1.13.2.5 Ensure 'Minimum Encryption Settings:' is set to Enabled:168

Information

This policy setting allows you to set the minimum key length for an encrypted e-mail message.
If you enable this policy setting, you may set the minimum key length for an encrypted e-mail message. Outlook will display a warning dialog if the user tries to send a message using an encryption key that is below the minimum encryption key value set. The user can still choose to ignore the warning and send using the encryption key originally chosen.
If you disable or do not configure this policy setting, a dialog warning will be shown to the user if the user attempts to send a message using encryption. The user can still choose to ignore the warning and send using the encryption key originally chosen. The recommended state for this setting is: Enabled:168.

Rationale:

Cryptographic keys are used to encrypt and decrypt messages for transmission through unsecured channels. Key sizes are measured in bits, with larger keys generally less vulnerable to attack than smaller ones. 40-bit and 56-bit keys were common in the past, but as computers have become faster and more powerful these smaller key sizes have become vulnerable to brute-force attacks in which the attacking computer rapidly runs through every possible key combination until it successfully decrypts the message. The Advanced Encryption Standard (AES) published by the United States government requires a minimum key size of 128 bits for symmetric encryption, which offers significantly more protection against brute-force attack than smaller key sizes.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2013\Security\Cryptography\Minimum encryption settings

Then set the Minimum key size (in bits): option to 168.

Impact:

Users who see the minimum encryption warning display can still choose to send the message with the selected key, so enabling this setting is unlikely to cause significant disruptions.
128-bit encryption has been widely implemented for several years. Therefore, enabling this setting is unlikely to cause any usability issues for users.

See Also

https://workbench.cisecurity.org/files/552

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-12

Plugin: Windows

Control ID: 5ca4c410829589b41d4dd63c34db876b154563a3563ffdc7d0783f7d5f4df8c8