Cyber · Trackr The Free Compliance Library
⌘K
DoD Compliance · STIG

Microsoft Outlook 2016 Security Technical Implementation Guide

V2R1 · · · Released 23 Oct 2020 · 58 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R2 · 28 Jul 2017 +58 −58

Comparison against the immediately-prior release (V1R2). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 58

  • V-228419 Medium Disabling of user name and password syntax from being used in URLs must be enforced.
  • V-228420 Medium Enabling IE Bind to Object functionality must be present.
  • V-228421 Medium Saved from URL mark to assure Internet zone processing must be enforced.
  • V-228422 Medium Navigation to URLs embedded in Office products must be blocked.
  • V-228423 Medium Scripted Window Security must be enforced.
  • V-228424 Medium Add-on Management functionality must be allowed.
  • V-228425 Medium Links that invoke instances of Internet Explorer from within an Office product must be blocked.
  • V-228426 Medium File Downloads must be configured for proper restrictions.
  • V-228427 Medium Protection from zone elevation must be enforced.
  • V-228428 Medium ActiveX Installs must be configured for proper restriction.
  • V-228429 Medium Publishing calendars to Office Online must be prevented.
  • V-228430 Medium Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
  • V-228431 Medium Level of calendar details that a user can publish must be restricted.
  • V-228432 Medium Access restriction settings for published calendars must be configured.
  • V-228433 Medium Outlook Object Model scripts must be disallowed to run for shared folders.
  • V-228434 Medium Outlook Object Model scripts must be disallowed to run for public folders.
  • V-228435 Medium ActiveX One-Off forms must be configured.
  • V-228436 Medium The Add-In Trust Level must be configured.
  • V-228437 Medium The remember password for internet e-mail accounts must be disabled.
  • V-228438 Medium Users customizing attachment security settings must be prevented.
  • V-228439 Medium Outlook Security Mode must be configured to use Group Policy settings.
  • V-228440 Medium The ability to display level 1 attachments must be disallowed.
  • V-228441 Medium Level 1 file extensions must be blocked and not removed.
  • V-228442 Medium Level 2 file extensions must be blocked and not removed.
  • V-228443 Medium Scripts in One-Off Outlook forms must be disallowed.
  • V-228444 Medium Custom Outlook Object Model (OOM) action execution prompts must be configured.
  • V-228445 Medium Object Model Prompt for programmatic email send behavior must be configured.
  • V-228446 Medium Object Model Prompt behavior for programmatic address books must be configured.
  • V-228447 Medium Object Model Prompt behavior for programmatic access of user address data must be configured.
  • V-228448 Medium Object Model Prompt behavior for Meeting and Task Responses must be configured.
  • V-228449 Medium Object Model Prompt behavior for the SaveAs method must be configured.
  • V-228450 Medium Object Model Prompt behavior for accessing User Property Formula must be configured.
  • V-228451 Medium Trusted add-ins behavior for email must be configured.
  • V-228452 Medium S/Mime interoperability with external clients for message handling must be configured.
  • V-228453 Medium Message formats must be set to use SMime.
  • V-228454 Medium Run in FIPS compliant mode must be enforced.
  • V-228455 Medium Send all signed messages as clear signed messages must be configured.
  • V-228456 Medium Automatic sending s/Mime receipt requests must be disallowed.
  • V-228457 Medium Retrieving of CRL data must be set for online action.
  • V-228458 Medium External content and pictures in HTML email must be displayed.
  • V-228459 Medium Automatic download content for email in Safe Senders list must be disallowed.
  • V-228460 Medium Permit download of content from safe zones must be configured.
  • V-228461 Medium IE Trusted Zones assumed trusted must be blocked.
  • V-228462 Medium Internet with Safe Zones for Picture Download must be disabled.
  • V-228463 Medium Intranet with Safe Zones for automatic picture downloads must be configured.
  • V-228464 Medium Always warn on untrusted macros must be enforced.
  • V-228465 Medium Hyperlinks in suspected phishing email messages must be disallowed.
  • V-228466 Medium RPC encryption between Outlook and Exchange server must be enforced.
  • V-228467 Medium Outlook must be configured to force authentication when connecting to an Exchange server.
  • V-228468 Medium Disabling download full text of articles as HTML must be configured.
  • V-228469 Medium Automatic download of Internet Calendar appointment attachments must be disallowed.
  • V-228470 Medium Internet calendar integration in Outlook must be disabled.
  • V-228471 Medium User Entries to Server List must be disallowed.
  • V-228472 Medium Automatically downloading enclosures on RSS must be disallowed.
  • V-228473 Medium Outlook must be configured not to prompt users to choose security settings if default settings fail.
  • V-228474 Medium Outlook minimum encryption key length settings must be set.
  • V-228475 Medium Replies or forwards to signed/encrypted messages must be signed/encrypted.
  • V-228476 Medium Check e-mail addresses against addresses of certificates being used must be disallowed.

Removed rules 58

  • V-71109 Medium Disabling of user name and password syntax from being used in URLs must be enforced.
  • V-71111 Medium Enabling IE Bind to Object functionality must be present.
  • V-71113 Medium Saved from URL mark to assure Internet zone processing must be enforced.
  • V-71115 Medium Navigation to URLs embedded in Office products must be blocked.
  • V-71117 Medium Scripted Window Security must be enforced.
  • V-71119 Medium Add-on Management functionality must be allowed.
  • V-71121 Medium Links that invoke instances of Internet Explorer from within an Office product must be blocked.
  • V-71123 Medium File Downloads must be configured for proper restrictions.
  • V-71125 Medium Protection from zone elevation must be enforced.
  • V-71127 Medium ActiveX Installs must be configured for proper restriction.
  • V-71129 Medium Publishing calendars to Office Online must be prevented.
  • V-71131 Medium Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
  • V-71133 Medium Level of calendar details that a user can publish must be restricted.
  • V-71135 Medium Access restriction settings for published calendars must be configured.
  • V-71145 Medium Outlook Object Model scripts must be disallowed to run for shared folders.
  • V-71147 Medium Outlook Object Model scripts must be disallowed to run for public folders.
  • V-71149 Medium ActiveX One-Off forms must be configured.
  • V-71151 Medium The Add-In Trust Level must be configured.
  • V-71153 Medium The remember password for internet e-mail accounts must be disabled.
  • V-71155 Medium Users customizing attachment security settings must be prevented.
  • V-71157 Medium Outlook Security Mode must be configured to use Group Policy settings.
  • V-71159 Medium The ability to display level 1 attachments must be disallowed.
  • V-71161 Medium Level 1 file extensions must be blocked and not removed.
  • V-71163 Medium Level 2 file extensions must be blocked and not removed.
  • V-71165 Medium Scripts in One-Off Outlook forms must be disallowed.
  • V-71167 Medium Custom Outlook Object Model (OOM) action execution prompts must be configured.
  • V-71169 Medium Object Model Prompt for programmatic email send behavior must be configured.
  • V-71171 Medium Object Model Prompt behavior for programmatic address books must be configured.
  • V-71173 Medium Object Model Prompt behavior for programmatic access of user address data must be configured.
  • V-71175 Medium Object Model Prompt behavior for Meeting and Task Responses must be configured.
  • V-71177 Medium Object Model Prompt behavior for the SaveAs method must be configured.
  • V-71179 Medium Object Model Prompt behavior for accessing User Property Formula must be configured.
  • V-71193 Medium Trusted add-ins behavior for email must be configured.
  • V-71195 Medium S/Mime interoperability with external clients for message handling must be configured.
  • V-71227 Medium Message formats must be set to use SMime.
  • V-71229 Medium Run in FIPS compliant mode must be enforced.
  • V-71231 Medium Send all signed messages as clear signed messages must be configured.
  • V-71233 Medium Automatic sending s/Mime receipt requests must be disallowed.
  • V-71235 Medium Retrieving of CRL data must be set for online action.
  • V-71237 Medium External content and pictures in HTML email must be displayed.
  • V-71239 Medium Automatic download content for email in Safe Senders list must be disallowed.
  • V-71241 Medium Permit download of content from safe zones must be configured.
  • V-71243 Medium IE Trusted Zones assumed trusted must be blocked.
  • V-71245 Medium Internet with Safe Zones for Picture Download must be disabled.
  • V-71247 Medium Intranet with Safe Zones for automatic picture downloads must be configured.
  • V-71249 Medium Always warn on untrusted macros must be enforced.
  • V-71251 Medium Hyperlinks in suspected phishing email messages must be disallowed.
  • V-71253 Medium RPC encryption between Outlook and Exchange server must be enforced.
  • V-71255 Medium Outlook must be configured to force authentication when connecting to an Exchange server.
  • V-71259 Medium Disabling download full text of articles as HTML must be configured.
  • V-71261 Medium Automatic download of Internet Calendar appointment attachments must be disallowed.
  • V-71263 Medium Internet calendar integration in Outlook must be disabled.
  • V-71265 Medium User Entries to Server List must be disallowed.
  • V-71267 Medium Automatically downloading enclosures on RSS must be disallowed.
  • V-71271 Medium Outlook must be configured not to prompt users to choose security settings if default settings fail.
  • V-71273 Medium Outlook minimum encryption key length settings must be set.
  • V-71275 Medium Replies or forwards to signed/encrypted messages must be signed/encrypted.
  • V-71277 Medium Check e-mail addresses against addresses of certificates being used must be disallowed.
Sort by
b
Disabling of user name and password syntax from being used in URLs must be enforced.
SC-18 - Medium - CCI-001170 - V-228419 - SV-228419r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO104
Vuln IDs
  • V-228419
  • V-71109
Rule IDs
  • SV-228419r508021_rule
  • SV-85733
The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com appears to open http://www.wingtiptoys.com but actually opens http://example.com. To protect users from such attacks, Internet Explorer usually blocks any URLs using this syntax. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a website). If user names and passwords in URLs are allowed, users could be diverted to dangerous Web pages, which could pose a security risk.
Checks: C-30652r497579_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Disable user name and password" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30637r497580_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Disable user name and password" to "Enabled" and place a check in the 'outlook.exe' check box.

