StigData/Processed/Office-Outlook2013-1.13.xml

<DISASTIG id="Microsoft_Outlook_2013" version="1.13" created="12/14/2018">
  <RegistryRule dscresourcemodule="xPSDesiredStateConfiguration">
    <Rule id="V-17173" severity="medium" conversionstatus="pass" title="DTOO104 - Disable user name and password" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Disable user name and password" is "Enabled" and a check in the 'outlook.exe' check box is present.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17174" severity="medium" conversionstatus="pass" title="DTOO111 - Enable IE Bind to Object " dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Bind to Object" is "Enabled" and a check in the 'outlook.exe' check box is present.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17175" severity="medium" conversionstatus="pass" title="DTOO117 - Saved from URL" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Saved from URL" is "Enabled" and a check in the 'outlook.exe' check box is present.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17183" severity="medium" conversionstatus="pass" title="DTOO123-Block Navigation to URL from Office " dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Navigate URL" is "Enabled" and a check in the 'outlook.exe' check box is present.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17184" severity="medium" conversionstatus="pass" title="DTOO129 - Block Pop-Ups" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Block popups" is "Enabled" and 'outlook.exe' is checked.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17470" severity="medium" conversionstatus="pass" title="DTOO272 - Content download from safe zones" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Automatic Picture Download Settings "Do not permit download of content from safe zones" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value UnblockSafeZone is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>UnblockSafeZone</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17546" severity="medium" conversionstatus="pass" title="DTOO219 - Access to Published Calendars " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Calendar Options -&gt; Office.com Sharing Service "Access to published calendars" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal

Criteria: If the value RestrictedAccessOnly is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>RestrictedAccessOnly</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17558" severity="medium" conversionstatus="pass" title="DTOO224 - Email Recipient to Safe Sender List" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Junk E-mail "Add e-mail recipients to users' Safe Senders Lists" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value JunkMailTrustOutgoingRecipients is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>JunkMailTrustOutgoingRecipients</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17559" severity="medium" conversionstatus="pass" title="DTOO234 - Active X One-Off Forms" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security "Allow Active X One Off Forms" is set to "Enabled: Load only Outlook Controls".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value AllowActiveXOneOffForms is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>AllowActiveXOneOffForms</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17562" severity="medium" conversionstatus="pass" title="DTOO246 - Scripts in One-Off Forms" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Custom Form Security "Allow scripts in one-off Outlook forms" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value EnableOneOffFormScripts is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>EnableOneOffFormScripts</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17564" severity="medium" conversionstatus="pass" title="DTOO273 - Block Trusted Zones" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Automatic Picture Download Settings "Block Trusted Zones" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value TrustedZone is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>TrustedZone</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17566" severity="medium" conversionstatus="pass" title="DTOO236 - Add-In Trust Level" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security "Configure Add-In Trust Level" is set to "Enabled (Trust all loaded and installed COM addins)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value AddinTrust is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>AddinTrust</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17568" severity="medium" conversionstatus="pass" title="DTOO250 - Object Model Prompt for Address Book " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Programmatic Security "Configure Outlook object model prompt when accessing an address book" is set to "Enabled (Automatically Deny)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value PromptOOMAddressBookAccess is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>PromptOOMAddressBookAccess</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17569" severity="medium" conversionstatus="pass" title="DTOO241 - Demote Attachments to Level 2" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Attachment Security "Allow users to demote attachments to Level 2" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value AllowUsersToLowerAttachments is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>AllowUsersToLowerAttachments</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17570" severity="medium" conversionstatus="pass" title="DTOO254 - Object Model Prompt for Formula Property" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Programmatic Security "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object" is set to "Enabled (Automatically Deny)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value PromptOOMFormulaAccess is REG_DWORD = 0, this is not a finding.
</RawString>
      <ValueData>0</ValueData>
      <ValueName>PromptOOMFormulaAccess</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17571" severity="medium" conversionstatus="pass" title="DTOO253 - Object Model Prompt for Save As" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Programmatic Security "Configure Outlook object model prompt when executing Save As" is set to "Enabled (Automatically Deny)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value PromptOOMSaveAs is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>PromptOOMSaveAs</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17572" severity="medium" conversionstatus="pass" title="DTOO251 - Object Model Prompt for Reading Address" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Programmatic Security "Configure Outlook object model prompt when reading address information" is set to "Enabled (Automatically Deny)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value PromptOOMAddressInformationAccess is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>PromptOOMAddressInformationAccess</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17573" severity="medium" conversionstatus="pass" title="DTOO252-Object Model Prompt for Meeting Response" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Programmatic Security "Configure Outlook object model prompt when responding to meeting and task requests" is set to "Enabled (Automatically Deny)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value PromptOOMMeetingTaskRequestResponse is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>PromptOOMMeetingTaskRequestResponse</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17574" severity="medium" conversionstatus="pass" title="DTOO249 - Object Model Prmpt for auto email send" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Programmatic Security "Configure Outlook object model prompt when sending mail" is set to "Enabled (Automatically Deny)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value PromptOOMSend is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>PromptOOMSend</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17575" severity="medium" conversionstatus="pass" title="DTOO256 - Trusted Add-Ins Security" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Programmatic Security -&gt; Trusted Add-ins "Configure trusted add-ins" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\Outlook\security\trustedaddins

In some reported configurations, the registry key remains after disabling the setting but the value is empty.

If the registry key exists, with entries, this is a finding.
If the registry key exists, but with no entries, this is not a finding.
</RawString>
      <ValueData>0</ValueData>
      <ValueName>trustedaddins</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17587" severity="medium" conversionstatus="pass" title="DTOO237-Disable &quot;remember password&quot; on eMail Accts" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security "Disable 'Remember password' for Internet e-mail accounts" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value EnableRememberPwd is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>EnableRememberPwd</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17601" severity="medium" conversionstatus="pass" title="DTOO243 - Level 1 Attachment prompt" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Attachment Security "Do not prompt about Level 1 attachments when closing an item" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value DontPromptLevel1AttachClose is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DontPromptLevel1AttachClose</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17602" severity="medium" conversionstatus="pass" title="DTOO242 - Level 1 Attachment Prompt on sending. " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Attachment Security "Do not prompt about Level 1 attachments when sending an item" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value DontPromptLevel1AttachSend is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DontPromptLevel1AttachSend</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17610" severity="medium" conversionstatus="pass" title="DTOO283 - Dwnld articles as HTML attachments" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\rss</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Account Settings -&gt; RSS Feeds "Download full text of articles as HTML attachments" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\rss

Criteria: If the value EnableFullTextHTML is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>EnableFullTextHTML</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17613" severity="medium" conversionstatus="pass" title="DTOO277 - Links in Email Messages" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Trust Center "Allow hyperlinks in suspected phishing e-mail messages" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value JunkMailEnableLinks is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>JunkMailEnableLinks</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17615" severity="medium" conversionstatus="pass" title="DTOO279 - Enable RPC Encryption " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\rpc</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Account Settings -&gt; Exchange "Enable RPC encryption" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\rpc

Criteria: If the value EnableRPCEncryption is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>EnableRPCEncryption</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17624" severity="medium" conversionstatus="pass" title="DTOO221 - Junk Mail UI " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Junk E-mail "Hide Junk Mail UI" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook

Criteria: If the value DisableAntiSpam is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableAntiSpam</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17630" severity="medium" conversionstatus="pass" title="DTOO274 - Internet with Safe Zones " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Automatic Picture Download Settings "Include Internet in Safe Zones for Automatic Picture Download" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value Internet is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>Internet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17634" severity="medium" conversionstatus="pass" title="DTOO275 - Incl. Intranet with Safe Zone " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Automatic Picture Download Settings "Include Intranet in Safe Zones for Automatic Picture Download" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value Intranet is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>Intranet</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17671" severity="medium" conversionstatus="pass" title="DTOO240 - Level 1 Attachments" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Attachment Security "Display Level 1 attachments" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value ShowLevel1Attach is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>ShowLevel1Attach</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17672" severity="medium" conversionstatus="pass" title="DTOO270 - External Pictures &amp; content " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Microsoft Outlook 2013 &gt;&gt; Security &gt;&gt; Automatic Picture Download Settings "Display pictures and external content in HTML e-mail" is set to "Enabled".

