Outlook: Minimum S/MIME Encryption 256-bit

💼 Management Summary

Sets the minimum key length for S/MIME email encryption to 256 bits (AES-256). Outlook then warns whenever a message would be encrypted with a weaker algorithm (AES-128, AES-192 or Triple-DES), keeping outbound S/MIME mail in line with the DISA STIG for Office 365 ProPlus and with current cryptographic baselines.

Recommendation
IMPLEMENT IF S/MIME IS USED
Risk without
Low
Risk Score
4/10
Implementation
2 h (technical: 1 h)
Applies to:
✓ Microsoft Outlook

S/MIME encryption is end-to-end encryption of the message body and attachments, based on user certificates (PKI). Outlook's "Minimum encryption settings" policy compares the nominal key length of the symmetric algorithm chosen for a message with the configured minimum. When the policy is not configured, Outlook uses a minimum of 168 bits, which already flags AES-128 but still accepts Triple-DES (168-bit nominal key, 112-bit effective strength). Raising the minimum to 256 is what actually removes Triple-DES and AES-192 from outbound S/MIME mail. AES-128 itself is not deprecated by BIO, ISO 27001 or NIS2; those frameworks require documented use of strong, current cryptography, and the 256-bit minimum is the baseline value the DISA STIG for Office 365 ProPlus (O365-OU-000004) prescribes for Outlook. Weak or undocumented encryption is therefore a compliance gap rather than a practical break of confidentiality.
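The policy above only governs what Outlook is willing to send; it does not tell you what algorithm an existing S/MIME message actually used. The following PowerShell is an added example, not code from the original page or from the DISA STIG: it decodes the EnvelopedData structure that S/MIME stores in the smime.p7m attachment, reads the content-encryption algorithm OID without needing any private key, and compares the nominal key length with the 256-bit minimum. It targets PowerShell 7 (.NET 6 or later, where System.Security.Cryptography.Pkcs ships with pwsh); the function names, the OID table and the throw-away self-signed certificate used to build constructed test messages are all assumptions of this example.

```powershell
# Added example (not part of the original page or of the DISA STIG): inspect the symmetric
# algorithm inside an S/MIME EnvelopedData blob (the binary content of the smime.p7m
# attachment) and compare it with the minimum that the MinEncKey policy enforces.
# Targets PowerShell 7 (.NET 6+), where System.Security.Cryptography.Pkcs ships with pwsh.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.Pkcs
using namespace System.Security.Cryptography.X509Certificates

# Content-encryption algorithms that S/MIME clients commonly negotiate, with the nominal
# key length Outlook compares against MinEncKey (3DES counts as 168, not its 112-bit strength).
$script:CekAlgorithms = @{
    '1.2.840.113549.3.7'      = @{ Name = 'des-ede3-CBC'; Bits = 168 }
    '2.16.840.1.101.3.4.1.2'  = @{ Name = 'aes128-CBC';   Bits = 128 }
    '2.16.840.1.101.3.4.1.22' = @{ Name = 'aes192-CBC';   Bits = 192 }
    '2.16.840.1.101.3.4.1.42' = @{ Name = 'aes256-CBC';   Bits = 256 }
}

function Get-SmimeContentEncryption {
    # Decodes DER EnvelopedData without decrypting it (no private key needed) and reports
    # which symmetric algorithm protected the body and whether it meets the policy minimum.
    param(
        [Parameter(Mandatory)][byte[]]$EnvelopedData,
        [int]$MinimumKeyLength = 256
    )
    $cms = [EnvelopedCms]::new()
    $cms.Decode($EnvelopedData)            # throws CryptographicException if not EnvelopedData
    $oid  = $cms.ContentEncryptionAlgorithm.Oid.Value
    $info = $script:CekAlgorithms[$oid]
    [pscustomobject]@{
        Oid          = $oid
        Algorithm    = if ($info) { $info.Name } else { 'unknown' }
        KeyBits      = if ($info) { $info.Bits } else { 0 }
        Recipients   = $cms.RecipientInfos.Count
        MeetsMinimum = [bool]($info -and $info.Bits -ge $MinimumKeyLength)
    }
}

function New-SampleEnvelopedData {
    # Constructed test input: encrypts a short body to a throw-away self-signed RSA certificate
    # with the requested content-encryption OID. Only the public key is used for Encrypt().
    param([string]$ContentEncryptionOid, [string]$Body = 'constructed S/MIME test body')
    $req  = [CertificateRequest]::new('CN=smime-test', [RSA]::Create(2048),
                                      [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
    $content = [ContentInfo]::new([Text.Encoding]::UTF8.GetBytes($Body))
    $cms = [EnvelopedCms]::new($content, [AlgorithmIdentifier]::new([Oid]::new($ContentEncryptionOid)))
    $cms.Encrypt([CmsRecipient]::new($cert))
    return ,$cms.Encode()                  # leading comma keeps the byte[] in one piece
}

# Demo: AES-128 falls below a 256-bit minimum (Outlook would show its warning), AES-256 passes.
# For a real message, replace the sample with [IO.File]::ReadAllBytes('smime.p7m'); if you
# extracted the part from raw mail, base64-decode the MIME body first.
foreach ($oid in '2.16.840.1.101.3.4.1.2', '2.16.840.1.101.3.4.1.42') {
    $blob = New-SampleEnvelopedData -ContentEncryptionOid $oid
    Get-SmimeContentEncryption -EnvelopedData $blob -MinimumKeyLength 256
}
```

Running the demo yields two rows: the first with Algorithm aes128-CBC and MeetsMinimum False, the second with aes256-CBC and MeetsMinimum True. Pointing Get-SmimeContentEncryption at exported .p7m attachments from a mailbox is a quick way to audit whether the 256-bit minimum is actually being honoured in practice, which a registry check alone cannot show.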

Implementation

Minimum encryption: AES-256 required. AES-128, AES-192 and Triple-DES (legacy) fall below the minimum; Outlook warns before sending with any of them, and the user has to explicitly override the warning.

Requirements

  1. Outlook 2016 or later (including Microsoft 365 Apps)
  2. S/MIME certificates issued to users (the control only has effect if S/MIME is used)
  3. Intune or Group Policy to deploy the user-scope policy

Implementation

Intune Settings Catalog: Microsoft Outlook 2016 > Security > Cryptography > Minimum encryption settings: Enabled, value 256. Group Policy equivalent: User Configuration > Administrative Templates > Microsoft Outlook 2016 > Security > Cryptography > Minimum encryption settings. Both write the REG_DWORD value MinEncKey = 256 under HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security (the 16.0 key covers Outlook 2016, 2019, 2021 and Microsoft 365 Apps).

Compliance and Auditing

BIO 10.01 (use of strong cryptography), ISO 27001 A.8.24 (use of cryptography), DISA STIG Microsoft Office 365 ProPlus O365-OU-000004.

Monitoring

Use the PowerShell script minimum-encryption-256.ps1 (function Invoke-Monitoring) to check the current state.

Remediation

Use the PowerShell script minimum-encryption-256.ps1 (function Invoke-Remediation) to apply the setting.

Automation

Use the PowerShell script below to monitor and implement this security control. The script provides -Monitoring (check), -Remediation (apply) and -Revert (remove the policy value again); -WhatIf shows what -Remediation or -Revert would change. Because the policy lives under HKCU, run the script in the context of the user being checked (for Intune remediations: run with the logged-on user's credentials, not as SYSTEM). Exit code 0 means compliant, 1 means non-compliant or error, which is the convention Intune remediation detection scripts expect.

```powershell
# Control: O365-OU-000004 - Minimum encryption settings must be set to 256-bit in Outlook
# Source: DISA STIG Microsoft Office 365 ProPlus v3r3
#
# The "Minimum encryption settings" policy (outlk16.admx: Microsoft Outlook 2016 > Security >
# Cryptography) is stored as the DWORD value MinEncKey under the per-user policy key. Because
# the key is HKCU, run this script as the user being checked (Intune remediations: "Run this
# script using the logged-on credentials" = Yes).
# Exit codes: 0 = compliant / remediated, 1 = non-compliant / error.
#
# Usage:
#   .\minimum-encryption-256.ps1 -Monitoring
#   .\minimum-encryption-256.ps1 -Remediation [-WhatIf]
#   .\minimum-encryption-256.ps1 -Revert [-WhatIf]
#Requires -Version 5.1
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\Outlook\Security",
    [string]$ValueName = "MinEncKey",
    [int]$MinimumKeyLength = 256,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ControlId = "O365-OU-000004"

function Get-CurrentMinimum {
    # Returns the configured minimum key length, or $null when the policy value is absent
    # (Outlook then falls back to its built-in default of 168 bits).
    if (-not (Test-Path -Path $RegistryPath)) { return $null }
    $item = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Invoke-Monitoring {
    Write-Host "Monitoring ${ControlId}: Outlook minimum encryption key length must be >= ${MinimumKeyLength}" -ForegroundColor Green
    try {
        $current = Get-CurrentMinimum
        # Any value at or above the minimum satisfies the control (AES tops out at 256 anyway)
        if ($null -ne $current -and $current -ge $MinimumKeyLength) {
            Write-Host "✓ Compliant: $ValueName = $current (minimum ${MinimumKeyLength}-bit)" -ForegroundColor Green
            return $true
        }
        $shown = if ($null -eq $current) { "not set (Outlook default 168)" } else { $current }
        Write-Host "✗ Non-compliant: $ValueName = $shown (expected >= $MinimumKeyLength)" -ForegroundColor Red
        return $false
    } catch {
        Write-Host "✗ Error reading registry setting: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Remediation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Write-Host "Remediating ${ControlId}: setting $ValueName to $MinimumKeyLength" -ForegroundColor Yellow
    try {
        if (-not (Test-Path -Path $RegistryPath)) {
            if ($PSCmdlet.ShouldProcess($RegistryPath, "Create registry key")) {
                New-Item -Path $RegistryPath -Force | Out-Null
            }
        }
        if (-not $PSCmdlet.ShouldProcess("$RegistryPath\$ValueName", "Set DWORD to $MinimumKeyLength")) {
            return $true   # -WhatIf: nothing written
        }
        Set-ItemProperty -Path $RegistryPath -Name $ValueName -Value $MinimumKeyLength -Type DWord -Force
        Write-Host "✓ Registry value set: $ValueName = $MinimumKeyLength" -ForegroundColor Green
        # Re-read the value instead of trusting the write
        return (Invoke-Monitoring)
    } catch {
        Write-Host "✗ Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Revert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Write-Host "Reverting ${ControlId}: removing $ValueName (Outlook falls back to its 168-bit default)" -ForegroundColor Yellow
    try {
        if ((Test-Path -Path $RegistryPath) -and
            $PSCmdlet.ShouldProcess("$RegistryPath\$ValueName", "Remove registry value")) {
            Remove-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
            Write-Host "Removed registry value: $ValueName" -ForegroundColor Green
        }
        return $true
    } catch {
        Write-Host "✗ Error during revert: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Main execution
try {
    if ($Monitoring) {
        exit $(if (Invoke-Monitoring) { 0 } else { 1 })
    } elseif ($Remediation) {
        exit $(if (Invoke-Remediation) { 0 } else { 1 })
    } elseif ($Revert) {
        exit $(if (Invoke-Revert) { 0 } else { 1 })
    } else {
        Write-Host "Usage: .\minimum-encryption-256.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
        Write-Host "  -Monitoring:  check current compliance status" -ForegroundColor White
        Write-Host "  -Remediation: apply the recommended configuration" -ForegroundColor White
        Write-Host "  -Revert:      remove the policy value" -ForegroundColor White
        Write-Host ""
        Write-Host "Manual configuration:" -ForegroundColor Cyan
        Write-Host "Group Policy: User Configuration > Administrative Templates > Microsoft Outlook 2016" -ForegroundColor White
        Write-Host "> Security > Cryptography > Minimum encryption settings: Enabled, 256" -ForegroundColor White
        exit 0
    }
} catch {
    Write-Host "Script execution error: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
```

Risk without implementation

Low: weak S/MIME encryption is a compliance gap rather than a practical break of confidentiality (AES-128 is not broken), and the setting only matters if S/MIME is used at all.

Management Summary

Minimum encryption: 256-bit AES for S/MIME. AES-128, AES-192 and Triple-DES fall below the minimum and trigger Outlook's warning before sending. Implementation: 1-2 hours.