1.13.2.4 Ensure 'Message Formats' is set to Enabled:S/MIME and Fortezza

Information

This policy setting controls which message encryption formats Outlook can use. Outlook supports three formats for encrypting and signing messages: S/MIME, Exchange, and Fortezza.
If you enable this policy setting, you can specify whether Outlook can use S/MIME (the default), Exchange, or Fortezza encryption, or any combination of these options. Users will not be able to change this configuration.
If you disable or do not configure this policy setting, Outlook only uses S/MIME to encrypt and sign messages. If you disable this policy setting, users will not be able to change this configuration.
The recommended state for this setting is: Enabled:S/MIME and Fortezza.

Rationale:

E-mail typically travels over open networks and is passed from server to server. Messages are therefore vulnerable to interception, and attackers might read or alter their contents. It is therefore important to have a mechanism for signing messages and providing end-to-end encryption.
Outlook supports three formats for encrypting and signing messages: S/MIME, Exchange, and Fortezza. By default, Outlook only uses S/MIME to encrypt and sign messages. If your organization has policies that mandate the use of specific encryption formats, allowing users to choose freely between these formats could cause them to violate such policies.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Cryptography\Message Formats

Then set the 'Support the following message formats:' option to 'S/MIME and Fortezza'.

Impact:

Enabling this setting and selecting 'S/MIME, Exchange, and Fortezza' from the drop-down list adds support for Fortezza, a hardware-based encryption standard created by the National Security Agency (NSA), a division of the United States Department of Defense. If your organization uses Fortezza, you will have to use this setting to add support for Fortezza to Outlook. The recommended SSLF configuration does not eliminate support for S/MIME, so implementing this recommendation should not affect users who need access to the S/MIME encryption and signing functionality in Outlook.

See Also

https://workbench.cisecurity.org/files/553

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Windows

Control ID: 43c65fc72555d08d123fc8e85b49b83a30a70955209ae30cff80e11fc8967a16