5.1.17 Set 'Outlook Security Policy:' to 'Enabled:Use Outlook Security Group Policy'

Information

This policy setting controls which set of security settings are enforced in Outlook.

If you enable this policy setting, you can choose from four options for enforcing Outlook
security settings:

- Outlook Default Security - This option is the default configuration in Outlook. Users
  can configure security themselves, and Outlook ignores any security-related settings
  configured in Group Policy.
- Use Security Form from 'Outlook Security Settings' Public Folder - Outlook uses the
  settings from the security form published in the designated public folder.
- Use Security Form from 'Outlook 10 Security Settings' Public Folder - Outlook uses
  the settings from the security form published in the designated public folder.
- Use Outlook Security Group Policy - Outlook uses security settings from Group
  Policy.

Important: You must enable this policy setting if you want to apply the other Outlook
security policy settings mentioned in this baseline.

If you disable or do not configure this policy setting, Outlook users can configure security
for themselves, and Outlook ignores any security-related settings that are configured in
Group Policy.

Note: In previous versions of Outlook, when security settings were published in a form in
Exchange Server public folders, users who needed these settings required the
HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings
registry key to be set on their computers for the settings to apply. In Outlook 2010, the
CheckAdminSettings registry key is no longer used to determine users' security settings.
Instead, the Outlook Security Mode setting can be used to determine whether Outlook
security should be controlled directly by Group Policy, by the security form from the
Outlook Security Settings Public Folder, or by the settings on users' own computers.

The recommended state for this setting is: Enabled: Use Outlook Security Group Policy.

Rationale

If users can configure security themselves, they might choose levels of security that leave
their computers vulnerable to attack.

By default, Outlook 2010 users can configure security for themselves, and Outlook ignores
any security-related settings that are configured in Group Policy.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security
Form Settings\Outlook Security Mode\Outlook Security Mode

Then set the 'Outlook Security Policy:' option to Use Outlook Security Group Policy.
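
One way to audit the result on an endpoint, as an added example that is not part of the benchmark text. It assumes the Office 2010 policy template stores this setting as the DWORD AdminSecurityMode under Software\Policies\Microsoft\Office\14.0\Outlook\Security in each user hive (the page does not state the registry location); Get-OutlookSecurityModeState is a hypothetical helper name.

```powershell
# Added example: report the Outlook Security Mode policy for each loaded user hive.
# Assumption (not stated on the page): the setting is stored as the DWORD
# AdminSecurityMode under the key below, with 3 = Use Outlook Security Group Policy.
$SubKey    = 'Software\Policies\Microsoft\Office\14.0\Outlook\Security'
$ValueName = 'AdminSecurityMode'
$Modes = @{
    0 = 'Outlook Default Security'
    1 = "Use Security Form from 'Outlook Security Settings' Public Folder"
    2 = "Use Security Form from 'Outlook 10 Security Settings' Public Folder"
    3 = 'Use Outlook Security Group Policy'
}

function Get-OutlookSecurityModeState {
    param([Parameter(Mandatory)][string]$Sid)

    $path = "Registry::HKEY_USERS\$Sid\$SubKey"
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Disabled or not configured: Outlook ignores the security-related
        # Group Policy settings, so this counts as a failure, not a pass.
        $value = $null
        $mode  = 'Not configured (users control their own security settings)'
    }
    else {
        $value = [int]$item.$ValueName
        $mode  = if ($Modes.ContainsKey($value)) { $Modes[$value] } else { "Unexpected value $value" }
    }

    [pscustomobject]@{
        Sid       = $Sid
        Value     = $value
        Mode      = $mode
        Compliant = ($value -eq 3)
    }
}

# The policy is per-user, so check every interactive user hive that is currently
# loaded (S-1-5-21-... SIDs, skipping the *_Classes sub-hives). Hives of users
# who are not logged on are not loaded and are not covered by this check.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-OutlookSecurityModeState -Sid $_.PSChildName } |
    Format-Table -AutoSize
```

Any row with Compliant set to False means the other Outlook security policy settings in this baseline are not being enforced for that user.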

Impact:

Enabling this setting prevents users from modifying their own security settings, so it might
cause an increase in support calls. However, this setting is essential for ensuring that the
other Outlook 2010 security settings mentioned in this baseline are applied as suggested.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: a24157858a010816bed255531609296ed69856c07db9b232ef5a28856a79ae50