| Finding ID |
Severity |
Title |
Description |
|
V-251872
|
Medium |
Text in Outlook that represents internet and network paths must not be automatically turned into hyperlinks. |
The ability of Outlook to automatically turn text that represents internet and network paths into hyperlinks would allow users to click on those hyperlinks in an email message and access malicious or otherwise harmful websites. |
|
V-251867
|
Medium |
Outlook Rich Text options must be set for converting to plain text format. |
Outlook automatically converts Rich Text Format (RTF) messages that are sent over the internet to HTML format, so that the message formatting is maintained and attachments are received.
This setting controls how Outlook sends RTF messages to internet recipients. |
|
V-251866
|
Medium |
The default message format must be set to use Plain Text. |
Outlook uses HTML as the default email format. HTML format poses a security risk by embedding information into the email itself, which could allow for release of sensitive information. If a user attempted to insert an HTML link into an email message, the link itself may direct to a malicious... |
|
V-251865
|
Medium |
Read signed email as plain text must be enforced. |
Outlook can display email messages and other items in three formats: plain text, Rich Text Format (RTF), and HTML. By default, Outlook displays digitally signed email messages in the format which they were received. |
|
V-251863
|
Medium |
Read EMail as plain text must be enforced. |
Outlook can display email messages and other items in three formats: plain text, Rich Text Format (RTF), and HTML. By default, Outlook displays email messages in whatever format they were received. |
|
V-228476
|
Medium |
Check e-mail addresses against addresses of certificates being used must be disallowed.
|
This policy setting controls whether Outlook verifies the user's e-mail address with the address associated with the certificate used for signing. If you enable this policy setting, users can send messages signed with certificates that do not match their e-mail addresses. If you disable or do not configure this policy... |
|
V-228475
|
Medium |
Replies or forwards to signed/encrypted messages must be signed/encrypted.
|
This policy setting controls whether replies and forwards to signed/encrypted mail should also be signed/encrypted. If you enable this policy setting, signing/encryption will be turned on when replying/forwarding a signed or encrypted message, even if the user is not configured for SMIME. If you disable or do not configure this... |
|
V-228474
|
Medium |
Outlook minimum encryption key length settings must be set.
|
This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries to send a message using an... |
|
V-228473
|
Medium |
Outlook must be configured not to prompt users to choose security settings if default settings fail.
|
Check to prompt the user to choose security settings if default settings fail; uncheck to automatically select. |
|
V-228472
|
Medium |
Automatically downloading enclosures on RSS must be disallowed.
|
This policy setting allows you to control whether Outlook automatically downloads enclosures on RSS items. If you enable this policy setting, Outlook will automatically download enclosures on RSS items. If you disable or do not configure this policy setting, enclosures on RSS items are not downloaded by default. |
|
V-228471
|
Medium |
User Entries to Server List must be disallowed.
|
This policy setting controls whether Outlook users can add entries to the list of SharePoint servers when establishing a meeting workspace. If you enable this policy setting, you can choose between two options to determine whether Outlook users can add entries to the published server list: - Publish default, allow... |
|
V-228470
|
Medium |
Internet calendar integration in Outlook must be disabled.
|
This policy setting allows the user to determine whether or not to include Internet Calendar integration in Outlook. The Internet Calendar feature in Outlook enables users to publish calendars online (using the webcal:// protocol) and subscribe to calendars that others have published. When users subscribe to an internet calendar, Outlook... |
|
V-228469
|
Medium |
Automatic download of Internet Calendar appointment attachments must be disallowed.
|
This policy setting controls whether Outlook downloads files attached to Internet Calendar appointments. If you enable this policy setting, Outlook automatically downloads all Internet Calendar appointment attachments. If you disable or do not configure this policy setting, Outlook does not download attachments when retrieving Internet Calendar appointments. |
|
V-228468
|
Medium |
Disabling download full text of articles as HTML must be configured.
