2.5.14.6 Ensure 'Disable 'Remember password' for Internet e-mail accounts' is set to 'Enabled'

Information

This policy setting hides the user's ability to cache passwords locally in the computer's registry. When configured, this policy will hide the Remember Password checkbox and not allow users to have Outlook remember their password.

Note: POP3, IMAP, and HTTP e-mail accounts are all considered Internet e-mail accounts in Outlook. E-mail account options are listed on the Server Type dialog box when users choose 'New' under Tools | Account Settings.

The recommended state for this setting is: Enabled.

Rationale:

An attacker who is able to access the user's profile may be able to acquire cached passwords. Cached passwords could then be used to compromise the user's email account(s) and other systems that use the same credentials.

Impact:

Users will have to enter their email account passwords for any email services that do not accept their Windows credentials.

Note: For Exchange servers that are members of the same Active Directory domain, enabling this setting should not cause users to be prompted for their credentials since Exchange will accept their domain credentials.

Note #2: For Exchange servers in untrusted domains and other types of email accounts, users might be forced to reenter their password frequently.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled:

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Disable 'Remember password' for Internet e-mail accounts

Default Value:

Disabled. (Passwords can be remembered.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5h.

Plugin: Windows

Control ID: ae19582c5dc7aca3ab081c73ccab73968fe039bf5ebd7fa359c19b388b2ae647