STIGQter: STIG Summary: MS Exchange 2013 Client Access Server Security Technical Implementation Guide, Version: 1, Release: 3, Benchmark Date: 24 Jan 2020

Exchange OWA must use https.

DISA Rule

SV-84397r2_rule

Vulnerability Number

V-69775

Group Title

SRG-APP-000439

Rule Version

EX13-CA-000150

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Open the Exchange Management Shell and enter the following command:

Set-OWAVirtualDirectory -Identity '<IdentityName>\owa (Default Web Site)' -ExternalUrl 'https://URL' -InternalUrl 'https://URL'

Note: The <IdentityName>\owa (default web site) value must be in quotes.

Check Contents

If the Exchange server does not provide OWA services, this check is Not Applicable.
If the Exchange server does not provide external OWA services, https does not need to be assigned to the external URL; it may be blank.
Open the Exchange Management Shell and enter the following command:

Get-OWAVirtualDirectory | Select Name, Identity, ExternalUrl, InternalUrl

If the values returned for ExternalUrl and InternalUrl are not both set to https://, this is a finding.
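
The check above can be scripted. The following is an added example, not part of the STIG or of Exchange: the function name Test-OwaHttps and the -ExternalOwaProvided switch are hypothetical, the sample objects are constructed, and treating a blank ExternalUrl as a finding when external OWA is provided is an assumption drawn from the blank-URL exception above.

```powershell
function Test-OwaHttps {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$VirtualDirectory,
        # Assumption: the reviewer states whether this server publishes OWA externally.
        [switch]$ExternalOwaProvided
    )
    process {
        $reasons = @()
        # URL properties may arrive as System.Uri or $null; cast so both compare as strings.
        $internal = [string]$VirtualDirectory.InternalUrl
        $external = [string]$VirtualDirectory.ExternalUrl

        if ($internal -notmatch '^https://') {
            $reasons += "InternalUrl is '$internal'"
        }
        if ([string]::IsNullOrWhiteSpace($external)) {
            # Blank is acceptable only when no external OWA service is provided.
            if ($ExternalOwaProvided) {
                $reasons += 'ExternalUrl is blank but external OWA is provided'
            }
        }
        elseif ($external -notmatch '^https://') {
            $reasons += "ExternalUrl is '$external'"
        }

        [pscustomobject]@{
            Identity = [string]$VirtualDirectory.Identity
            Status   = if ($reasons.Count) { 'Finding' } else { 'NotAFinding' }
            Reasons  = $reasons -join '; '
        }
    }
}

# Constructed sample rows shaped like the output of the Select in the check.
$sample = @(
    [pscustomobject]@{ Identity = 'EX01\owa (Default Web Site)'
                       InternalUrl = 'https://mail.example.test/owa'; ExternalUrl = $null }
    [pscustomobject]@{ Identity = 'EX02\owa (Default Web Site)'
                       InternalUrl = 'http://mail.example.test/owa'
                       ExternalUrl = 'https://mail.example.test/owa' }
)
$sample | Test-OwaHttps | Format-Table -AutoSize

# On an Exchange server: Get-OWAVirtualDirectory | Test-OwaHttps
```

If Get-OWAVirtualDirectory returns nothing, the function emits no rows, which corresponds to the Not Applicable case.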

Documentable

False

Check Content Reference

M

Target Key

3097
