Check: DTOO267
Microsoft Outlook 2013 STIG:
DTOO267
(in versions v1 r13 through v1 r9)
Title
Retrieving of CRL data must be set for online action. (Cat II impact)
Discussion
This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised.
Check Content
Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Security -> Cryptography -> Signature Status dialog box "Retrieving CRLs (Certificate Revocation Lists)" is "Enabled (When online always retrieve the CRL)". Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Office\15.0\outlook\security Criteria: If the value UseCRLChasing is REG_DWORD = 1, this is not a finding.
Fix Text
Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2013 -> Security -> Cryptography -> Signature Status dialog box "Retrieving CRLs (Certificate Revocation Lists)" to "Enabled (When online always retrieve the CRL)".
Additional Identifiers
Rule ID: SV-54031r1_rule
Vulnerability ID: V-17778
Group Title: DTOO267 - Retrieving CRLs - Outlook
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000185 |
The information system, for PKI-based authentication, validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information. |
Controls
| Number | Title |
|---|---|
| IA-5 (2) |
Pki-Based Authentication |