Enable the feature and configure the maximum S/Mime password time setting.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-17792	DTOO259 - Office	SV-19014r1_rule		Medium

Description
Key Management Server (KMS) was a product that could be integrated with certain versions of Microsoft Exchange Server prior to Exchange 2000 SP2. Users must supply a password to use certificates issued by KMS to sign or decrypt e-mail messages. When Outlook 2007 prompts users for the correct password, they can specify a length of time in minutes for Outlook to cache the password. Users will not be prompted to continually reenter the password during the specified time period. By default, Outlook remembers KMS passwords for 30 minutes, which users can change to any number of minutes up to 300. The longer the period of time a user specifies, the greater the chance that an unauthorized person can use the user's computer to access sensitive information.

Description

Key Management Server (KMS) was a product that could be integrated with certain versions of Microsoft Exchange Server prior to Exchange 2000 SP2. Users must supply a password to use certificates issued by KMS to sign or decrypt e-mail messages. When Outlook 2007 prompts users for the correct password, they can specify a length of time in minutes for Outlook to cache the password. Users will not be prompted to continually reenter the password during the specified time period. By default, Outlook remembers KMS passwords for 30 minutes, which users can change to any number of minutes up to 300. The longer the period of time a user specifies, the greater the chance that an unauthorized person can use the user's computer to access sensitive information.

STIG	Date
Microsoft Outlook 2007	2015-09-17

Details

Check Text ( C-19045r1_chk )
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography “S/MIME password settings” will be set to “Enabled” and Maximum S/MIME password time will be set to 300. Procedure: Use the Windows Registry Editor to navigate to the following key: HKCU\Software\Policies\Microsoft\Cryptography\Defaults\Provider\ Microsoft Exchange Cryptographic Provider v1.0 Criteria: If the value MaxPwdTime is REG_DWORD = 12c (hex) or 300 (decimal), this is not a finding.

Check Text ( C-19045r1_chk )

The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography “S/MIME password settings” will be set to “Enabled” and Maximum S/MIME password time will be set to 300.

Procedure: Use the Windows Registry Editor to navigate to the following key:

HKCU\Software\Policies\Microsoft\Cryptography\Defaults\Provider\ Microsoft Exchange Cryptographic Provider v1.0

Criteria: If the value MaxPwdTime is REG_DWORD = 12c (hex) or 300 (decimal), this is not a finding.

Fix Text (F-17692r1_fix)
The policy value for User Configuration -> Administrative Templates -> Microsoft Office Outlook 2007 -> Security -> Cryptography “S/MIME password settings” will be set to “Enabled” and Maximum S/MIME password time will be set to 300.