Title

The ability to add signatures to email messages must be allowed. (Cat II impact)

Discussion

Outlook users can create and use signatures in email messages. Users can add signatures to messages manually, and can also configure Outlook to automatically append signatures to new messages, to replies and forwards, or to all three. Signatures typically include details such as the user's name, title, phone numbers, and office location. When an organization has policies that govern the distribution of this kind of information, using signatures might cause some users to inadvertently violate these policies.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013-> Outlook Options -> Mail format "Do not allow signatures for e-mail messages" is set to "Disabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\common\mailsettings Criteria: If the value DisableSignatures is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Mail format "Do not allow signatures for e-mail messages" to "Disabled".

Additional Identifiers

Rule ID: SV-53886r1_rule

Vulnerability ID: V-17673

Group Title: DTOO227 - Digital Signature handling

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.