b
Enabling IE Bind to Object functionality must be present.
SC-18 - Medium - CCI-001695 - V-228420 - SV-228420r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001695
Version
DTOO111
Vuln IDs
  • V-228420
  • V-71111
Rule IDs
  • SV-228420r508021_rule
  • SV-85735
Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to be initialized. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). A security risk could occur if potentially dangerous controls are allowed to load.
Checks: C-30653r497582_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Bind to Object" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30638r497583_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Bind to Object" to "Enabled" and place a check in the 'outlook.exe' check box.

b
Saved from URL mark to assure Internet zone processing must be enforced.
SC-18 - Medium - CCI-001170 - V-228421 - SV-228421r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO117
Vuln IDs
  • V-228421
  • V-71113
Rule IDs
  • SV-228421r508021_rule
  • SV-85737
Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive Local Intranet security zone. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer does not evaluate the page for a MOTW, potentially dangerous code could be allowed to run.
Checks: C-30654r497585_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Saved from URL" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30639r497586_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Saved from URL" to "Enabled" and place a check in the 'outlook.exe' check box.

b
Navigation to URLs embedded in Office products must be blocked.
SC-18 - Medium - CCI-001170 - V-228422 - SV-228422r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO123
Vuln IDs
  • V-228422
  • V-71115
Rule IDs
  • SV-228422r508021_rule
  • SV-85739
To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If Internet Explorer attempts to load a malformed URL, a security risk could occur.
Checks: C-30655r497588_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Navigate URL" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30640r497589_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Navigate URL" to "Enabled" and place a check in the 'outlook.exe' check box.

b
Scripted Window Security must be enforced.
SC-18 - Medium - CCI-001695 - V-228423 - SV-228423r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001695
Version
DTOO124
Vuln IDs
  • V-228423
  • V-71117
Rule IDs
  • SV-228423r508021_rule
  • SV-85741
Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to: -Create browser windows appearing to be from the local operating system. -Draw active windows displaying outside of the viewable areas of the screen capturing keyboard input. -Overlay parent windows with their own browser windows to hide important system information, choices or prompts.
Checks: C-30656r497591_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30641r497592_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Scripted Window Security Restrictions" to "Enabled" and place a check in the 'outlook.exe' check box.

b
Add-on Management functionality must be allowed.
SC-18 - Medium - CCI-001662 - V-228424 - SV-228424r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
DTOO126
Vuln IDs
  • V-228424
  • V-71119
Rule IDs
  • SV-228424r508021_rule
  • SV-85743
Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user can monitor and then use keystrokes users type into Internet Explorer. Even legitimate add-ons may demand resources, compromising the performance of Internet Explorer, and the operating systems for user computers.
Checks: C-30657r497594_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Add-on Management" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30642r497595_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Add-on Management" to "Enabled" and place a check in the 'outlook.exe' check box.

b
Links that invoke instances of Internet Explorer from within an Office product must be blocked.
SC-18 - Medium - CCI-001662 - V-228425 - SV-228425r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
DTOO129
Vuln IDs
  • V-228425
  • V-71121
Rule IDs
  • SV-228425r508021_rule
  • SV-85745
The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a web page). If the Pop-up Blocker is disabled, disruptive and potentially dangerous pop-up windows could load and present a security risk.
Checks: C-30658r497597_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Block popups" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30643r497598_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Block popups" to "Enabled" and place a check in the 'outlook.exe' check box.

b
File Downloads must be configured for proper restrictions.
SC-18 - Medium - CCI-001169 - V-228426 - SV-228426r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001169
Version
DTOO132
Vuln IDs
  • V-228426
  • V-71123
Rule IDs
  • SV-228426r508021_rule
  • SV-85747
Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this functionality. Malicious websites may continually prompt users to download a file or present confusing dialog boxes to trick users into downloading or running a file. If the download occurs and it contains malicious code, the code could become active on user computers or the network.
Checks: C-30659r497600_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Restrict File Download" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD Criteria: If the value of outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30644r497601_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Restrict File Download" to "Enabled" and place a check in the 'outlook.exe' check box.

b
Protection from zone elevation must be enforced.
SC-18 - Medium - CCI-001695 - V-228427 - SV-228427r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001695
Version
DTOO209
Vuln IDs
  • V-228427
  • V-71125
Rule IDs
  • SV-228427r508021_rule
  • SV-85749
Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring this setting could allow pages in the Internet zone to navigate to pages in the Local Machine zone to then run code to elevate privileges. This could allow malicious code or users to become active on user computers or the network.
Checks: C-30660r497603_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30645r497604_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Protection From Zone Elevation" to "Enabled" and place a check in the 'outlook.exe' check box.

b
ActiveX Installs must be configured for proper restriction.
SC-18 - Medium - CCI-002460 - V-228428 - SV-228428r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO211
Vuln IDs
  • V-228428
  • V-71127
Rule IDs
  • SV-228428r508021_rule
  • SV-85751
Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations, and these prompts display to users. This could allow malicious code to become active on user computers or the network.
Checks: C-30661r497606_chk

Verify the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" is set to "Enabled" and 'outlook.exe' is checked. Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.

Fix: F-30646r497607_fix

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft Office 2016 (Machine) -> Security Settings -> IE Security "Restrict ActiveX Install" to "Enabled" and place a check in the 'outlook.exe' check box.

b
Publishing calendars to Office Online must be prevented.
CM-6 - Medium - CCI-000366 - V-228429 - SV-228429r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO216
Vuln IDs
  • V-228429
  • V-71129
Rule IDs
  • SV-228429r508021_rule
  • SV-85753
This policy setting controls whether Outlook users can publish their calendars to the Office.com Calendar Sharing Service. If you enable this policy setting, Outlook users cannot publish their calendars to Office.com. If you disable do not configure this policy setting, Outlook users can share their calendars with selected others by publishing them to the Microsoft Outlook Calendar Sharing Service. Users can control who can view their calendar and at what level of detail.
Checks: C-30662r497609_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Prevent publishing to Office.com" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal Criteria: If the value DisableOfficeOnline is REG_DWORD = 1, this is not a finding.

Fix: F-30647r497610_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Prevent publishing to Office.com" to "Enabled".

b
Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
CM-6 - Medium - CCI-000366 - V-228430 - SV-228430r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO217
Vuln IDs
  • V-228430
  • V-71131
Rule IDs
  • SV-228430r508021_rule
  • SV-85755
This policy setting controls whether Outlook users can publish their calendars to a DAV server. If you enable this policy setting, Outlook users cannot publish their calendars to a DAV server. If you disable or do not configure this policy setting, Outlook users can share their calendars with others by publishing them to a server that supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.
Checks: C-30663r497612_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Prevent publishing to a DAV server" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal Criteria: If the value DisableDav is REG_DWORD = 1, this is not a finding.

