Check: O365-OU-000011
Microsoft Office 365 ProPlus STIG:
O365-OU-000011
(in versions v3 r1 through v1 r2)
Title
The minimum encryption key length in Outlook must be at least 168. (Cat II impact)
Discussion
This policy setting allows you to set the minimum key length for an encrypted e-mail message. If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries to send a message using an encryption key that is below the minimum encryption key value set. The user can still choose to ignore the warning and send using the encryption key originally chosen. If you disable or do not configure this policy setting, a dialog warning will be shown to the user if the user attempts to send a message using encryption. The user can still choose to ignore the warning and send using the encryption key originally chosen.
Check Content
Verify the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Cryptography >> Minimum encryption settings is set to "Enabled" and a Minimum key size (in bits) of "168" or above. Use the Windows Registry to navigate to the following key: HKCU\software\policies\microsoft\office\16.0\outlook\security If the value for minenckey is set to 168 or above, this is not a finding.
Fix Text
Set the policy value for User Configuration >> Administrative Templates >> Microsoft Outlook 2016 >> Security >> Cryptography >> Minimum encryption settings to "Enabled"and a Minimum key size (in bits) of "168" or above.
Additional Identifiers
Rule ID: SV-223356r961905_rule
Vulnerability ID: V-223356
Group Title: SRG-APP-000630
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002450 |
Implement organization-defined types of cryptography for each specified cryptography use. |
Controls
Number | Title |
---|---|
SC-13 |
Cryptographic Protection |