1.13.2.1.2 Ensure 'Missing CRLs' is set to Enabled:Error

Information

This policy setting controls whether Outlook considers a missing certificate revocation list (CRL) a warning or an error. Digital certificates contain an attribute that shows where the corresponding CRL is located. CRLs contain lists of digital certificates that have been revoked by their controlling certification authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised. If a CRL is missing or unavailable, Outlook cannot determine whether a certificate has been revoked. Therefore, an improperly issued certificate or one that has been compromised might be used to gain access to data.
If you enable this policy setting, you can choose between two options that determine how Outlook functions when a CRL is missing:

* Warning. This option is the default configuration in Outlook and ensures that Outlook displays a warning message when a CRL is missing.
* Error. This option ensures that Outlook displays an error message when a CRL is missing.

If you disable or do not configure this policy setting, Outlook displays a warning message when a CRL is not available. The recommended state for this setting is: Enabled:Error.

Rationale:

Digital certificates contain an attribute that shows where the corresponding CRL is located. CRLs contain lists of digital certificates that have been revoked by their controlling certification authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised.
If a CRL is missing or unavailable, Outlook cannot determine whether a certificate has been revoked. Therefore, an improperly issued certificate or one that has been compromised might be used to gain access to data.
By default, Outlook displays a warning message when a CRL is not available.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Cryptography\Signature Status dialog box\Missing CRLs

Then set the Indicate a missing CRL as a(n): option to Error.

Impact:

Enabling this setting and choosing 'Error' from the drop-down list will prevent Outlook users from using certificates when the appropriate CRL is not available to verify them, which could increase desktop support requests.

See Also

https://workbench.cisecurity.org/files/553

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)

Plugin: Windows

Control ID: 4a6162fc1571c1f485932afda3060948d319381f5aed7abbb9fdd1ac430a9c61