Configuring Outlook S/MIME Message Formats

Management Summary

Configuring S/MIME (Secure/Multipurpose Internet Mail Extensions) in Outlook provides end-to-end encryption and digital signatures for e-mail, which is essential for protecting confidential communication and guaranteeing the authenticity of messages.

Recommendation
IMPLEMENT
Risk without implementation
High
Risk Score
8/10
Implementation
40h (technical: 20h)
Applies to:
✓ Microsoft Office 365 ProPlus
✓ Microsoft Outlook 2016
✓ Microsoft Outlook 2019
✓ Microsoft Outlook 2021
✓ Microsoft 365 Apps

By default, e-mail is unencrypted and can be intercepted in transit (man-in-the-middle) or on servers (admin access, breaches, lawful intercept). S/MIME addresses this:

  1. **End-to-End Encryption**: only the sender and the recipient can read the e-mail. Mail servers, ISPs and governments cannot see the content.
  2. **Digital Signatures**: verify that an e-mail actually comes from the claimed sender (anti-spoofing) and has not been modified (integrity).
  3. **Non-Repudiation**: signed e-mails cannot be denied by the sender.
  4. **Compliance**: required for regulated industries (healthcare HIPAA, finance PCI-DSS, government).

S/MIME is critical for: confidential business communications (M&A, strategic planning), Personally Identifiable Information (PII) sent by e-mail, legal communications (attorney-client privilege), executive communications (C-level, board), and compliance-regulated industries.

Without S/MIME: e-mail travels in plaintext and is susceptible to interception; spoofing attacks (CEO fraud via fake e-mails); no legal proof of sender authenticity; compliance violations for sensitive data.

PowerShell Modules Required
Primary API: Registry / Group Policy / Intune
Connection: local registry, GPO, or Intune configuration
Required modules: Windows PowerShell 5.1 or higher, PKI certificates

Implementation

S/MIME configuration involves: **PKI Infrastructure**: a Certificate Authority (CA) that issues S/MIME certificates to users. **Certificate Deployment**: distribute private keys (signing/decryption) to users, and public keys (verification/encryption) via the directory. **Outlook Configuration**: configure S/MIME settings via registry/GPO: default signing/encryption, certificate selection, algorithm preferences (AES256). **Trust Chain**: ensure the root CA certificates are distributed to all users for verification. This configuration enables automatic or manual S/MIME for confidential communications.

Prerequisites

  1. PKI infrastructure (internal CA or a commercial CA such as DigiCert)
  2. S/MIME certificates for all users who use secure e-mail
  3. Certificate deployment mechanism (GPO, Intune, SCCM)
  4. Root and intermediate CA certificates distributed via the Trusted Root store
  5. Outlook 2016+ (S/MIME support)
  6. User training on S/MIME usage: when to encrypt/sign
  7. Exchange Server/Exchange Online with S/MIME support
  8. Global Address List (GAL) with public key publishing

Implementation

**PHASE 1 - PKI Setup**: implement an internal CA or procure commercial S/MIME certificates. Configure certificate templates with the Email Protection + Digital Signature EKU. Enable auto-enrollment for domain users (if using an internal PKI).

**PHASE 2 - Certificate Deployment**: distribute private keys via auto-enrollment (internal) or manual import. Publish public keys to the GAL (Active Directory) for recipient encryption. Deploy root/intermediate CAs via GPO (Trusted Root Certification Authorities).

**PHASE 3 - Outlook S/MIME Config**: **Group Policy**: HKCU\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security registry keys for default signing/encryption. **Intune**: S/MIME configuration profile with certificate selection and algorithm preferences (AES256-CBC).

**PHASE 4 - Testing**: pilot with the security team: send signed/encrypted e-mails, verify that recipients can decrypt them, test revocation (CRL/OCSP).

Monitoring

Use the PowerShell script message-formats-smime.ps1 (function Invoke-Monitoring) to check compliance.

Monitor the S/MIME adoption rate, certificate expiration tracking, CRL/OCSP availability, user feedback on the encryption workflow, and incident tracking for encrypted e-mail delivery failures.
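The registry check in the control script only tells you that Outlook is configured for S/MIME; it says nothing about whether the user actually holds a usable certificate. The following is an added example (not part of the original control script) that covers the certificate side of the monitoring items above and of the Phase 4 revocation test: it inventories the current user's personal store for certificates with the Secure Email EKU, reports days until expiry, and builds each chain with online CRL/OCSP revocation checking. The function name `Get-SmimeCertificateStatus` and the 30-day warning threshold are assumptions for this example.

```powershell
# Added example: S/MIME certificate health check for the current user.
# Assumed names: Get-SmimeCertificateStatus, $WarnDays (not from the original script).
function Get-SmimeCertificateStatus {
    [CmdletBinding()]
    param(
        # Flag certificates that expire within this many days (assumed threshold)
        [int]$WarnDays = 30,
        # User S/MIME certificates normally live in the personal store
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    # OID of the Secure Email (emailProtection) extended key usage
    $secureEmailOid = '1.3.6.1.5.5.7.3.4'
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    $results = foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $hasSecureEmail = $false
        if ($eku) {
            $hasSecureEmail = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $secureEmailOid })
        }
        if (-not $hasSecureEmail) { continue }   # not an S/MIME certificate, skip it

        # Build the chain with online revocation checking (CRL/OCSP) for the whole chain,
        # which is what Outlook needs to succeed when it validates a signature
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chainOk = $chain.Build($cert)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey          # required for signing and decryption
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            Expiring      = ($daysLeft -le $WarnDays)
            ChainValid    = $chainOk
            ChainStatus   = if ($chainOk) { 'OK' } else { $chainErrors }
        }
    }
    return $results
}

# Usage: list the user's S/MIME certificates and flag the ones that need attention
$status = Get-SmimeCertificateStatus -WarnDays 30
if (-not $status) {
    Write-Host '✗ No certificate with the Secure Email EKU found in Cert:\CurrentUser\My' -ForegroundColor Red
} else {
    $status | Format-Table Subject, DaysLeft, Expiring, HasPrivateKey, ChainValid, ChainStatus -AutoSize
    $problems = @($status | Where-Object { $_.Expiring -or -not $_.ChainValid -or -not $_.HasPrivateKey })
    if ($problems.Count -gt 0) {
        Write-Host "✗ $($problems.Count) S/MIME certificate(s) need attention" -ForegroundColor Red
    } else {
        Write-Host '✓ All S/MIME certificates are valid and not expiring soon' -ForegroundColor Green
    }
}
```

A `ChainStatus` of `RevocationStatusUnknown` or `OfflineRevocation` on an otherwise healthy certificate usually points at the CRL/OCSP availability issue named in the monitoring list rather than at the certificate itself, so it is worth tracking separately from expiry.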

Compliance

  1. DISA STIG O365 - S/MIME configuration
  2. BIO U.10.1 - Cryptographic measures
  3. ISO 27001 A.8.24 - Use of cryptography
  4. NIS2 Article 21 - encryption requirements
  5. HIPAA (healthcare)
  6. PCI-DSS (financial data)
  7. eIDAS (qualified certificates)

Remediation

Use the PowerShell script message-formats-smime.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

```powershell
# Control: O365-OU-000011 - message formats smime
#Requires -Version 5.1
# DISA STIG Microsoft Office 365 ProPlus v3r3

param(
    [string]$RegistryPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\OUTLOOK\Security",
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert,
    [switch]$WhatIf
)

function Invoke-Monitoring {
    Write-Host "Monitoring O365-OU-000011: message formats smime" -ForegroundColor Green
    try {
        # Value the control checks: 1 = S/MIME message format configured
        $valueName     = "messageformatssmime"
        $expectedValue = 1
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "✗ Registry path does not exist: $RegistryPath" -ForegroundColor Red
            return $false
        }
        $currentValue = Get-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
        if ($currentValue -and $currentValue.$valueName -eq $expectedValue) {
            Write-Host "✓ Control compliant: $valueName = $expectedValue" -ForegroundColor Green
            return $true
        } else {
            $actualValue = if ($currentValue) { $currentValue.$valueName } else { "Not Set" }
            Write-Host "✗ Control non-compliant: $valueName = $actualValue (Expected: $expectedValue)" -ForegroundColor Red
            return $false
        }
    } catch {
        Write-Host "✗ Error checking registry setting: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Remediation {
    Write-Host "Remediating O365-OU-000011: message formats smime" -ForegroundColor Yellow
    try {
        $valueName     = "messageformatssmime"
        $expectedValue = 1
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would set $RegistryPath\$valueName = $expectedValue (DWord)" -ForegroundColor Cyan
            return $true
        }
        if (-not (Test-Path $RegistryPath)) {
            Write-Host "Creating registry path: $RegistryPath" -ForegroundColor Yellow
            New-Item -Path $RegistryPath -Force | Out-Null
        }
        Set-ItemProperty -Path $RegistryPath -Name $valueName -Value $expectedValue -Type DWord -Force
        Write-Host "✓ Registry value set successfully: $valueName = $expectedValue" -ForegroundColor Green
        Start-Sleep -Seconds 1
        # Re-check so the exit code reflects the state actually written
        $complianceResult = Invoke-Monitoring
        return $complianceResult
    } catch {
        Write-Host "✗ Error configuring registry setting: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

function Invoke-Revert {
    Write-Host "Reverting O365-OU-000011: message formats smime" -ForegroundColor Yellow
    try {
        if ($WhatIf) {
            Write-Host "  [WhatIf] Would remove registry value" -ForegroundColor Cyan
            return $true
        }
        $valueName = "messageformatssmime"
        if (Test-Path $RegistryPath) {
            Remove-ItemProperty -Path $RegistryPath -Name $valueName -ErrorAction SilentlyContinue
            Write-Host "  Removed registry value: $valueName" -ForegroundColor Green
        }
        return $true
    } catch {
        Write-Host "  Error during revert: $($_.Exception.Message)" -ForegroundColor Red
        return $false
    }
}

# Main execution
try {
    if ($Monitoring) {
        $result = Invoke-Monitoring
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Remediation) {
        $result = Invoke-Remediation
        exit $(if ($result) { 0 } else { 1 })
    } elseif ($Revert) {
        $result = Invoke-Revert
        exit $(if ($result) { 0 } else { 1 })
    } else {
        Write-Host "Usage: .\message-formats-smime.ps1 [-Monitoring] [-Remediation] [-Revert] [-WhatIf]" -ForegroundColor Yellow
        Write-Host "  -Monitoring:  Check current compliance status" -ForegroundColor White
        Write-Host "  -Remediation: Apply recommended configuration" -ForegroundColor White
        Write-Host "  -Revert:      Remove the registry value set by -Remediation" -ForegroundColor White
    }
} catch {
    Write-Host "Script execution error: $($_.Exception.Message)" -ForegroundColor Red
    exit 1
}
```

Risk without implementation

High: confidential e-mail travels unencrypted and is susceptible to man-in-the-middle attacks, server breaches and lawful intercept. Compliance violations for regulated industries. CEO fraud via spoofed e-mails.

Management Summary

Implement S/MIME for end-to-end e-mail encryption and digital signatures. Requires PKI infrastructure and certificate deployment. Critical for confidential communications and compliance. Implementation: 40 hours.