Title

RSS feed synchronization with Common Feed List must be disallowed. (Cat II impact)

Discussion

The Common Feed list is a hierarchical set of RSS feeds to which clients such as Outlook 2013, the Feeds list in Internet Explorer, and the Feed Headlines Sidebar gadget in Windows Vista can subscribe. If Outlook subscribes to a very large feed list, performance and availability can be affected, especially if Outlook is configured to download full RSS message bodies or if the feed list is not AutoArchived regularly. By default, Outlook maintains its own list of feeds and does not automatically subscribe to RSS feeds that are added to the Common Feed List.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Account Settings -> RSS Feeds "Synchronize Outlook RSS Feeds with Common Feed List" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\rss Criteria: If the value SyncToSysCFL is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Account Settings -> RSS Feeds "Synchronize Outlook RSS Feeds with Common Feed List" to "Disabled".

Additional Identifiers

Rule ID: SV-54054r1_rule

Vulnerability ID: V-17806

Group Title: DTOO281 - Sync RSS Feeds w/Common List

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.