NOTE: When this setting is Enabled, Outlook 2007 does block automatic download of content from external servers unless the sender is included in the Safe Senders list. Recipients can choose to download external content from untrusted senders on a message-by-message basis.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value BlockExtContent is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>BlockExtContent</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17673" severity="medium" conversionstatus="pass" title="DTOO227 - Digital Signature handling" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\common\mailsettings</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Mail format "Do not allow signatures for e-mail messages" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\common\mailsettings

Criteria: If the value DisableSignatures is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>DisableSignatures</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17674" severity="medium" conversionstatus="pass" title="DTOO230 - No fldr home pages / non-default stores " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Other -&gt; Advanced "Do not allow folders in non-default stores to be set as folder home pages" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value NonDefaultStoreScript is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>NonDefaultStoreScript</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17675" severity="medium" conversionstatus="pass" title="DTOO233 - OOM scripts for Public Folders" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Other -&gt; Advanced "Do not allow Outlook object model scripts to run for public folders" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value PublicFolderScript is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>PublicFolderScript</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17676" severity="medium" conversionstatus="pass" title="DTOO232 - OOM scripts for Shared Folders " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Other -&gt; Advanced "Do not allow Outlook object model scripts to run for shared folders" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value SharedFolderScript is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>SharedFolderScript</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17678" severity="medium" conversionstatus="pass" title="DTOO285 - Internet Calendar Integration " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\webcal</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Account Settings -&gt; Internet Calendars "Do not include Internet Calendar integration in Outlook" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\webcal

Criteria: If the value Disable is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>Disable</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17733" severity="medium" conversionstatus="pass" title="DTOO269 - Attachments to Secure Temporary Folder " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography -&gt; Signature Status dialog box "Attachment Secure Temporary Folder" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security\OutlookSecureTempFolder

Criteria: If the registry key exists, this is a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>OutlookSecureTempFolder</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17734" severity="medium" conversionstatus="pass" title="DTOO280 - Authentication w/Exchange Svr " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Account Settings -&gt; Exchange "Authentication with Exchange Server" is set to "Enabled (Kerberos/NTLM Password Authentication)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value AuthenticationService is REG_DWORD = 9, this is not a finding.</RawString>
      <ValueData>9</ValueData>
      <ValueName>AuthenticationService</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17738" severity="medium" conversionstatus="pass" title="DTOO284 - Auto download attachments Internet Cal" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\webcal</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Account Settings -&gt; Internet Calendars "Automatically download attachments" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\webcal

Criteria: If the value EnableAttachments is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>EnableAttachments</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17739" severity="medium" conversionstatus="pass" title="DTOO271 - Auto Download from Safe lists " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Automatic Picture Download Settings "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value UnblockSpecificSenders is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>UnblockSpecificSenders</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17753" severity="medium" conversionstatus="pass" title="DTOO229 - Make Outlook the default program" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\general</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Other "Make Outlook the default program for E-mail, Contacts, and Calendar" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\general

Criteria: If the value Check Default Client is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>Check Default Client</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17755" severity="medium" conversionstatus="pass" title="DTOO260 - SMime message formats" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "Message Formats" is set to "Enabled (S\MIME)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value MsgFormats is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>MsgFormats</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17756" severity="medium" conversionstatus="pass" title="DTOO268 - Missing Root Certificates " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography -&gt; Signature Status dialog box "Missing root certificates" is set to "Enabled (Error)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value SigStatusNoTrustDecision is REG_DWORD = 2, this is not a finding.</RawString>
      <ValueData>2</ValueData>
      <ValueName>SigStatusNoTrustDecision</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17760" severity="medium" conversionstatus="pass" title="DTOO239 - Outlook Security Mode " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Microsoft Outlook 2013 &gt;&gt; Security &gt;&gt; Security Form Settings "Outlook Security Mode" is "Enabled (Use Outlook Security Group Policy)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value AdminSecurityMode is REG_DWORD = 3, this is not a finding.</RawString>
      <ValueData>3</ValueData>
      <ValueName>AdminSecurityMode</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17761.a" severity="medium" conversionstatus="pass" title="DTOO228 - Plain Text Options " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\common\mailsettings\PlainWrapLen</Key>
      <OrganizationValueRequired>True</OrganizationValueRequired>
      <OrganizationValueTestString>{0} -ge '30' -and {0} -le '132'</OrganizationValueTestString>
      <RawString>Criteria: If the value for HKCU\Software\Policies\Microsoft\Office\15.0\common\mailsettings\PlainWrapLen is REG_DWORD = a value of between 30 and 132 (decimal)</RawString>
      <ValueData />
      <ValueName>PlainWrapLen</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17761.b" severity="medium" conversionstatus="pass" title="DTOO228 - Plain Text Options " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail\Message Plain Format Mime</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>value for HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail\Message Plain Format Mime is “REG_DWORD = 1”, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>Message Plain Format Mime</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17762" severity="medium" conversionstatus="pass" title="DTOO217 - Prevent publishing to DAV Servers" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Calendar Options -&gt; Office.com Sharing Service "Prevent publishing to a DAV server" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal

