STIGQter: STIG Summary: Exchange 2010 Client Access Server STIG, Version: 1, Release: 9, Benchmark Date: 27 Jan 2017

Exchange ActiveSync (EAS) must only use certificate-based authentication to access email.

DISA Rule

SV-50983r2_rule

Vulnerability Number

V-39167

Group Title

Exch-1-502

Rule Version

Exch-1-502

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Open the Exchange Management Shell and enter the following command:

Set-ActiveSyncVirtualDirectory -Identity "ClientAccessServerName\Microsoft-Server-ActiveSync (Default Web Site)" -ClientCertAuth "Required" -WindowsAuthEnabled:$False -InternalAuthenticationMethods "Certificate" -ExternalAuthenticationMethods "Certificate" -ExternalUrl "https://mail-site.easf.csd.disa.mil/Microsoft-Server-ActiveSync"

Check Contents

Open the Exchange Management Shell and enter the following commands:

Get-ActiveSyncVirtualDirectory -Identity "<Identity Name>\Microsoft-Server-ActiveSync (Default Web Site)" | fl BasicAuthEnabled,WindowsAuthEnabled,ClientCertAuth,WebSiteSSLEnabled,InternalAuthenticationMethods,ExternalAuthenticationMethods

These should be the results returned:

BasicAuthEnabled : False
WindowsAuthEnabled : False
ClientCertAuth : Required
WebSiteSSLEnabled : True
InternalAuthenticationMethods : {Certificate}
ExternalAuthenticationMethods : {Certificate}

If the values above are not returned, this is a finding.
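
The check above, scripted as an added example (not part of the STIG text or of Exchange). Test-EasCertAuth is a hypothetical helper name and the sample object is constructed; the syntax is kept to what PowerShell 2.0, the shell version used by the Exchange 2010 Management Shell, accepts.

```powershell
# Added example: compares an ActiveSync virtual directory against the six
# values listed in the Check Contents and flags each deviation as a finding.
function Test-EasCertAuth {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        $VirtualDirectory
    )
    process {
        # Expected values, copied from the check text.
        $expected = @{
            BasicAuthEnabled              = 'False'
            WindowsAuthEnabled            = 'False'
            ClientCertAuth                = 'Required'
            WebSiteSSLEnabled             = 'True'
            InternalAuthenticationMethods = 'Certificate'
            ExternalAuthenticationMethods = 'Certificate'
        }
        $order = 'BasicAuthEnabled','WindowsAuthEnabled','ClientCertAuth',
                 'WebSiteSSLEnabled','InternalAuthenticationMethods',
                 'ExternalAuthenticationMethods'
        foreach ($name in $order) {
            # Multi-valued properties are sorted and joined, so an extra method
            # (for example Basic alongside Certificate) is reported, not hidden.
            $actual = (@($VirtualDirectory.$name) |
                       ForEach-Object { "$_" } | Sort-Object) -join ','
            New-Object PSObject -Property @{
                Setting  = $name
                Expected = $expected[$name]
                Actual   = $actual
                Finding  = ($actual -ne $expected[$name])
            } | Select-Object Setting, Expected, Actual, Finding
        }
    }
}

# Constructed sample standing in for Get-ActiveSyncVirtualDirectory output:
# Basic authentication is still enabled and still an internal method.
$sample = New-Object PSObject -Property @{
    BasicAuthEnabled              = $true
    WindowsAuthEnabled            = $false
    ClientCertAuth                = 'Required'
    WebSiteSSLEnabled             = $true
    InternalAuthenticationMethods = @('Basic', 'Certificate')
    ExternalAuthenticationMethods = @('Certificate')
}
$sample | Test-EasCertAuth | Format-Table -AutoSize
# On a server, pipe the output of the Get-ActiveSyncVirtualDirectory command
# from the check into Test-EasCertAuth instead of $sample.
```

Any row with Finding set to True corresponds to a value that differs from the expected results listed in the check.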

Documentable

False

Severity Override Guidance

Open the Exchange Management Shell and enter the following commands:

Get-ActiveSyncVirtualDirectory -Identity "<Identity Name>\Microsoft-Server-ActiveSync (Default Web Site)" | fl BasicAuthEnabled,WindowsAuthEnabled,ClientCertAuth,WebSiteSSLEnabled,InternalAuthenticationMethods,ExternalAuthenticationMethods

These should be the results returned:

BasicAuthEnabled : False
WindowsAuthEnabled : False
ClientCertAuth : Required
WebSiteSSLEnabled : True
InternalAuthenticationMethods : {Certificate}
ExternalAuthenticationMethods : {Certificate}

If the values above are not returned, this is a finding.

Check Content Reference

M

Target Key

1995
