| V-228421 | Medium | Saved from URL mark to assure Internet zone processing must be enforced.
| Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the... |
| V-228420 | Medium | Enabling IE Bind to Object functionality must be present.
| Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the... |
| V-228423 | Medium | Scripted Window Security must be enforced.
| Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not... |
| V-228422 | Medium | Navigation to URLs embedded in Office products must be blocked.
| To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by... |
| V-228425 | Medium | Links that invoke instances of Internet Explorer from within an Office product must be blocked.
| The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of... |
| V-228424 | Medium | Add-on Management functionality must be allowed.
| Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring... |
| V-228427 | Medium | Protection from zone elevation must be enforced.
| Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine... |
| V-228426 | Medium | File Downloads must be configured for proper restrictions.
| Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur... |
| V-228429 | Medium | Publishing calendars to Office Online must be prevented. | This policy setting controls whether Outlook users can publish their calendars to the Office.com Calendar Sharing Service. If you enable this policy setting, Outlook users cannot publish their... |
| V-228428 | Medium | ActiveX Installs must be configured for proper restriction.
| Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or... |
| V-228445 | Medium | Object Model Prompt for programmatic email send behavior must be configured.
| This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outlook object model. If you enable this policy setting, you can choose from... |
| V-228449 | Medium | Object Model Prompt behavior for the SaveAs method must be configured. | This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically save an item. If you enable this policy setting, you can choose from... |
| V-228448 | Medium | Object Model Prompt behavior for Meeting and Task Responses must be configured. | This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request. If you enable this... |
| V-228444 | Medium | Custom Outlook Object Model (OOM) action execution prompts must be configured.
| This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other... |
| V-228443 | Medium | Scripts in One-Off Outlook forms must be disallowed.
| This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message. If you enable this policy setting, scripts can run in one-off... |
| V-228442 | Medium | Level 2 file extensions must be blocked and not removed.
| This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can open them. Files with specific extensions can be categorized as Level... |
| V-228441 | Medium | Level 1 file extensions must be blocked and not removed.
| This policy setting controls which types of attachments (determined by file extension) Outlook prevents from being delivered. Outlook uses two levels of security to restrict users' access to files... |
| V-228468 | Medium | Disabling download full text of articles as HTML must be configured.
| This policy setting controls whether Outlook automatically makes an offline copy of the RSS items as HTML attachments. If you enable this policy setting, Outlook automatically makes an offline... |
| V-228440 | Medium | The ability to display level 1 attachments must be disallowed.
| This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two levels of security to restrict users' access to files attached to e-mail... |
| V-251863 | Medium | Read EMail as plain text must be enforced. | Outlook can display email messages and other items in three formats: plain text, Rich Text Format (RTF), and HTML. By default, Outlook displays email messages in whatever format they were received. |
| V-228472 | Medium | Automatically downloading enclosures on RSS must be disallowed.
| This policy setting allows you to control whether Outlook automatically downloads enclosures on RSS items. If you enable this policy setting, Outlook will automatically download enclosures on RSS... |
| V-228473 | Medium | Outlook must be configured not to prompt users to choose security settings if default settings fail.
| Check to prompt the user to choose security settings if default settings fail; uncheck to automatically select. |
| V-228470 | Medium | Internet calendar integration in Outlook must be disabled.
| This policy setting allows the user to determine whether or not to include Internet Calendar integration in Outlook. The Internet Calendar feature in Outlook enables users to publish calendars... |
| V-228471 | Medium | User Entries to Server List must be disallowed.
| This policy setting controls whether Outlook users can add entries to the list of SharePoint servers when establishing a meeting workspace. If you enable this policy setting, you can choose... |
| V-228476 | Medium | Check e-mail addresses against addresses of certificates being used must be disallowed.
| This policy setting controls whether Outlook verifies the user's e-mail address with the address associated with the certificate used for signing. If you enable this policy setting, users can send... |
| V-251867 | Medium | Outlook Rich Text options must be set for converting to plain text format. | Outlook automatically converts Rich Text Format (RTF) messages that are sent over the internet to HTML format, so that the message formatting is maintained and attachments are received.
This... |
| V-228475 | Medium | Replies or forwards to signed/encrypted messages must be signed/encrypted.
| This policy setting controls whether replies and forwards to signed/encrypted mail should also be signed/encrypted. If you enable this policy setting, signing/encryption will be turned on when... |
| V-228454 | Medium | Run in FIPS compliant mode must be enforced. | This policy setting controls whether Outlook is required to use FIPS-compliant algorithms when signing and encrypting messages. Outlook can run in a mode that complies with Federal Information... |
| V-228419 | Medium | Disabling of user name and password syntax from being used in URLs must be enforced.
| The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to... |
| V-228456 | Medium | Automatic sending s/Mime receipt requests must be disallowed.
| This policy setting controls how Outlook handles S/MIME receipt requests. If you enable this policy setting, you can choose from four options for handling S/MIME receipt requests in Outlook:- Open... |
| V-228457 | Medium | Retrieving of CRL data must be set for online action. | This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates.Certificate revocation lists (CRLs) are lists of digital certificates that... |
| V-228450 | Medium | Object Model Prompt behavior for accessing User Property Formula must be configured. | This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field. If you enable... |
| V-228451 | Medium | Trusted add-ins behavior for email must be configured.
| This policy setting can be used to specify a list of trusted add-ins that can be run without being restricted by the security measures in Outlook. If you enable this policy setting, a list of... |
| V-228438 | Medium | Users customizing attachment security settings must be prevented.
