2.5.14.1.1 Ensure 'Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists' is set to 'Disabled'

Information

This policy setting controls whether Outlook automatically downloads external content in e-mails from senders in the Safe Senders List or Safe Recipients List.

The recommended state for this setting is: Disabled.

Rationale:

Malicious senders can send HTML e-mail messages with embedded Web beacons, or pictures and other content from external servers that can be used to track whether specific recipients have opened a message. Viewing an e-mail message that contains a Web beacon provides confirmation that the recipient's e-mail address is valid, which leaves the recipient vulnerable to additional spam and harmful e-mail.

If a malicious sender is accidentally added to a user's Safe Senders List or Safe Recipients List, Outlook will display external content in all e-mail messages from the malicious sender, which could include Web beacons.

Impact:

Outlook will not automatically download external content for messages sent by people listed in user's Safe Senders Lists or Safe Recipients Lists. This will cause users to have to download content for each message individually.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists

Default Value:

Enabled. (Downloads are permitted when users receive e-mail from people listed in the user's Safe Senders List or Safe Recipients List.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-18(3)

Plugin: Windows

Control ID: c4ff85cf2fc2dd0ce977823b341079c6d14e5dddf824ca989a8044d69bddada9