Title

The remember password for internet e-mail accounts must be disabled. (Cat II impact)

Discussion

As a security precaution, password caching for email Internet protocols such as POP3 or IMAP may lead to password discovery and eventually to data loss. An attacker that is able to access the users' profile may be able to acquire these cached passwords; they could then use this information to compromise the users' email accounts and other systems that use the same credentials.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Security "Disable 'Remember password' for Internet e-mail accounts" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security Criteria: If the value EnableRememberPwd is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Security "Disable 'Remember password' for Internet e-mail accounts" to "Enabled".

Additional Identifiers

Rule ID: SV-53923r1_rule

Vulnerability ID: V-17587

Group Title: DTOO237-Disable "remember password" on eMail Accts

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.