| This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting users will be prevented from overriding the set of attachments... |
| V-228453 | Medium | Message formats must be set to use SMime.
| This policy setting controls which message encryption formats Outlook can use. Outlook supports three formats for encrypting and signing messages: S/MIME, Exchange, and Fortezza. If you enable... |
| V-228436 | Medium | The Add-In Trust Level must be configured.
| All installed trusted COM addins can be trusted. Exchange Settings for the addins still override if present and this option is selected. |
| V-228437 | Medium | The remember password for internet e-mail accounts must be disabled.
| Use this option to hide your user's ability to cache passwords locally in the computer's registry. When configured, this policy will hide the 'Remember Password' checkbox and not allow users to... |
| V-228434 | Medium | Outlook Object Model scripts must be disallowed to run for public folders.
| This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for public folders. If you enable this policy setting, Outlook cannot... |
| V-228435 | Medium | ActiveX One-Off forms must be configured.
| By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook... |
| V-228458 | Medium | External content and pictures in HTML email must be displayed.
| This policy setting setting controls whether Outlook downloads untrusted pictures and external content located in HTML e-mail messages without users explicitly choosing to download them. If you... |
| V-228459 | Medium | Automatic download content for email in Safe Senders list must be disallowed. | This policy setting controls whether Outlook automatically downloads external content in e-mail from senders in the Safe Senders List or Safe Recipients List. If you enable this policy setting,... |
| V-228430 | Medium | Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
| This policy setting controls whether Outlook users can publish their calendars to a DAV server. If you enable this policy setting, Outlook users cannot publish their calendars to a DAV server. If... |
| V-228433 | Medium | Outlook Object Model scripts must be disallowed to run for shared folders.
| This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared folders. If you enable this policy setting, Outlook cannot execute any... |
| V-228455 | Medium | Send all signed messages as clear signed messages must be configured.
| This policy setting controls whether Outlook sends signed messages as clear text signed messages. If you enable this policy setting, the "Send clear text signed message when sending signed... |
| V-251865 | Medium | Read signed email as plain text must be enforced. | Outlook can display email messages and other items in three formats: plain text, Rich Text Format (RTF), and HTML. By default, Outlook displays digitally signed email messages in the format which... |
| V-228431 | Medium | Level of calendar details that a user can publish must be restricted. | This policy setting controls the level of calendar details that Outlook users can publish to the Microsoft Outlook Calendar Sharing Service. If you enable this policy setting, you can choose from... |
| V-251866 | Medium | The default message format must be set to use Plain Text. | Outlook uses HTML as the default email format. HTML format poses a security risk by embedding information into the email itself, which could allow for release of sensitive information. If a user... |
| V-228447 | Medium | Object Model Prompt behavior for programmatic access of user address data must be configured. | This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the 'To:' field, using the Outlook object model. If you enable this policy... |
| V-228439 | Medium | Outlook Security Mode must be configured to use Group Policy settings.
| This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you can choose from four options for enforcing Outlook security settings: *... |
| V-228446 | Medium | Object Model Prompt behavior for programmatic address books must be configured. | This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outlook object model. If you enable this policy setting, you can choose... |
| V-228461 | Medium | IE Trusted Zones assumed trusted must be blocked.
| This policy setting controls whether pictures from sites in the Trusted Sites security zone are automatically downloaded in Outlook e-mail messages and other items. If you enable this policy... |
| V-228452 | Medium | S/Mime interoperability with external clients for message handling must be configured.
| This policy setting controls whether Outlook decodes encrypted messages itself or passes them to an external program for processing. If you enable this policy setting, you can choose from three... |
| V-251872 | Medium | Text in Outlook that represents internet and network paths must not be automatically turned into hyperlinks. | The ability of Outlook to automatically turn text that represents internet and network paths into hyperlinks would allow users to click on those hyperlinks in an email message and access malicious... |
| V-228469 | Medium | Automatic download of Internet Calendar appointment attachments must be disallowed.
| This policy setting controls whether Outlook downloads files attached to Internet Calendar appointments. If you enable this policy setting, Outlook automatically downloads all Internet Calendar... |
| V-228474 | Medium | Outlook minimum encryption key length settings must be set.
| This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message.... |
| V-228465 | Medium | Hyperlinks in suspected phishing email messages must be disallowed.
| This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable this policy setting, Outlook will allow hyperlinks in suspected phishing... |
| V-228464 | Medium | Always warn on untrusted macros must be enforced.
| This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose from four options for handling macros in Outlook: - Always warn. This... |
| V-228467 | Medium | Outlook must be configured to force authentication when connecting to an Exchange server.
| This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note - Exchange Server supports the Kerberos authentication protocol and NTLM... |
| V-228466 | Medium | RPC encryption between Outlook and Exchange server must be enforced.
| This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC... |
| V-228432 | Medium | Access restriction settings for published calendars must be configured.
| This policy setting determines what restrictions apply to users who publish their calendars on Office.com or third-party World Wide Web Distributed Authoring and Versioning (WebDAV) servers. If... |
| V-228460 | Medium | Permit download of content from safe zones must be configured.
| This policy setting controls whether Outlook automatically downloads content from safe zones when displaying messages. If you enable this policy setting content from safe zones will be downloaded... |
| V-228463 | Medium | Intranet with Safe Zones for automatic picture downloads must be configured.
| This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the local intranet are downloaded without Outlook users explictly choosing to... |
| V-228462 | Medium | Internet with Safe Zones for Picture Download must be disabled.
| This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook users explicitly choosing to do so.... |
