Title

Outlook must be enforced as the default email, calendar, and contacts program. (Cat II impact)

Discussion

Outlook is made the default program for email, contacts, and calendar services when it is installed, although users can designate other programs as the default programs for these services. If another application is used to provide these services and the organization does not ensure the security of that application, it could be exploited to gain access to sensitive information or launch other malicious attacks. When an organization has policies that govern the use of personal information management software, allowing users to change the default configuration could enable them to violate such policies.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Other "Make Outlook the default program for E-mail, Contacts, and Calendar" is set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\outlook\options\general Criteria: If the value Check Default Client is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Outlook Options -> Other "Make Outlook the default program for E-mail, Contacts, and Calendar" to "Enabled".

Additional Identifiers

Rule ID: SV-53891r1_rule

Vulnerability ID: V-17753

Group Title: DTOO229 - Make Outlook the default program

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.