Check: EMG2-803 Exch2K3
Microsoft Exchange Server 2003: EMG2-803 Exch2K3 (in version v1 r5)
Title
Virtual Server default outbound security is not anonymous and TLS. (Cat II impact)
Discussion
Identification and authentication provide the foundation for access control. The key to preventing spam insertion into the SMTP message transfer path is to require authentication at each hop of the journey from sender to receiver. Failure to authenticate increases the risk that an attacker can insert unauthenticated mail messages, a form of internally spoofed spam that can be difficult to trace. Encryption provides confidentiality for data in motion as it traverses network connections. Without TLS, the message transfer is sent in clear text (including any authentication password the server presents to the next hop), which makes it susceptible to eavesdropping.

This setting controls the default authentication and encryption methods used for outbound connections from this SMTP virtual server, that is, the authentication used when delivering outbound mail to another SMTP virtual server. Because e-mail environments typically support multi-directional message flow at the connector level, specific requirements should be set on each connector, with this virtual server setting serving only as the default. An authentication type of Anonymous together with TLS encryption is recommended for this setting. Note that on Exchange Server 2003 the outbound TLS option is a requirement rather than opportunistic encryption: delivery to a remote host that does not offer STARTTLS fails over this path, so confirm that the hops this virtual server delivers to directly support TLS before relying on the default.
Check Content
Validate the virtual server outbound security.
Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Delivery tab >> Outbound Security button. "Anonymous" and "TLS" should be selected.
Criteria: If "Anonymous" and "TLS" are both selected, this is not a finding. If either is not selected, this is a finding.
Fix Text
Set the virtual server outbound security.
Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Delivery tab >> Outbound Security button. Select "Anonymous" and "TLS encryption", then apply the change.
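Because the TLS option on an Exchange 2003 SMTP virtual server only succeeds against next hops that advertise STARTTLS, a quick capability probe complements the GUI check and fix above. The script below is an added example for this page; it is not part of the STIG text or of Exchange itself. The probe hostname `probe.example.invalid` is an assumption, and the mock SMTP listener is constructed test input so the script runs offline; point `peer_offers_starttls()` at a real smart host or next-hop virtual server to check it before requiring TLS.

```python
"""Probe SMTP peers for STARTTLS support before requiring outbound TLS.

Added example for this check; it is not part of the STIG text or of
Exchange. Exchange 2003's outbound "TLS encryption" option only succeeds
against hosts that advertise STARTTLS in their EHLO reply, so this probe
answers the question the GUI setting silently depends on. The mock SMTP
listener below is constructed test input; the probe hostname is assumed.
"""
import smtplib
import socketserver
import threading


def peer_offers_starttls(host, port, timeout=5.0):
    """Return True if the peer's EHLO response lists STARTTLS.

    Only the clear-text capability exchange is performed (no TLS handshake,
    no mail), so this is safe to point at any smart host or next hop.
    Connection and protocol errors propagate to the caller.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo("probe.example.invalid")  # assumed probe name
        if code != 250:
            return False  # peer refused EHLO, so it cannot offer STARTTLS
        return smtp.has_extn("starttls")


class _MockSmtpHandler(socketserver.StreamRequestHandler):
    """Constructed minimal ESMTP responder: greeting, EHLO and QUIT only."""
    advertise_starttls = True  # overridden per listener in start_mock_peer()

    def handle(self):
        self.wfile.write(b"220 mock.example.invalid ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb = line.split()[0].upper() if line.strip() else b""
            if verb == b"EHLO":
                reply = [b"250-mock.example.invalid", b"250-SIZE 10485760"]
                if self.advertise_starttls:
                    reply.append(b"250-STARTTLS")
                reply.append(b"250 8BITMIME")
                self.wfile.write(b"\r\n".join(reply) + b"\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 mock.example.invalid closing\r\n")
                return
            else:
                self.wfile.write(b"502 command not implemented\r\n")


def start_mock_peer(advertise_starttls):
    """Start a throwaway SMTP listener on 127.0.0.1; returns (server, port)."""
    handler = type("MockHandler", (_MockSmtpHandler,),
                   {"advertise_starttls": advertise_starttls})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_mock_peers():
    """Probe one constructed peer that offers STARTTLS and one that does not."""
    results = {}
    for name, offers in (("tls-capable-hop", True), ("plaintext-only-hop", False)):
        server, port = start_mock_peer(offers)
        try:
            results[name] = peer_offers_starttls("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for peer, ok in probe_mock_peers().items():
        verdict = "offers STARTTLS" if ok else "no STARTTLS: TLS-required delivery will fail"
        print(f"{peer}: {verdict}")
```

The probe deliberately stops at the EHLO capability list: it tells you whether a TLS-required virtual server can deliver to that hop at all, which is the failure mode the Discussion warns about. It does not negotiate TLS or inspect the peer's certificate, so it says nothing about the strength or trust of the resulting session.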
Additional Identifiers
Rule ID: SV-20346r1_rule
Vulnerability ID: V-18703
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |