 | MEDIUM | Protection from zone elevation must be enabled in all Office programs.
V-223305 | MEDIUM | ActiveX installation restriction must be enabled in all Office programs.
V-223306 | MEDIUM | File Download Restriction must be enabled in all Office programs.
V-223307 | MEDIUM | The Save from URL feature must be enabled in all Office programs.
V-223308 | MEDIUM | Scripted Windows Security restrictions must be enabled in all Office programs.
V-223309 | MEDIUM | Flash player activation must be disabled in all Office programs.
V-223310 | MEDIUM | Trusted Locations on the network must be disabled in Excel.
V-223311 | MEDIUM | VBA Macros not digitally signed must be blocked in Excel.
V-223312 | MEDIUM | Dynamic Data Exchange (DDE) server launch in Excel must be blocked.
V-223313 | MEDIUM | Dynamic Data Exchange (DDE) server lookup in Excel must be blocked.
V-223314 | MEDIUM | Open/save of dBase III / IV format files must be blocked.
V-223315 | MEDIUM | Open/save of Dif and Sylk format files must be blocked.
V-223316 | MEDIUM | Open/save of Excel 2 macrosheets and add-in files must be blocked.
V-223317 | MEDIUM | Open/save of Excel 2 worksheets must be blocked.
V-223318 | MEDIUM | Open/save of Excel 3 macrosheets and add-in files must be blocked.
V-223319 | MEDIUM | Open/save of Excel 3 worksheets must be blocked.
V-223320 | MEDIUM | Open/save of Excel 4 macrosheets and add-in files must be blocked.
V-223321 | MEDIUM | Open/save of Excel 4 workbooks must be blocked.
V-223322 | MEDIUM | Open/save of Excel 4 worksheets must be blocked.
V-223323 | MEDIUM | Open/save of Excel 95 workbooks must be blocked.
V-223324 | MEDIUM | Open/save of Excel 95-97 workbooks and templates must be blocked.
V-223325 | MEDIUM | The default file block behavior must be set to not open blocked files in Excel.
V-223326 | MEDIUM | Open/save of Web pages and Excel 2003 XML spreadsheets must be blocked.
V-223327 | MEDIUM | Extraction options must be blocked when opening corrupt Excel workbooks.
V-223328 | MEDIUM | Updating of links in Excel must be prompted and not automatic.
V-223329 | MEDIUM | Loading of pictures from Web pages not created in Excel must be disabled.
V-223330 | MEDIUM | AutoRepublish in Excel must be disabled.
V-223331 | MEDIUM | AutoRepublish warning alert in Excel must be enabled.
V-223332 | MEDIUM | File extensions must be enabled to match file types in Excel.
V-223333 | MEDIUM | Scan of encrypted macros in Excel Open XML workbooks must be enabled.
V-223334 | MEDIUM | File validation in Excel must be enabled.
V-223335 | MEDIUM | WEBSERVICE Function Notification in Excel must be configured to disable all, with notifications.
V-223336 | MEDIUM | Macros must be blocked from running in Excel files from the Internet.
V-223337 | MEDIUM | Trust Bar notification must be enabled for unsigned application add-ins in Excel and blocked.
V-223338 | MEDIUM | Untrusted Microsoft Query files must be blocked from opening in Excel.
V-223339 | MEDIUM | Untrusted database files must be opened in Excel in Protected View mode.
V-223340 | MEDIUM | Files from Internet zone must be opened in Excel in Protected View mode.
V-223341 | MEDIUM | Files from unsafe locations must be opened in Excel in Protected View mode.
V-223342 | MEDIUM | Files failing file validation must be opened in Excel in Protected view mode and disallow edits.
V-223343 | MEDIUM | File attachments from Outlook must be opened in Excel in Protected mode.
V-223344 | MEDIUM | The SIP security mode in Lync must be enabled.
V-223345 | MEDIUM | The HTTP fallback for SIP connection in Lync must be disabled.
V-223346 | MEDIUM | The Exchange client authentication with Exchange servers must be enabled to use Kerberos Password Authentication.
V-223347 | MEDIUM | Outlook must use remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers.
V-223348 | MEDIUM | Scripts associated with public folders must be prevented from execution in Outlook.
V-223349 | MEDIUM | Scripts associated with shared folders must be prevented from execution in Outlook.
V-223350 | MEDIUM | Files dragged from an Outlook e-mail to the file system must be created in ANSI format.
V-223351 | MEDIUM | The junk email protection level must be set to No Automatic Filtering.
V-223352 | MEDIUM | Active X One-Off forms must only be enabled to load with Outlook Controls.
V-223353 | MEDIUM | Outlook must be configured to prevent users overriding attachment security settings.
V-223354 | MEDIUM | Internet must not be included in Safe Zone for picture download in Outlook.
V-223355 | MEDIUM | The Publish to Global Address List (GAL) button must be disabled in Outlook.
V-223356 | MEDIUM | The minimum encryption key length in Outlook must be at least 168.
V-223357 | MEDIUM | The warning about invalid digital signatures must be enabled to warn Outlook users.
V-223358 | MEDIUM | Outlook must be configured to allow retrieving of Certificate Revocation Lists (CRLs) always when online.
V-223359 | MEDIUM | The Outlook Security Mode must be enabled to always use the Outlook Security Group Policy.
V-223360 | MEDIUM | The ability to demote attachments from Level 2 to Level 1 must be disabled.
V-223361 | MEDIUM | The display of Level 1 attachments must be disabled in Outlook.
V-223362 | MEDIUM | Level 1 file attachments must be blocked from being delivered.
V-223363 | MEDIUM | Level 2 file attachments must be blocked from being delivered.
