Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-17801 | DTOO248 - Base | SV-19028r1_rule | ECSC-1 | Medium |
Description |
---|
When a control on a custom Outlook 2007 form is bound directly to any of the Address Information fields, the form code can indirectly retrieve the value of the Address Information field by obtaining the Value property of the control. If the custom form was created by a malicious or inexperienced user, sensitive information could be exposed to unauthorized parties. By default, Outlook prompts users when they bind a control to an Address Information field. |
STIG | Date |
---|---|
Microsoft Outlook 2007 | 2015-06-11 |
Check Text ( C-19053r1_chk ) |
---|
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Security Form Settings -> Custom Form Security “Set control ItemProperty prompt” will be set to “Enabled (Automatically Deny)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security. Criteria: If the value PromptOOMItemPropertyAccess is REG_DWORD = 0, this is not a finding. |
Fix Text (F-17702r1_fix) |
---|
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Security Form Settings -> Custom Form Security “Set control ItemProperty prompt” will be set to “Enabled (Automatically Deny)”. |
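
The registry check in the Check Text above can be scripted. The following PowerShell is an added example, not part of the STIG; the function name `Test-ItemPropertyPrompt` and the status strings are hypothetical. It assumes that a missing key, a missing value, or a wrong value type counts as a finding, because the criteria clear only REG_DWORD = 0. Run it in the session of the user being assessed, since the key is under HKCU.

```powershell
# Added example: evaluates the V-17801 criteria against the current user's hive.
$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook\Security'
$ValueName = 'PromptOOMItemPropertyAccess'

function Test-ItemPropertyPrompt {   # hypothetical helper name
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )
    $result = [ordered]@{
        Path = $Path; Value = $Name; Kind = $null; Data = $null
        Status = 'Finding'; Reason = $null
    }

    # The policy key is absent when no Outlook security policy has been applied.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        $result.Reason = 'Policy key is not present'
        return [pscustomobject]$result
    }
    # The key can exist without this specific value being configured.
    if ($key.GetValueNames() -notcontains $Name) {
        $result.Reason = 'Value is not configured'
        return [pscustomobject]$result
    }

    $result.Kind = $key.GetValueKind($Name)
    $result.Data = $key.GetValue($Name)

    # The criteria require both the type (REG_DWORD) and the data (0) to match.
    if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Reason = 'Value exists but is not REG_DWORD'
    } elseif ($result.Data -ne 0) {
        $result.Reason = 'REG_DWORD is not 0'
    } else {
        $result.Status = 'NotAFinding'
        $result.Reason = 'REG_DWORD = 0'
    }
    [pscustomobject]$result
}

Test-ItemPropertyPrompt | Format-List
```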