Microsoft Outlook 2016 Security Technical Implementation Guide
Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]
Details
Version / Release: V2R2
Published: 2021-12-21
Updated At: 2022-04-06 01:06:46
Rule | Version | CCI | Severity | Title | Description |
---|---|---|---|---|---|
SV-228419r508021_rule | DTOO104 | CCI-001170 | MEDIUM | Disabling of user name and password syntax from being used in URLs must be enforced. | The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:[email protected] A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate websi |
SV-228420r508021_rule | DTOO111 | CCI-001695 | MEDIUM | IE Bind to Object functionality must be enabled. | Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located |
SV-228421r508021_rule | DTOO117 | CCI-001170 | MEDIUM | Saved from URL mark to assure Internet zone processing must be enforced. | Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet se |
SV-228422r508021_rule | DTOO123 | CCI-001170 | MEDIUM | Navigation to URLs embedded in Office products must be blocked. | To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an |
SV-228423r508021_rule | DTOO124 | CCI-001695 | MEDIUM | Scripted Window Security must be enforced. | Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to: -Crea |
SV-228424r508021_rule | DTOO126 | CCI-001662 | MEDIUM | Add-on Management functionality must be allowed. | Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become |
SV-228425r508021_rule | DTOO129 | CCI-001662 | MEDIUM | Links that invoke instances of Internet Explorer from within an Office product must be blocked. | The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, |
SV-228426r508021_rule | DTOO132 | CCI-001169 | MEDIUM | File Downloads must be configured for proper restrictions. | Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet |
SV-228427r508021_rule | DTOO209 | CCI-001695 | MEDIUM | Protection from zone elevation must be enforced. | Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicio |
SV-228428r508021_rule | DTOO211 | CCI-002460 | MEDIUM | ActiveX Installs must be configured for proper restriction. | Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not confi |
SV-228429r508021_rule | DTOO216 | CCI-000366 | MEDIUM | Publishing calendars to Office Online must be prevented. | This policy setting controls whether Outlook users can publish their calendars to the Office.com Calendar Sharing Service. If you enable this policy setting, Outlook users cannot publish their calendars to Office.com. If you disable or do not configure this |
SV-228430r508021_rule | DTOO217 | CCI-000366 | MEDIUM | Publishing to a Web Distributed Authoring and Versioning (WebDAV) server must be prevented. | This policy setting controls whether Outlook users can publish their calendars to a DAV server. If you enable this policy setting, Outlook users cannot publish their calendars to a DAV server. If you disable or do not configure this policy setting, Outloo |
SV-228431r508021_rule | DTOO218 | CCI-000366 | MEDIUM | Level of calendar details that a user can publish must be restricted. | This policy setting controls the level of calendar details that Outlook users can publish to the Microsoft Outlook Calendar Sharing Service. If you enable this policy setting, you can choose from three levels of detail: * All options are available - This |
SV-228432r508021_rule | DTOO219 | CCI-000366 | MEDIUM | Access restriction settings for published calendars must be configured. | This policy setting determines what restrictions apply to users who publish their calendars on Office.com or third-party World Wide Web Distributed Authoring and Versioning (WebDAV) servers. If you enable or disable this policy setting, calendars that are |
SV-228433r508021_rule | DTOO232 | CCI-001170 | MEDIUM | Outlook Object Model scripts must be disallowed to run for shared folders. | This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared folders. If you enable this policy setting, Outlook cannot execute any scripts associated with shared folders, overriding any config |
SV-228434r508021_rule | DTOO233 | CCI-001170 | MEDIUM | Outlook Object Model scripts must be disallowed to run for public folders. | This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for public folders. If you enable this policy setting, Outlook cannot execute any scripts associated with public folders, overriding a |
SV-228435r508021_rule | DTOO234 | CCI-001170 | MEDIUM | ActiveX One-Off forms must be configured. | By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook Recipient and Body controls) are allowed in one-off forms, or so |
SV-228436r508021_rule | DTOO236 | CCI-001170 | MEDIUM | The Add-In Trust Level must be configured. | All installed trusted COM add-ins can be trusted. Exchange settings for the add-ins still override if present and this option is selected. |
SV-228437r508021_rule | DTOO237 | CCI-002007 | MEDIUM | The Remember Password option for internet e-mail accounts must be disabled. | Use this option to hide your users' ability to cache passwords locally in the computer's registry. When configured, this policy will hide the 'Remember Password' checkbox and not allow users to have Outlook remember their password. Note that POP3, IMAP, a |
SV-228438r508021_rule | DTOO238 | CCI-001170 | MEDIUM | Users customizing attachment security settings must be prevented. | This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting, users will be prevented from overriding the set of attachments blocked by Outlook. Outlook also checks the "Level1Remove" regi |
SV-228439r508021_rule | DTOO239 | CCI-000366 | MEDIUM | Outlook Security Mode must be configured to use Group Policy settings. | This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you can choose from four options for enforcing Outlook security settings: * Outlook Default Security - This option is the default confi |
SV-228440r508021_rule | DTOO240 | CCI-001662 | MEDIUM | The ability to display level 1 attachments must be disallowed. | This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can |
SV-228441r508021_rule | DTOO244 | CCI-001662 | MEDIUM | Level 1 file extensions must be blocked and not removed. | This policy setting controls which types of attachments (determined by file extension) Outlook prevents from being delivered. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with spe |
SV-228442r508021_rule | DTOO245 | CCI-001662 | MEDIUM | Level 2 file extensions must be blocked and not removed. | This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can open them. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open |
SV-228443r508021_rule | DTOO246 | CCI-001170 | MEDIUM | Scripts in One-Off Outlook forms must be disallowed. | This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message. If you enable this policy setting, scripts can run in one-off Outlook forms. If you disable or do not configure this pol |
SV-228444r508021_rule | DTOO247 | CCI-002460 | MEDIUM | Custom Outlook Object Model (OOM) action execution prompts must be configured. | This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to me |
SV-228445r508021_rule | DTOO249 | CCI-002460 | MEDIUM | Object Model Prompt for programmatic email send behavior must be configured. | This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts t |
SV-228446r508021_rule | DTOO250 | CCI-002460 | MEDIUM | Object Model Prompt behavior for programmatic address books must be configured. | This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts |
SV-228447r508021_rule | DTOO251 | CCI-002460 | MEDIUM | Object Model Prompt behavior for programmatic access of user address data must be configured. | This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the 'To:' field, using the Outlook object model. If you enable this policy setting, you can choose from four different options when |
SV-228448r508021_rule | DTOO252 | CCI-002460 | MEDIUM | Object Model Prompt behavior for Meeting and Task Responses must be configured. | This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request. If you enable this policy setting, you can choose from four different options w |
SV-228449r508021_rule | DTOO253 | CCI-002460 | MEDIUM | Object Model Prompt behavior for the SaveAs method must be configured. | This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically save an item. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to u |
SV-228450r508021_rule | DTOO254 | CCI-002460 | MEDIUM | Object Model Prompt behavior for accessing User Property Formula must be configured. | This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field. If you enable this policy setting, you can choose from four different option |
SV-228451r508021_rule | DTOO256 | CCI-000366 | MEDIUM | Trusted add-ins behavior for email must be configured. | This policy setting can be used to specify a list of trusted add-ins that can be run without being restricted by the security measures in Outlook. If you enable this policy setting, a list of trusted add-ins and hashes is made available that you can modif |
SV-228452r508021_rule | DTOO257 | CCI-000803 | MEDIUM | S/MIME interoperability with external clients for message handling must be configured. | This policy setting controls whether Outlook decodes encrypted messages itself or passes them to an external program for processing. If you enable this policy setting, you can choose from three options for configuring external S/MIME clients: - Handle inte |
SV-228453r508021_rule | DTOO260 | CCI-000803 | MEDIUM | Message formats must be set to use S/MIME. | This policy setting controls which message encryption formats Outlook can use. Outlook supports three formats for encrypting and signing messages: S/MIME, Exchange, and Fortezza. If you enable this policy setting, you can specify whether Outlook can use S |
SV-228454r559729_rule | DTOO262 | CCI-000803 | MEDIUM | Run in FIPS compliant mode must be enforced. | This policy setting controls whether Outlook is required to use FIPS-compliant algorithms when signing and encrypting messages. Outlook can run in a mode that complies with Federal Information Processing Standards (FIPS), a set of standards published by |
SV-228455r508021_rule | DTOO264 | CCI-000366 | MEDIUM | Send all signed messages as clear signed messages must be configured. | This policy setting controls whether Outlook sends signed messages as clear text signed messages. If you enable this policy setting, the "Send clear text signed message when sending signed messages" option is selected in the E-mail Security section of the |
SV-228456r508021_rule | DTOO266 | CCI-000366 | MEDIUM | Automatic sending of S/MIME receipt requests must be disallowed. | This policy setting controls how Outlook handles S/MIME receipt requests. If you enable this policy setting, you can choose from four options for handling S/MIME receipt requests in Outlook: - Open message if receipt can't be sent - Don't open message if re |
SV-228457r508021_rule | DTOO267 | CCI-000185 | MEDIUM | Retrieving of CRL data must be set for online action. | This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authoritie |
SV-228458r508021_rule | DTOO270 | CCI-000366 | MEDIUM | External content and pictures in HTML email must be displayed. | This policy setting controls whether Outlook downloads untrusted pictures and external content located in HTML e-mail messages without users explicitly choosing to download them. If you enable this policy setting, Outlook will not automatically do |
SV-228459r508021_rule | DTOO271 | CCI-000366 | MEDIUM | Automatic download content for email in Safe Senders list must be disallowed. | This policy setting controls whether Outlook automatically downloads external content in e-mail from senders in the Safe Senders List or Safe Recipients List. If you enable this policy setting, Outlook automatically downloads content for e-mail from peopl |
SV-228460r508021_rule | DTOO272 | CCI-000366 | MEDIUM | Permit download of content from safe zones must be configured. | This policy setting controls whether Outlook automatically downloads content from safe zones when displaying messages. If you enable this policy setting, content from safe zones will be downloaded automatically. If you disable this policy, Outlook will not |
SV-228461r508021_rule | DTOO273 | CCI-000366 | MEDIUM | IE Trusted Zones assumed trusted must be blocked. | This policy setting controls whether pictures from sites in the Trusted Sites security zone are automatically downloaded in Outlook e-mail messages and other items. If you enable this policy setting, Outlook does not automatically download content from We |
SV-228462r508021_rule | DTOO274 | CCI-000366 | MEDIUM | Internet with Safe Zones for Picture Download must be disabled. | This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook users explicitly choosing to do so. If you enable this policy setting, Outlook will automatica |
SV-228463r508021_rule | DTOO275 | CCI-000366 | MEDIUM | Intranet with Safe Zones for automatic picture downloads must be configured. | This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the local intranet are downloaded without Outlook users explicitly choosing to do so. If you enable this policy setting, Outlook will autom |
SV-228464r508021_rule | DTOO276 | CCI-001662 | MEDIUM | Always warn on untrusted macros must be enforced. | This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose from four options for handling macros in Outlook: - Always warn. This option corresponds to the "Warnings for all macros" option in th |
SV-228465r508021_rule | DTOO277 | CCI-000366 | MEDIUM | Hyperlinks in suspected phishing email messages must be disallowed. | This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable this policy setting, Outlook will allow hyperlinks in suspected phishing messages that are not also classified as junk e-mail. If y |
SV-228466r508021_rule | DTOO279 | CCI-001967 | MEDIUM | RPC encryption between Outlook and Exchange server must be enforced. | This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC encryption when communicating with an Exchange server. Note - RPC |
SV-228467r508021_rule | DTOO280 | CCI-001967 | MEDIUM | Outlook must be configured to force authentication when connecting to an Exchange server. | This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note - Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secur |
SV-228468r508021_rule | DTOO283 | CCI-000366 | MEDIUM | Downloading the full text of RSS articles as HTML attachments must be disabled. | This policy setting controls whether Outlook automatically makes an offline copy of the RSS items as HTML attachments. If you enable this policy setting, Outlook automatically makes an offline copy of RSS items as HTML attachments. If you disable or do no |
SV-228469r508021_rule | DTOO284 | CCI-001169 | MEDIUM | Automatic download of Internet Calendar appointment attachments must be disallowed. | This policy setting controls whether Outlook downloads files attached to Internet Calendar appointments. If you enable this policy setting, Outlook automatically downloads all Internet Calendar appointment attachments. If you disable or do not configure t |
SV-228470r508021_rule | DTOO285 | CCI-000381 | MEDIUM | Internet calendar integration in Outlook must be disabled. | This policy setting allows you to determine whether or not you want to include Internet Calendar integration in Outlook. The Internet Calendar feature in Outlook enables users to publish calendars online (using the webcal:// protocol) and subscribe to cal |
SV-228471r508021_rule | DTOO286 | CCI-000381 | MEDIUM | User Entries to Server List must be disallowed. | This policy setting controls whether Outlook users can add entries to the list of SharePoint servers when establishing a meeting workspace. If you enable this policy setting, you can choose between two options to determine whether Outlook users can add en |
SV-228472r508021_rule | DTOO313 | CCI-000381 | MEDIUM | Automatically downloading enclosures on RSS items must be disallowed. | This policy setting allows you to control whether Outlook automatically downloads enclosures on RSS items. If you enable this policy setting, Outlook will automatically download enclosures on RSS items. If you disable or do not configure this policy setti |
SV-228473r508021_rule | DTOO315 | CCI-000366 | MEDIUM | Outlook must be configured not to prompt users to choose security settings if default settings fail. | Check to prompt the user to choose security settings if default settings fail; uncheck to automatically select. |
SV-228474r508021_rule | DTOO316 | CCI-002450 | MEDIUM | Outlook minimum encryption key length settings must be set. | This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries t |
SV-228475r508021_rule | DTOO317 | CCI-000366 | MEDIUM | Replies or forwards to signed/encrypted messages must be signed/encrypted. | This policy setting controls whether replies and forwards to signed/encrypted mail should also be signed/encrypted. If you enable this policy setting, signing/encryption will be turned on when replying/forwarding a signed or encrypted message, even if the |
SV-228476r508021_rule | DTOO320 | CCI-000366 | MEDIUM | Check e-mail addresses against addresses of certificates being used must be disallowed. | This policy setting controls whether Outlook verifies the user's e-mail address with the address associated with the certificate used for signing. If you enable this policy setting, users can send messages signed with certificates that do not match their |
SV-251863r811196_rule | DTOO214 | CCI-000366 | MEDIUM | Read email as plain text must be enforced. | Outlook can display email messages and other items in three formats: plain text, Rich Text Format (RTF), and HTML. By default, Outlook displays email messages in whatever format they were received. |
SV-251865r811186_rule | DTOO215 | CCI-000366 | MEDIUM | Read signed email as plain text must be enforced. | Outlook can display email messages and other items in three formats: plain text, Rich Text Format (RTF), and HTML. By default, Outlook displays digitally signed email messages in the format in which they were received. |
SV-251866r811197_rule | DTOO314 | CCI-000366 | MEDIUM | The default message format must be set to use Plain Text. | Outlook uses HTML as the default email format. HTML format poses a security risk by embedding information into the email itself, which could allow for release of sensitive information. If a user attempted to insert an HTML link into an email message, the |
SV-251867r812967_rule | DTOO344 | CCI-000366 | MEDIUM | Outlook Rich Text options must be set for converting to plain text format. | Outlook automatically converts Rich Text Format (RTF) messages that are sent over the internet to HTML format, so that the message formatting is maintained and attachments are received. This setting controls how Outlook sends RTF messages to internet reci |
SV-251872r812968_rule | DTOO425 | CCI-000366 | MEDIUM | Text in Outlook that represents internet and network paths must not be automatically turned into hyperlinks. | The ability of Outlook to automatically turn text that represents internet and network paths into hyperlinks would allow users to click on those hyperlinks in an email message and access malicious or otherwise harmful websites. |
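DTOO104 above describes the deception that the user-name-and-password URL syntax enables: in `http://www.example.com@203.0.113.9/login` everything before the `@` is RFC 3986 userinfo, so the visible start of the link names a trusted site while the browser actually connects to the host after the `@`. The following is an added example, not part of the STIG or of any DISA tooling, that scans an HTML message body for anchors using that syntax and reports what the link appears to say versus where it really goes. The HTML body and all URLs in it are constructed samples.

```python
"""Flag hyperlinks that carry RFC 3986 userinfo (http://user:pass@host/...).

Added illustration for DTOO104; not DISA's code. The sample HTML below is
constructed, and the hostnames/addresses in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _HrefCollector(HTMLParser):
    """Collect the href attribute of every <a> tag in a message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def userinfo_host(url):
    """Return (userinfo, real_host) for an http(s) URL that carries userinfo,
    or None when the URL has no '@' in its authority component.

    urlsplit() already applies the RFC 3986 rule: the host is whatever follows
    the last '@' in the netloc, so .hostname is where the browser will connect.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return None
    userinfo, _, _hostport = parts.netloc.rpartition("@")
    return userinfo, (parts.hostname or "")


def find_userinfo_links(html):
    """Return one (href, shown_as, goes_to, lookalike) tuple per anchor whose
    href carries userinfo. 'lookalike' is True when the user-name part itself
    contains a dot, i.e. it reads like a domain name (the DTOO104 trick);
    False covers the plainer risk of credentials embedded in a link.
    """
    collector = _HrefCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        info = userinfo_host(href)
        if info is None:
            continue
        userinfo, host = info
        lookalike = "." in userinfo.split(":", 1)[0]
        findings.append((href, userinfo, host, lookalike))
    return findings


# Constructed sample message body (not real mail).
SAMPLE_HTML = """
<p>Please verify your account:
   <a href="http://www.example.com@203.0.113.9/login">www.example.com</a></p>
<p>Help: <a href="https://www.example.com/help">support</a></p>
<p>Share: <a href="http://user:secret@intranet.example.net/">files</a></p>
"""

if __name__ == "__main__":
    for href, shown, goes_to, lookalike in find_userinfo_links(SAMPLE_HTML):
        kind = "HOST LOOKALIKE" if lookalike else "embedded credentials"
        print(f"{kind}: link shows '{shown}' but connects to '{goes_to}' ({href})")
```

Outlook with DTOO104 enforced refuses to navigate such links at all; this scanner is the equivalent check for mail already at rest (an export, a quarantine, a phishing-report mailbox), where the first tuple element is what to put in the incident note.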
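Every Outlook row in the table is enforced through a Group Policy value under the user's `Software\Policies\Microsoft\Office\16.0\Outlook` hive, so the practical audit is a registry comparison. Below is an added example, not part of the STIG or of any DISA checker, that parses a `.reg` file produced on the endpoint with `reg export "HKCU\Software\Policies\Microsoft\Office\16.0\Outlook" outlook-policy.reg` and scores a handful of rules as Open or NotAFinding. The subkey and value-name mappings in `EXPECTED` are my assumptions from the Office 2016 ADMX templates, deliberately kept to a short list; confirm each against the corresponding rule's Check Text before treating the result as a STIG finding. The embedded export is constructed sample data.

```python
"""Offline check of Outlook 2016 policy registry values exported with reg.exe.

Added example, not DISA's code. Value names and required settings in EXPECTED
are assumptions to be verified against each rule's Check Text.
"""
import re

POLICY_ROOT = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook"

# (STIG Version, subkey under POLICY_ROOT, value name, required REG_DWORD).
# ASSUMED mappings; verify against the STIG before use.
EXPECTED = [
    ("DTOO214", r"Options\Mail", "ReadAsPlain", 1),
    ("DTOO239", r"Security", "AdminSecurityMode", 3),
    ("DTOO249", r"Security", "PromptOOMSend", 0),
    ("DTOO262", r"Security", "FIPSMode", 1),
    ("DTOO270", r"Options\Mail", "BlockExtContent", 1),
    ("DTOO277", r"Options\Mail", "JunkMailEnableLinks", 0),
    ("DTOO279", r"RPC", "EnableRPCEncryption", 1),
    ("DTOO316", r"Security", "MinEncKey", 168),
]

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
_STRING = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def load_export(path):
    """reg.exe writes UTF-16LE with a BOM; the 'utf-16' codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_reg(text):
    """Parse .reg text into {key.lower(): {name.lower(): value}}.

    dword values become int and plain strings become str. Other types (hex:,
    hex(2):, ...) keep their raw right-hand side so they are visible but never
    silently compared as if they were DWORDs. Keys and names are lower-cased
    because the registry is case-insensitive.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("key").lower()
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD.match(line)
        if m:
            tree[current][m.group("name").lower()] = int(m.group("hex"), 16)
            continue
        m = _STRING.match(line)
        if m:
            tree[current][m.group("name").lower()] = m.group("val")
            continue
        if "=" in line:  # default value (@=) or a binary/expand-string type
            name, _, rest = line.partition("=")
            tree[current][name.strip('"').lower()] = rest
    return tree


def check_export(text, expected=EXPECTED):
    """Score each expected value; an absent value is Open (policy not applied)."""
    tree = parse_reg(text)
    results = []
    for rule, subkey, name, want in expected:
        key = (POLICY_ROOT + "\\" + subkey).lower()
        have = tree.get(key, {}).get(name.lower())
        if have is None:
            status, note = "Open", "value not present (policy not applied)"
        elif have == want:
            status, note = "NotAFinding", ""
        else:
            status, note = "Open", f"expected {want}, found {have!r}"
        results.append({"rule": rule, "value": subkey + "\\" + name,
                        "status": status, "note": note})
    return results


def summarize(results):
    """Count results per status, the way the STIG viewer's summary does."""
    return {s: sum(1 for r in results if r["status"] == s) for s in ("Open", "NotAFinding")}


# Constructed sample export: BlockExtContent is wrong and the RPC key is missing.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Security]
"PromptOOMSend"=dword:00000000
"FIPSMode"=dword:00000001
"AdminSecurityMode"=dword:00000003
"MinEncKey"=dword:000000a8

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Options\Mail]
"ReadAsPlain"=dword:00000001
"BlockExtContent"=dword:00000000
"JunkMailEnableLinks"=dword:00000000
"""

if __name__ == "__main__":
    res = check_export(SAMPLE_EXPORT)
    for r in res:
        print(f"{r['rule']:8} {r['status']:12} {r['value']} {r['note']}")
    print(summarize(res))
```

Reading the HKCU policy hive rather than the user's own `Software\Microsoft\Office\16.0\Outlook` preferences is deliberate: the STIG asks whether the setting is enforced by policy, and a matching value in the preferences hive alone is still a finding because the user can change it.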