
Set Control Item property prompt for data, to automatically deny.


Overview

Finding ID: V-17801
Version: DTOO248 - Base
Rule ID: SV-19028r1_rule
IA Controls: ECSC-1
Severity: Medium

Description
When a control on a custom Outlook 2007 form is bound directly to any of the Address Information fields, the form code can indirectly retrieve the value of the Address Information field by obtaining the Value property of the control. If the custom form was created by a malicious or inexperienced user, sensitive information could be exposed to unauthorized parties. By default, Outlook prompts users when they bind a control to an Address Information field.
STIG: Microsoft Outlook 2007
Date: 2015-09-17

Details

Check Text ( C-19053r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Security Form Settings -> Custom Form Security “Set control ItemProperty prompt” will be set to “Enabled (Automatically Deny)”.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security

Criteria: If the value PromptOOMItemPropertyAccess is REG_DWORD = 0, this is not a finding.
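
The check above can be scripted. The following PowerShell is an added example, not part of the STIG; the function name, parameter names and status strings are this example's own, while the key and value name come from the check text. Because the key is under HKCU, it evaluates only the user it runs as.

```powershell
function Test-OutlookItemPropertyPrompt {
    param(
        # Key and value name are taken from the check text above.
        [string]$KeyPath   = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook\Security',
        [string]$ValueName = 'PromptOOMItemPropertyAccess'
    )

    # Assume a finding until the criteria are met exactly.
    $result = [pscustomobject]@{
        FindingId = 'V-17801'
        Status    = 'Open'
        Detail    = ''
    }

    # A missing policy key means the policy was never applied to this user.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        $result.Detail = "Policy key not present: $KeyPath"
        return $result
    }

    # The key can exist without this particular value.
    if ($key.GetValueNames() -notcontains $ValueName) {
        $result.Detail = "$ValueName is not set under the policy key"
        return $result
    }

    # The criteria require both the type (REG_DWORD) and the data (0).
    $kind = $key.GetValueKind($ValueName)
    $data = $key.GetValue($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        $result.Detail = "$ValueName is $kind, expected REG_DWORD"
    }
    elseif ($data -ne 0) {
        $result.Detail = "$ValueName = $data, expected 0"
    }
    else {
        $result.Status = 'NotAFinding'
        $result.Detail = "$ValueName is REG_DWORD = 0"
    }
    return $result
}

Test-OutlookItemPropertyPrompt
```
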
Fix Text (F-17702r1_fix)
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Security Form Settings -> Custom Form Security “Set control ItemProperty prompt” will be set to “Enabled (Automatically Deny)”.