2.14 Set 'Promote Level 2 errors as errors, not warnings' to 'Disabled'

Information

This policy setting allows you to treat Level 2 errors as warnings instead of errors. Level 2
errors occur when the message signature appears to be valid, but there are other issues
with the signature.
If you enable this policy setting, Level 2 errors will be treated as warnings.
If you disable or do not configure this policy setting, Level 2 errors will be treated as errors
When you specify a value for PromoteErrorsAsWarnings, note that potential Level 2 error
conditions include the following-

. Unknown Signature Algorithm
. No Signing Certification Found
. Bad Attribute Sets
. No Issuer Certificate found
. No CRL Found
. Out-of-date CRL
. Root Trust Problem
. Out-of-date CTL The recommended state for this setting is- Disabled.


*Rationale*

Cryptographic errors in Outlook are classified as Level 1 (serious errors) or Level 2 (not as
serious). By default, Outlook generates a warning, rather than an error, when a level 2
condition occurs- the certificate that generated the warning is treated as valid, and the user
is not informed of the problem unless he or she opens the Signature Details dialog box and
examines the certificate. Potential level 2 conditions include the following-

. Unknown Signature Algorithm
. No Signing Certification Found
. Bad Attribute Sets
. No Issuer Cert found
. No CRL Found
. Out of Date CRL
. Root Trust Problem
. Out of Date CRTIn some cases, treating level 2 conditions as warnings can cause users to overlook
potentially significant signature problems.

Solution

To implement the recommended configuration state, set the following Group Policy setting
to Disabled.

User Configuration\Administrative Templates\Microsoft Outlook
2010\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as
errors, not warnings

Impact-Disabling this setting can cause disruptions for users who work with digital certificates in
Outlook. These users may experience an increased number of errors that prevent them
from working effectively with e-mail, which could increase desktop support requests.

See Also

https://workbench.cisecurity.org/files/530

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11

Plugin: Windows

Control ID: 985d52af01522d225fd375c7f846d06887f951155d8c2d50a3a5a333e8dbd580