1.13.3.4 Ensure 'Outlook Security Mode' is set to Enabled

Information

This policy setting controls which set of security settings are enforced in Outlook.

If you enable this policy setting, you can choose from four options for enforcing Outlook security settings:

* Outlook Default Security - This option is the default configuration in Outlook. Users can configure security themselves, and Outlook ignores any security-related settings configured in Group Policy.

* Use Security Form from 'Outlook Security Settings' Public Folder - Outlook uses the settings from the security form published in the designated public folder.

* Use Security Form from 'Outlook 10 Security Settings' Public Folder - Outlook uses the settings from the security form published in the designated public folder.

* Use Outlook Security Group Policy - Outlook uses security settings from Group Policy.

Important - You must enable this policy setting if you want to apply the other Outlook security policy settings mentioned in this guide.

If you disable or do not configure this policy setting, Outlook users can configure security for themselves, and Outlook ignores any security-related settings that are configured in Group Policy.

Note - In previous versions of Outlook, when security settings were published in a form in Exchange Server public folders, users who needed these settings required the HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key to be set on their computers for the settings to apply. In Outlook, the CheckAdminSettings registry key is no longer used to determine users' security settings. Instead, the Outlook Security Mode setting can be used to determine whether Outlook security should be controlled directly by Group Policy, by the security form from the Outlook Security Settings Public Folder, or by the settings on users' own computers The recommended state for this setting is: Enabled:Use Outlook Security Group Policy.

Rationale:

If users can configure security themselves, they might choose levels of security that leave their computers vulnerable to attack.

By default, Outlook users can configure security for themselves, and Outlook ignores any security-related settings that are configured in Group Policy.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Security Form Settings\Outlook Security Mode

Then set the Outlook Security Policy: option to Use Outlook Security Group Policy.

Impact:

Enabling this setting prevents users from modifying their own security settings, so it might cause an increase in support calls. However, this setting is essential for ensuring that the other Outlook security settings mentioned in this baseline are applied as suggested.

Note In previous versions of Outlook, when security settings were published in a form in Exchange Server public folders, users who needed these settings required the HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key to be set on their computers for the settings to apply. In Outlook, the CheckAdminSettings registry key is no longer used to determine users' security settings. Instead, the Outlook Security Mode setting can be used to determine whether Outlook security should be controlled directly by Group Policy, by the security form from the Outlook Security Settings Public Folder, or by the settings on users' own computers.

See Also

https://workbench.cisecurity.org/files/553

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Windows

Control ID: 4de208f12edf17fb116515cbebfb9e9a5fac5a04e5c40266d5ac10f9924088fc