Criteria: If the value DisableDav is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>DisableDav</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17763" severity="medium" conversionstatus="pass" title="DTOO216 - Publishing to Office Online " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Calendar Options -&gt; Office.com Sharing Service "Prevent publishing to Office.com" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal

Criteria: If the value DisableOfficeOnline is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>DisableOfficeOnline</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17766" severity="medium" conversionstatus="pass" title="DTOO238 - Prev't users customizing security set" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security "Prevent users from customizing attachment security settings" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook

Criteria: If the value DisallowAttachmentCustomization is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>DisallowAttachmentCustomization</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17770" severity="medium" conversionstatus="pass" title="DTOO214 - Read EMail as plain text " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; E-mail Options "Read e-mail as plain text" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value ReadAsPlain is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>ReadAsPlain</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17771" severity="medium" conversionstatus="pass" title="DTOO215 - Read signed EMail as plain text " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; E-mail Options "Read signed e-mail as plain text" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value ReadSignedAsPlain is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>ReadSignedAsPlain</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17774" severity="medium" conversionstatus="pass" title="DTOO244 - Lvl 1 File extensions" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Microsoft Outlook 2013 &gt;&gt; Security &gt;&gt; Security Form Settings &gt;&gt; Attachment Security "Remove file extensions blocked as Level 1" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the registry value “FileExtensionsRemoveLevel1” exists, this is a finding.
</RawString>
      <ValueData>0</ValueData>
      <ValueName>FileExtensionsRemoveLevel1</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17775" severity="medium" conversionstatus="pass" title="DTOO245 - Lvl 2 File Extensions" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Microsoft Outlook 2013 &gt;&gt; Security &gt;&gt; Security Form Settings &gt;&gt; Attachment Security "Remove file extensions blocked as Level 2" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security\

Criteria: If the registry value “FileExtensionsRemoveLevel2” exists, this is a finding.
</RawString>
      <ValueData>0</ValueData>
      <ValueName>FileExtensionsRemoveLevel2</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17776" severity="medium" conversionstatus="pass" title="DTOO218 - Calendar details published by users" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Calendar Options -&gt; Office.com Sharing Service "Restrict level of calendar details users can publish" is "Enabled (Disables 'Full details' and 'Limited details')".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal

Criteria: If the value PublishCalendarDetailsPolicy is REG_DWORD = 4000 (hex) or 16384 (Decimal), this is not a finding.</RawString>
      <ValueData>16384</ValueData>
      <ValueName>PublishCalendarDetailsPolicy</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17777" severity="medium" conversionstatus="pass" title="DTOO220 - Upload methods" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Calendar Options -&gt; Office.com Sharing Service "Restrict upload method" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\pubcal