|
This policy setting controls whether Outlook automatically makes an offline copy of the RSS items as HTML attachments. If you enable this policy setting, Outlook automatically makes an offline copy of RSS items as HTML attachments. If you disable or do not configure this policy setting, Outlook will not automatically... |
|
V-228467
|
Medium |
Outlook must be configured to force authentication when connecting to an Exchange server.
|
This policy setting controls which authentication method Outlook uses to authenticate with Microsoft Exchange Server. Note - Exchange Server supports the Kerberos authentication protocol and NTLM for authentication. The Kerberos protocol is the more secure authentication method and is supported on Windows 2000 Server and later versions. NTLM authentication is... |
|
V-228466
|
Medium |
RPC encryption between Outlook and Exchange server must be enforced.
|
This policy setting controls whether Outlook uses remote procedure call (RPC) encryption to communicate with Microsoft Exchange servers. If you enable this policy setting, Outlook uses RPC encryption when communicating with an Exchange server. Note - RPC encryption only encrypts the data from the Outlook client computer to the Exchange... |
|
V-228465
|
Medium |
Hyperlinks in suspected phishing email messages must be disallowed.
|
This policy setting controls whether hyperlinks in suspected phishing e-mail messages in Outlook are allowed. If you enable this policy setting, Outlook will allow hyperlinks in suspected phishing messages that are not also classified as junk e-mail. If you disable or do not configure this policy setting, Outlook will not... |
|
V-228464
|
Medium |
Always warn on untrusted macros must be enforced.
|
This policy setting controls the security level for macros in Outlook. If you enable this policy setting, you can choose from four options for handling macros in Outlook: - Always warn. This option corresponds to the "Warnings for all macros" option in the "Macro Security" section of the Outlook Trust... |
|
V-228463
|
Medium |
Intranet with Safe Zones for automatic picture downloads must be configured.
|
This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the local intranet are downloaded without Outlook users explictly choosing to do so. If you enable this policy setting, Outlook will automatically download external content in all e-mail messages sent over the local... |
|
V-228462
|
Medium |
Internet with Safe Zones for Picture Download must be disabled.
|
This policy setting controls whether pictures and external content in HTML e-mail messages from untrusted senders on the Internet are downloaded without Outlook users explicitly choosing to do so. If you enable this policy setting, Outlook will automatically download external content in all e-mail messages sent over the Internet and... |
|
V-228461
|
Medium |
IE Trusted Zones assumed trusted must be blocked.
|
This policy setting controls whether pictures from sites in the Trusted Sites security zone are automatically downloaded in Outlook e-mail messages and other items. If you enable this policy setting, Outlook does not automatically download content from Web sites in the Trusted sites zone in Internet Explorer. Recipients can choose... |
|
V-228460
|
Medium |
Permit download of content from safe zones must be configured.
|
This policy setting controls whether Outlook automatically downloads content from safe zones when displaying messages. If you enable this policy setting content from safe zones will be downloaded automatically. If you disable this policy Outlook will not automatically download content from safe zones. Recipients can choose to download external content... |
|
V-228459
|
Medium |
Automatic download content for email in Safe Senders list must be disallowed. |
This policy setting controls whether Outlook automatically downloads external content in e-mail from senders in the Safe Senders List or Safe Recipients List. If you enable this policy setting, Outlook automatically downloads content for e-mail from people in Safe Senders and Safe Recipients lists. If you disable this policy setting,... |
|
V-228458
|
Medium |
External content and pictures in HTML email must be displayed.
|
This policy setting setting controls whether Outlook downloads untrusted pictures and external content located in HTML e-mail messages without users explicitly choosing to download them. If you enable this policy setting, Outlook will not automatically download content from external servers unless the sender is included in the Safe Senders list.... |
|
V-228457
|
Medium |
Retrieving of CRL data must be set for online action. |
This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates.Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised. If you... |
|
V-228456
|
Medium |
Automatic sending s/Mime receipt requests must be disallowed.