Fix: F-30648r497613_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Prevent publishing to a DAV server" to "Enabled".

b
Level of calendar details that a user can publish must be restricted.
CM-6 - Medium - CCI-000366 - V-228431 - SV-228431r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO218
Vuln IDs
  • V-228431
  • V-71133
Rule IDs
  • SV-228431r508021_rule
  • SV-85757
This policy setting controls the level of calendar details that Outlook users can publish to the Microsoft Outlook Calendar Sharing Service. If you enable this policy setting, you can choose from three levels of detail: * All options are available - This level of detail is the default configuration. * Disables 'Full details' * Disables 'Full details' and 'Limited details'. If you disable or do not configure this policy setting, Outlook users can share their calendars with selected others by publishing them to the Microsoft Outlook Calendar Sharing Service. Users can choose from three levels of detail: * Availability only - Authorized visitors will see the user's time marked as Free, Busy, Tentative, or Out of Office, but will not be able to see the subjects or details of calendar items. * Limited details - Authorized visitors can see the user's availability and the subjects of calendar items only. They will not be able to view the details of calendar items. Optionally, users can allow visitors to see the existence of private items. * Full details - Authorized visitors can see the full details of calendar items. Optionally, users can allow visitors to see the existence of private items.
Checks: C-30664r497615_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Restrict level of calendar details users can publish" is set to "Enabled (Disables 'Full details' and 'Limited details')". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal Criteria: If the value PublishCalendarDetailsPolicy is REG_DWORD = 4000 (hex) or 16384 (Decimal), this is not a finding.

Fix: F-30649r497828_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Restrict level of calendar details users can publish" to "Enabled (Disables 'Full details' and 'Limited details')".

b
Access restriction settings for published calendars must be configured.
CM-6 - Medium - CCI-000366 - V-228432 - SV-228432r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO219
Vuln IDs
  • V-228432
  • V-71135
Rule IDs
  • SV-228432r508021_rule
  • SV-85759
This policy setting determines what restrictions apply to users who publish their calendars on Office.com or third-party World Wide Web Distributed Authoring and Versioning (WebDAV) servers. If you enable or disable this policy setting, calendars that are published on Office.com must have restricted access (users other than the calendar owner/publisher who wish to view the calendar can only do so if they receive invitations from the calendar owner), and users cannot publish their calendars to third-party DAV servers. If you do not configure this policy setting, users can share their calendars with others by publishing them to the Office.com Calendar Sharing Services and to a server that supports the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol. Office.com allows users to choose whether to restrict access to their calendars to people they invite, or allow unrestricted access to anyone who knows the URL to reach the calendar. DAV access restrictions can only be achieved through server and folder permissions, and might require the assistance of a server administrator to set up and maintain.
Checks: C-30665r497618_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Access to published calendars" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\pubcal Criteria: If the value RestrictedAccessOnly is REG_DWORD = 1, this is not a finding.

Fix: F-30650r497619_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Preferences -> Calendar Options -> Office.com Sharing Service "Access to published calendars" to "Enabled".

b
Outlook Object Model scripts must be disallowed to run for shared folders.
SC-18 - Medium - CCI-001170 - V-228433 - SV-228433r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO232
Vuln IDs
  • V-228433
  • V-71145
Rule IDs
  • SV-228433r508021_rule
  • SV-85769
This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared folders. If you enable this policy setting, Outlook cannot execute any scripts associated with shared folders, overriding any configuration changes on users' computers. If you disable this policy setting, Outlook will automatically run any scripts associated with custom forms or folder home pages for shared folders. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled.
Checks: C-30666r497621_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Other -> Advanced "Do not allow Outlook object model scripts to run for shared folders" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value SharedFolderScript is REG_DWORD = 0, this is not a finding.

Fix: F-30651r497622_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Other -> Advanced "Do not allow Outlook object model scripts to run for shared folders" to "Enabled".

b
Outlook Object Model scripts must be disallowed to run for public folders.
SC-18 - Medium - CCI-001170 - V-228434 - SV-228434r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO233
Vuln IDs
  • V-228434
  • V-71147
Rule IDs
  • SV-228434r508021_rule
  • SV-85771
This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for public folders. If you enable this policy setting, Outlook cannot execute any scripts associated with public folders, overriding any configuration changes on users' computers. If you disable this policy setting, Outlook will automatically run any scripts associated with custom forms or folder home pages for public folders, overriding any configuration changes on users' computers. If you do not configure this policy setting, Outlook will not run any scripts associated with public folders by default. Users can configure the setting in the Trust Center by selecting the ôAllow script in public foldersö check box.
Checks: C-30667r497624_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Other -> Advanced "Do not allow Outlook object model scripts to run for public folders" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value PublicFolderScript is REG_DWORD = 0, this is not a finding.

Fix: F-30652r497625_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Outlook Options -> Other -> Advanced "Do not allow Outlook object model scripts to run for public folders" to "Enabled".

b
ActiveX One-Off forms must be configured.
SC-18 - Medium - CCI-001170 - V-228435 - SV-228435r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO234
Vuln IDs
  • V-228435
  • V-71149
Rule IDs
  • SV-228435r508021_rule
  • SV-85773
By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook Recipient and Body controls) are allowed in one-off forms, or so that all ActiveX controls are allowed to run.
Checks: C-30668r497627_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Allow Active X One Off Forms" is set to "Enabled: Load only Outlook Controls". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value AllowActiveXOneOffForms is REG_DWORD = 0, this is not a finding.

Fix: F-30653r497628_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Allow Active X One Off Forms" to "Enabled: Load only Outlook Controls".

b
The Add-In Trust Level must be configured.
SC-18 - Medium - CCI-001170 - V-228436 - SV-228436r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO236
Vuln IDs
  • V-228436
  • V-71151
Rule IDs
  • SV-228436r508021_rule
  • SV-85775
All installed trusted COM addins can be trusted. Exchange Settings for the addins still override if present and this option is selected.
Checks: C-30669r497630_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Configure Add-In Trust Level" is set to "Enabled (Trust all loaded and installed COM addins)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value AddinTrust is REG_DWORD = 1, this is not a finding.

Fix: F-30654r497631_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Configure Add-In Trust Level" to "Enabled (Trust all loaded and installed COM addins)".

b
The remember password for internet e-mail accounts must be disabled.
IA-5 - Medium - CCI-002007 - V-228437 - SV-228437r508021_rule
RMF Control
IA-5
Severity
M
CCI
CCI-002007
Version
DTOO237
Vuln IDs
  • V-228437
  • V-71153
Rule IDs
  • SV-228437r508021_rule
  • SV-85777
Use this option to hide your user's ability to cache passwords locally in the computer's registry. When configured, this policy will hide the 'Remember Password' checkbox and not allow users to have Outlook remember their password. Note that POP3, IMAP, and HTTP e-mail accounts are all considered Internet e-mail accounts in Outlook. E-mail account options are listed on the Server Type dialog box when users choose 'New' under Tools | Account Settings.
Checks: C-30670r497633_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Disable 'Remember password' for Internet e-mail accounts" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value EnableRememberPwd is REG_DWORD = 0, this is not a finding.

Fix: F-30655r497634_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Disable 'Remember password' for Internet e-mail accounts" to "Enabled".

b
Users customizing attachment security settings must be prevented.
SC-18 - Medium - CCI-001170 - V-228438 - SV-228438r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO238
Vuln IDs
  • V-228438
  • V-71155
Rule IDs
  • SV-228438r508021_rule
  • SV-85779
This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting users will be prevented from overriding the set of attachments blocked by Outlook. Outlook also checks the "Level1Remove" registry key when this setting is specified. If you disable or do not configure this policy setting, users will be allowed to override the set of attachments blocked by Outlook.
Checks: C-30671r497636_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Prevent users from customizing attachment security settings" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook Criteria: If the value DisallowAttachmentCustomization is REG_DWORD = 1, this is not a finding.

Fix: F-30656r497637_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Prevent users from customizing attachment security settings" to "Enabled".

b
Outlook Security Mode must be configured to use Group Policy settings.
CM-6 - Medium - CCI-000366 - V-228439 - SV-228439r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO239
Vuln IDs
  • V-228439
  • V-71157
Rule IDs
  • SV-228439r508021_rule
  • SV-85781
This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you can choose from four options for enforcing Outlook security settings: * Outlook Default Security - This option is the default configuration in Outlook. Users can configure security themselves, and Outlook ignores any security-related settings configured in Group Policy. * Use Security Form from 'Outlook Security Settings' Public Folder - Outlook uses the settings from the security form published in the designated public folder. * Use Security Form from 'Outlook 10 Security Settings' Public Folder - Outlook uses the settings from the security form published in the designated public folder. * Use Outlook Security Group Policy - Outlook uses security settings from Group Policy. Important - You must enable this policy setting if you want to apply the other Outlook security policy settings mentioned in this guide. If you disable or do not configure this policy setting, Outlook users can configure security for themselves, and Outlook ignores any security-related settings that are configured in Group Policy. Note - In previous versions of Outlook, when security settings were published in a form in Exchange Server public folders, users who needed these settings required the HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key to be set on their computers for the settings to apply. In Outlook, the CheckAdminSettings registry key is no longer used to determine users' security settings. Instead, the Outlook Security Mode setting can be used to determine whether Outlook security should be controlled directly by Group Policy, by the security form from the Outlook Security Settings Public Folder, or by the settings on users' own computers.
Checks: C-30672r497639_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings "Outlook Security Mode" is set to "Enabled (Use Outlook Security Group Policy)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value AdminSecurityMode is REG_DWORD = 3, this is not a finding.

Fix: F-30657r497640_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings "Outlook Security Mode" to "Enabled (Use Outlook Security Group Policy)".

b
The ability to display level 1 attachments must be disallowed.
SC-18 - Medium - CCI-001662 - V-228440 - SV-228440r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
DTOO240
Vuln IDs
  • V-228440
  • V-71159
Rule IDs
  • SV-228440r508021_rule
  • SV-85783
This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open the file after saving it to disk). Users can freely open files of types that are not categorized as Level 1 or Level 2. If you enable this policy setting, Outlook users can gain access to Level 1 file type attachments by first saving the attachments to disk and then opening them, as with Level 2 attachments. If you disable this policy setting, Level 1 attachments do not display under any circumstances. If you do not configure this policy setting, Outlook completely blocks access to Level 1 files, and requires users to save Level 2 files to disk before opening them.
Checks: C-30673r497642_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Display Level 1 attachments" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value ShowLevel1Attach is REG_DWORD = 0, this is not a finding.

Fix: F-30658r497643_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Display Level 1 attachments" to "Disabled".

b
Level 1 file extensions must be blocked and not removed.
SC-18 - Medium - CCI-001662 - V-228441 - SV-228441r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
DTOO244
Vuln IDs
  • V-228441
  • V-71161
Rule IDs
  • SV-228441r508021_rule
  • SV-85785
This policy setting controls which types of attachments (determined by file extension) Outlook prevents from being delivered. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open the file after saving it to disk). Users can freely open files of types that are not categorized as Level 1 or Level 2. If you enable this policy setting, you can specify the removal of file type extensions as that Outlook classifies as Level 1--that is, to be blocked from delivery--by entering them in the text field provided separated by semicolons. If you disable or do not configure this policy setting, Outlook classifies a number of potentially harmful file types (such as those with .exe, .reg, and .vbs extensions) as Level 1 and blocks files with those extensions from being delivered. Important: This policy setting only applies if the "Outlook Security Mode" policy setting under "Microsoft Outlook 2016\Security\Security Form Settings" is configured to "Use Outlook Security Group Policy."
Checks: C-30674r497645_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Remove file extensions blocked as Level 1" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security\FileExtensionsRemoveLevel1 Criteria: If the registry key exists, this is a finding.

Fix: F-30659r497646_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Remove file extensions blocked as Level 1" to "Disabled".

b
Level 2 file extensions must be blocked and not removed.
SC-18 - Medium - CCI-001662 - V-228442 - SV-228442r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
DTOO245
Vuln IDs
  • V-228442
  • V-71163
Rule IDs
  • SV-228442r508021_rule
  • SV-85787
This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can open them. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open the file after saving it to disk). Users can freely open files of types that are not categorized as Level 1 or Level 2. If you enable this policy setting, you can specify a list of attachment file types to classify as Level 2, which forces users to actively decide to download the attachment to view it. If you disable or do not configure this policy setting, Outlook does not classify any file type extensions as Level 2. Important: This policy setting only applies if the "Outlook Security Mode" policy setting under "Microsoft Outlook 2016\Security\Security Form Settings" is configured to "Use Outlook Security Group Policy."
Checks: C-30675r497648_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Remove file extensions blocked as Level 2" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security\FileExtensionsRemoveLevel2 Criteria: If the registry key exists, this is a finding.

Fix: F-30660r497649_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Attachment Security "Remove file extensions blocked as Level 2" to "Disabled".

b
Scripts in One-Off Outlook forms must be disallowed.
SC-18 - Medium - CCI-001170 - V-228443 - SV-228443r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001170
Version
DTOO246
Vuln IDs
  • V-228443
  • V-71165
Rule IDs
  • SV-228443r508021_rule
  • SV-85789
This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message. If you enable this policy setting, scripts can run in one-off Outlook forms. If you disable or do not configure this policy setting, Outlook does not run scripts in forms in which the script and the layout are contained within the message. Important: This policy setting only applies if the "Outlook Security Mode" policy setting under "Microsoft Outlook 2016\Security\Security Form Settings" is configured to "Use Outlook Security Group Policy."
Checks: C-30676r497651_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Custom Form Security "Allow scripts in one-off Outlook forms" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value EnableOneOffFormScripts is REG_DWORD = 0, this is not a finding.

Fix: F-30661r497652_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Custom Form Security "Allow scripts in one-off Outlook forms" to "Disabled".

b
Custom Outlook Object Model (OOM) action execution prompts must be configured.
SC-18 - Medium - CCI-002460 - V-228444 - SV-228444r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO247
Vuln IDs
  • V-228444
  • V-71167
Rule IDs
  • SV-228444r508021_rule
  • SV-85791
This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to messages in ways that circumvent the Outlook model's programmatic send protections. If you enable this policy setting, you can choose from four options to control how Outlook functions when a custom action is executed that uses the Outlook object model: * Prompt User * Automatically Approve * Automatically Deny * Prompt user based on computer security. This option enforces the default configuration in Outlook. If you disable or do not configure this policy setting, when Outlook or another program initiates a custom action using the Outlook object model, users are prompted to allow or reject the action. If this configuration is changed, malicious code can use the Outlook object model to compromise sensitive information or otherwise cause data and computing resources to be at risk. This is the equivalent of choosing Enabled -- Prompt user based on computer security.
Checks: C-30677r497654_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Custom Form Security "Set Outlook object model Custom Actions execution prompt" is set to "Enabled (Automatically Deny)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value PromptOOMCustomAction is REG_DWORD = 0, this is not a finding.

Fix: F-30662r497655_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Custom Form Security "Set Outlook object model Custom Actions execution prompt" to "Enabled (Automatically Deny)".

b
Object Model Prompt for programmatic email send behavior must be configured.
SC-18 - Medium - CCI-002460 - V-228445 - SV-228445r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO249
Vuln IDs
  • V-228445
  • V-71169
Rule IDs
  • SV-228445r508021_rule
  • SV-85793
This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to send e-mail programmatically using the Outlook object model: - Prompt user - The user will be prompted to approve every access attempt.- Automatically approve - Outlook will automatically grant programmatic access requests from any program. This option can create a significant vulnerability, and is not recommended. - Automatically deny - Outlook will automatically deny programmatic access requests from any program. - Prompt user based on computer security. Outlook will only prompt users when antivirus software is out of date or not running. Important: This policy setting only applies if the 'Outlook Security Mode' policy setting under 'Microsoft Outlook 2016\Security\Security Form Settings' is configured to 'Use Outlook Security Group Policy'. If you disable or do not configure this policy setting, when an untrusted application attempts to send mail programmatically, Outlook relies on the setting configured in the 'Programmatic Access' section of the Trust Center.
Checks: C-30678r497657_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when sending mail" is set to "Enabled (Automatically Deny)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value PromptOOMSend is REG_DWORD = 0, this is not a finding.

Fix: F-30663r497658_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when sending mail" to "Enabled (Automatically Deny)".

b
Object Model Prompt behavior for programmatic address books must be configured.
SC-18 - Medium - CCI-002460 - V-228446 - SV-228446r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO250
Vuln IDs
  • V-228446
  • V-71171
Rule IDs
  • SV-228446r508021_rule
  • SV-85795
This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to programmatically access an Address Book using the Outlook object model:- Prompt user - Users are prompted to approve every access attempt. - Automatically approve - Outlook will automatically grant programmatic access requests from any program. This option can create a significant vulnerability, and is not recommended. - Automatically deny - Outlook will automatically deny programmatic access requests from any program.- Prompt user based on computer security - Outlook will rely on the setting in the 'Programmatic Access' section of the Trust Center. This is the default behavior. If you disable or do not configure this policy setting, when an untrusted application attempts to access the address book programmatically, Outlook relies on the setting configured in the 'Programmatic Access' section of the Trust Center.
Checks: C-30679r497660_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when accessing an address book" is set to "Enabled (Automatically Deny)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value PromptOOMAddressBookAccess is REG_DWORD = 0, this is not a finding.

