2.3.27.14 Ensure 'Encryption type for password protected Office Open XML files' is set to 'Enabled'

Information

This policy setting allows for specification of an encryption type for Office Open XML files.

The chosen encryption type must have a corresponding cryptographic service provider (CSP) installed on the computer that encrypts the file.

Note: This policy setting does not take effect unless the registry key
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\<office application name>\Security\Crypto\CompatMode is set to 0. By default the CompatMode registry key is set to 1.

The recommended state for this setting is: Enabled: Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256.

Rationale:

If unencrypted files are intercepted, sensitive information in the files can be compromised. To protect information confidentiality, Office application files can be encrypted and password protected. Only users who know the correct password will be able to decrypt such files.

Impact:

Consider the needs of the organization and users when selecting an encryption method to enforce. If working for a government agency, contracting for a government agency, or otherwise working with very sensitive information, select a method that complies with policies that govern how such information is processed. Remember to ensure that the selected cryptographic service provider is installed on the computers of all users who need to work with password-protected Office Open XML files.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256:

User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Encryption type for password protected Office Open XML files
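The following PowerShell audit script is an added example, not part of the benchmark text or of any Tenable or CIS audit file. It checks the two registry settings that together make this recommendation effective for the current user: the per-application CompatMode value named in the note above (path taken from the benchmark), and the policy value that the GPO setting writes. The policy value name 'OpenXMLEncryption' and its location under HKCU\Software\Policies\Microsoft\Office\16.0\Common\Security\Crypto are assumptions about the Office 2016 ADMX mapping and should be confirmed against the ADMX file in use; the expected string and the default CompatMode of 1 come from the page.

```powershell
# Added audit script (not benchmark or Tenable code). Run in the context of the
# user whose Office settings are being checked, because both keys live in HKCU.
#
# Check 1: the policy value written by the GPO setting.
#   ASSUMPTION: stored as string value 'OpenXMLEncryption' under
#   HKCU\Software\Policies\Microsoft\Office\16.0\Common\Security\Crypto.
# Check 2: CompatMode under HKCU\Software\Microsoft\Office\16.0\<app>\Security\Crypto
#   must be 0 (path and default of 1 taken from the benchmark note).
param(
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
    [switch]$FixCompatMode   # optionally set CompatMode to 0 for the listed apps
)

$Expected   = 'Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256'
$PolicyKey  = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Security\Crypto'
$PolicyName = 'OpenXMLEncryption'   # assumed value name, see header comment

function Get-RegValue {
    # Returns the named value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Check 1: policy value matches the recommended CSP / algorithm / key length.
$actual   = Get-RegValue -Path $PolicyKey -Name $PolicyName
$policyOk = ($actual -eq $Expected)
[PSCustomObject]@{
    Check    = "Policy '$PolicyName'"
    Expected = $Expected
    Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
    Status   = if ($policyOk) { 'PASS' } else { 'FAIL' }
}

# Check 2: CompatMode per application; a missing value means the default of 1,
# under which the policy above is ignored.
foreach ($app in $Apps) {
    $key  = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\Crypto"
    $mode = Get-RegValue -Path $key -Name 'CompatMode'
    $effective = if ($null -eq $mode) { 1 } else { [int]$mode }
    if ($FixCompatMode -and $effective -ne 0) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name 'CompatMode' -PropertyType DWord `
            -Value 0 -Force | Out-Null
        $effective = 0
    }
    [PSCustomObject]@{
        Check    = "$app CompatMode"
        Expected = 0
        Actual   = $effective
        Status   = if ($effective -eq 0) { 'PASS' } else { 'FAIL' }
    }
}
```

Run it without switches to produce a PASS/FAIL table; `-FixCompatMode` only corrects the CompatMode prerequisite, since the encryption type itself should be enforced through the Group Policy path above rather than by writing the policy key directly.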

Default Value:

Enabled. (CSP used is Microsoft Enhanced RSA and AES Cryptographic Provider, AES-128, 128-bit)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SA-15, 800-53|SC-28, 800-53|SC-28(1)

Plugin: Windows

Control ID: a695eac62780c99efbcdc2131b37dfa8e243d2587d30ce3bf92dead705d7254b