1.8 Set 'Automatically download content for e- mail from people in Safe Senders and Safe Recipients Lists' to 'Disabled'

Information

This policy setting controls whether Outlook automatically downloads external content in
e-mail from senders in the Safe Senders List or Safe Recipients List.
If you enable this policy setting, Outlook automatically downloads content for e-mail from
people in Safe Senders and Safe Recipients lists.
If you disable this policy setting, Outlook will not automatically download content from
external servers for messages sent by people listed in users' Safe Senders Lists or Safe
Recipients Lists. Recipients can choose to download external content on a message-by-
message basis.
If you do not configure this policy setting, downloads are permitted when users receive e-
mail from people listed in the user's Safe Senders List or Safe Recipients List. The
recommended state for this setting is- Disabled.

*Rationale*

Malicious e-mail senders can send HTML e-mail messages with embedded Web beacons, or
pictures and other content from external servers that can be used to track whether specific
recipients have opened a message. Viewing an e-mail message that contains a Web beacon
provides confirmation that the recipient's e-mail address is valid, which leaves the
recipient vulnerable to additional spam and harmful e-mail. To help protect users from
Web beacons, Outlook 2010 can be configured to automatically block the display of
external content in e-mail messages. However, because this configuration could block
desirable content from display, Outlook can also be configured to automatically display
external content in any messages sent by people who are listed in users' Safe Senders Lists
or Safe Recipients Lists.
By default, Outlook 2010 automatically displays external content in e-mail messages from
people listed in users' Safe Senders Lists or Safe Recipients Lists, and automatically blocks
external content in other messages. If a malicious sender is accidentally added to a user's
Safe Senders List or Safe Recipients List, Outlook will display external content in all e-mail
messages from the malicious sender, which could include Web beacons.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Disabled.

User Configuration\Administrative Templates\Microsoft Outlook 2010\Security\Automatic
Picture Download Settings\Automatically download content for e-mail from people in
Safe Senders and Safe Recipients Lists

Impact-Disabling this setting means that Outlook 2010 does not automatically download external
content for messages sent by people listed in users' Safe Senders Lists or Safe Recipients
Lists. This configuration can cause some disruption for users who regularly receive HTML
e-mail messages that contain graphics and other external content, because they will need to
download content for each message individually.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3)

Plugin: Windows

Control ID: c6db5a94ab9d1848ac5bd108d6125e9f0cb843bfc42098f492d2db9463d70ae9