2.1 Set 'Retrieving CRLs (Certificate Revocation Lists):' to 'Enabled: When online always retrieve the CRL'

Information

This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the
validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that
have been revoked by their controlling certificate authorities (CAs), typically because the
certificates were issued improperly or their associated private keys were compromised.
If you enable this policy setting, you can choose from three options to govern how Outlook
uses CRLs:

- Use system Default. Outlook relies on the CRL download schedule that is configured
for the operating system.

- When online always retrieve the CRL. This option is the default configuration in
Outlook.

- Never retrieve the CRL. Outlook will not attempt to download the CRL for a
certificate, even if it is online. This option can reduce security.

If you disable or do not configure this policy setting, when Outlook handles a certificate
that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL
from the provided URL if Outlook is online. The recommended state for this setting is:
Enabled: When online always retrieve the CRL.


Rationale

Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by
their controlling certificate authorities (CAs), typically because the certificates were issued
improperly or their associated private keys were compromised.
By default, when Outlook 2010 handles a certificate that includes a URL from which a CRL
can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is
online. If this configuration is changed, Outlook might improperly trust a revoked
certificate, which could put users' computers and data at risk.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled:

User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists)\Retrieving CRLs (Certificate Revocation Lists)

Then set the . . . option to When online always retrieve the CRL.

Impact

The recommended setting enforces the default configuration in Outlook 2010, and
therefore is unlikely to cause significant usability issues for most users.
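The following PowerShell script is an added audit example; it is not part of the CIS benchmark or the Tenable audit item. Group Policy settings for Outlook are written to the user's Policies registry hive, so the effective state of this setting can be checked on an endpoint by reading that value. The registry path, the value name (UseCRLChasing) and the mapping 0 = Use system Default, 1 = When online always retrieve the CRL, 2 = Never retrieve the CRL are assumptions that must be confirmed against the Outlook 2010 ADMX template before the script is relied on; both are exposed as parameters so they can be corrected without editing the logic.

```powershell
# Added audit example for the 'Retrieving CRLs' Outlook 2010 policy.
# ASSUMPTIONS (verify against the Outlook 2010 ADMX before use):
#   - the policy is stored as a REG_DWORD under the per-user Policies hive
#     at the path given in -PolicyPath, named as in -PolicyName
#   - 0 = Use system Default, 1 = When online always retrieve the CRL,
#     2 = Never retrieve the CRL (order of the options in the policy text)

$OptionNames = @{
    0 = 'Use system Default'
    1 = 'When online always retrieve the CRL'
    2 = 'Never retrieve the CRL'
}
$RecommendedValue = 1   # 'When online always retrieve the CRL'

function Get-CrlRetrievalPolicy {
    # Returns the configured DWORD, or $null when the policy is not set.
    param(
        [string]$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security',  # ASSUMED
        [string]$PolicyName = 'UseCRLChasing'                                                    # ASSUMED
    )
    if (-not (Test-Path -Path $PolicyPath)) { return $null }
    $item = Get-ItemProperty -Path $PolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Test-CrlRetrievalPolicy {
    # Evaluates the setting against the recommended state and returns an audit record.
    param(
        [string]$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security',  # ASSUMED
        [string]$PolicyName = 'UseCRLChasing'                                                    # ASSUMED
    )
    $value = Get-CrlRetrievalPolicy -PolicyPath $PolicyPath -PolicyName $PolicyName

    if ($null -eq $value) {
        # Not configured: Outlook falls back to its default (retrieve when online),
        # but the benchmark requires the policy to be explicitly Enabled.
        $option = 'Not Configured (Outlook default behaviour applies)'
    } elseif ($OptionNames.ContainsKey($value)) {
        $option = $OptionNames[$value]
    } else {
        $option = "Unknown value $value"
    }

    [pscustomobject]@{
        Setting     = 'Retrieving CRLs (Certificate Revocation Lists)'
        Configured  = ($null -ne $value)
        Value       = $value
        Option      = $option
        Compliant   = ($value -eq $RecommendedValue)
        Recommended = $OptionNames[$RecommendedValue]
    }
}

function Set-CrlRetrievalPolicy {
    # Writes the recommended value directly to the Policies hive. Use this only
    # on machines not managed by Group Policy; a GPO refresh overwrites this hive.
    param(
        [string]$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Office\14.0\Outlook\Security',  # ASSUMED
        [string]$PolicyName = 'UseCRLChasing'                                                    # ASSUMED
    )
    if (-not (Test-Path -Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $PolicyName -Value $RecommendedValue `
        -PropertyType DWord -Force | Out-Null
    return Test-CrlRetrievalPolicy -PolicyPath $PolicyPath -PolicyName $PolicyName
}

# Audit the current user and flag a finding when the state is not the recommended one.
$result = Test-CrlRetrievalPolicy
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "Finding: CRL retrieval is '$($result.Option)'; expected '$($result.Recommended)'."
}
```

Run the script as the user whose Outlook configuration is being audited, since the policy lives in HKCU. The Group Policy path in the Solution section remains the authoritative remediation; Set-CrlRetrievalPolicy is only a local fallback, and a value of 2 (Never retrieve the CRL) or an unconfigured policy on a domain-joined machine is what an auditor should treat as a finding.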

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)

Plugin: Windows

Control ID: fd86532cacd196a085e50e0ebe8e95585a9309ee7ece125e259f67eac8037797