Microsoft Outlook 2016 Security Technical Implementation Guide

The Microsoft Outlook 2016 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: [email protected]

Details

Version / Release: V1R2

Published: 2017-05-08

Updated At: 2018-09-23 19:15:15

Actions

Download

Filter


Findings
Severity Open Not Reviewed Not Applicable Not a Finding
Overall 0 0 0 0
Low 0 0 0 0
Medium 0 0 0 0
High 0 0 0 0
Drop CKL or SCAP (XCCDF) results here.

    Vuln Rule Version CCI Severity Title Description Status Finding Details Comments
    SV-85733r1_rule DTOO104 CCI-001170 MEDIUM Disabling of user name and password syntax from being used in URLs must be enforced. The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:[email protected] A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate websi
    SV-85735r1_rule DTOO111 CCI-001695 MEDIUM Enabling IE Bind to Object functionality must be present. Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located
    SV-85737r1_rule DTOO117 CCI-001170 MEDIUM Saved from URL mark to assure Internet zone processing must be enforced. Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet se
    SV-85739r1_rule DTOO123 CCI-001170 MEDIUM Navigation to URLs embedded in Office products must be blocked. To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an
    SV-85741r1_rule DTOO124 CCI-001695 MEDIUM Scripted Window Security must be enforced. Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to: -Crea
    SV-85743r1_rule DTOO126 CCI-001662 MEDIUM Add-on Management functionality must be allowed. Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become
    SV-85745r1_rule DTOO129 CCI-001662 MEDIUM Links that invoke instances of Internet Explorer from within an Office product must be blocked. The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example,
    SV-85747r1_rule DTOO132 CCI-001169 MEDIUM File Downloads must be configured for proper restrictions. Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet
    SV-85749r1_rule DTOO209 CCI-001695 MEDIUM Protection from zone elevation must be enforced. Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicio
    SV-85751r1_rule DTOO211 CCI-002460 MEDIUM ActiveX Installs must be configured for proper restriction. Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not confi
    SV-85753r1_rule DTOO216 CCI-000366 MEDIUM Publishing calendars to Office Online must be prevented. This policy setting controls whether Outlook users can publish their calendars to the Office.com Calendar Sharing Service. If you enable this policy setting, Outlook users cannot publish their calendars to Office.com. If you disable do not configure this
    SV-85755r1_rule DTOO217 CCI-000366 MEDIUM Publishing to a Web Distributed and Authoring (DAV) server must be prevented. This policy setting controls whether Outlook users can publish their calendars to a DAV server. If you enable this policy setting, Outlook users cannot publish their calendars to a DAV server. If you disable or do not configure this policy setting, Outloo
    SV-85757r1_rule DTOO218 CCI-000366 MEDIUM Level of calendar details that a user can publish must be restricted. This policy setting controls the level of calendar details that Outlook users can publish to the Microsoft Outlook Calendar Sharing Service. If you enable this policy setting, you can choose from three levels of detail: * All options are available - This
    SV-85759r1_rule DTOO219 CCI-000366 MEDIUM Access restriction settings for published calendars must be configured. This policy setting determines what restrictions apply to users who publish their calendars on Office.com or third-party World Wide Web Distributed Authoring and Versioning (WebDAV) servers. If you enable or disable this policy setting, calendars that are
    SV-85769r1_rule DTOO232 CCI-001170 MEDIUM Outlook Object Model scripts must be disallowed to run for shared folders. This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared folders. If you enable this policy setting, Outlook cannot execute any scripts associated with shared folders, overriding any config
    SV-85771r1_rule DTOO233 CCI-001170 MEDIUM Outlook Object Model scripts must be disallowed to run for public folders. This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for public folders. If you enable this policy setting, Outlook cannot execute any scripts associated with public folders, overriding a
    SV-85773r1_rule DTOO234 CCI-001170 MEDIUM ActiveX One-Off forms must be configured. By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook Recipient and Body controls) are allowed in one-off forms, or so
    SV-85775r1_rule DTOO236 CCI-001170 MEDIUM The Add-In Trust Level must be configured. All installed trusted COM addins can be trusted. Exchange Settings for the addins still override if present and this option is selected.
    SV-85777r1_rule DTOO237 CCI-002007 MEDIUM The remember password for internet e-mail accounts must be disabled. Use this option to hide your user's ability to cache passwords locally in the computer's registry. When configured, this policy will hide the 'Remember Password' checkbox and not allow users to have Outlook remember their password. Note that POP3, IMAP, a
    SV-85779r1_rule DTOO238 CCI-001170 MEDIUM Users customizing attachment security settings must be prevented. This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting users will be prevented from overriding the set of attachments blocked by Outlook. Outlook also checks the "Level1Remove" regi
    SV-85781r1_rule DTOO239 CCI-000366 MEDIUM Outlook Security Mode must be configured to use Group Policy settings. This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you can choose from four options for enforcing Outlook security settings: * Outlook Default Security - This option is the default confi
    SV-85783r1_rule DTOO240 CCI-001662 MEDIUM The ability to display level 1 attachments must be disallowed. This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can
    SV-85785r1_rule DTOO244 CCI-001662 MEDIUM Level 1 file extensions must be blocked and not removed. This policy setting controls which types of attachments (determined by file extension) Outlook prevents from being delivered. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with spe
    SV-85787r1_rule DTOO245 CCI-001662 MEDIUM Level 2 file extensions must be blocked and not removed. This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can open them. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open
    SV-85789r1_rule DTOO246 CCI-001170 MEDIUM Scripts in One-Off Outlook forms must be disallowed. This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message. If you enable this policy setting, scripts can run in one-off Outlook forms. If you disable or do not configure this pol
    SV-85791r1_rule DTOO247 CCI-002460 MEDIUM Custom Outlook Object Model (OOM) action execution prompts must be configured. This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to me
    SV-85793r1_rule DTOO249 CCI-002460 MEDIUM Object Model Prompt for programmatic email send behavior must be configured. This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts t
    SV-85795r1_rule DTOO250 CCI-002460 MEDIUM Object Model Prompt behavior for programmatic address books must be configured. This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts
    SV-85797r1_rule DTOO251 CCI-002460 MEDIUM Object Model Prompt behavior for programmatic access of user address data must be configured. This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the 'To:' field, using the Outlook object model. If you enable this policy setting, you can choose from four different options when
    SV-85799r1_rule DTOO252 CCI-002460 MEDIUM Object Model Prompt behavior for Meeting and Task Responses must be configured. This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request. If you enable this policy setting, you can choose from four different options w
    SV-85801r1_rule DTOO253 CCI-002460 MEDIUM Object Model Prompt behavior for the SaveAs method must be configured. This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically save an item. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to u
    SV-85803r1_rule DTOO254 CCI-002460 MEDIUM Object Model Prompt behavior for accessing User Property Formula must be configured. This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field. If you enable this policy setting, you can choose from four different option
    SV-85817r1_rule DTOO256 CCI-000366 MEDIUM Trusted add-ins behavior for email must be configured. This policy setting can be used to specify a list of trusted add-ins that can be run without being restricted by the security measures in Outlook. If you enable this policy setting, a list of trusted add-ins and hashes is made available that you can modif
    SV-85819r1_rule DTOO257 CCI-000803 MEDIUM S/Mime interoperability with external clients for message handling must be configured. This policy setting controls whether Outlook decodes encrypted messages itself or passes them to an external program for processing. If you enable this policy setting, you can choose from three options for configuring external S/MIME clients:- Handle inte
    SV-85851r1_rule DTOO260 CCI-000803 MEDIUM Message formats must be set to use SMime. This policy setting controls which message encryption formats Outlook can use. Outlook supports three formats for encrypting and signing messages: S/MIME, Exchange, and Fortezza. If you enable this policy setting, you can specify whether Outlook can use S
    SV-85853r1_rule DTOO262 CCI-000803 MEDIUM Run in FIPS compliant mode must be enforced. This policy setting controls whether Outlook is required to use FIPS-compliant algorithms when signing and encrypting messages. Outlook can run in a mode that complies with Federal Information Processing Standards (FIPS), a set of standards published by
    SV-85855r1_rule DTOO264 CCI-000366 MEDIUM Send all signed messages as clear signed messages must be configured. This policy setting controls whether Outlook sends signed messages as clear text signed messages. If you enable this policy setting, the "Send clear text signed message when sending signed messages" option is selected in the E-mail Security section of the
    SV-85857r1_rule DTOO266 CCI-000366 MEDIUM Automatic sending s/Mime receipt requests must be disallowed. This policy setting controls how Outlook handles S/MIME receipt requests. If you enable this policy setting, you can choose from four options for handling S/MIME receipt requests in Outlook:- Open message if receipt can't be sent- Don't open message if re
    SV-85859r1_rule DTOO267 CCI-000185 MEDIUM Retrieving of CRL data must be set for online action. This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates.Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authoritie
    SV-85861r1_rule DTOO270 CCI-000366 MEDIUM External content and pictures in HTML email must be displayed. This policy setting setting controls whether Outlook downloads untrusted pictures and external content located in HTML e-mail messages without users explicitly choosing to download them. If you enable this policy setting, Outlook will not automatically do
