Microsoft Outlook 2016 Security Technical Implementation Guide


Date: 2022-03-11
Finding Count (63): CAT I (High): 0, CAT II (Med): 63, CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC II - Mission Support Sensitive)

Finding ID Severity Title
V-228421 Medium Saved from URL mark to assure Internet zone processing must be enforced.
V-228420 Medium Enabling IE Bind to Object functionality must be present.
V-228423 Medium Scripted Window Security must be enforced.
V-228422 Medium Navigation to URLs embedded in Office products must be blocked.
V-228425 Medium Links that invoke instances of Internet Explorer from within an Office product must be blocked.
V-228424 Medium Add-on Management functionality must be allowed.
V-228427 Medium Protection from zone elevation must be enforced.
V-228426 Medium File Downloads must be configured for proper restrictions.
V-228429 Medium Publishing calendars to Office Online must be prevented.
V-228428 Medium ActiveX Installs must be configured for proper restriction.
V-228445 Medium Object Model Prompt for programmatic email send behavior must be configured.
V-228449 Medium Object Model Prompt behavior for the SaveAs method must be configured.
V-228448 Medium Object Model Prompt behavior for Meeting and Task Responses must be configured.
V-228444 Medium Custom Outlook Object Model (OOM) action execution prompts must be configured.
V-228443 Medium Scripts in One-Off Outlook forms must be disallowed.
V-228442 Medium Level 2 file extensions must be blocked and not removed.
V-228441 Medium Level 1 file extensions must be blocked and not removed.
V-228468 Medium Disabling download full text of articles as HTML must be configured.
V-228440 Medium The ability to display level 1 attachments must be disallowed.
V-251863 Medium Read EMail as plain text must be enforced.
V-228472 Medium Automatically downloading enclosures on RSS must be disallowed.
V-228473 Medium Outlook must be configured not to prompt users to choose security settings if default settings fail.
V-228470 Medium Internet calendar integration in Outlook must be disabled.
V-228471 Medium User Entries to Server List must be disallowed.
V-228476 Medium Check e-mail addresses against addresses of certificates being used must be disallowed.
V-251867 Medium Outlook Rich Text options must be set for converting to plain text format.
V-228475 Medium Replies or forwards to signed/encrypted messages must be signed/encrypted.
V-228454 Medium Run in FIPS compliant mode must be enforced.
V-228419 Medium Disabling of user name and password syntax from being used in URLs must be enforced.
V-228456 Medium Automatic sending s/Mime receipt requests must be disallowed.
V-228457 Medium Retrieving of CRL data must be set for online action.
V-228450 Medium Object Model Prompt behavior for accessing User Property Formula must be configured.
V-228451 Medium Trusted add-ins behavior for email must be configured.
V-228438 Medium Users customizing attachment security settings must be prevented.
V-228453 Medium Message formats must be set to use SMime.
V-228436 Medium The Add-In Trust Level must be configured.
V-228437 Medium The remember password for internet e-mail accounts must be disabled.
V-228434 Medium Outlook Object Model scripts must be disallowed to run for public folders.
V-228435 Medium ActiveX One-Off forms must be configured.
V-228458 Medium External content and pictures in HTML email must be displayed.
V-228459 Medium Automatic download content for email in Safe Senders list must be disallowed.
V-228430 Medium Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
V-228433 Medium Outlook Object Model scripts must be disallowed to run for shared folders.
V-228455 Medium Send all signed messages as clear signed messages must be configured.
V-251865 Medium Read signed email as plain text must be enforced.
V-228431 Medium Level of calendar details that a user can publish must be restricted.
V-251866 Medium The default message format must be set to use Plain Text.
V-228447 Medium Object Model Prompt behavior for programmatic access of user address data must be configured.
V-228439 Medium Outlook Security Mode must be configured to use Group Policy settings.
V-228446 Medium Object Model Prompt behavior for programmatic address books must be configured.
V-228461 Medium IE Trusted Zones assumed trusted must be blocked.
V-228452 Medium S/Mime interoperability with external clients for message handling must be configured.
V-251872 Medium Text in Outlook that represents internet and network paths must not be automatically turned into hyperlinks.
V-228469 Medium Automatic download of Internet Calendar appointment attachments must be disallowed.
V-228474 Medium Outlook minimum encryption key length settings must be set.
V-228465 Medium Hyperlinks in suspected phishing email messages must be disallowed.
V-228464 Medium Always warn on untrusted macros must be enforced.
V-228467 Medium Outlook must be configured to force authentication when connecting to an Exchange server.
V-228466 Medium RPC encryption between Outlook and Exchange server must be enforced.
V-228432 Medium Access restriction settings for published calendars must be configured.
V-228460 Medium Permit download of content from safe zones must be configured.
V-228463 Medium Intranet with Safe Zones for automatic picture downloads must be configured.
V-228462 Medium Internet with Safe Zones for Picture Download must be disabled.