1.13.2.1.3 Ensure 'Missing Root Certificates' is set to Enabled:Warning

Information

This policy setting controls how Outlook functions when a root certificate is missing.
If you enable this policy setting, you can choose from three options that determine how Outlook functions when a CRL is missing.
- Neither Error nor Warning. This option displays neither an error nor a warning, and enforces the default configuration in Outlook.
- Warning. This option ensures that Outlook displays a warning message when a CRL is missing.
- Error. This option ensures that Outlook displays an error message when a CRL is missing.
If you disable or do not configure this policy setting, users are not prompted with a warning or an error when a root certificate cannot be located. The recommended state for this setting is: Enabled:Warning.

Rationale:

When Outlook accesses a certificate, it validates that it can trust the certificate by examining the root certificate of the issuing CA. If the root certificate can be trusted, then certificates issued by the CA can also be trusted.
If Outlook cannot find the root certificate, it cannot validate that any certificates issued by that CA can be trusted. An attacker may compromise a root certificate and then remove the certificate in an attempt to conceal the attack.
By default, users are not prompted with a warning or an error when a root certificate cannot be located.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Cryptography\Signature Status dialog box\Missing root certificates

Then set the Indicate a missing root certificate as a(n): option to Warning.

Impact:

Enabling this setting will prevent Outlook users from using certificates when the appropriate root certificate is not available to verify them, which could increase desktop support requests.

See Also

https://workbench.cisecurity.org/files/553

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)(a)

Plugin: Windows

Control ID: ba3600bdc0713ef55d42c6359fa78c99bbf65a0a1cdd35b7561d93ed0681b57f