Fix: F-30664r497830_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when accessing an address book" to "Enabled (Automatically Deny)".

b
Object Model Prompt behavior for programmatic access of user address data must be configured.
SC-18 - Medium - CCI-002460 - V-228447 - SV-228447r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO251
Vuln IDs
  • V-228447
  • V-71173
Rule IDs
  • SV-228447r508021_rule
  • SV-85797
This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the 'To:' field, using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to access a recipient field using the Outlook object model:- Prompt user. The user will be prompted to approve every access attempt.- Automatically approve. Outlook will automatically grant programmatic access requests from any program. This option can create a significant vulnerability, and is not recommended.- Automatically deny. Outlook will automatically deny programmatic access requests from any program.- Prompt user based on computer security. Outlook will only prompt users when antivirus software is out of date or not running. This is the default configuration. If you disable or do not configure this policy setting, when an untrusted application attempts to access recipient fields, Outlook relies on the setting configured in the 'Programmatic Access' section of the Trust Center.
Checks: C-30680r497663_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when reading address information" is set to "Enabled (Automatically Deny)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value PromptOOMAddressInformationAccess is REG_DWORD = 0, this is not a finding.

Fix: F-30665r497832_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when reading address information" to "Enabled (Automatically Deny)".

b
Object Model Prompt behavior for Meeting and Task Responses must be configured.
SC-18 - Medium - CCI-002460 - V-228448 - SV-228448r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO252
Vuln IDs
  • V-228448
  • V-71175
Rule IDs
  • SV-228448r508021_rule
  • SV-85799
This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to programmatically send e-mail using the Response method of a task or meeting request:- Prompt user. The user will be prompted to approve every access attempt.- Automatically approve. Outlook will automatically grant programmatic access requests from any program. This option can create a significant vulnerability, and is not recommended.- Automatically deny. Outlook will automatically deny programmatic access requests from any program. - Prompt user based on computer security. Outlook only prompts users when antivirus software is out of date or not running. This is the default configuration. If you disable or do not configure this policy setting, when an untrusted application attempts to respond to tasks or meeting requests programmatically, Outlook relies on the setting configured in the 'Programmatic Access' section of the Trust Center.
Checks: C-30681r497666_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when responding to meeting and task requests" is set to "Enabled (Automatically Deny)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value PromptOOMMeetingTaskRequestResponse is REG_DWORD = 0, this is not a finding.

Fix: F-30666r497834_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when responding to meeting and task requests" to "Enabled (Automatically Deny)".

b
Object Model Prompt behavior for the SaveAs method must be configured.
SC-18 - Medium - CCI-002460 - V-228449 - SV-228449r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO253
Vuln IDs
  • V-228449
  • V-71177
Rule IDs
  • SV-228449r508021_rule
  • SV-85801
This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically save an item. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to use the Save As command to programmatically save an item:- Prompt user. The user will be prompted to approve every access attempt. - Automatically approve. Outlook will automatically grant programmatic access requests from any program. This option can create a significant vulnerability, and is not recommended. - Automatically deny. Outlook will automatically deny programmatic access requests from any program.- Prompt user based on computer security. Outlook will only prompt users when antivirus software is out of date or not running. This is the default configuration. If you disable or do not configure this policy setting, when an untrusted application attempts to use the Save As command, Outlook relies on the setting configured in the 'Programmatic Access' section of the Trust Center.
Checks: C-30682r497669_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when executing Save As" is set to "Enabled (Automatically Deny)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value PromptOOMSaveAs is REG_DWORD = 0, this is not a finding.

Fix: F-30667r497836_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt when executing Save As" to "Enabled (Automatically Deny)".

b
Object Model Prompt behavior for accessing User Property Formula must be configured.
SC-18 - Medium - CCI-002460 - V-228450 - SV-228450r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-002460
Version
DTOO254
Vuln IDs
  • V-228450
  • V-71179
Rule IDs
  • SV-228450r508021_rule
  • SV-85803
This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to access address information using the UserProperties. Find method of the Outlook object model: - Prompt user. The user will be prompted to approve every access attempt. - Automatically approve. Outlook will automatically grant programmatic access requests from any program. This option can create a significant vulnerability, and is not recommended. - Automatically deny. Outlook will automatically deny programmatic access requests from any program. - Prompt user based on computer security. Outlook will only prompt users when antivirus software is out of date or not running. If you disable or do not configure this policy setting, when a user tries to bind an address information field to a combination or formula custom field in a custom form, Outlook relies on the setting configured in the 'Programmatic Access' section of the Trust Center.
Checks: C-30683r497672_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object" is set to "Enabled (Automatically Deny)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value PromptOOMFormulaAccess is REG_DWORD = 0, this is not a finding.

Fix: F-30668r497838_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object" to "Enabled (Automatically Deny)".

b
Trusted add-ins behavior for email must be configured.
CM-6 - Medium - CCI-000366 - V-228451 - SV-228451r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO256
Vuln IDs
  • V-228451
  • V-71193
Rule IDs
  • SV-228451r508021_rule
  • SV-85817
This policy setting can be used to specify a list of trusted add-ins that can be run without being restricted by the security measures in Outlook. If you enable this policy setting, a list of trusted add-ins and hashes is made available that you can modify by adding and removing entries. The list is empty by default. To create a new entry, enter a DLL file name in the 'Value Name' column and the hash result in the 'Value' column. If you disable or do not configure this policy setting, the list of trusted add-ins is empty and unused, so the recommended EC and SSLF settings do not create any usability issues. However, users who rely on add-ins that access the Outlook object model might be repeatedly prompted unless administrators enable this setting and add the add-ins to the list.Note - You can also configure Exchange Security Form settings by enabling the 'Outlook Security Mode' setting in User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Security Form Settings\Microsoft Outlook 2016 Security and selecting 'Use Outlook Security Group Policy' from the drop-down list.
Checks: C-30684r497675_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security -> Trusted Add-ins "Configure trusted add-ins" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\security Criteria: If the value trustedaddins does not exist, this is not a finding. If the value trustedaddins exists, but with no entries, this is not a finding. If the value trustedaddins exists, with entries, this is a finding. In some reported configurations, the value remains after disabling the setting but the value is empty.

Fix: F-30669r497676_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Security Form Settings -> Programmatic Security -> Trusted Add-ins "Configure trusted add-ins" to "Disabled".

b
S/Mime interoperability with external clients for message handling must be configured.
IA-7 - Medium - CCI-000803 - V-228452 - SV-228452r508021_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
DTOO257
Vuln IDs
  • V-228452
  • V-71195
Rule IDs
  • SV-228452r508021_rule
  • SV-85819
This policy setting controls whether Outlook decodes encrypted messages itself or passes them to an external program for processing. If you enable this policy setting, you can choose from three options for configuring external S/MIME clients:- Handle internally. Outlook decrypts all S/MIME messages itself.- Handle externally. Outlook hands all S/MIME messages off to the configured external program.- Handle if possible. Outlook attempts to decrypt all S/MIME messages itself. If it cannot decrypt a message, Outlook hands the message off to the configured external program. This option is the default configuration. If you disable or do not configure this policy setting, the behavior is the equivalent of selecting Enabled: Handle if possible.
Checks: C-30685r497678_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "S/MIME interoperability with external clients" is set to "Enabled (Handle internally)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value ExternalSMime is REG_DWORD = 0, this is not a finding.

Fix: F-30670r497679_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "S/MIME interoperability with external clients" to "Enabled (Handle internally)".

b
Message formats must be set to use SMime.
IA-7 - Medium - CCI-000803 - V-228453 - SV-228453r508021_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
DTOO260
Vuln IDs
  • V-228453
  • V-71227
Rule IDs
  • SV-228453r508021_rule
  • SV-85851
This policy setting controls which message encryption formats Outlook can use. Outlook supports three formats for encrypting and signing messages: S/MIME, Exchange, and Fortezza. If you enable this policy setting, you can specify whether Outlook can use S/MIME (the default), Exchange, or Fortezza encryption, or any combination of any of these options. Users will not be able to change this configuration. If you disable or do not configure this policy setting, Outlook only uses S/MIME to encrypt and sign messages. If you disable this policy setting, users will not be able to change this configuration.
Checks: C-30686r497681_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Message Formats" is set to "Enabled (S\MIME)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value MsgFormats is REG_DWORD = 1, this is not a finding.

