Microsoft Outlook 2016 Security Technical Implementation Guide

Version: V2R4

Release Date: Nov 25, 2025

SCAP Benchmark ID: Microsoft_Outlook_2016

Total Checks: 64

Tags: other

CAT I: 1, CAT II: 63, CAT III: 0

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (64)

  • V-228419 (MEDIUM): Disabling of user name and password syntax from being used in URLs must be enforced.
  • V-228420 (MEDIUM): Enabling IE Bind to Object functionality must be present.
  • V-228421 (MEDIUM): Saved from URL mark to assure Internet zone processing must be enforced.
  • V-228422 (MEDIUM): Navigation to URLs embedded in Office products must be blocked.
  • V-228423 (MEDIUM): Scripted Window Security must be enforced.
  • V-228424 (MEDIUM): Add-on Management functionality must be allowed.
  • V-228425 (MEDIUM): Links that invoke instances of Internet Explorer from within an Office product must be blocked.
  • V-228426 (MEDIUM): File Downloads must be configured for proper restrictions.
  • V-228427 (MEDIUM): Protection from zone elevation must be enforced.
  • V-228428 (MEDIUM): ActiveX Installs must be configured for proper restriction.
  • V-228429 (MEDIUM): Publishing calendars to Office Online must be prevented.
  • V-228430 (MEDIUM): Publishing to a Web Distributed and Authoring (DAV) server must be prevented.
  • V-228431 (MEDIUM): Level of calendar details that a user can publish must be restricted.
  • V-228432 (MEDIUM): Access restriction settings for published calendars must be configured.
  • V-228433 (MEDIUM): Outlook Object Model scripts must be disallowed to run for shared folders.
  • V-228434 (MEDIUM): Outlook Object Model scripts must be disallowed to run for public folders.
  • V-228435 (MEDIUM): ActiveX One-Off forms must be configured.
  • V-228436 (MEDIUM): The Add-In Trust Level must be configured.
  • V-228437 (MEDIUM): The remember password for internet e-mail accounts must be disabled.
  • V-228438 (MEDIUM): Users customizing attachment security settings must be prevented.
  • V-228439 (MEDIUM): Outlook Security Mode must be configured to use Group Policy settings.
  • V-228440 (MEDIUM): The ability to display level 1 attachments must be disallowed.
  • V-228441 (MEDIUM): Level 1 file extensions must be blocked and not removed.
  • V-228442 (MEDIUM): Level 2 file extensions must be blocked and not removed.
  • V-228443 (MEDIUM): Scripts in One-Off Outlook forms must be disallowed.
  • V-228444 (MEDIUM): Custom Outlook Object Model (OOM) action execution prompts must be configured.
  • V-228445 (MEDIUM): Object Model Prompt for programmatic email send behavior must be configured.
  • V-228446 (MEDIUM): Object Model Prompt behavior for programmatic address books must be configured.
  • V-228447 (MEDIUM): Object Model Prompt behavior for programmatic access of user address data must be configured.
  • V-228448 (MEDIUM): Object Model Prompt behavior for Meeting and Task Responses must be configured.
  • V-228449 (MEDIUM): Object Model Prompt behavior for the SaveAs method must be configured.
  • V-228450 (MEDIUM): Object Model Prompt behavior for accessing User Property Formula must be configured.
  • V-228451 (MEDIUM): Trusted add-ins behavior for email must be configured.
  • V-228452 (MEDIUM): S/Mime interoperability with external clients for message handling must be configured.
  • V-228453 (MEDIUM): Message formats must be set to use SMime.
  • V-228454 (MEDIUM): Run in FIPS compliant mode must be enforced.
  • V-228455 (MEDIUM): Send all signed messages as clear signed messages must be configured.
  • V-228456 (MEDIUM): Automatic sending s/Mime receipt requests must be disallowed.
  • V-228457 (MEDIUM): Retrieving of CRL data must be set for online action.
  • V-228458 (MEDIUM): External content and pictures in HTML email must be displayed.
  • V-228459 (MEDIUM): Automatic download content for email in Safe Senders list must be disallowed.
  • V-228460 (MEDIUM): Permit download of content from safe zones must be configured.
  • V-228461 (MEDIUM): IE Trusted Zones assumed trusted must be blocked.
  • V-228462 (MEDIUM): Internet with Safe Zones for Picture Download must be disabled.
  • V-228463 (MEDIUM): Intranet with Safe Zones for automatic picture downloads must be configured.
  • V-228464 (MEDIUM): Always warn on untrusted macros must be enforced.
  • V-228465 (MEDIUM): Hyperlinks in suspected phishing email messages must be disallowed.
  • V-228466 (MEDIUM): RPC encryption between Outlook and Exchange server must be enforced.
  • V-228467 (MEDIUM): Outlook must be configured to force authentication when connecting to an Exchange server.
  • V-228468 (MEDIUM): Disabling download full text of articles as HTML must be configured.
  • V-228469 (MEDIUM): Automatic download of Internet Calendar appointment attachments must be disallowed.
  • V-228470 (MEDIUM): Internet calendar integration in Outlook must be disabled.
  • V-228471 (MEDIUM): User Entries to Server List must be disallowed.
  • V-228472 (MEDIUM): Automatically downloading enclosures on RSS must be disallowed.
  • V-228473 (MEDIUM): Outlook must be configured not to prompt users to choose security settings if default settings fail.
  • V-228474 (MEDIUM): Outlook minimum encryption key length settings must be set.
  • V-228475 (MEDIUM): Replies or forwards to signed/encrypted messages must be signed/encrypted.
  • V-228476 (MEDIUM): Check e-mail addresses against addresses of certificates being used must be disallowed.
  • V-251863 (MEDIUM): Read EMail as plain text must be enforced.
  • V-251865 (MEDIUM): Read signed email as plain text must be enforced.
  • V-251866 (MEDIUM): The default message format must be set to use Plain Text.
  • V-251867 (MEDIUM): Outlook Rich Text options must be set for converting to plain text format.
  • V-251872 (MEDIUM): Text in Outlook that represents internet and network paths must not be automatically turned into hyperlinks.
  • V-279945 (HIGH): The version of Outlook running on the system must be a supported version.