|
This policy setting controls how Outlook handles S/MIME receipt requests. If you enable this policy setting, you can choose from four options for handling S/MIME receipt requests in Outlook:- Open message if receipt can't be sent- Don't open message if receipt can't be sent- Always prompt before sending receipt- Never... |
|
V-228455
|
Medium |
Send all signed messages as clear signed messages must be configured.
|
This policy setting controls whether Outlook sends signed messages as clear text signed messages. If you enable this policy setting, the "Send clear text signed message when sending signed messages" option is selected in the E-mail Security section of the Trust Center. If you disable or do not configure this... |
|
V-228454
|
Medium |
Run in FIPS compliant mode must be enforced. |
This policy setting controls whether Outlook is required to use FIPS-compliant algorithms when signing and encrypting messages. Outlook can run in a mode that complies with Federal Information Processing Standards (FIPS), a set of standards published by the National Institute of Standards and Technology (NIST) for use by non-military United... |
|
V-228453
|
Medium |
Message formats must be set to use SMime.
|
This policy setting controls which message encryption formats Outlook can use. Outlook supports three formats for encrypting and signing messages: S/MIME, Exchange, and Fortezza. If you enable this policy setting, you can specify whether Outlook can use S/MIME (the default), Exchange, or Fortezza encryption, or any combination of any of... |
|
V-228452
|
Medium |
S/Mime interoperability with external clients for message handling must be configured.
|
This policy setting controls whether Outlook decodes encrypted messages itself or passes them to an external program for processing. If you enable this policy setting, you can choose from three options for configuring external S/MIME clients:- Handle internally. Outlook decrypts all S/MIME messages itself.- Handle externally. Outlook hands all S/MIME... |
|
V-228451
|
Medium |
Trusted add-ins behavior for email must be configured.
|
This policy setting can be used to specify a list of trusted add-ins that can be run without being restricted by the security measures in Outlook. If you enable this policy setting, a list of trusted add-ins and hashes is made available that you can modify by adding and removing... |
|
V-228450
|
Medium |
Object Model Prompt behavior for accessing User Property Formula must be configured. |
This policy setting controls what happens when a user designs a custom form in Outlook and attempts to bind an Address Information field to a combination or formula custom field. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to access... |
|
V-228449
|
Medium |
Object Model Prompt behavior for the SaveAs method must be configured. |
This policy setting controls what happens when an untrusted program attempts to use the Save As command to programmatically save an item. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to use the Save As command to programmatically save an... |
|
V-228448
|
Medium |
Object Model Prompt behavior for Meeting and Task Responses must be configured. |
This policy setting controls what happens when an untrusted program attempts to programmatically send e-mail in Outlook using the Response method of a task or meeting request. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to programmatically send e-mail using... |
|
V-228447
|
Medium |
Object Model Prompt behavior for programmatic access of user address data must be configured. |
This policy setting controls what happens when an untrusted program attempts to gain access to a recipient field, such as the 'To:' field, using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to access a recipient... |
|
V-228446
|
Medium |
Object Model Prompt behavior for programmatic address books must be configured. |
This policy setting controls what happens when an untrusted program attempts to gain access to an Address Book using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to programmatically access an Address Book using the Outlook... |
|
V-228445
|
Medium |
Object Model Prompt for programmatic email send behavior must be configured.
|
This policy setting controls what happens when an untrusted program attempts to send e-mail programmatically using the Outlook object model. If you enable this policy setting, you can choose from four different options when an untrusted program attempts to send e-mail programmatically using the Outlook object model: - Prompt user... |
|
V-228444
|
Medium |
Custom Outlook Object Model (OOM) action execution prompts must be configured.
