Microsoft Outlook 2016 Security Technical Implementation Guide

Version: 2

Release: 1 Benchmark Date: 23 Oct 2020

Checked	Name	Title
☐	SV-228419r508021_rule	Disabling of user name and password syntax from being used in URLs must be enforced.
☐	SV-228420r508021_rule	Enabling IE Bind to Object functionality must be present.
☐	SV-228421r508021_rule	Saved from URL mark to assure Internet zone processing must be enforced.
☐	SV-228422r508021_rule	Navigation to URLs embedded in Office products must be blocked.
☐	SV-228423r508021_rule	Scripted Window Security must be enforced.
☐	SV-228424r508021_rule	Add-on Management functionality must be allowed.
☐	SV-228425r508021_rule	Links that invoke instances of Internet Explorer from within an Office product must be blocked.
☐	SV-228426r508021_rule	File Downloads must be configured for proper restrictions.
☐	SV-228427r508021_rule	Protection from zone elevation must be enforced.
☐	SV-228428r508021_rule	ActiveX Installs must be configured for proper restriction.
☐	SV-228429r508021_rule	Publishing calendars to Office Online must be prevented.
☐	SV-228430r508021_rule	Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
☐	SV-228431r508021_rule	Level of calendar details that a user can publish must be restricted.
☐	SV-228432r508021_rule	Access restriction settings for published calendars must be configured.
☐	SV-228433r508021_rule	Outlook Object Model scripts must be disallowed to run for shared folders.
☐	SV-228434r508021_rule	Outlook Object Model scripts must be disallowed to run for public folders.
☐	SV-228435r508021_rule	ActiveX One-Off forms must be configured.
☐	SV-228436r508021_rule	The Add-In Trust Level must be configured.
☐	SV-228437r508021_rule	The remember password for internet e-mail accounts must be disabled.
☐	SV-228438r508021_rule	Users customizing attachment security settings must be prevented.
☐	SV-228439r508021_rule	Outlook Security Mode must be configured to use Group Policy settings.
☐	SV-228440r508021_rule	The ability to display level 1 attachments must be disallowed.
☐	SV-228441r508021_rule	Level 1 file extensions must be blocked and not removed.
☐	SV-228442r508021_rule	Level 2 file extensions must be blocked and not removed.
☐	SV-228443r508021_rule	Scripts in One-Off Outlook forms must be disallowed.
☐	SV-228444r508021_rule	Custom Outlook Object Model (OOM) action execution prompts must be configured.
☐	SV-228445r508021_rule	Object Model Prompt for programmatic email send behavior must be configured.
☐	SV-228446r508021_rule	Object Model Prompt behavior for programmatic address books must be configured.
☐	SV-228447r508021_rule	Object Model Prompt behavior for programmatic access of user address data must be configured.
☐	SV-228448r508021_rule	Object Model Prompt behavior for Meeting and Task Responses must be configured.
☐	SV-228449r508021_rule	Object Model Prompt behavior for the SaveAs method must be configured.
☐	SV-228450r508021_rule	Object Model Prompt behavior for accessing User Property Formula must be configured.
☐	SV-228451r508021_rule	Trusted add-ins behavior for email must be configured.
☐	SV-228452r508021_rule	S/Mime interoperability with external clients for message handling must be configured.
☐	SV-228453r508021_rule	Message formats must be set to use SMime.
☐	SV-228454r559729_rule	Run in FIPS compliant mode must be enforced.
☐	SV-228455r508021_rule	Send all signed messages as clear signed messages must be configured.
☐	SV-228456r508021_rule	Automatic sending s/Mime receipt requests must be disallowed.
☐	SV-228457r508021_rule	Retrieving of CRL data must be set for online action.
☐	SV-228458r508021_rule	External content and pictures in HTML email must be displayed.
☐	SV-228459r508021_rule	Automatic download content for email in Safe Senders list must be disallowed.
☐	SV-228460r508021_rule	Permit download of content from safe zones must be configured.
☐	SV-228461r508021_rule	IE Trusted Zones assumed trusted must be blocked.
☐	SV-228462r508021_rule	Internet with Safe Zones for Picture Download must be disabled.
☐	SV-228463r508021_rule	Intranet with Safe Zones for automatic picture downloads must be configured.
☐	SV-228464r508021_rule	Always warn on untrusted macros must be enforced.
☐	SV-228465r508021_rule	Hyperlinks in suspected phishing email messages must be disallowed.
☐	SV-228466r508021_rule	RPC encryption between Outlook and Exchange server must be enforced.
☐	SV-228467r508021_rule	Outlook must be configured to force authentication when connecting to an Exchange server.
☐	SV-228468r508021_rule	Disabling download full text of articles as HTML must be configured.
☐	SV-228469r508021_rule	Automatic download of Internet Calendar appointment attachments must be disallowed.
☐	SV-228470r508021_rule	Internet calendar integration in Outlook must be disabled.
☐	SV-228471r508021_rule	User Entries to Server List must be disallowed.
☐	SV-228472r508021_rule	Automatically downloading enclosures on RSS must be disallowed.
☐	SV-228473r508021_rule	Outlook must be configured not to prompt users to choose security settings if default settings fail.
☐	SV-228474r508021_rule	Outlook minimum encryption key length settings must be set.
☐	SV-228475r508021_rule	Replies or forwards to signed/encrypted messages must be signed/encrypted.
☐	SV-228476r508021_rule	Check e-mail addresses against addresses of certificates being used must be disallowed.