Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17778 | DTOO267 - Outlook | SV-18995r1_rule | ECSC-1 | Medium |
Description |
---|
Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised. By default, when Outlook 2007 handles a certificate that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is online. If this configuration is changed, Outlook might improperly trust a revoked certificate, which could put users' computers and data at risk. |
STIG | Date |
---|---|
Microsoft Outlook 2007 | 2014-04-03 |
Check Text ( C-19253r1_chk ) |
---|
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography -> Signature Status dialog box “Retrieving CRLs (Certificate Revocation Lists)” will be set to “Enabled (When online always retrieve the CRL)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security Criteria: If the value UseCRLChasing is REG_DWORD = 1, this is not a finding. |
Fix Text (F-17753r1_fix) |
---|
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography -> Signature Status dialog box “Retrieving CRLs (Certificate Revocation Lists)” will be set to “Enabled (When online always retrieve the CRL)”. |
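The check and fix above can be automated for a local audit. The following PowerShell is an added example, not part of the STIG text: it reads the registry value named in the check text, reports V-17778 as Open or NotAFinding using the criterion the check text gives (REG_DWORD UseCRLChasing = 1), and optionally writes that value. The function names and the result object's fields are assumptions of this example; the key path, value name and expected value come from the check text.

```powershell
# Added example (not part of the STIG): audit and remediate the Outlook 2007
# CRL retrieval policy described in V-17778. The registry path and value
# are taken from the check text; everything else is this example's own.
# HKCU is per-user, so run this as the user whose profile is being assessed.
$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook\Security'
$ValueName = 'UseCRLChasing'
$Expected  = 1   # "Enabled (When online always retrieve the CRL)" per the check text

function Test-OutlookCrlChasing {
    [CmdletBinding()]
    param()

    # Result object shape is an assumption of this example, chosen so the
    # output can be collected from many hosts and filtered on Status.
    $result = [pscustomobject]@{
        Finding = 'V-17778'
        RuleId  = 'SV-18995r1_rule'
        Status  = 'Open'
        Actual  = $null
        Reason  = ''
    }

    if (-not (Test-Path -Path $KeyPath)) {
        $result.Reason = "Key $KeyPath does not exist; policy not applied"
        return $result
    }

    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.Reason = "$ValueName not present under $KeyPath"
        return $result
    }

    # The check text requires REG_DWORD; a string "1" would not satisfy it.
    $kind = (Get-Item -Path $KeyPath).GetValueKind($ValueName)
    $result.Actual = $item.$ValueName
    if ($kind -ne 'DWord') {
        $result.Reason = "$ValueName exists but is $kind, not REG_DWORD"
        return $result
    }

    if ($item.$ValueName -eq $Expected) {
        $result.Status = 'NotAFinding'
        $result.Reason = "$ValueName is REG_DWORD = $Expected"
    } else {
        $result.Reason = "$ValueName is $($item.$ValueName), expected $Expected"
    }
    return $result
}

function Set-OutlookCrlChasing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Creating the Policies key locally mirrors what the Group Policy setting
    # in the fix text writes; in a domain, prefer applying the GPO itself.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set REG_DWORD to $Expected")) {
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
            -Value $Expected -Force | Out-Null
    }
}

# Usage: audit first, remediate only if the finding is open.
$audit = Test-OutlookCrlChasing
$audit | Format-List
if ($audit.Status -eq 'Open') {
    Set-OutlookCrlChasing -WhatIf   # drop -WhatIf to actually write the value
    Test-OutlookCrlChasing | Format-List
}
```

The type check matters: Get-ItemProperty returns whatever is stored, so a REG_SZ of "1" compares equal to 1 in PowerShell and would otherwise be reported as compliant even though it does not meet the REG_DWORD criterion. Writing directly to the Policies hive is appropriate for standalone or lab machines; on domain members a local write will be overwritten at the next policy refresh if the GPO sets a different value, so the durable fix is the Group Policy setting named in the fix text.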