User Entries to Server List must be disallowed.

From Microsoft Outlook 2016 Security Technical Implementation Guide

Part of SRG-APP-000141

Associated with: CCI-000381

SV-85889r1_rule User Entries to Server List must be disallowed.

Vulnerability discussion

This policy setting controls whether Outlook users can add entries to the list of SharePoint servers when establishing a meeting workspace. If you enable this policy setting, you can choose between two options to determine whether Outlook users can add entries to the published server list: - Publish default, allow others. This option is the default configuration in Outlook. - Publish default, disallow others. This option prevents users from adding servers to the default published server list. If you disable or do not configure this policy setting, when users create a meeting workspace, they can choose a server from a default list provided by administrators or manually enter the address of a server that is not listed. This is the equivalent of Enabled -- Publish default, allow others.

Check content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Meeting Workspace "Disable user entries to server list" is set to "Enabled (Publish default, disallow others)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\16.0\meetings\profile Criteria: If the value ServerUI is REG_DWORD = 2, this is not a finding.

Fix text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Meeting Workspace "Disable user entries to server list" to "Enabled (Publish default, disallow others)".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer