
Ensure ‘Retrieving CRLs (Certificate Revocation Lists)’ is set to Enabled:When online always retrieve the CRL

Details

This policy setting controls how Outlook retrieves Certificate Revocation Lists to verify the validity of certificates. Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised.

If you enable this policy setting, you can choose from three options to govern how Outlook uses CRLs:

* Use system Default. Outlook relies on the CRL download schedule that is configured for the operating system.

* When online always retrieve the CRL. This option is the default configuration in Outlook.

* Never retrieve the CRL. Outlook will not attempt to download the CRL for a certificate, even if it is online. This option can reduce security.

If you disable or do not configure this policy setting, when Outlook handles a certificate that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is online. The recommended state for this setting is: Enabled:When online always retrieve the CRL.

Rationale:

Certificate revocation lists (CRLs) are lists of digital certificates that have been revoked by their controlling certificate authorities (CAs), typically because the certificates were issued improperly or their associated private keys were compromised.

By default, when Outlook handles a certificate that includes a URL from which a CRL can be downloaded, Outlook will retrieve the CRL from the provided URL if Outlook is online. If this configuration is changed, Outlook might improperly trust a revoked certificate, which could put users’ computers and data at risk.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists)

Then set the . . . option to When online always retrieve the CRL.
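The following PowerShell audit/remediation script is an added example and is not part of the CIS benchmark text: it reads the per-user policy value, maps it onto the three options described above, and reports whether the recommended state (When online always retrieve the CRL) is enforced. The registry path, value name and the numeric encoding of the three options are assumptions (placeholders) to be replaced with the values from the benchmark's Audit and Remediation sections.

```powershell
# Added example, not from the CIS benchmark. Audits (and can remediate) the
# Outlook 2013 "Retrieving CRLs" policy for the current user.
# ASSUMPTIONS: $PolicyKey and $ValueName are placeholders; copy the exact
# registry path and value name from the benchmark's Audit section.
$PolicyKey = 'HKCU:\<POLICY-PATH-FROM-BENCHMARK>'
$ValueName = '<VALUE-NAME-FROM-BENCHMARK>'

# The three options the policy offers. The numeric encoding is an
# assumption (order as shown in the Group Policy editor); confirm it
# against the benchmark before relying on this mapping.
$CrlOptions = @{
    0 = 'Use system default'
    1 = 'When online always retrieve the CRL'   # recommended state
    2 = 'Never retrieve the CRL'                # weakens revocation checking
}
$Recommended = 1

function Get-OutlookCrlSetting {
    # Returns $null when the policy value is absent (not configured).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-OutlookCrlSetting {
    # $true only when the policy is explicitly set to the recommended value.
    $value = Get-OutlookCrlSetting
    if ($null -eq $value) {
        # Outlook's built-in default already retrieves the CRL when online,
        # but the benchmark expects the behaviour to be enforced by policy.
        Write-Host "NOT CONFIGURED: $ValueName absent under $PolicyKey"
        return $false
    }
    $label = if ($CrlOptions.ContainsKey($value)) { $CrlOptions[$value] } else { "unknown ($value)" }
    if ($value -eq $Recommended) {
        Write-Host "PASS: $ValueName = $value ($label)"
        return $true
    }
    Write-Host "FAIL: $ValueName = $value ($label); expected $Recommended ($($CrlOptions[$Recommended]))"
    return $false
}

function Set-OutlookCrlSetting {
    # Writes the recommended value as a REG_DWORD, creating the key if needed.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Recommended -Force | Out-Null
}

$compliant = Test-OutlookCrlSetting
```

In a domain, prefer deploying the setting through the Group Policy path above rather than writing the registry directly; the script is mainly useful for verifying that the policy actually reached the endpoint.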

Impact:

The recommended setting enforces the default configuration in Outlook, and therefore is unlikely to cause significant usability issues for most users.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Windows.


Updated on July 16, 2022