1.13.7 Ensure 'Disable 'Remember password' for Internet e-mail accounts' is set to Enabled

Information

Use this option to hide your user's ability to cache passwords locally in the computer's registry. When configured, this policy will hide the 'Remember Password' checkbox and not allow users to have Outlook remember their password.
Note that POP3, IMAP, and HTTP e-mail accounts are all considered Internet e-mail accounts in Outlook. E-mail account options are listed on the Server Type dialog box when users choose 'New' under Tools | Account Settings. The recommended state for this setting is: Enabled.

Rationale:

An attacker who is able to access the user's profile may be able to acquire these cached passwords, they could then use this information to compromise the user's email accounts and other systems that use the same credentials.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Disable 'Remember password' for Internet e-mail accounts

Impact:

Enabling this setting can cause users to be frustrated because they will have to repeatedly enter their email account passwords for any email services that do not accept their Windows credentials. For Exchange servers that are members of the same Active Directory domain enabling this setting should not cause users to be prompted for their credentials since Exchange will accept their domain credentials, but for Exchange servers in untrusted domains and other types of email accounts the users might be forced to reenter their password frequently.

See Also

https://workbench.cisecurity.org/files/552

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5h.

Plugin: Windows

Control ID: 1937ce7fccbf35e4f7647dd90c5a3a521d8d0ba6a9d0bd15cb13ff5043fb7acc