Enable the Missing Root Certificates warning

Enable the Missing Root Certificates warning - Outlook.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17756	DTOO268 - Outlook	SV-18950r2_rule	ECSC-1	Medium

Description
When Outlook 2007 accesses a certificate, it validates that it can trust the certificate by examining the root certificate of the issuing CA. If the root certificate can be trusted, then certificates issued by the CA can also be trusted. If Outlook cannot find the root certificate, it cannot validate that any certificates issued by that CA can be trusted. An attacker may compromise a root certificate and then remove the certificate in an attempt to conceal the attack. By default, users are not prompted with a warning or an error when a root certificate cannot be located. By default, Outlook displays a warning message when a CRL is not available.

Description

When Outlook 2007 accesses a certificate, it validates that it can trust the certificate by examining the root certificate of the issuing CA. If the root certificate can be trusted, then certificates issued by the CA can also be trusted. If Outlook cannot find the root certificate, it cannot validate that any certificates issued by that CA can be trusted. An attacker may compromise a root certificate and then remove the certificate in an attempt to conceal the attack. By default, users are not prompted with a warning or an error when a root certificate cannot be located. By default, Outlook displays a warning message when a CRL is not available.

STIG	Date
Microsoft Outlook 2007	2015-09-17

Details

Check Text ( C-39975r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography -> Signature Status dialog box "Missing root certificates" will be set to "Enabled (error)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security Criteria: If the value SigStatusNoTrustDecision is REG_DWORD = 2, this is not a finding.

Check Text ( C-39975r1_chk )

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography -> Signature Status dialog box "Missing root certificates" will be set to "Enabled (error)".

Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security

Criteria: If the value SigStatusNoTrustDecision is REG_DWORD = 2, this is not a finding.

Fix Text (F-17655r2_fix)
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography -> Signature Status dialog box “Missing root certificates” will be set to “Enabled (error)”.