2.3.27.12 Ensure 'Encryption mode for Information Rights Management (IRM)' is set to 'Enabled: Cipher Block Chaining (CBC)'

Information

This setting controls the encryption mode that Office uses to protect content with Information Rights Management.

For Microsoft 365 Apps (Version 2304 or later): Cipher Block Chaining (CBC) mode is used

For earlier Microsoft 365 Apps and Office LTSC 2021, 2019, and 2016: Electronic Codebook (ECB) mode is used

The recommended state for this setting is: Enabled: Cipher Block Chaining (CBC).

Rationale:

Electronic Codebook (ECB) has several weaknesses, such as the lack of diffusion, determinism, and susceptibility to pattern attacks. As a result, organizations like NIST and ISO recommend against its use.

To ensure a higher level of security, Cipher Block Chaining (CBC) can be enforced. This block cipher mode will be used to encrypt IRM content with applications like Excel, PowerPoint, Word, Visio, or Outlook, regardless of their versions.

Impact:

There is no impact or additional overhead associated with using CBC over ECB.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Cipher Block Chaining (CBC):

User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Encryption mode for Information Rights Management (IRM)

Default Value:

For Microsoft 365 Apps (Version 2304 or later): Cipher Block Chaining (CBC) mode is used by default

For earlier Microsoft 365 Apps and Office LTSC 2021, 2019, and 2016: Electronic Codebook (ECB) mode is used by default

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-15

Plugin: Windows

Control ID: 39dd61897c869ef5485fca941fb26e2364e448a6173e933ade6f8ae3c145a07d