Title

Outlook must be enforced as the default email, calendar, and contacts program. (Cat II impact)

Discussion

Outlook is made the default program for E-mail, contacts, and calendar services when it is installed, although users can designate other programs as the default programs for these services. If another application is used to provide these services and your organization does not ensure the security of that application, it could be exploited to gain access to sensitive information or launch other malicious attacks. If your organization has policies that govern the use of personal information management software, allowing users to change the default configuration could enable them to violate such policies.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2010 -> Outlook Options -> Other “Make Outlook the default program for E-mail, Contacts, and Calendar” must be set to “Enabled”. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\14.0\outlook\options\general Criteria: If the value Check Default Client is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2010 -> Outlook Options -> Other “Make Outlook the default program for E-mail, Contacts, and Calendar” to “Enabled”.

Additional Identifiers

Rule ID: SV-33508r1_rule

Vulnerability ID: V-17753

Group Title: DTOO229 - Make Outlook the default program

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.