1.10 Set 'Block Trusted Zones' to 'Enabled'

Information

This policy setting controls whether pictures from sites in the Trusted Sites security zone
are automatically downloaded in Outlook e-mail messages and other items.
If you enable this policy setting, Outlook does not automatically download content from
Web sites in the Trusted sites zone in Internet Explorer. Recipients can choose to download
external content on a message-by-message basis.
If you disable or do not configure this policy setting, Outlook automatically downloads
content from Web sites in the Trusted sites zone in Internet Explorer. The recommended
state for this setting is: Enabled.

Rationale

Malicious users can send HTML e-mail messages with embedded Web beacons, which are
pictures and other content from external servers that can be used to track whether specific
recipients open the message. Viewing an e-mail message that contains a Web beacon
provides confirmation that the recipient's e-mail address is valid, which leaves the
recipient vulnerable to additional spam and harmful e-mail.
To reduce the risk from Web beacons, Outlook 2010 disables external content in e-mail
messages by default, unless the content is considered 'safe' as determined by the check
boxes in the Automatic Download section of the Trust Center. Depending on how these
options are configured, safe content can include content in messages from addresses
defined in the Safe Senders and Safe Recipients Lists used by the Junk E-mail filter, content
from SharePoint discussion boards, and content from Web sites in the Trusted sites zone in
Internet Explorer.
By default, Outlook considers trusted sites from Internet Explorer safe, and automatically
downloads content from them, which could potentially include Web beacons.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Automatic
Picture Download Settings\Block Trusted Zones

Impact

Enabling this setting means that Outlook 2010 does not automatically download external
content from Web sites in the Trusted sites zone. This configuration can cause some
disruption for users who regularly receive HTML e-mail messages that contain graphics
and other external content from sites in this zone, because they will need to download
content for each message individually.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3)

Plugin: Windows

Control ID: de5a44e7d3e24867b6d1e9250d265958c32723c3c37539705c74584aa5cd3165