DISA STIGS Viewer

Office applications must be configured to specify encryption type in password-protected Office 97-2003 files.

Overview

Finding ID Version Rule ID IA Controls Severity
V-223291 O365-CO-000008 SV-223291r961128_rule   Medium
Description
STIG Date
Microsoft Office 365 ProPlus Security Technical Implementation Guide 2025-03-05

Details

Check Text (C-24964r442092_chk)
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings >> Encryption type for password protected Office 97-2003 files is set to Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256.

Use the Windows Registry Editor to navigate to the following key:

HKCU\software\policies\microsoft\office\16.0\common\security

If the value defaultencryption12 is set to REG_SZ = "Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256", this is not a finding.
Fix Text (F-24952r442093_fix)
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings >> Encryption type for password protected Office 97-2003 files to Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256.