2.5.1.2.1 (L1) Ensure 'Do not allow users to change permissions on folders' is set to 'Enabled'

Information

This policy setting prevents users from changing their mail folder permissions.

If this policy setting is enabled, Outlook users cannot change permissions on folders; the settings on the Permissions tab are disabled. Enabling this policy setting does not affect existing permissions, and users can still change permissions by sending a sharing message.

The recommended state for this setting is: Enabled

By default, Outlook users can change the permissions for folders under their control by using the Permissions tab of the Properties dialog box for the folder, or by sending a sharing message. If users change the permissions on a folder they control, it might cause sensitive information in items stored in the folder to be compromised by exposing it to unauthorized people.

Solution

To establish the recommended state via configuration profiles, set the following Settings Catalog path to Enabled :

Microsoft Outlook 2016\Account Settings\Exchange\Do not allow users to change permissions on folders

Impact:

Enabling this setting prevents Outlook users from sharing folders they control with other users. Users who want to share folders will need to ask an administrator to make the necessary change.

See Also

https://workbench.cisecurity.org/benchmarks/15808

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2

Plugin: Windows

Control ID: 5457ca66cb4e5518d09ce2bf2eb08e861855e53be8f5adbb01d4146c81586393