Criteria: If the value SingleUploadOnly is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>SingleUploadOnly</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17778" severity="medium" conversionstatus="pass" title="DTOO267 - Retrieving CRLs - Outlook" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography -&gt; Signature Status dialog box "Retrieving CRLs (Certificate Revocation Lists)" is "Enabled (When online always retrieve the CRL)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value UseCRLChasing is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>UseCRLChasing</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17787" severity="medium" conversionstatus="pass" title="DTOO262 - FIPS compliant mode" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "Run in FIPS compliant mode" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value FIPSMode is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>FIPSMode</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17790" severity="medium" conversionstatus="pass" title="DTOO257 - No S/Mime interop w/ external clients" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "S/MIME interoperability with external clients" is set to "Enabled (Handle internally)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value ExternalSMime is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>ExternalSMime</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17795" severity="medium" conversionstatus="pass" title="DTOO266 - S/Mime receipt requests " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "S/MIME receipt requests behavior" is "Enabled (Never send S\MIME receipts)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value RespondToReceiptRequests is REG_DWORD = 2, this is not a finding.</RawString>
      <ValueData>2</ValueData>
      <ValueName>RespondToReceiptRequests</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17798" severity="medium" conversionstatus="pass" title="DTOO276 - Security settings for macros" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration &gt;&gt; Administrative Templates &gt;&gt; Microsoft Outlook 2013 &gt;&gt; Security &gt;&gt; Trust Center "Security setting for macros" is "Enabled (Always warn)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value of "Level" is REG_DWORD = 2, this is not a finding.
</RawString>
      <ValueData>2</ValueData>
      <ValueName>Level</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17800" severity="medium" conversionstatus="pass" title="DTOO264 - Clear signed messages" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "Send all signed messages as clear signed messages" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value ClearSign is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>ClearSign</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17802" severity="medium" conversionstatus="pass" title="DTOO247 - Custom OOM Action Exe. Prompt " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Security Form Settings -&gt; Custom Form Security "Set Outlook object model Custom Actions execution prompt" is "Enabled (Automatically Deny)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value PromptOOMCustomAction is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>PromptOOMCustomAction</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17803" severity="medium" conversionstatus="pass" title="DTOO265 - Signature Warnings" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "Signature Warning" is "Enabled (Always warn about invalid signatures)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value WarnAboutInvalid is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>WarnAboutInvalid</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17806" severity="medium" conversionstatus="pass" title="DTOO281 - Sync RSS Feeds w/Common List" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\rss</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Account Settings -&gt; RSS Feeds "Synchronize Outlook RSS Feeds with Common Feed List" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\rss

Criteria: If the value SyncToSysCFL is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>SyncToSysCFL</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17807" severity="medium" conversionstatus="pass" title="DTOO223 - Trust EMail from Contacts" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Junk E-mail "Trust E-mail from Contacts" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value JunkMailTrustContacts is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>JunkMailTrustContacts</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17808" severity="medium" conversionstatus="pass" title="DTOO282 - RSS Feeds" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\rss</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>NOTE:
Some operational environments may elect to allow use of RSS feeds integrated into Outlook, provided there is a mission need and the network environment meets the following criteria:

- Both the website issuing the RSS feeds and the Outlook email client have an available network path to each other.
- Neither the website issuing the RSS feeds nor the Outlook email client has a network path to the public Internet.

An example of such an environment would be a closed lab or other deployed network where the requisite signoffs, artifacts, and network documentation demonstrate that the public Internet is not available to the Outlook client, preventing unauthorized RSS subscriptions being accessed by users of the Outlook client.

If the environment meets the above stated criteria, this requirement is Not Applicable.

For all environments where the Outlook email client has access to public Internet websites, RSS integration into Outlook is not permitted, and should be validated as follows:

The policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Account Settings -&gt; RSS Feeds "Turn off RSS feature" is set to "Enabled".

When this policy setting is enabled, the RSS aggregation feature in Outlook is disabled.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\rss

Criteria: If the REG_DWORD value for "Disable" is 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>Disable</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17812" severity="medium" conversionstatus="pass" title="DTOO231 - Unicode use when dragging Email " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\general</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Other -&gt; Advanced "Use Unicode format when dragging e-mail message to file system" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\general

Criteria: If the value MSGFormat is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>MSGFormat</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-17944" severity="medium" conversionstatus="pass" title="DTOO286 - Disable User Entries to Server list" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\meetings\profile</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Meeting Workspace "Disable user entries to server list" is set to "Enabled (Publish default, disallow others)".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\meetings\profile

Criteria: If the value ServerUI is REG_DWORD = 2, this is not a finding.</RawString>
      <ValueData>2</ValueData>
      <ValueName>ServerUI</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26584" severity="medium" conversionstatus="pass" title="DTOO126 - Add-on Management" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Add-on Management" is set to "Enabled" and 'outlook.exe' is checked.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26585" severity="medium" conversionstatus="pass" title="DTOO209 - Zone Elevation Protection" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Protection From Zone Elevation" is set to "Enabled" and 'outlook.exe' is checked.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26586" severity="medium" conversionstatus="pass" title="DTOO211 - Restrict ActiveX Install" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Restrict ActiveX Install" is set to "Enabled" and 'outlook.exe' is checked.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26587" severity="medium" conversionstatus="pass" title="DTOO132 - Restrict File Download" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Restrict File Download" is set to "Enabled" and 'outlook.exe' is checked.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26588" severity="medium" conversionstatus="pass" title="DTOO124 - Scripted Window Security" dscresource="xRegistry">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for Computer Configuration -&gt; Administrative Templates -&gt; Microsoft Office 2013 (Machine) -&gt; Security Settings -&gt; IE Security "Scripted Window Security Restrictions" is set to "Enabled" and 'outlook.exe' is checked.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS

