Title

Outlook is not configured to use the Restricted Sites Security Zone. (Cat II impact)

Discussion

Outlook needs to run in the context of the restricted sites zone so when it processes messages in an HTML format the content of the message is controlled and the machine is protected from automatically executing mobile code.

Check Content

Procedure: Start the Outlook application. On the Tools menu, select the Options… item. On the Options window, select the Security tab. Determine the value of the Zone option. Criteria: If the Zone option specifies a value other than Restricted sites, then this is a Finding.

Fix Text

In Outlook go to the Tools menu and select the Options... item. In the Options window, select the Security tab. Change the value of the Zone option to Restricted sites only.

Additional Identifiers

Rule ID: SV-6391r1_rule

Vulnerability ID: V-6321

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.