Check: DTOO269 - Outlook
Microsoft Outlook 2010 STIG:
DTOO269 - Outlook
(in versions v1 r13 through v1 r12)
Title
Attachments using generated name for secure temporary folders must be configured. (Cat II impact)
Discussion
The Secure Temporary Files folder is used to store attachments when they are opened in e-mail. By default, Outlook generates a random name for the Secure Temporary Files folder and saves it in the Temporary Internet Files folder. You can use this setting to designate a specific path and folder to use as the Secure Temporary Files folder. This configuration is not recommended, because it means that all users will have temporary Outlook files in the same predictable location, which is not as secure. If the name of this folder is well known, a malicious user or malicious code might target this location to try and gain access to attachments.
Check Content
The policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2010 -> Security -> Cryptography -> Signature Status dialog box “Attachment Secure Temporary Folder” must be set to “Disabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\outlook\security\OutlookSecureTempFolder Criteria: If the registry key exists, this is a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2010 -> Security -> Cryptography -> Signature Status dialog box “Attachment Secure Temporary Folder” to “Disabled”.
Additional Identifiers
Rule ID: SV-33572r1_rule
Vulnerability ID: V-17733
Group Title: DTOO269 - Attachments to Secure Temporary Folder
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |