2.5.14.2.1.4 Ensure 'Promote Level 2 errors as errors, not warnings' is set to 'Disabled'

Information

This policy setting allows the configuration of Level 2 errors as warnings instead of errors. Level 2 errors occur when the message signature appears to be valid, but there are other issues with the signature.

Note: Potential Level 2 error conditions include the following:

Unknown Signature Algorithm

No Signing Certification Found

Bad Attribute Sets

No Issuer Certificate found

No CRL Found

Out-of-date CRL

Root Trust Problem

Out-of-date CTL

The recommended state for this setting is: Disabled.

Note: The title of the Group Policy text is slightly misleading. Promote Level 2 errors as errors, not warnings should actually read Promote Level 2 errors as warnings, not errors which would align more closely with the description of the various states Enable/Disable.

Rationale:

Cryptographic errors in Outlook are classified as Level 1 (serious errors) or Level 2 (not as serious). By default, Outlook generates a warning, rather than an error, when a level 2 condition occurs: the certificate that generated the warning is treated as valid, and the user is not informed of the problem unless he or she opens the Signature Details dialog box and examines the certificate.

In some cases, treating level 2 conditions as warnings can cause users to overlook potentially significant signature problems.

Impact:

Disabling this setting can cause disruptions for users who work with digital certificates in Outlook. These users may experience an increased number of errors that prevent them from working effectively with e-mail, which could increase desktop support requests.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

User Configuration\Administrative Templates\Microsoft Outlook 2016\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings

Default Value:

Disabled. (Level 2 errors will be treated as errors.)

See Also

https://workbench.cisecurity.org/benchmarks/12129

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-11

Plugin: Windows

Control ID: 411ca9352590658a5eb6ce27858f97c4fd1d2675545edf3a46cf02400890b490