1.13.3.3.1.1 Ensure 'Configure Trusted Add-ins' to 'Disabled'

Information

This policy setting can be used to specify a list of trusted add-ins that can be run without being restricted by the security measures in Outlook.

If you enable this policy setting, a list of trusted add-ins and hashes is made available that you can modify by adding and removing entries. The list is empty by default. To create a new entry, enter a DLL file name in the ''Value Name'' column and the hash result in the ''Value'' column.

If you disable or do not configure this policy setting, the list of trusted add-ins is empty and unused, so the recommended EC and SSLF settings do not create any usability issues. However, users who rely on add-ins that access the Outlook object model might be repeatedly prompted unless administrators enable this setting and add the add-ins to the list.

Note - You can also configure Exchange Security Form settings by enabling the ''Outlook Security Mode'' setting in User Configuration\Administrative Templates\Microsoft Outlook <version>\Security\Security Form Settings\Microsoft Outlook Security and selecting ''Use Outlook Security Group Policy'' from the drop-down list. The recommended state for this setting is: Disabled.

Rationale:

The Outlook object model includes entry points to access Outlook data, save data to specified locations, and send e-mail messages, all of which can be used by malicious application developers. To help protect these entry points, the Object Model Guard warns users and prompts them for confirmation when untrusted code, including add-ins, attempts to use the object model to obtain e-mail address information, store data outside of Outlook, execute certain actions, and send e-mail messages.

To reduce excessive security warnings when add-ins are used, administrators can specify a list of trusted add-ins that can access the Outlook object model silently, without raising prompts. This trusted add-in list should be treated with care, because a malicious add-in could access and forward sensitive information if added to the list.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Disabled.

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Security Form Settings\Programmatic Security\Trusted Add-ins\Configure trusted add-ins

Impact:

By default, the list of trusted add-ins is empty and unused, so configuring this setting does not create any usability issues. However, users who rely on add-ins that access the Outlook object model might be repeatedly prompted unless administrators enable this setting and add the add-ins to the list.

Note You can also configure Exchange Security Form settings by enabling the 'Outlook Security Mode' setting in User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook <version>\Security\Security Form Settings\Microsoft Office Outlook Security and selecting Use Outlook Security Group Policy from the drop-down list.

For more information about the Object Model Guard, see Security Behavior of the Outlook Object Model in the MSDN Outlook Developer Reference.

See Also

https://workbench.cisecurity.org/files/553

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7(5)

Plugin: Windows

Control ID: 91fa764d3311d4925c57300914631662fee814537389e6e62ef10111e9862c7e