Criteria: If the value outlook.exe is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>outlook.exe</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26632" severity="medium" conversionstatus="pass" title="DTOO313 - Automatically download enclosures" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\rss</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Account Settings -&gt; RSS Feeds "Automatically download enclosures" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\rss

Criteria: If the value EnableAttachments is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>EnableAttachments</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26633" severity="medium" conversionstatus="pass" title="DTOO344 - Outlook Rich Text options" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Mail Format -&gt; Internet Formatting "Outlook Rich Text options" is "Enabled: Convert to Plain Text format".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value Message RTF Format is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>Message RTF Format</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26634" severity="medium" conversionstatus="pass" title="DTOO314 - Set message format" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\options\mail</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Mail Format -&gt; Internet Formatting -&gt; Message Format "Set message format" is "Enabled: Plain Text".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\mail

Criteria: If the value EditorPreference is REG_DWORD = 65536 (dec), this is not a finding.</RawString>
      <ValueData>65536</ValueData>
      <ValueName>EditorPreference</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26635" severity="medium" conversionstatus="pass" title="DTOO315 - Outlook Security settings " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security "Prompt user to choose security settings if default settings fail" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value ForceDefaultProfile is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>ForceDefaultProfile</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26636" severity="medium" conversionstatus="pass" title="DTOO316 - Minimum encryption settings" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "Minimum encryption settings" is set to "Enabled: 168 bits".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value MinEncKey is REG_DWORD = 168, this is not a finding.</RawString>
      <ValueData>168</ValueData>
      <ValueName>MinEncKey</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26637" severity="medium" conversionstatus="pass" title="DTOO317 - Signed/encrypted messages " dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "Replies or forwards to signed/encrypted messages are signed/encrypted" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value NoCheckOnSessionSecurity is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>NoCheckOnSessionSecurity</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-26702" severity="medium" conversionstatus="pass" title="DTOO320 - Check e-mail address against certificate" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Security -&gt; Cryptography "Do not check e-mail address against address of certificates being used" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security

Criteria: If the value SupressNameChecks is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>SupressNameChecks</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-41492" severity="medium" conversionstatus="pass" title="DTOO424 - Disable weather bar in Outlook" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\software\policies\Microsoft\office\15.0\outlook\options\calendar</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; Preferences -&gt; Calendar Options -&gt; "Disable Weather Bar" is set to "Enabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\software\policies\Microsoft\office\15.0\outlook\options\calendar

Criteria: If the value disableweather is REG_DWORD = 1, this is not a finding.</RawString>
      <ValueData>1</ValueData>
      <ValueName>disableweather</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
    <Rule id="V-41493" severity="medium" conversionstatus="pass" title="DTOO425 - Disable Internet and network path into hyperlinks" dscresource="cAdministrativeTemplate">
      <Ensure>Present</Ensure>
      <IsNullOrEmpty>False</IsNullOrEmpty>
      <Key>HKEY_CURRENT_USER\software\policies\Microsoft\office\15.0\outlook\options\autoformat</Key>
      <OrganizationValueRequired>False</OrganizationValueRequired>
      <OrganizationValueTestString />
      <RawString>Verify the policy value for User Configuration -&gt; Administrative Templates -&gt; Microsoft Outlook 2013 -&gt; Outlook Options -&gt; "Internet and network path into hyperlinks" is set to "Disabled".

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\software\policies\Microsoft\office\15.0\outlook\options\autoformat

Criteria: If the value pgrfafo_25_1 is REG_DWORD = 0, this is not a finding.</RawString>
      <ValueData>0</ValueData>
      <ValueName>pgrfafo_25_1</ValueName>
      <ValueType>Dword</ValueType>
    </Rule>
  </RegistryRule>
</DISASTIG>