Title

Enable RPC encryption between Outook and Exchange server. (Cat II impact)

Discussion

By default, the remote procedure call (RPC) communication channel between an Outlook 2007 client computer and an Exchange server is not encrypted. If a malicious person is able to eavesdrop on the network traffic between Outlook and the server, they might be able to access confidential information.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Account Settings -> Exchange “Enable RPC encryption” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\RPC Criteria: If the value EnableRPCEncryption is REG_DWORD = 1, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Account Settings -> Exchange “Enable RPC encryption” will be set to “Enabled”.

Additional Identifiers

Rule ID: SV-18752r1_rule

Vulnerability ID: V-17615

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.