2.5.14.2.1.2 Ensure 'Missing CRLs' is set to 'Enabled: Error'

Information

This policy setting controls whether Outlook considers a missing certificate revocation list (CRL) a warning or an error.

Digital certificates contain an attribute that shows where the corresponding CRL is located. CRLs contain lists of digital certificates that have been revoked by their controlling certification authorities (CAs), typically because the certificates were issued improperly, or their associated private keys were compromised.

The recommended state for this setting is: Enabled: Error.

Rationale:

If a CRL is missing or unavailable, Outlook cannot determine whether a certificate has been revoked. An improperly issued certificate or one that has been compromised might be used to gain access to data.

Impact:

Users will be prevented from using certificates when the appropriate CRL is not available to verify them. This could increase desktop support requests.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Error.

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Cryptography\Signature Status dialog box\Missing CRLs

Default Value:

Disabled. (Warning displayed.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(2)

Plugin: Windows

Control ID: 2abb9210eb219706b21df1025befc2057d10ae4db607de2fb2b1c2c3c969a7b8