    SV-85863r1_rule DTOO271 CCI-000366 MEDIUM Automatic download content for email in Safe Senders list must be disallowed. This policy setting controls whether Outlook automatically downloads external content in e-mail from senders in the Safe Senders List or Safe Recipients List. If you enable this policy setting, Outlook automatically downloads content for e-mail from peopl
    SV-85865r1_rule DTOO272 CCI-000366 MEDIUM Permit download of content from safe zones must be configured. This policy setting controls whether Outlook automatically downloads content from safe zones when displaying messages. If you enable this policy setting content from safe zones will be downloaded automatically. If you disable this policy Outlook will not
    SV-85867r1_rule DTOO273 CCI-000366 MEDIUM IE Trusted Zones assumed trusted must be blocked. This policy setting controls whether pictures from sites in the Trusted Sites security zone are automatically downloaded in Outlook e-mail messages and other items. If you enable this policy setting, Outlook does not automatically download content from We
    SV-85869r1_rule DTOO274 CCI-000366 MEDIUM Internet with Safe Zones for Picture Download must be disabled. This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook users explicitly choosing to do so. If you enable this policy setting, Outlook will automatica
    SV-85871r1_rule DTOO275 CCI-000366 MEDIUM Intranet with Safe Zones for automatic picture downloads must be configured. This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the local intranet are downloaded without Outlook users explictly choosing to do so. If you enable this policy setting, Outlook will autom
    SV-85873r1_rule DTOO276 CCI-001662 MEDIUM Always warn on untrusted macros must be enforced. This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose from four options for handling macros in Outlook: - Always warn. This option corresponds to the "Warnings for all macros" option in th
    SV-85875r1_rule DTOO277 CCI-000366 MEDIUM Hyperlinks in suspected phishing email messages must be disallowed. This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable this policy setting, Outlook will allow hyperlinks in suspected phishing messages that are not also classified as junk e-mail. If y
    SV-85877r1_rule DTOO279 CCI-001967 MEDIUM RPC encryption between Outlook and Exchange server must be enforced. This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC encryption when communicating with an Exchange server. Note - RPC
    SV-85879r1_rule DTOO280 CCI-001967 MEDIUM Outlook must be configured to force authentication when connecting to an Exchange server. This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note - Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secur
    SV-85883r1_rule DTOO283 CCI-000366 MEDIUM Disabling download full text of articles as HTML must be configured. This policy setting controls whether Outlook automatically makes an offline copy of the RSS items as HTML attachments. If you enable this policy setting, Outlook automatically makes an offline copy of RSS items as HTML attachments. If you disable or do no
    SV-85885r1_rule DTOO284 CCI-001169 MEDIUM Automatic download of Internet Calendar appointment attachments must be disallowed. This policy setting controls whether Outlook downloads files attached to Internet Calendar appointments. If you enable this policy setting, Outlook automatically downloads all Internet Calendar appointment attachments. If you disable or do not configure t
    SV-85887r1_rule DTOO285 CCI-000381 MEDIUM Internet calendar integration in Outlook must be disabled. This policy setting allows you to determine whether or not you want to include Internet Calendar integration in Outlook. The Internet Calendar feature in Outlook enables users to publish calendars online (using the webcal:// protocol) and subscribe to cal
    SV-85889r1_rule DTOO286 CCI-000381 MEDIUM User Entries to Server List must be disallowed. This policy setting controls whether Outlook users can add entries to the list of SharePoint servers when establishing a meeting workspace. If you enable this policy setting, you can choose between two options to determine whether Outlook users can add en
    SV-85891r1_rule DTOO313 CCI-000381 MEDIUM Automatically downloading enclosures on RSS must be disallowed. This policy setting allows you to control whether Outlook automatically downloads enclosures on RSS items. If you enable this policy setting, Outlook will automatically download enclosures on RSS items. If you disable or do not configure this policy setti
    SV-85895r1_rule DTOO315 CCI-000366 MEDIUM Outlook must be configured not to prompt users to choose security settings if default settings fail. Check to prompt the user to choose security settings if default settings fail; uncheck to automatically select.
    SV-85897r1_rule DTOO316 CCI-002450 MEDIUM Outlook minimum encryption key length settings must be set. This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries t
    SV-85899r1_rule DTOO317 CCI-000366 MEDIUM Replies or forwards to signed/encrypted messages must be signed/encrypted. This policy setting controls whether replies and forwards to signed/encrypted mail should also be signed/encrypted. If you enable this policy setting, signing/encryption will be turned on when replying/forwarding a signed or encrypted message, even if the
    SV-85901r1_rule DTOO320 CCI-000366 MEDIUM Check e-mail addresses against addresses of certificates being used must be disallowed. This policy setting controls whether Outlook verifies the user's e-mail address with the address associated with the certificate used for signing. If you enable this policy setting, users can send messages signed with certificates that do not match their