5.1.15 Set 'List of trusted add-ins and hashes' to 'Disabled'

Information

This policy setting can be used to specify a list of trusted add-ins that can be run without
being restricted by the security measures in Outlook. If you enable this policy setting, a list
of trusted add-ins and hashes is made available that you can modify by adding and
removing entries. The list is empty by default. To create a new entry, enter a DLL file name
in the 'Value Name' column and the hash result in the 'Value' column. If you disable or do
not configure this policy setting, the list of trusted add-ins is empty and unused, so the
recommended settings in the Microsoft baselines do not create any usability issues.
However, users who rely on add-ins that access the Outlook object model might be
repeatedly prompted unless administrators enable this setting and add the add-ins to the
list.

Note: You can also configure Exchange Security Form settings by enabling the
'Outlook Security Mode' setting in

User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security Form Settings\Microsoft Outlook 2010 Security

and selecting 'Use Outlook Security Group Policy' from the drop-down list.

For more information about the Object Model Guard, see Security Behavior of Outlook
(http://officeredir.microsoft.com/r/rlidGPSecBehaviorOutlookModelO14?clid=1033) in
the MSDN Outlook 2010 Developer Reference.

The recommended state for this setting is: Disabled.

Rationale

The Outlook object model includes entry points to access Outlook data, save data to
specified locations, and send e-mail messages, all of which can be used by malicious
application developers. To help protect these entry points, the Object Model Guard warns
users and prompts them for confirmation when untrusted code, including add-ins,
attempts to use the object model to obtain e-mail address information, store data outside of
Outlook, execute certain actions, and send e-mail messages. To reduce excessive security
warnings when add-ins are used, administrators can specify a list of trusted add-ins that
can access the Outlook object model silently, without raising prompts. This trusted add-in
list should be treated with care, because a malicious add-in could access and forward
sensitive information if added to the list.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Disabled.

User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Security
Form Settings\Programmatic Security\Trusted Add-ins\Configure trusted add-ins\- List
of trusted add-ins and hashes
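
One way to audit the recommended state, as an added example that is not part of the benchmark text: the functions below list any entries deployed through this policy (DLL file name as the value name, hash as the value) and report compliance when none exist. The registry key is an assumption supplied by the caller, since the page does not name it, and the function names are hypothetical.

```powershell
# Added example: audit whether any trusted add-in entries are present.
# Assumption: $PolicyKey is the registry key that the Outlook policy template
# writes the 'List of trusted add-ins and hashes' values to. The page does not
# name that key, so it is passed in rather than hard-coded.

function Get-TrustedAddinEntry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PolicyKey
    )

    # No key means no list was deployed, so there is nothing to report.
    if (-not (Test-Path -LiteralPath $PolicyKey)) { return }

    $key = Get-Item -LiteralPath $PolicyKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }    # skip the key's unnamed default value
        [pscustomobject]@{
            AddinDll = $name                          # 'Value Name' column: DLL file name
            Hash     = [string]$key.GetValue($name)   # 'Value' column: hash result
        }
    }
}

function Test-TrustedAddinListEmpty {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$PolicyKey
    )

    # Wrap in @() so zero or one result still has a usable Count.
    $entries = @(Get-TrustedAddinEntry -PolicyKey $PolicyKey)

    [pscustomobject]@{
        PolicyKey = $PolicyKey
        Compliant = ($entries.Count -eq 0)   # recommended state: list empty and unused
        Entries   = $entries                 # any add-ins allowed to bypass the prompts
    }
}

# Usage (placeholder path; replace with the key for your deployment):
# Test-TrustedAddinListEmpty -PolicyKey 'HKCU:\<policy key for trusted add-ins>'
```

Because the setting lives under User Configuration, run the check in the context of the user being audited. Any entry it returns names an add-in that can use the Outlook object model without prompts and should be reviewed.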

Impact

By default, the list of trusted add-ins is empty and unused, so configuring this setting does
not create any usability issues. However, users who rely on add-ins that access the Outlook
object model might be repeatedly prompted unless administrators enable this setting and
add the add-ins to the list.

Note: You can also configure Exchange Security Form settings by
enabling the 'Outlook Security Mode' setting in

User Configuration\Administrative Templates\Classic Administrative Templates (ADM)\Microsoft Office Outlook 2010\Security\Security Form Settings\Microsoft Office Outlook 2010 Security

and selecting 'Use Outlook Security Group Policy' from the drop-down list.

For more information about the Object Model Guard, see Security Behavior of the Outlook Object Model in the
MSDN Outlook Developer Reference.

See Also

https://workbench.cisecurity.org/files/530