UCF STIG Viewer Logo

Microsoft Outlook 2013 STIG


Date Finding Count (81)
2018-09-05 CAT I (High): 0 CAT II (Med): 81 CAT III (Low): 0
STIG Description
The Microsoft Outlook 2013 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil.

Available Profiles

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-17184 Medium Links that invoke instances of Internet Explorer from within an Office product must be blocked.
V-17183 Medium Navigation to URLs embedded in Office products must be blocked.
V-26633 Medium Outlook Rich Text options must be set for converting to plain text format.
V-17573 Medium Object Model Prompt behavior for Meeting and Task Responses must be configured.
V-17675 Medium Outlook Object Model scripts must be disallowed to run for public folders.
V-17777 Medium Upload method for publishing calendars to Office Online must be restricted.
V-17674 Medium Folders in non-default stores, set as folder home pages, must be disallowed.
V-17763 Medium Publishing calendars to Office Online must be prevented.
V-17601 Medium The prompt to display level 1 attachments must be disallowed when closing an item.
V-17602 Medium The prompt to display level 1 attachments must be disallowed when sending an item.
V-17760 Medium Outlook Security Mode must be configured to use Group Policy settings.
V-17587 Medium The remember password for internet e-mail accounts must be disabled.
V-17766 Medium Users customizing attachment security settings must be prevented.
V-17807 Medium Trust EMail from senders in receivers contact list must be enforced.
V-17803 Medium Warning about invalid signatures must be enforced.
V-17734 Medium Outlook must be configured to force authentication when connecting to an Exchange server.
V-17733 Medium Attachments using generated name for secure temporary folders must be configured.
V-17572 Medium Object Model Prompt behavior for programmatic access of user address data must be configured.
V-17615 Medium RPC encryption between Outlook and Exchange server must be enforced.
V-17624 Medium Junk Mail UI must be configured.
V-26702 Medium Check e-mail addresses against addresses of certificates being used must be disallowed.
V-17570 Medium Object Model Prompt behavior for accessing User Property Formula must be configured.
V-17173 Medium Disabling of user name and password syntax from being used in URLs must be enforced.
V-17574 Medium Object Model Prompt for programmatic email send behavior must be configured.
V-17174 Medium The Internet Explorer Bind to Object functionality must be enabled.
V-17175 Medium The Saved from URL mark must be selected to enforce Internet zone processing.
V-17778 Medium Retrieving of CRL data must be set for online action.
V-17546 Medium Access restriction settings for published calendars must be configured.
V-17562 Medium Scripts in One-Off Outlook forms must be disallowed.
V-17564 Medium IE Trusted Zones assumed trusted must be blocked.
V-17787 Medium Run in FIPS compliant mode must be enforced.
V-17566 Medium The Add-In Trust Level must be configured.
V-17569 Medium Action to demote an EMail Level 1 attachment to Level 2 must be configured.
V-17568 Medium Object Model Prompt behavior for programmatic address books must be configured.
V-17755 Medium Message formats must be set to use SMime.
V-17571 Medium Object Model Prompt behavior for the SaveAs method must be configured.
V-17678 Medium Internet calendar integration in Outlook must be disabled.
V-17634 Medium Intranet with Safe Zones for automatic picture downloads must be configured.
V-26635 Medium Outlook must be configured not to prompt users to choose security settings if default settings fail.
V-17771 Medium Read signed email as plain text must be enforced.
V-26637 Medium Replies or forwards to signed/encrypted messages must be signed/encrypted.
V-26636 Medium Outlook minimum encryption key length settings must be set.
V-17774 Medium Level 1 file extensions must be blocked and not removed.
V-17775 Medium Level 2 file extensions must be blocked and not removed.
V-17776 Medium Level of calendar details that a user can publish must be restricted.
V-26632 Medium Automatically downloading enclosures on RSS must be disallowed.
V-17806 Medium RSS feed synchronization with Common Feed List must be disallowed.
V-17753 Medium Outlook must be enforced as the default email, calendar, and contacts program.
V-17802 Medium Custom Outlook Object Model (OOM) action execution prompts must be configured.
V-17630 Medium Internet with Safe Zones for Picture Download must be disabled.
V-17610 Medium Disabling download full text of articles as HTML must be configured.
V-17944 Medium User Entries to Server List must be disallowed.
V-17770 Medium Read EMail as plain text must be enforced.
V-17613 Medium Hyperlinks in suspected phishing email messages must be disallowed.
V-17738 Medium Automatic download of Internet Calendar appointment attachments must be disallowed.
V-17575 Medium Trusted add-ins behavior for email must be configured.
V-17808 Medium RSS Feeds must be disallowed.
V-17739 Medium Automatic download content for email in Safe Senders list must be disallowed.
V-26634 Medium Default message format must be set to use Plain Text.
V-17671 Medium The ability to display level 1 attachments must be disallowed.
V-17558 Medium Recipients of sent email must be unable to be added to the safe senders list.
V-17673 Medium The ability to add signatures to email messages must be allowed.
V-17672 Medium External content and pictures in HTML email must be displayed.
V-17756 Medium Missing Root Certificates warning must be enforced.
V-17761 Medium Plain Text Options for outbound email must be configured.
V-17676 Medium Outlook Object Model scripts must be disallowed to run for shared folders.
V-41492 Medium The use of the weather bar in Outlook must be disabled
V-41493 Medium Text in Outlook that represents Internet and network paths must not be automatically turned into hyperlinks.
V-17470 Medium Permit download of content from safe zones must be configured.
V-26588 Medium Scripted Window Security must be enforced.
V-17790 Medium S/Mime interoperability with external clients for message handling must be configured.
V-17798 Medium Always warn on untrusted macros must be enforced.
V-17800 Medium Send all signed messages as clear signed messages must be configured.
V-17812 Medium Dragging Unicode email messages to file system must be disallowed.
V-26586 Medium ActiveX installs must be configured for proper restrictions.
V-17762 Medium Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
V-17795 Medium Automatic sending s/Mime receipt requests must be disallowed.
V-26587 Medium File Downloads must be configured for proper restrictions.
V-17559 Medium ActiveX One-Off forms must be configured.
V-26585 Medium Protection from zone elevation must be enforced.
V-26584 Medium Add-on Management functionality must be allowed.