1.13.2.1.5 Ensure 'Retrieving CRLs (Certificate Revocation Lists)' is set to Enabled:When online always retrieve the CRL

Information

This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised.
If you enable this policy setting, you can choose from three options to govern how Outlook uses CRLs:

* Use system Default. Outlook relies on the CRL download schedule that is configured for the operating system.
* When online always retrieve the CRL. This option is the default configuration in Outlook.
* Never retrieve the CRL. Outlook will not attempt to download the CRL for a certificate, even if it is online. This option can reduce security.

If you disable or do not configure this policy setting, when Outlook handles a certificate that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is online. The recommended state for this setting is: Enabled:When online always retrieve the CRL.

Rationale:

Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised.

By default, when Outlook handles a certificate that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is online. If this configuration is changed so that Outlook does not retrieve the CRL, Outlook might improperly trust a revoked certificate, which could put users' computers and data at risk.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists)

Then set the . . . option to When online always retrieve the CRL.

Impact:

The recommended setting enforces the default configuration in Outlook, and therefore is unlikely to cause significant usability issues for most users.

See Also

https://workbench.cisecurity.org/files/552

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)

Plugin: Windows

Control ID: 3297d2cf0771da555aab170b4ec3567bd8115ff4ce5dcc3b06d690de182fb1ae