Title

Make Outlook the default email, calendar, and contacts program. (Cat II impact)

Discussion

By default, Outlook 2007 is made the default program for E-mail, contacts, and calendar services when it is installed, although users can designate other programs as the default programs for these services. If another application is used to provide these services and your organization does not ensure the security of that application, it could be exploited to gain access to sensitive information or launch other malicious attacks. If your organization has policies that govern the use of personal information management software, allowing users to change the default configuration could enable them to violate such policies.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Other “Make Outlook the default program for E-mail, Contacts, and Calendar” will be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\General Criteria: If the value Check Default Client is REG_DWORD = 1, this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Tools \ Options -> Other “Make Outlook the default program for E-mail, Contacts, and Calendar” will be set to “Enabled”.

Additional Identifiers

Rule ID: SV-18946r1_rule

Vulnerability ID: V-17753

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.