1.13.2.6 Ensure 'S/MIME interoperability with external clients' is set to Enabled:Handle internally

Information

This policy setting controls whether Outlook decodes encrypted messages itself or passes them to an external program for processing.
If you enable this policy setting, you can choose from three options for configuring external S/MIME clients:
- Handle internally. Outlook decrypts all S/MIME messages itself.
- Handle externally. Outlook hands all S/MIME messages off to the configured external program.
- Handle if possible. Outlook attempts to decrypt all S/MIME messages itself. If it cannot decrypt a message, Outlook hands the message off to the configured external program. This option is the default configuration.
If you disable or do not configure this policy setting, the behavior is equivalent to selecting Enabled: Handle if possible. The recommended state for this setting is: Enabled:Handle internally.

Rationale:

In some situations, administrators might wish to use an external program, such as an add-in, to handle S/MIME message decryption. If your organization works with encrypted messages that the decryption functionality in Outlook cannot handle appropriately, this setting can be used to configure Outlook to hand S/MIME messages off to an external program for decryption. If no external program has been authorized, however, misconfiguring this setting could allow unauthorized and potentially dangerous programs to handle encrypted messages, which could compromise security.

Solution

To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Cryptography\S/MIME interoperability with external clients

Then set the Behavior for handling S/MIME messages: option to Handle internally.
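The procedure above is applied through the Group Policy editor. For auditing a fleet, the same policy is written by Group Policy into a per-user registry value, which can be read and, if needed, remediated with PowerShell. The script below is an added example and is not part of this benchmark or of Microsoft's tooling. It assumes two things that this page does not state and that must be confirmed against the Outlook 2016 ADMX template before use: the registry key path and value name (both given here as placeholders), and the assumption that the DWORD values 0, 1 and 2 correspond to the three options in the order the policy UI lists them (Handle internally, Handle externally, Handle if possible). An absent value is reported as "not configured", which per the text above behaves as Handle if possible and is therefore non-compliant.

```powershell
# Added example: audit and remediate the Outlook "S/MIME interoperability with
# external clients" policy through its registry-based policy value.
# ASSUMPTION: key path and value name below are PLACEHOLDERS; take the real
# ones from the Outlook 2016 ADMX template before running this.
$PolicyKeyPath   = 'HKCU:\Software\Policies\<OUTLOOK_SECURITY_POLICY_PATH_PLACEHOLDER>'
$PolicyValueName = '<SMIME_INTEROP_VALUE_NAME_PLACEHOLDER>'

# ASSUMPTION: numeric mapping follows the order of the options in the policy UI.
$BehaviorNames = @{
    0 = 'Handle internally'
    1 = 'Handle externally'
    2 = 'Handle if possible'
}
$RecommendedValue = 0   # Enabled: Handle internally

function Get-OutlookSmimeInteropState {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = $PolicyKeyPath,
        [string]$ValueName = $PolicyValueName
    )
    # A missing key or value means the policy is not configured, which the
    # benchmark text says behaves like "Handle if possible".
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Configured = $false
            RawValue   = $null
            Behavior   = 'Handle if possible (not configured)'
            Compliant  = $false
        }
    }

    $raw = [int]$item.$ValueName
    $name = if ($BehaviorNames.ContainsKey($raw)) { $BehaviorNames[$raw] } else { "Unknown value $raw" }
    return [pscustomobject]@{
        Configured = $true
        RawValue   = $raw
        Behavior   = $name
        Compliant  = ($raw -eq $RecommendedValue)
    }
}

function Set-OutlookSmimeInteropInternal {
    # Writes the recommended state. Prefer applying this through a GPO so the
    # value is enforced and refreshed; direct registry writes are for labs and
    # one-off remediation.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$KeyPath   = $PolicyKeyPath,
        [string]$ValueName = $PolicyValueName
    )
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set DWORD to $RecommendedValue (Handle internally)")) {
        if (-not (Test-Path -Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $RecommendedValue -Type DWord
    }
    return Get-OutlookSmimeInteropState -KeyPath $KeyPath -ValueName $ValueName
}

# Usage: report the current state, then remediate only when non-compliant.
$state = Get-OutlookSmimeInteropState
$state | Format-List
if (-not $state.Compliant) {
    Set-OutlookSmimeInteropInternal -WhatIf   # drop -WhatIf to apply
}
```

Run the audit part under the user whose Outlook profile is in scope, since the policy lives under HKCU; for domain-wide verification, collect the returned objects centrally and flag any record where Compliant is false or Behavior reports an unknown value, the latter being the case the Rationale section warns about.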

Impact:

The recommended configuration for this setting is 'Handle internally,' which enforces the default configuration in Outlook and is therefore unlikely to cause usability issues for most users. If you have a designated external program that you would like to use for handling S/MIME messages, you will need to select one of the other two options from the drop-down menu.

See Also

https://workbench.cisecurity.org/files/553

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8(1)

Plugin: Windows

Control ID: 69f9356bc7b00d2434381cdc434529b7871d590e6ec2b629f6b857899ea60c53