STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 4 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Microsoft Outlook 2016 Security Technical Implementation Guide

V-228435

CAT II (Medium)

ActiveX One-Off forms must be configured.

Rule ID

SV-228435r961092_rule

STIG

Microsoft Outlook 2016 Security Technical Implementation Guide

Version

V2R4

CCIs

CCI-001170

Discussion

By default, third-party ActiveX controls are not allowed to run in one-off forms in Outlook. You can change this behavior so that Safe Controls (Microsoft Forms 2.0 controls and the Outlook Recipient and Body controls) are allowed in one-off forms, or so that all ActiveX controls are allowed to run.

Check Content

Verify the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Allow Active X One Off Forms" is set to "Enabled: Load only Outlook Controls".

Procedure: Use the Windows Registry Editor to navigate to the following key: 

HKCU\Software\Policies\Microsoft\Office\16.0\outlook\security

Criteria: If the value AllowActiveXOneOffForms is REG_DWORD = 0, this is not a finding.

Fix Text

Set the policy value for User Configuration -> Administrative Templates -> Microsoft Outlook 2016 -> Security "Allow Active X One Off Forms" to "Enabled: Load only Outlook Controls".