Trusted add-ins behavior for email must be configured.

From Microsoft Outlook 2013 STIG

Part of DTOO256 - Trusted Add-Ins Security

SV-54002r2_rule Trusted add-ins behavior for email must be configured.

Vulnerability discussion

The Outlook object model includes entry points to access Outlook data, save data to specified locations, and send email messages, all of which can be used by malicious application developers. To help protect these entry points, the Object Model Guard warns users and prompts them for confirmation when untrusted code, including add-ins, attempts to use the object model to obtain email address information, store data outside of Outlook, execute certain actions, and send email messages. To reduce excessive security warnings when add-ins are used, administrators can specify a list of trusted add-ins that can access the Outlook object model silently, without raising prompts. This trusted add-in list should be treated with care, because a malicious add-in could access and forward sensitive information if added to the list.

Check content

Fix text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Security -> Security Form Settings -> Programmatic Security -> Trusted Add-ins "Configure trusted add-ins" to "Disabled".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer