Check: DTOO282 - Outlook
Microsoft Outlook 2007: DTOO282 - Outlook
(in versions v4 r16 through v4 r15)
Title
Enable the "turn off RSS Feeds" feature in Outlook. (Cat II impact)
Discussion
By default, users can subscribe to RSS feeds from within Outlook 2007 and read RSS items like e-mail messages. If your organization has policies that govern the use of external resources such as RSS feeds, allowing users to subscribe to the RSS feed in Outlook might enable them to violate those policies.
Check Content
NOTE: For operational environments requiring the use of RSS feeds integrated into Outlook for mission need, the network environment must meet the following criteria:
- both the web site issuing the RSS feeds and the Outlook email client have an available network path to each other.
- neither the web site issuing the RSS feeds nor the Outlook email client has a network path to the public Internet.

An example of such an environment would be a closed lab or other deployed network where the requisite signoffs, artifacts, and network documentation demonstrate that the public Internet is not available to the Outlook client, preventing unauthorized RSS subscriptions from being accessed by users of the Outlook client.

If an operational environment has RSS Feeds enabled, and the mission need is documented and approved by the ISSO/ISSM, and the network meets the appropriate requirement, this is Not a Finding.

For all environments where the Outlook email client has access to public Internet web sites, RSS integration into Outlook is not permitted, and should be validated as follows.

Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Office Outlook 2007 >> Tools|Account Settings >> RSS Feeds "Turn off RSS feature" is set to "Enabled".

Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

Criteria: If the environment meets the above stated criteria, and value "Disable" is REG_DWORD = 1, this is not a finding.
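
The registry check above can be scripted. The following PowerShell is an added example, not part of the STIG text; the function name Test-OutlookRssDisabled and its output fields are hypothetical. It goes beyond the check text by also evaluating every user hive currently loaded under HKEY_USERS, and it cannot assess the documented mission-need exception, which still needs manual review.

```powershell
# Added example: evaluate DTOO282 from the registry. Names here are illustrative.
$subKey = 'Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS'

function Test-OutlookRssDisabled {
    param([Parameter(Mandatory)][string]$Path, [string]$Name = 'Disable')

    # Default to Finding; only REG_DWORD = 1 clears it. The documented
    # mission-need exception in the check text is not evaluated here.
    $r = [ordered]@{ Path = $Path; Kind = $null; Value = $null
                     Status = 'Finding'; Reason = '' }

    if (-not (Test-Path -LiteralPath $Path)) {
        $r.Reason = 'Policy key is absent (policy not configured).'
        return [pscustomobject]$r
    }
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) {
        $r.Reason = "Value '$Name' is absent."
        return [pscustomobject]$r
    }

    $r.Kind  = $key.GetValueKind($Name)
    $r.Value = $key.GetValue($Name)
    if ($r.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # A string "1" would look right in a casual glance but is not REG_DWORD.
        $r.Reason = "Value type is $($r.Kind), expected REG_DWORD."
    } elseif ($r.Value -ne 1) {
        $r.Reason = "Value is $($r.Value), expected 1."
    } else {
        $r.Status = 'Not a Finding'
        $r.Reason = '"Turn off RSS feature" is Enabled.'
    }
    [pscustomobject]$r
}

# Current user, as the check text specifies (HKCU).
Test-OutlookRssDisabled -Path "HKCU:\$subKey"

# Extension beyond the check text: all user hives currently loaded.
# Run elevated; users who are not logged on have no hive loaded and are skipped.
Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        Test-OutlookRssDisabled -Path "Registry::HKEY_USERS\$($_.PSChildName)\$subKey"
    }
```

A result of Finding means the value is missing, has the wrong type, or is not 1; whether the closed-network exception applies is decided from the documentation, not from this output.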
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Office Outlook 2007 >> Tools|Account Settings >> RSS Feeds “Turn off RSS feature” to “Enabled”. Click Apply.
Additional Identifiers
Rule ID: SV-19042r2_rule
Vulnerability ID: V-17808
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |