1.13.3.2.1 Ensure 'Allow scripts in one-off Outlook forms' is set to Disabled

Information

This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message.
If you enable this policy setting, scripts can run in one-off Outlook forms.
If you disable or do not configure this policy setting, Outlook does not run scripts in forms in which the script and the layout are contained within the message.
Important: This policy setting only applies if the 'Outlook Security Mode' policy setting under 'Microsoft Outlook <version>\Security\Security Form Settings' is configured to 'Use Outlook Security Group Policy.' The recommended state for this setting is: Disabled.

Rationale:

Malicious code can be included within Outlook forms, and such code could be executed when users open the form.
By default, Outlook does not run scripts in forms in which the script and the layout are contained within the message.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Disabled.

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms

Impact:

Disabling this setting enforces the default configuration in Outlook, and is therefore unlikely to cause significant usability issues for most users.
Allowing scripts to run in one-off Outlook forms can pose a significant risk. Unless your users have a legitimate business need for such functionality, this setting should be disabled. If your organization uses forms with scripts, consider redesigning these forms.

See Also

https://workbench.cisecurity.org/files/553

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(4)

Plugin: Windows

Control ID: 6b622b58c27244d44763062f6d1d497b6e83ebf982ae34ad3efa238962d0ef8a