Title

Enable the feature and configure the maximum S/Mime password time setting. (Cat II impact)

Discussion

Key Management Server (KMS) was a product that could be integrated with certain versions of Microsoft Exchange Server prior to Exchange 2000 SP2. Users must supply a password to use certificates issued by KMS to sign or decrypt e-mail messages. When Outlook 2007 prompts users for the correct password, they can specify a length of time in minutes for Outlook to cache the password. Users will not be prompted to continually reenter the password during the specified time period. By default, Outlook remembers KMS passwords for 30 minutes, which users can change to any number of minutes up to 300. The longer the period of time a user specifies, the greater the chance that an unauthorized person can use the user's computer to access sensitive information.

Check Content

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography “S/MIME password settings” will be set to “Enabled” and Maximum S/MIME password time will be set to 300. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Cryptography\Defaults\Provider\ Microsoft Exchange Cryptographic Provider v1.0 Criteria: If the value MaxPwdTime is REG_DWORD = 12c (hex) or 300 (decimal), this is not a finding.

Fix Text

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography “S/MIME password settings” will be set to “Enabled” and Maximum S/MIME password time will be set to 300.

Additional Identifiers

Rule ID: SV-19014r1_rule

Vulnerability ID: V-17792

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.