Outlook: Disable Automatic Signing of Replies

💼 Management Summary

Disabling automatic digital signing of reply e-mails gives users deliberate control over when digital signatures are used, which prevents unintended legal implications and certificate exposure in non-confidential communication.

Recommendation: IMPLEMENT
Risk without implementation: Low
Risk Score: 3/10
Implementation: 2h (tech: 1h)
Applies to:
✓ Microsoft Office 365 ProPlus
✓ Microsoft Outlook 2016
✓ Microsoft Outlook 2019
✓ Microsoft Outlook 2021
✓ Microsoft 365 Apps

Digitally signing e-mails has legal and security implications. Automatically signing every reply creates risks:

**Legal binding**: Digital signatures carry legal weight. Automatically signing every casual reply can create unintended legal commitments.

**Certificate exposure**: Every signed message exposes the user's public key and certificate information, which can be used for reconnaissance.

**Non-repudiation**: Digitally signed e-mails cannot be denied (non-repudiation). This is desirable for formal documents but problematic for casual communications.

**Performance impact**: Signing operations have computational overhead, especially with large-scale e-mail.

**User confusion**: Users may not understand when signing happens and what the implications are.

With auto-signing disabled, users can deliberately choose when digital signatures are appropriate (contracts, formal approvals) versus casual communications (team updates, social).

Required PowerShell Modules
Primary API: Registry / Group Policy
Connection: Local registry access or Group Policy Management
Required Modules: Windows PowerShell 5.1 or later

Implementation

This security control sets the registry value 'noautosignreplies' to 1. This prevents Outlook from automatically digitally signing reply e-mails. Users can still manually choose to sign specific e-mails via Message Options. Registry path: HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security. Applies to Office 2016 and later.

Requirements

  1. Microsoft Office 2016+
  2. S/MIME certificates (if signing is used)
  3. Administrator rights for registry/GPO changes
  4. Windows PowerShell 5.1+
  5. User training on when digital signatures are appropriate

Implementation

Use the PowerShell script no-auto-sign-replies.ps1 (function Invoke-Remediation) – PowerShell script for disabling automatic reply signing.

**Group Policy**: GPMC → Registry item: HKCU\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security, Value: noautosignreplies=1 (DWORD). **Intune**: Settings catalog → Microsoft Outlook 2016 → Security → No auto-sign replies: Enabled.

Monitoring

Use the PowerShell script no-auto-sign-replies.ps1 (function Invoke-Monitoring) – Check.

Monitor registry compliance, user feedback on the signing workflow, and incident tracking for unintended legal implications caused by auto-signing.
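Because the policy lives under HKCU, a check run in one session only covers that one user. The following added example (not part of no-auto-sign-replies.ps1) reports the value for every user hive currently loaded under HKEY_USERS and also verifies the value type, since a REG_SZ "1" would pass a loose `-eq 1` comparison. The function name Get-AutoSignReplyCompliance is hypothetical; it assumes an elevated session and only sees profiles that are currently loaded.

```powershell
# Added example: per-user compliance report for noautosignreplies.
# Assumptions: elevated session; only hives loaded under HKEY_USERS are visible.
$subKey    = 'Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security'
$valueName = 'noautosignreplies'

function Get-AutoSignReplyCompliance {
    # Keep real user SIDs only: skips .DEFAULT, service accounts and *_Classes hives
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        Select-Object -ExpandProperty PSChildName

    foreach ($sid in $sids) {
        $path   = "Registry::HKEY_USERS\$sid\$subKey"
        $status = 'NotConfigured'
        $value  = $null
        $kind   = $null

        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($key -and ($key.GetValueNames() -contains $valueName)) {
            $value = $key.GetValue($valueName)
            $kind  = $key.GetValueKind($valueName)
            # The policy is a DWORD; any other type is reported separately
            if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                $status = 'WrongType'
            } elseif ($value -eq 1) {
                $status = 'Compliant'
            } else {
                $status = 'NonCompliant'
            }
        }

        # Resolve the SID to an account name where possible
        try {
            $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
            $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid
        }

        [pscustomobject]@{
            Account = $account
            Sid     = $sid
            Value   = $value
            Kind    = $kind
            Status  = $status
        }
    }
}

Get-AutoSignReplyCompliance | Format-Table -AutoSize
```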

Compliance

  1. DISA STIG O365-OU-000010
  2. BIO U.10.1.1 - Cryptographic measures
  3. ISO 27001 A.8.24 - Use of cryptography

Remediation

Use the PowerShell script no-auto-sign-replies.ps1 (function Invoke-Remediation) – Remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
```powershell
# Control: O365-OU-000011 - no auto sign replies
#Requires -Version 5.1
# DISA STIG Microsoft Office 365 ProPlus v3r3

param(
    [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security",
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

# Returns $true when noautosignreplies is set to 1, otherwise $false
function Invoke-Monitoring {
    Write-Host "Monitoring O365-OU-000011: no auto sign replies" -ForegroundColor Green

    try {
        $valueName = "noautosignreplies"
        $expectedValue = 1

        if (-not (Test-Path $RegistryPath)) {
            Write-Host "✗ Registry path does not exist: $RegistryPath" -ForegroundColor Red
            return $false
        }

        $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue

        if ($currentValue -and $currentValue.$valueName -eq $expectedValue) {
            Write-Host "✓ Control compliant: $valueName = $expectedValue" -ForegroundColor Green
            return $true
        }
        else {
            $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" }
            Write-Host "✗ Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red
            return $false
        }
    }
    catch {
        Write-Host "✗ Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Creates the policy key if needed, sets the DWORD and re-checks compliance
function Invoke-Remediation {
    Write-Host "Remediating O365-OU-000011: no auto sign replies" -ForegroundColor Yellow

    try {
        $valueName = "noautosignreplies"
        $expectedValue = 1

        # Honour -WhatIf here as well, so a dry run never writes to the registry
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would set $valueName = $expectedValue" -ForegroundColor Cyan
            return $true
        }

        if (-not (Test-Path $RegistryPath)) {
            Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow
            New-Item -Path $RegistryPath -Force | Out-Null
        }

        Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force
        Write-Host "✓ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green

        Start-Sleep -Seconds 1
        $complianceResult = Invoke-Monitoring
        return $complianceResult
    }
    catch {
        Write-Host "✗ Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Removes the policy value again
function Invoke-Revert {
    Write-Host "Reverting O365-OU-000011: no auto sign replies" -ForegroundColor Yellow

    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would remove registry value" -ForegroundColor Cyan
            return $true
        }

        $valueName = "noautosignreplies"

        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
            Write-Host "  Removed registry value: $valueName" -ForegroundColor Green
        }
        return $true
    }
    catch {
        Write-Host "  Error during revert: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Main execution
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    }
    elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    }
    elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    }
    else {
        Write-Host "Usage: .\no-auto-sign-replies.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
        Write-Host "  -Monitoring: Check current compliance status" -ForegroundColor White
        Write-Host "  -Remediation: Apply recommended configuration" -ForegroundColor White
    }
}
catch {
    Write-Host "Script execution error: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
```

Risk without implementation

Low: Low risk but preventable: automatic signing creates unintended legal implications, exposes certificates unnecessarily, and users have no control over signing decisions.

Management Summary

Disable automatic signing of replies. Users can choose manual signing for formal communications. Implementation: 2 hours.