2.5.14.2.1.5 Ensure 'Retrieving CRLs (Certificate Revocation Lists)' is set to 'Enabled: When online always retrieve the CRL'

Information

This policy setting controls how Outlook retrieves Certificate Revocation Lists (CRLs) to verify the validity of certificates. CRLs are lists of digital certificates that have been revoked by their controlling Certificate Authority (CAs), typically because the certificates were issued improperly or their associated private keys were compromised.

The recommended state for this setting is: Enabled: When online always retrieve the CRL.

Rationale:

Outlook may improperly trust a revoked certificate, which could put the system and data at risk.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: When online always retrieve the CRL:

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists)

Default Value:

Disabled. (Outlook handles a certificate that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is online.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)

Plugin: Windows

Control ID: 4d5813ab62eab66abf1bd535c2e3522e8a7835498414a9352ad87ce9f22d2b91