Title

Do not allow folders in non-default stores to be set as folder home pages - Outlook. (Cat II impact)

Discussion

Outlook 2007 allows users to designate Web pages as home pages for personal or public folders. When a user clicks on a folder, Outlook displays the home page the user has assigned to it. Although this feature provides the opportunity to create powerful public folder applications, scripts can be included on Web pages that access the Outlook object model, which exposes users to security risks. By default, Outlook does not allow users to define folder home pages for folders in non-default stores. If this configuration is changed, users can create and access dangerous folder home pages for Outlook data files (.pst) and other non-default stores, which can compromise the security of the users' data.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Other -> Advanced “Do not allow folders in non-default stores to be set as folder home pages” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security Criteria: If the value NonDefaultStoreScript is REG_DWORD = 0, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Other -> Advanced “Do not allow folders in non-default stores to be set as folder home pages” will be set to “Enabled”.

Additional Identifiers

Rule ID: SV-18844r1_rule

Vulnerability ID: V-17674

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.