Title

Configure "retrieving Certificate Revokation List" (CRL) data - Outlook (Cat II impact)

Discussion

Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised. By default, when Outlook 2007 handles a certificate that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is online. If this configuration is changed, Outlook might improperly trust a revoked certificate, which could put users' computers and data at risk.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography -> Signature Status dialog box “Retrieving CRLs (Certificate Revocation Lists)” will be set to “Enabled (When online always retrieve the CRL)”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Security Criteria: If the value UseCRLChasing is REG_DWORD = 1, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography -> Signature Status dialog box “Retrieving CRLs (Certificate Revocation Lists)” will be set to “Enabled (When online always retrieve the CRL)”.

Additional Identifiers

Rule ID: SV-18995r1_rule

Vulnerability ID: V-17778

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.