|
This policy setting controls whether Outlook prompts users before executing a custom action. Custom actions add functionality to Outlook that can be triggered as part of a rule. Among other possible features, custom actions can be created that reply to messages in ways that circumvent the Outlook model's programmatic send... |
|
V-228443
|
Medium |
Scripts in One-Off Outlook forms must be disallowed.
|
This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message. If you enable this policy setting, scripts can run in one-off Outlook forms. If you disable or do not configure this policy setting, Outlook does not run scripts... |
|
V-228442
|
Medium |
Level 2 file extensions must be blocked and not removed.
|
This policy setting controls which types of attachments (determined by file extension) must be saved to disk before users can open them. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2 (users can open the file after saving it to disk).... |
|
V-228441
|
Medium |
Level 1 file extensions must be blocked and not removed.
|
This policy setting controls which types of attachments (determined by file extension) Outlook prevents from being delivered. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can be categorized as Level 1 (users cannot view the... |
|
V-228440
|
Medium |
The ability to display level 1 attachments must be disallowed.
|
This policy setting controls whether Outlook blocks potentially dangerous attachments designated Level 1. Outlook uses two levels of security to restrict users' access to files attached to e-mail messages or other items. Files with specific extensions can be categorized as Level 1 (users cannot view the file) or Level 2... |
|
V-228439
|
Medium |
Outlook Security Mode must be configured to use Group Policy settings.
|
This policy setting controls which set of security settings are enforced in Outlook. If you enable this policy setting, you can choose from four options for enforcing Outlook security settings: * Outlook Default Security - This option is the default configuration in Outlook. Users can configure security themselves, and Outlook... |
|
V-228438
|
Medium |
Users customizing attachment security settings must be prevented.
|
This policy setting prevents users from overriding the set of attachments blocked by Outlook. If you enable this policy setting users will be prevented from overriding the set of attachments blocked by Outlook. Outlook also checks the "Level1Remove" registry key when this setting is specified. If you disable or do... |
|
V-228437
|
Medium |
The remember password for internet e-mail accounts must be disabled.
|
Use this option to hide your user's ability to cache passwords locally in the computer's registry. When configured, this policy will hide the 'Remember Password' checkbox and not allow users to have Outlook remember their password. Note that POP3, IMAP, and HTTP e-mail accounts are all considered Internet e-mail accounts... |
|
V-228436
|
Medium |
The Add-In Trust Level must be configured.
|
All installed trusted COM addins can be trusted. Exchange Settings for the addins still override if present and this option is selected. |
|
V-228435
|
Medium |
ActiveX One-Off forms must be configured.
|
By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook Recipient and Body controls) are allowed in one-off forms, or so that all ActiveX controls are allowed to run. |
|
V-228434
|
Medium |
Outlook Object Model scripts must be disallowed to run for public folders.
|
This policy setting controls whether Outlook executes scripts that are associated with custom forms or folder home pages for public folders. If you enable this policy setting, Outlook cannot execute any scripts associated with public folders, overriding any configuration changes on users' computers. If you disable this policy setting, Outlook... |
|
V-228433
|
Medium |
Outlook Object Model scripts must be disallowed to run for shared folders.
|
This policy setting controls whether Outlook executes scripts associated with custom forms or folder home pages for shared folders. If you enable this policy setting, Outlook cannot execute any scripts associated with shared folders, overriding any configuration changes on users' computers. If you disable this policy setting, Outlook will automatically... |
|
V-228432
|
Medium |
Access restriction settings for published calendars must be configured.