Fix: F-30671r497682_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Message Formats" to "Enabled (S\MIME)".

b
Run in FIPS compliant mode must be enforced.
IA-7 - Medium - CCI-000803 - V-228454 - SV-228454r559729_rule
RMF Control
IA-7
Severity
M
CCI
CCI-000803
Version
DTOO262
Vuln IDs
  • V-228454
  • V-71229
Rule IDs
  • SV-228454r559729_rule
  • SV-85853
This policy setting controls whether Outlook is required to use FIPS-compliant algorithms when signing and encrypting messages. Outlook can run in a mode that complies with Federal Information Processing Standards (FIPS), a set of standards published by the National Institute of Standards and Technology (NIST) for use by non-military United States government agencies and by government contractors. If you enable this policy setting, Outlook runs in a mode that complies with the FIPS 140-1 standard for cryptographic modules. This mode requires the use of the SHA-1 algorithm for signing and 3DES for encryption. If you disable or do not configure this policy setting, Outlook does not run in FIPS-compliant mode. Organizations that do business with the United States government but do not run Outlook in FIPS-compliant mode risk violating the U.S. government's rules regarding the handling of sensitive information.For more information about FIPS, see FIPS - General Information at http://www.itl.nist.gov/fipspubs/geninfo.htm FIPS mode in Windows enforces 3DES, AES 256/192/128, SHA1, and SHA 512/384/256. The 3DES and SHA1 modules are FIPS 140 certified. FIPS mode restricts Outlook to a very short list of SMIME capabilities. Almost all SMIME algorithms are FIPS certified on Windows. Reference https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation#microsoft-fips-140-2-validated-cryptographic-modules to double check that the SMIME capabilities used and specified in certificates are FIPS certified.
Checks: C-30687r497684_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Run in FIPS compliant mode" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value FIPSMode is REG_DWORD = 1, this is not a finding.

Fix: F-30672r497685_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Run in FIPS compliant mode" to "Enabled".

b
Send all signed messages as clear signed messages must be configured.
CM-6 - Medium - CCI-000366 - V-228455 - SV-228455r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO264
Vuln IDs
  • V-228455
  • V-71231
Rule IDs
  • SV-228455r508021_rule
  • SV-85855
This policy setting controls whether Outlook sends signed messages as clear text signed messages. If you enable this policy setting, the "Send clear text signed message when sending signed messages" option is selected in the E-mail Security section of the Trust Center. If you disable or do not configure this policy setting, when users sign e-mail messages with their digital signature and send them, Outlook uses the signature's private key to encrypt the digital signature but sends the messages as clear text, unless they are encrypted separately.
Checks: C-30688r497687_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Send all signed messages as clear signed messages" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value ClearSign is REG_DWORD = 1, this is not a finding.

Fix: F-30673r497688_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Send all signed messages as clear signed messages" to "Enabled".

b
Automatic sending s/Mime receipt requests must be disallowed.
CM-6 - Medium - CCI-000366 - V-228456 - SV-228456r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO266
Vuln IDs
  • V-228456
  • V-71233
Rule IDs
  • SV-228456r508021_rule
  • SV-85857
This policy setting controls how Outlook handles S/MIME receipt requests. If you enable this policy setting, you can choose from four options for handling S/MIME receipt requests in Outlook:- Open message if receipt can't be sent- Don't open message if receipt can't be sent- Always prompt before sending receipt- Never send S/MIME receipts. If you disable or do not configure this policy setting, when users open messages with attached receipt requests, Outlook prompts them to decide whether to send a receipt to the sender with information about the identity of the user who opened the message and the time it was opened. If Outlook cannot send the receipt, the user is still allowed to open the message.
Checks: C-30689r497690_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "S/MIME receipt requests behavior" is set to "Enabled (Never send S\MIME receipts)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value RespondToReceiptRequests is REG_DWORD = 2, this is not a finding.

Fix: F-30674r497691_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "S/MIME receipt requests behavior" to "Enabled (Never send S\MIME receipts)".

b
Retrieving of CRL data must be set for online action.
IA-5 - Medium - CCI-000185 - V-228457 - SV-228457r508021_rule
RMF Control
IA-5
Severity
M
CCI
CCI-000185
Version
DTOO267
Vuln IDs
  • V-228457
  • V-71235
Rule IDs
  • SV-228457r508021_rule
  • SV-85859
This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates.Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised. If you enable this policy setting, you can choose from three options to govern how Outlook uses CRLs: - Use system Default. Outlook relies on the CRL download schedule that is configured for the operating system. - When online always retrieve the CRL. This option is the default configuration in Outlook. - Never retrieve the CRL. Outlook will not attempt to download the CRL for a certificate, even if it is online. This option can reduce security. If you disable or do not configure this policy setting, when Outlook handles a certificate that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is online.
Checks: C-30690r497693_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography -> Signature Status dialog box "Retrieving CRLs (Certificate Revocation Lists)" is set to "Enabled (When online always retrieve the CRL)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value UseCRLChasing is REG_DWORD = 1, this is not a finding.

Fix: F-30675r497840_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography -> Signature Status dialog box "Retrieving CRLs (Certificate Revocation Lists)" to "Enabled (When online always retrieve the CRL)".

b
External content and pictures in HTML email must be displayed.
CM-6 - Medium - CCI-000366 - V-228458 - SV-228458r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO270
Vuln IDs
  • V-228458
  • V-71237
Rule IDs
  • SV-228458r508021_rule
  • SV-85861
This policy setting setting controls whether Outlook downloads untrusted pictures and external content located in HTML e-mail messages without users explicitly choosing to download them. If you enable this policy setting, Outlook will not automatically download content from external servers unless the sender is included in the Safe Senders list. Recipients can choose to download external content from untrusted senders on a message-by-message basis. If you disable this policy setting, Outlook will display pictures and external content in HTML e-mail automatically.If you do not configure this policy setting, Outlook does not download external content in HTML e-mail and RSS items unless the content is considered safe. Content that Outlook can be configured to consider safe includes: - Content in e-mail messages from senders and to recipients defined in the Safe Senders and Safe Recipients lists. - Content from Web sites in Internet Explorer's Trusted Sites security zone. - Content in RSS items. - Content from SharePoint Discussion Boards. Users can control what content is considered safe by changing the options in the "Automatic Download" section of the Trust Center. If Outlook's default blocking configuration is overridden, in the Trust Center or by some other method, Outlook will display external content in all HTML e-mail messages, including any that include Web beacons.
Checks: C-30691r497696_chk

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Automatic Picture Download Settings "Display pictures and external content in HTML e-mail" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value BlockExtContent is REG_DWORD = 1, this is not a finding.

Fix: F-30676r497697_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Display pictures and external content in HTML e-mail" to "Enabled".

b
Automatic download content for email in Safe Senders list must be disallowed.
CM-6 - Medium - CCI-000366 - V-228459 - SV-228459r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO271
Vuln IDs
  • V-228459
  • V-71239
Rule IDs
  • SV-228459r508021_rule
  • SV-85863
This policy setting controls whether Outlook automatically downloads external content in e-mail from senders in the Safe Senders List or Safe Recipients List. If you enable this policy setting, Outlook automatically downloads content for e-mail from people in Safe Senders and Safe Recipients lists. If you disable this policy setting, Outlook will not automatically download content from external servers for messages sent by people listed in users' Safe Senders Lists or Safe Recipients Lists. Recipients can choose to download external content on a message-by-message basis. If you do not configure this policy setting, downloads are permitted when users receive e-mail from people listed in the user's Safe Senders List or Safe Recipients List.
Checks: C-30692r497699_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value UnblockSpecificSenders is REG_DWORD = 0, this is not a finding.

Fix: F-30677r497842_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" to "Disabled".

b
Permit download of content from safe zones must be configured.
CM-6 - Medium - CCI-000366 - V-228460 - SV-228460r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO272
Vuln IDs
  • V-228460
  • V-71241
Rule IDs
  • SV-228460r508021_rule
  • SV-85865
This policy setting controls whether Outlook automatically downloads content from safe zones when displaying messages. If you enable this policy setting content from safe zones will be downloaded automatically. If you disable this policy Outlook will not automatically download content from safe zones. Recipients can choose to download external content from untrusted senders on a message-by-message basis. If you do not configure this policy setting, Outlook automatically downloads content from sites that are considered "safe," as defined in the Security tab of the Internet Options dialog box in Internet Explorer. Important - Note that this policy setting is "backward." Despite the name, disabling the policy setting prevents the download of content from safe zones and enabling the policy setting allows it.
Checks: C-30693r497702_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Do not permit download of content from safe zones" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value UnblockSafeZone is REG_DWORD = 1, this is not a finding.

