UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Configure trusted add-ins behavior for eMail.


Overview

Finding ID Version Rule ID IA Controls Severity
V-17575 DTOO256 - Outlook SV-18689r1_rule ECSC-1 Medium
Description
The Outlook object model includes entry points to access Outlook data, save data to specified locations, and send e-mail messages, all of which can be used by malicious application developers. To help protect these entry points, the Object Model Guard warns users and prompts them for confirmation when untrusted code, including add-ins, attempts to use the object model to obtain e-mail address information, store data outside of Outlook, execute certain actions, and send e-mail messages. To reduce excessive security warnings when add-ins are used, administrators can specify a list of trusted add-ins that can access the Outlook object model silently, without raising prompts. This trusted add-in list should be treated with care, because a malicious add-in could access and forward sensitive information if added to the list.
STIG Date
Microsoft Outlook 2007 2015-06-11

Details

Check Text ( C-18876r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Security Form Settings -> Programmatic Security -> Trusted Add-ins “Configure trusted add-ins” will be set to “Disabled”.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security\TrustedAddins

If the registry key exists, this is a finding.
Fix Text (F-17493r1_fix)
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Security Form Settings -> Programmatic Security -> Trusted Add-ins “Configure trusted add-ins” will be set to “Disabled”.