|
This policy setting determines what restrictions apply to users who publish their calendars on Office.com or third-party World Wide Web Distributed Authoring and Versioning (WebDAV) servers. If you enable or disable this policy setting, calendars that are published on Office.com must have restricted access (users other than the calendar owner/publisher... |
|
V-228431
|
Medium |
Level of calendar details that a user can publish must be restricted. |
This policy setting controls the level of calendar details that Outlook users can publish to the Microsoft Outlook Calendar Sharing Service. If you enable this policy setting, you can choose from three levels of detail: * All options are available - This level of detail is the default configuration. *... |
|
V-228430
|
Medium |
Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
|
This policy setting controls whether Outlook users can publish their calendars to a DAV server. If you enable this policy setting, Outlook users cannot publish their calendars to a DAV server. If you disable or do not configure this policy setting, Outlook users can share their calendars with others by... |
|
V-228429
|
Medium |
Publishing calendars to Office Online must be prevented. |
This policy setting controls whether Outlook users can publish their calendars to the Office.com Calendar Sharing Service. If you enable this policy setting, Outlook users cannot publish their calendars to Office.com. If you disable do not configure this policy setting, Outlook users can share their calendars with selected others by... |
|
V-228428
|
Medium |
ActiveX Installs must be configured for proper restriction.
|
Microsoft ActiveX controls allow unmanaged, unprotected code to run on the user computers. ActiveX controls do not run within a protected container in the browser like the other types of HTML or Microsoft Silverlight-based controls. Disabling or not configuring this setting does not block prompts for ActiveX control installations, and... |
|
V-228427
|
Medium |
Protection from zone elevation must be enforced.
|
Internet Explorer places restrictions on each web page users can use the browser to open. Web pages on a user's local computer have the fewest security restrictions and reside in the Local Machine zone, making this security zone a prime target for malicious users and code. Disabling or not configuring... |
|
V-228426
|
Medium |
File Downloads must be configured for proper restrictions.
|
Disabling this setting allows websites to present file download prompts via code without the user specifically initiating the download. User preferences may also allow the download to occur without prompting or interaction with the user. Even if Internet Explorer prompts the user to accept the download, some websites abuse this... |
|
V-228425
|
Medium |
Links that invoke instances of Internet Explorer from within an Office product must be blocked.
|
The Pop-up Blocker feature in Internet Explorer can be used to block most unwanted pop-up and pop-under windows from appearing. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a... |
|
V-228424
|
Medium |
Add-on Management functionality must be allowed.
|
Internet Explorer add-ons are pieces of code, run in Internet Explorer, to provide additional functionality. Rogue add-ons may contain viruses or other malicious code. Disabling or not configuring this setting could allow malicious code or users to become active on user computers or the network. For example, a malicious user... |
|
V-228423
|
Medium |
Scripted Window Security must be enforced.
|
Malicious websites often try to confuse or trick users into giving a site permission to perform an action allowing the site to take control of the users' computers in some manner. Disabling or not configuring this setting allows unknown websites to:
-Create browser windows appearing to be from the local... |
|
V-228422
|
Medium |
Navigation to URLs embedded in Office products must be blocked.
|
To protect users from attacks, Internet Explorer usually does not attempt to load malformed URLs. This functionality can be controlled separately for instances of Internet Explorer spawned by Office applications (for example, if a user clicks a link in an Office document or selects a menu option that loads a... |
|
V-228421
|
Medium |
Saved from URL mark to assure Internet zone processing must be enforced.
|
Typically, when Internet Explorer loads a web page from a Universal Naming Convention (UNC) share that contains a Mark of the Web (MOTW) comment, indicating the page was saved from a site on the Internet, Internet Explorer runs the page in the Internet security zone instead of the less restrictive... |
|
V-228420
|
Medium |
Enabling IE Bind to Object functionality must be present.
|
Internet Explorer performs a number of safety checks before initializing an ActiveX control. It will not initialize a control if the kill bit for the control is set in the registry, or if the security settings for the zone in which the control is located do not allow it to... |
|
V-228419
|
Medium |
Disabling of user name and password syntax from being used in URLs must be enforced.
|
The Uniform Resource Locator (URL) standard allows user authentication to be included in URL strings in the form http://username:password@example.com. A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate website but actually opens a deceptive (spoofed) website. For example, the URL http://www.wingtiptoys.com@example.com... |
