2.5.14.3.2.1 Ensure 'Allow scripts in one-off Outlook forms' is set to 'Disabled'

Information

This policy setting controls whether scripts can run in Outlook forms in which the script and layout are contained within the message.

The recommended state for this setting is: Disabled.

Rationale:

A one-off form carries its own layout and script inside the message, so an attacker can deliver malicious script by e-mail without touching any form library; if Outlook is allowed to run it, the script executes in the user's Outlook session, with that user's privileges, when the item is opened.

Impact:

None. This is the default behavior; unless users have a legitimate business need for scripted one-off forms, the setting should remain Disabled.

Important: For this setting to apply, the Outlook Security Mode setting must be enabled in User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Security with Use Outlook Security Group Policy selected, as set in this benchmark in Section 2.5.14.3.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms

Default Value:

Disabled. (Outlook does not run scripts in forms in which the script and the layout are contained within the message.)
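The following PowerShell audit is an added example and is not part of the CIS benchmark text or the Tenable audit. It assumes the registry mapping the Outlook 2016 ADMX template uses for these two policies, which this page does not state: the policy above writes the DWORD value EnableOneOffFormScripts (0 = Disabled, 1 = Enabled) under HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security, and "Outlook Security Mode" writes AdminSecurityMode in the same key, where 3 corresponds to "Use Outlook Security Group Policy". It reports the setting as compliant only when the value is explicitly 0 and the security mode makes Outlook honor Group Policy, since the note above says the setting is not applied otherwise.

```powershell
# Added example, not benchmark code. Audits the effective state of
# "Allow scripts in one-off Outlook forms" for the current user.
# Assumed registry mapping (from the Outlook 2016 ADMX, not stated on the page):
#   HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security
#     EnableOneOffFormScripts (DWORD): 0 = Disabled, 1 = Enabled
#     AdminSecurityMode       (DWORD): 3 = "Use Outlook Security Group Policy"

function Get-OneOffFormScriptState {
    param(
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'
    )

    $state = [ordered]@{
        PolicyKeyPresent          = Test-Path $PolicyKey
        EnableOneOffFormScripts   = $null      # $null means "Not Configured"
        AdminSecurityMode         = $null
        SecurityModeIsGroupPolicy = $false
        Compliant                 = $false
        Finding                   = ''
    }

    if ($state.PolicyKeyPresent) {
        $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if ($null -ne $props.EnableOneOffFormScripts) {
            $state.EnableOneOffFormScripts = [int]$props.EnableOneOffFormScripts
        }
        if ($null -ne $props.AdminSecurityMode) {
            $state.AdminSecurityMode = [int]$props.AdminSecurityMode
        }
    }

    $state.SecurityModeIsGroupPolicy = ($state.AdminSecurityMode -eq 3)

    if ($state.EnableOneOffFormScripts -eq 1) {
        $state.Finding = 'EnableOneOffFormScripts is 1: scripts in one-off forms are allowed'
    }
    elseif ($null -eq $state.EnableOneOffFormScripts) {
        # Matches the product default, but nothing stops a user or another
        # policy from turning it on; the benchmark asks for an explicit Disabled.
        $state.Finding = 'Policy is Not Configured: default is Disabled, but the setting is not enforced'
    }
    elseif (-not $state.SecurityModeIsGroupPolicy) {
        $state.Finding = 'Outlook Security Mode is not "Use Outlook Security Group Policy"; the policy value is ignored'
    }
    else {
        $state.Compliant = $true
    }

    [pscustomobject]$state
}

# Remediation helper: write the value the GP setting would write (0 = Disabled).
# Prefer the GPO path from the Solution section in managed environments; this is
# for lab hosts or ad-hoc verification.
function Set-OneOffFormScriptsDisabled {
    param(
        [string]$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security'
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'EnableOneOffFormScripts' -Value 0 -Type DWord
}

Get-OneOffFormScriptState | Format-List
```

Run the audit under the account whose Outlook profile is in scope, since the policy key lives under HKCU. If the Finding reports that the security mode is not Group Policy, fixing this setting alone does nothing; apply the Outlook Security Mode setting from Section 2.5.14.3 first and re-run the check.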

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1)

Plugin: Windows

Control ID: 523448c1332946f0ca80d43701f1a3eb5a2f06d62ec2f3d00c83aa235e99bbf2