STIGQter: STIG Summary: MS Exchange 2013 Client Access Server Security Technical Implementation Guide, Version 1, Release 3, Benchmark Date 24 Jan 2020

Exchange ActiveSync (EAS) must only use certificate-based authentication to access email.

DISA Rule

SV-84349r1_rule

Vulnerability Number

V-69727

Group Title

SRG-APP-000033

Rule Version

EX13-CA-000035

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Open the Exchange Management Shell and enter the following command:

Set-ActiveSyncVirtualDirectory -Identity '<ServerName>\Microsoft-Server-ActiveSync (Default Web Site)' -BasicAuthEnabled $False -WindowsAuthEnabled $False -ClientCertAuth 'Required' -WebSiteSSLEnabled $True -InternalAuthenticationMethods 'Certificate' -ExternalAuthenticationMethods 'Certificate'

Note: The <ServerName>\Microsoft-Server-ActiveSync (Default Web Site) value must be in quotes because it contains spaces and parentheses. Use straight single quotes, not typographic quotes, or the shell will not parse the identity.

Check Contents

Open the Exchange Management Shell and enter the following commands:

Get-ActiveSyncVirtualDirectory | Select Name, Identity

Get-ActiveSyncVirtualDirectory -Identity '<ServerName>\Microsoft-Server-ActiveSync (Default Web Site)' | fl BasicAuthEnabled, WindowsAuthEnabled, ClientCertAuth, WebSiteSSLEnabled, InternalAuthenticationMethods, ExternalAuthenticationMethods

Note: The <ServerName>\Microsoft-Server-ActiveSync (Default Web Site) value must be in quotes. Repeat the second command for every ActiveSync virtual directory listed by the first command; each Client Access Server has its own.

The command should return the following:

BasicAuthEnabled : False
WindowsAuthEnabled : False
ClientCertAuth : Required
WebSiteSSLEnabled : True
InternalAuthenticationMethods : {Certificate}
ExternalAuthenticationMethods : {Certificate}

If any of the values above are not returned for any ActiveSync virtual directory, this is a finding.
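The check and fix above are written for a single virtual directory. The following script is an added example, not part of the STIG text or of any Microsoft tooling: run from the Exchange Management Shell, it audits every ActiveSync virtual directory in the organization against the six values the check expects and, only when asked, applies the same Set-ActiveSyncVirtualDirectory fix. The -Server and -Remediate parameters are this script's own assumptions; the expected values come straight from the Check Contents.

```powershell
# Added example (not part of the STIG): audit all Exchange 2013 ActiveSync
# virtual directories against EX13-CA-000035 and optionally remediate.
# Run from the Exchange Management Shell. -Server and -Remediate are this
# script's own parameters (assumptions), not STIG-defined names.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Server,   # limit the audit to these CAS servers; default is all
    [switch]$Remediate   # apply the STIG fix to each finding (honours -WhatIf)
)

# Expected state, taken from the STIG Check Contents.
$Expected = [ordered]@{
    BasicAuthEnabled              = $false
    WindowsAuthEnabled            = $false
    ClientCertAuth                = 'Required'
    WebSiteSSLEnabled             = $true
    InternalAuthenticationMethods = @('Certificate')
    ExternalAuthenticationMethods = @('Certificate')
}

function Test-EasVdir {
    # Returns one line per property that deviates from $Expected; empty = pass.
    param([Parameter(Mandatory)]$Vdir)
    $bad = @()
    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        $have = $Vdir.$name
        if ($want -is [array]) {
            # Multi-valued property: exact set match, order-insensitive.
            # Casting each entry to [string] compares enum names ('Certificate').
            $haveNames = @($have | ForEach-Object { [string]$_ } | Sort-Object)
            $ok = -not (Compare-Object -ReferenceObject $haveNames -DifferenceObject @($want | Sort-Object))
        } else {
            $ok = ([string]$have -eq [string]$want)
        }
        if (-not $ok) {
            $bad += "$name = $($have -join ',') (expected $($want -join ','))"
        }
    }
    return $bad
}

# Enumerate the virtual directories to audit (all CAS servers unless -Server given).
$vdirs = if ($Server) { $Server | ForEach-Object { Get-ActiveSyncVirtualDirectory -Server $_ } }
         else         { Get-ActiveSyncVirtualDirectory }

$findings = 0
foreach ($v in $vdirs) {
    $problems = @(Test-EasVdir -Vdir $v)
    if ($problems.Count -eq 0) {
        Write-Output "[PASS]    $($v.Identity)"
        continue
    }
    $findings++
    Write-Output "[FINDING] $($v.Identity)"
    $problems | ForEach-Object { Write-Output "          $_" }

    if ($Remediate -and $PSCmdlet.ShouldProcess($v.Identity, 'Apply EX13-CA-000035 fix')) {
        # Same settings as the STIG Fix Recommendation, applied to this vdir.
        Set-ActiveSyncVirtualDirectory -Identity $v.Identity `
            -BasicAuthEnabled $false -WindowsAuthEnabled $false `
            -ClientCertAuth 'Required' -WebSiteSSLEnabled $true `
            -InternalAuthenticationMethods 'Certificate' `
            -ExternalAuthenticationMethods 'Certificate'
    }
}
Write-Output "$findings ActiveSync virtual directory(ies) with findings."
```

Run it without -Remediate first to get the per-server PASS/FINDING report; `.\Audit-EasAuth.ps1 -Remediate -WhatIf` then shows which directories would be changed without touching them. Before enforcing certificate-only authentication, confirm that every mobile client has a user certificate provisioned, since devices without one will stop synchronising the moment Basic and Windows authentication are disabled.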

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

3097

Comments