V-223364 | MEDIUM | Outlook must be configured to not run scripts in forms in which the script and the layout are contained within the message.
V-223365 | MEDIUM | When a custom action is executed that uses the Outlook object model, Outlook must automatically deny it.
V-223366 | MEDIUM | When an untrusted program attempts to programmatically access an Address Book using the Outlook object model, Outlook must automatically deny it.
V-223367 | MEDIUM | When a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field, Outlook must automatically deny it.
V-223368 | MEDIUM | When an untrusted program attempts to use the Save As command to programmatically save an item, Outlook must automatically deny it.
V-223369 | MEDIUM | When an untrusted program attempts to gain access to a recipient field, such as the, To: field, using the Outlook object model, Outlook must automatically deny it.
V-223370 | MEDIUM | When an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request, Outlook must automatically deny it.
V-223371 | MEDIUM | When an untrusted program attempts to send e-mail programmatically using the Outlook object model, Outlook must automatically deny it.
V-223372 | MEDIUM | Outlook must be configured to not allow hyperlinks in suspected phishing messages.
V-223373 | MEDIUM | The Security Level for macros in Outlook must be configured to Warn for signed and disable unsigned.
V-223374 | MEDIUM | Trusted Locations on the network must be disabled in Project.
V-223375 | MEDIUM | Project must automatically disable unsigned add-ins without informing users.
V-223376 | MEDIUM | VBA Macros not digitally signed must be blocked in Project.
V-223377 | MEDIUM | VBA Macros not digitally signed must be blocked in PowerPoint.
V-223378 | MEDIUM | The ability to run programs from PowerPoint must be disabled.
V-223379 | MEDIUM | Open/Save of PowerPoint 97-2003 presentations, shows, templates, and add-in files must be blocked.
V-223380 | MEDIUM | The default file block behavior must be set to not open blocked files in PowerPoint.
V-223381 | MEDIUM | Encrypted macros in PowerPoint Open XML presentations must be scanned.
V-223382 | MEDIUM | File validation in PowerPoint must be enabled.
V-223383 | MEDIUM | Macros from the Internet must be blocked from running in PowerPoint.
V-223384 | MEDIUM | Unsigned add-ins in PowerPoint must be blocked with no Trust Bar Notification to the user.
V-223385 | MEDIUM | Files downloaded from the Internet must be opened in Protected view in PowerPoint.
V-223386 | MEDIUM | PowerPoint attachments opened from Outlook must be in Protected View.
V-223387 | MEDIUM | Files in unsafe locations must be opened in Protected view in PowerPoint.
V-223388 | MEDIUM | If file validation fails, files must be opened in Protected view in PowerPoint with ability to edit disabled.
V-223389 | MEDIUM | The use of network locations must be ignored in PowerPoint.
V-223390 | MEDIUM | Publisher must be configured to prompt the user when another application programmatically opens a macro.
V-223391 | MEDIUM | Publisher must automatically disable unsigned add-ins without informing users.
V-223392 | MEDIUM | Publisher must disable all unsigned VBA macros.
V-223393 | MEDIUM | VBA Macros not digitally signed must be blocked in Visio.
V-223394 | MEDIUM | Trusted Locations on the network must be disabled in Visio.
V-223395 | MEDIUM | Visio must automatically disable unsigned add-ins without informing users.
V-223396 | MEDIUM | Visio 2000-2002 Binary Drawings, Templates and Stencils must be blocked.
V-223397 | MEDIUM | Visio 2003-2010 Binary Drawings, Templates and Stencils must be blocked.
V-223398 | MEDIUM | Visio 5.0 or earlier Binary Drawings, Templates and Stencils must be blocked.
V-223399 | MEDIUM | Macros must be blocked from running in Visio files from the Internet.
V-223400 | MEDIUM | Word must automatically disable unsigned add-ins without informing users.
V-223401 | MEDIUM | In Word, encrypted macros must be scanned.
V-223402 | MEDIUM | Files downloaded from the Internet must be opened in Protected view in Word.
V-223403 | MEDIUM | Files located in unsafe locations must be opened in Protected view in Word.
V-223404 | MEDIUM | If file validation fails, files must be opened in Protected view in Word with ability to edit disabled.
V-223405 | MEDIUM | Word attachments opened from Outlook must be in Protected View.
V-223406 | MEDIUM | The default file block behavior must be set to not open blocked files in Word.
V-223407 | MEDIUM | Open/Save of Word 2 and earlier binary documents and templates must be blocked.
V-223408 | MEDIUM | Open/Save of Word 2000 binary documents and templates must be blocked.
V-223409 | MEDIUM | Open/Save of Word 2003 binary documents and templates must be blocked.
V-223410 | MEDIUM | Open/Save of Word 2007 and later binary documents and templates must be blocked.
V-223411 | MEDIUM | Open/Save of Word 6.0 binary documents and templates must be blocked.
V-223412 | MEDIUM | Open/Save of Word 95 binary documents and templates must be blocked.
V-223413 | MEDIUM | Open/Save of Word 97 binary documents and templates must be blocked.
V-223414 | MEDIUM | Open/Save of Word XP binary documents and templates must be blocked.
V-223415 | MEDIUM | In Word, macros must be blocked from running, even if Enable all macros is selected in the Macro Settings section of the Trust Center.
V-223416 | MEDIUM | Trusted Locations on the network must be disabled in Word.
V-223417 | MEDIUM | VBA Macros not digitally signed must be blocked in Word.
V-223418 | MEDIUM | File validation in Word must be enabled.
V-278355 | MEDIUM | Sending of diagnostic data to Microsoft must be disabled.