Fix: F-30678r497703_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Do not permit download of content from safe zones" to "Disabled".

b
IE Trusted Zones assumed trusted must be blocked.
CM-6 - Medium - CCI-000366 - V-228461 - SV-228461r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO273
Vuln IDs
  • V-228461
  • V-71243
Rule IDs
  • SV-228461r508021_rule
  • SV-85867
This policy setting controls whether pictures from sites in the Trusted Sites security zone are automatically downloaded in Outlook e-mail messages and other items. If you enable this policy setting, Outlook does not automatically download content from Web sites in the Trusted sites zone in Internet Explorer. Recipients can choose to download external content on a message-by-message basis. If you disable or do not configure this policy setting, Outlook automatically downloads content from Web sites in the Trusted sites zone in Internet Explorer.
Checks: C-30694r497705_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Block Trusted Zones" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value TrustedZone is REG_DWORD = 0, this is not a finding.

Fix: F-30679r497706_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Block Trusted Zones" to "Enabled".

b
Internet with Safe Zones for Picture Download must be disabled.
CM-6 - Medium - CCI-000366 - V-228462 - SV-228462r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO274
Vuln IDs
  • V-228462
  • V-71245
Rule IDs
  • SV-228462r508021_rule
  • SV-85869
This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook users explicitly choosing to do so. If you enable this policy setting, Outlook will automatically download external content in all e-mail messages sent over the Internet and users will not be able to change the setting. If you disable or do not configure this policy setting, Outlook does not consider the Internet a safe zone, which means that Outlook will not automatically download content from external servers unless the sender is included in the Safe Senders list. Recipients can choose to download external content from untrusted senders on a message-by-message basis.
Checks: C-30695r497708_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Include Internet in Safe Zones for Automatic Picture Download" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value Internet is REG_DWORD = 0, this is not a finding.

Fix: F-30680r497709_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Include Internet in Safe Zones for Automatic Picture Download" to "Disabled".

b
Intranet with Safe Zones for automatic picture downloads must be configured.
CM-6 - Medium - CCI-000366 - V-228463 - SV-228463r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO275
Vuln IDs
  • V-228463
  • V-71247
Rule IDs
  • SV-228463r508021_rule
  • SV-85871
This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the local intranet are downloaded without Outlook users explictly choosing to do so. If you enable this policy setting, Outlook will automatically download external content in all e-mail messages sent over the local intranet and users will not be able to change the setting. If you disable or do not configure this policy setting, Outlook does not consider the local intranet a safe zone, which means that Outlook will not automatically download content from other servers in the Local Intranet zone unless the sender is included in the Safe Senders list. Recipients can choose to download external content from untrusted senders on a message-by-message basis.
Checks: C-30696r497711_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Include Intranet in Safe Zones for Automatic Picture Download" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value Intranet is REG_DWORD = 0, this is not a finding.

Fix: F-30681r497712_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Automatic Picture Download Settings "Include Intranet in Safe Zones for Automatic Picture Download" to "Disabled".

b
Always warn on untrusted macros must be enforced.
SC-18 - Medium - CCI-001662 - V-228464 - SV-228464r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001662
Version
DTOO276
Vuln IDs
  • V-228464
  • V-71249
Rule IDs
  • SV-228464r508021_rule
  • SV-85873
This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose from four options for handling macros in Outlook: - Always warn. This option corresponds to the "Warnings for all macros" option in the "Macro Security" section of the Outlook Trust Center. Outlook disables all macros that are not opened from a trusted location, even if the macros are signed by a trusted publisher. For each disabled macro, Outlook displays a security alert dialog box with information about the macro and its digital signature (if present), and allows users to enable the macro or leave it disabled. - Never warn, disable all. This option corresponds to the "No warnings and disable all macros" option in the Trust Center. Outlook disables all macros that are not opened from trusted locations, and does not notify users. - Warning for signed, disable unsigned. This option corresponds to the "Warnings for signed macros; all unsigned macros are disabled" option in the Trust Center. Outlook handles macros as follows: --If a macro is digitally signed by a trusted publisher, the macro can run if the user has already trusted the publisher. --If a macro has a valid signature from a publisher that the user has not trusted, the security alert dialog box for the macro lets the user choose whether to enable the macro for the current session, disable the macro for the current session, or to add the publisher to the Trusted Publishers list so that it will run without prompting the user in the future. --If a macro does not have a valid signature, Outlook disables it without prompting the user, unless it is opened from a trusted location. This option is the default configuration in Outlook. - No security check. This option corresponds to the "No security check for macros (Not recommended)" option in the Trust Center. Outlook runs all macros without prompting users. This configuration makes users' computers vulnerable to potentially malicious code and is not recommended. If you disable or do not configure this policy setting, the behavior is the equivalent of Enabled -- Warning for signed, disable unsigned.
Checks: C-30697r497714_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Trust Center "Security setting for macros" is set to "Enabled (Warn for signed, disable unsigned)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value Level is REG_DWORD = 3, this is not a finding.

Fix: F-30682r497715_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Trust Center "Security setting for macros" to "Enabled (Warn for signed, disable unsigned)".

b
Hyperlinks in suspected phishing email messages must be disallowed.
CM-6 - Medium - CCI-000366 - V-228465 - SV-228465r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO277
Vuln IDs
  • V-228465
  • V-71251
Rule IDs
  • SV-228465r508021_rule
  • SV-85875
This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable this policy setting, Outlook will allow hyperlinks in suspected phishing messages that are not also classified as junk e-mail. If you disable or do not configure this policy setting, Outlook will not allow hyperlinks in suspected phishing messages, even if they are not classified as junk e-mail.
Checks: C-30698r497717_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Trust Center "Allow hyperlinks in suspected phishing e-mail messages" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\mail Criteria: If the value JunkMailEnableLinks is REG_DWORD = 0, this is not a finding.

Fix: F-30683r497718_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Trust Center "Allow hyperlinks in suspected phishing e-mail messages" to "Disabled".

b
RPC encryption between Outlook and Exchange server must be enforced.
IA-3 - Medium - CCI-001967 - V-228466 - SV-228466r508021_rule
RMF Control
IA-3
Severity
M
CCI
CCI-001967
Version
DTOO279
Vuln IDs
  • V-228466
  • V-71253
Rule IDs
  • SV-228466r508021_rule
  • SV-85877
This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC encryption when communicating with an Exchange server. Note - RPC encryption only encrypts the data from the Outlook client computer to the Exchange server. It does not encrypt the messages themselves as they traverse the Internet. If you disable or do not configure this policy setting, RPC encryption is still used by default. This setting allows you to override the corresponding per-profile setting.
Checks: C-30699r497720_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange "Enable RPC encryption" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\rpc Criteria: If the value EnableRPCEncryption is REG_DWORD = 1, this is not a finding.

Fix: F-30684r497721_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange "Enable RPC encryption" to "Enabled".

b
Outlook must be configured to force authentication when connecting to an Exchange server.
IA-3 - Medium - CCI-001967 - V-228467 - SV-228467r508021_rule
RMF Control
IA-3
Severity
M
CCI
CCI-001967
Version
DTOO280
Vuln IDs
  • V-228467
  • V-71255
Rule IDs
  • SV-228467r508021_rule
  • SV-85879
This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note - Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secure authentication method and is supported on Windows 2000 Server and later versions. NTLM authentication is supported in pre-Windows 2000 environments. If you enable this policy setting, you can choose from three different options for controlling how Outlook authenticates with Microsoft Exchange Server:- Kerberos/NTLM password authentication. Outlook attempts to authenticate using the Kerberos authentication protocol. If this attempt fails, Outlook attempts to authenticate using NTLM. This option is the default configuration.- Kerberos password authentication. Outlook attempts to authenticate using the Kerberos protocol only.- NTLM password authentication. Outlook attempts to authenticate using NTLM only. If you disable or do not configure this policy setting, Outlook will attempt to authenticate using the Kerberos authentication protocol. If it cannot (because no Windows 2000 or later domain controllers are available), it will authenticate using NTLM.
Checks: C-30700r497723_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange "Authentication with Exchange Server" is set to "Enabled (Kerberos Password Authentication)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value AuthenticationService is REG_DWORD = 16 (decimal) or 10 (hex), this is not a finding.

