18.9.65.3 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'

Information

This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files.

The recommended state for this setting is: Disabled.

Rationale:

Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Search\Allow indexing of encrypted files

Note: This Group Policy path is provided by the Group Policy template Search.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.

Default Value:

Disabled. (Search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores.)

Additional Information:

Microsoft Windows Server 2016 Security Technical Implementation Guide:

Version 2, Release 2, Benchmark Date: May 04, 2021



Vul ID: V-224952

Rule ID: SV-224952r569186_rule

STIG ID: WN16-CC-000440

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/3476

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|14.8

Plugin: Windows

Control ID: 3fbc07bf81a1b97aa44a60082130a911c5ef059987ca82e3305349b9fe64bb67