1.13.1.2 Ensure 'Block Trusted Zones' is set to Enabled

Information

This policy setting controls whether pictures from sites in the Trusted Sites security zone are automatically downloaded in Outlook e-mail messages and other items.
If you enable this policy setting, Outlook does not automatically download content from Web sites in the Trusted sites zone in Internet Explorer. Recipients can choose to download external content on a message-by-message basis.
If you disable or do not configure this policy setting, Outlook automatically downloads content from Web sites in the Trusted sites zone in Internet Explorer. The recommended state for this setting is: Enabled.

Rationale:

Malicious users can send HTML e-mail messages with embedded Web beacons, which are pictures and other content from external servers that can be used to track whether specific recipients open the message. Viewing an e-mail message that contains a Web beacon provides confirmation that the recipient's e-mail address is valid, which leaves the recipient vulnerable to additional spam and harmful e-mail.

To reduce the risk from Web beacons, Outlook disables external content in e-mail messages by default, unless the content is considered 'safe' as determined by the check boxes in the Automatic Download section of the Trust Center. Depending on how these options are configured, safe content can include content in messages from addresses defined in the Safe Senders and Safe Recipients Lists used by the Junk E-mail filter, content from SharePoint discussion boards, and content from Web sites in the Trusted sites zone in Internet Explorer.

By default, Outlook considers trusted sites from Internet Explorer safe, and automatically downloads content from them, which could potentially include Web beacons.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Automatic Picture Download Settings\Block Trusted Zones

Impact:

Enabling this setting means that Outlook does not automatically download external content from Web sites in the Trusted sites zone. This configuration can cause some disruption for users who regularly receive HTML e-mail messages that contain graphics and other external content from sites in this zone, because they will need to download content for each message individually.

See Also

https://workbench.cisecurity.org/files/552

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3)

Plugin: Windows

Control ID: 43f6d76b1ec121c4e52aad2d40499153637ec785b7683f3f926aeaf14aa7ea11