Fix: F-30685r497724_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Exchange "Authentication with Exchange Server" to "Enabled (Kerberos Password Authentication)".

b
Disabling download full text of articles as HTML must be configured.
CM-6 - Medium - CCI-000366 - V-228468 - SV-228468r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO283
Vuln IDs
  • V-228468
  • V-71259
Rule IDs
  • SV-228468r508021_rule
  • SV-85883
This policy setting controls whether Outlook automatically makes an offline copy of the RSS items as HTML attachments. If you enable this policy setting, Outlook automatically makes an offline copy of RSS items as HTML attachments. If you disable or do not configure this policy setting, Outlook will not automatically make an offline copy of RSS items as HTML attachments.
Checks: C-30701r497726_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> RSS Feeds "Download full text of articles as HTML attachments" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\rss Criteria: If the value EnableFullTextHTML is REG_DWORD = 0, this is not a finding.

Fix: F-30686r497727_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> RSS Feeds "Download full text of articles as HTML attachments" to "Disabled".

b
Automatic download of Internet Calendar appointment attachments must be disallowed.
SC-18 - Medium - CCI-001169 - V-228469 - SV-228469r508021_rule
RMF Control
SC-18
Severity
M
CCI
CCI-001169
Version
DTOO284
Vuln IDs
  • V-228469
  • V-71261
Rule IDs
  • SV-228469r508021_rule
  • SV-85885
This policy setting controls whether Outlook downloads files attached to Internet Calendar appointments. If you enable this policy setting, Outlook automatically downloads all Internet Calendar appointment attachments. If you disable or do not configure this policy setting, Outlook does not download attachments when retrieving Internet Calendar appointments.
Checks: C-30702r497729_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Internet Calendars "Automatically download attachments" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\webcal Criteria: If the value EnableAttachments is REG_DWORD = 0, this is not a finding.

Fix: F-30687r497730_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Internet Calendars "Automatically download attachments" to "Disabled".

b
Internet calendar integration in Outlook must be disabled.
CM-7 - Medium - CCI-000381 - V-228470 - SV-228470r508021_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
DTOO285
Vuln IDs
  • V-228470
  • V-71263
Rule IDs
  • SV-228470r508021_rule
  • SV-85887
This policy setting allows you to determine whether or not you want to include Internet Calendar integration in Outlook. The Internet Calendar feature in Outlook enables users to publish calendars online (using the webcal:// protocol) and subscribe to calendars that others have published. When users subscribe to an Internet calendar, Outlook queries the calendar at regular intervals and downloads any changes as they are posted. If you enable this policy setting, all Internet calendar functionality in Outlook is disabled. If you disable or do not configure this policy setting, Outlook allows users to subscribe to Internet calendars.
Checks: C-30703r497732_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Internet Calendars "Do not include Internet Calendar integration in Outlook" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\webcal Criteria: If the value Disable is REG_DWORD = 1, this is not a finding.

Fix: F-30688r497733_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> Internet Calendars "Do not include Internet Calendar integration in Outlook" to "Enabled".

b
User Entries to Server List must be disallowed.
CM-7 - Medium - CCI-000381 - V-228471 - SV-228471r508021_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
DTOO286
Vuln IDs
  • V-228471
  • V-71265
Rule IDs
  • SV-228471r508021_rule
  • SV-85889
This policy setting controls whether Outlook users can add entries to the list of SharePoint servers when establishing a meeting workspace. If you enable this policy setting, you can choose between two options to determine whether Outlook users can add entries to the published server list: - Publish default, allow others. This option is the default configuration in Outlook. - Publish default, disallow others. This option prevents users from adding servers to the default published server list. If you disable or do not configure this policy setting, when users create a meeting workspace, they can choose a server from a default list provided by administrators or manually enter the address of a server that is not listed. This is the equivalent of Enabled -- Publish default, allow others.
Checks: C-30704r497735_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Meeting Workspace "Disable user entries to server list" is set to "Enabled (Publish default, disallow others)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\meetings\profile Criteria: If the value ServerUI is REG_DWORD = 2, this is not a finding.

Fix: F-30689r497736_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Meeting Workspace "Disable user entries to server list" to "Enabled (Publish default, disallow others)".

b
Automatically downloading enclosures on RSS must be disallowed.
CM-7 - Medium - CCI-000381 - V-228472 - SV-228472r508021_rule
RMF Control
CM-7
Severity
M
CCI
CCI-000381
Version
DTOO313
Vuln IDs
  • V-228472
  • V-71267
Rule IDs
  • SV-228472r508021_rule
  • SV-85891
This policy setting allows you to control whether Outlook automatically downloads enclosures on RSS items. If you enable this policy setting, Outlook will automatically download enclosures on RSS items. If you disable or do not configure this policy setting, enclosures on RSS items are not downloaded by default.
Checks: C-30705r497738_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> RSS Feeds "Automatically download enclosures" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\options\rss Criteria: If the value EnableAttachments is REG_DWORD = 0, this is not a finding.

Fix: F-30690r497739_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Account Settings -> RSS Feeds "Automatically download enclosures" to "Disabled".

b
Outlook must be configured not to prompt users to choose security settings if default settings fail.
CM-6 - Medium - CCI-000366 - V-228473 - SV-228473r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO315
Vuln IDs
  • V-228473
  • V-71271
Rule IDs
  • SV-228473r508021_rule
  • SV-85895
Check to prompt the user to choose security settings if default settings fail; uncheck to automatically select.
Checks: C-30706r497741_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Prompt user to choose security settings if default settings fail" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value ForceDefaultProfile is REG_DWORD = 0, this is not a finding.

Fix: F-30691r497742_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Prompt user to choose security settings if default settings fail" to "Disabled".

b
Outlook minimum encryption key length settings must be set.
SC-13 - Medium - CCI-002450 - V-228474 - SV-228474r508021_rule
RMF Control
SC-13
Severity
M
CCI
CCI-002450
Version
DTOO316
Vuln IDs
  • V-228474
  • V-71273
Rule IDs
  • SV-228474r508021_rule
  • SV-85897
This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries to send a message using an encryption key that is below the minimum encryption key value set. The user can still choose to ignore the warning and send using the encryption key originally chosen. If you disable or do not configure this policy setting, a dialog warning will be shown to the user if the user attempts to send a message using encryption. The user can still choose to ignore the warning and send using the encryption key originally chosen.
Checks: C-30707r497744_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Minimum encryption settings" is set to "Enabled: 168 bits". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value MinEncKey is REG_DWORD = a8 (hex) or 168 (decimal), this is not a finding.

Fix: F-30692r497745_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Minimum encryption settings" to "Enabled: 168 bits".

b
Replies or forwards to signed/encrypted messages must be signed/encrypted.
CM-6 - Medium - CCI-000366 - V-228475 - SV-228475r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO317
Vuln IDs
  • V-228475
  • V-71275
Rule IDs
  • SV-228475r508021_rule
  • SV-85899
This policy setting controls whether replies and forwards to signed/encrypted mail should also be signed/encrypted. If you enable this policy setting, signing/encryption will be turned on when replying/forwarding a signed or encrypted message, even if the user is not configured for SMIME. If you disable or do not configure this policy setting, signing/encryption is not enforced.
Checks: C-30708r497747_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Replies or forwards to signed/encrypted messages are signed/encrypted" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value NoCheckOnSessionSecurity is REG_DWORD = 1, this is not a finding.

Fix: F-30693r497748_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Replies or forwards to signed/encrypted messages are signed/encrypted" to "Enabled".

b
Check e-mail addresses against addresses of certificates being used must be disallowed.
CM-6 - Medium - CCI-000366 - V-228476 - SV-228476r508021_rule
RMF Control
CM-6
Severity
M
CCI
CCI-000366
Version
DTOO320
Vuln IDs
  • V-228476
  • V-71277
Rule IDs
  • SV-228476r508021_rule
  • SV-85901
This policy setting controls whether Outlook verifies the user's e-mail address with the address associated with the certificate used for signing. If you enable this policy setting, users can send messages signed with certificates that do not match their e-mail addresses. If you disable or do not configure this policy setting, Outlook verifies that the user's e-mail address matches the certificate being used for signing.
Checks: C-30709r497750_chk

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Do not check e-mail address against address of certificates being used" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security Criteria: If the value SupressNameChecks is REG_DWORD = 1, this is not a finding.

Fix: F-30694r497751_fix

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security -> Cryptography "Do not check e-mail address against address of certificates being used" to "Enabled".