General
In the default configuration, users can install add-ins in Microsoft Outlook themselves. An installed add-in can then read and act on the data in the user's mailbox.
Rationale
Attackers can abuse vulnerable or malicious custom-made add-ins to gain access to user data. Restricting the ability to install add-ins limits this attack surface.
No Attic Fix
No automatic fix is available for this check. You can change the setting manually using the instructions below:
Manual Instruction
Follow these steps to adjust the setting:
- Go to the Exchange Admin Center https://admin.exchange.microsoft.com
- Expand Roles
- Select User roles
- Double-click on Default Role Assignment Policy to open it
- Click on Manage Permissions
- Turn the following options OFF:
  - My Custom Apps - custom-made add-ins
  - My Marketplace Apps - add-ins from the Microsoft Office Store
  - My ReadWriteMailboxApps - add-ins that request read/write permissions on the mailbox
- Click on Save
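The same change can be audited and applied from Exchange Online PowerShell. The script below is an added example and is not part of the original page or the Attic product; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account may manage role assignment policies, and that the tenant still uses the built-in policy name "Default Role Assignment Policy". The role names are the built-in Exchange Online display names shown in the admin center.

```powershell
# Added example: audit the default role assignment policy for the three
# add-in installation roles and remove any that are still assigned.
# Assumes the ExchangeOnlineManagement module and sufficient permissions.

Connect-ExchangeOnline   # interactive sign-in; omit if already connected

$policyName = "Default Role Assignment Policy"   # assumed built-in policy name
$addInRoles = @("My Custom Apps", "My Marketplace Apps", "My ReadWriteMailboxApps")

# Audit: which add-in roles are still granted by the policy?
$assigned = (Get-RoleAssignmentPolicy -Identity $policyName).AssignedRoles
$stillOn  = @($addInRoles | Where-Object { $assigned -contains $_ })

if ($stillOn.Count -eq 0) {
    Write-Output "PASS: no add-in installation roles are assigned to '$policyName'"
} else {
    Write-Output "FAIL: roles still assigned: $($stillOn -join ', ')"

    # Remediate: drop each remaining role assignment from the policy.
    # This is the equivalent of switching the three toggles off in the admin center.
    foreach ($role in $stillOn) {
        Get-ManagementRoleAssignment -RoleAssignmentPolicy $policyName -Role $role |
            Remove-ManagementRoleAssignment -Confirm:$false
    }
}

# Mailboxes on a different role assignment policy are not covered by the step above.
# List all policies and repeat the check for each one that is in use:
Get-RoleAssignmentPolicy | Select-Object Name, IsDefault, AssignedRoles
```

Run the audit part first without the remediation block if you only want a report; the check fails as soon as any of the three roles is still assigned, which matches what the CIS item tests for.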
Impact
This change has the following impact on users and administrators. Users will no longer be able to install third-party add-ins themselves, and administrators will start receiving requests to deploy the add-ins that users need.
CIS Mapping
- CIS Item: 2.8 (L2) Ensure users installing Outlook add-ins is not allowed (Automated)
- Profile: E3 Level 2