Check: EMG2-251 Exch2K3
Microsoft Exchange Server 2003: EMG2-251 Exch2K3 (in version v1 r5)
Title
ExAdmin Virtual Directory is not Configured for Integrated Windows Authentication. (Cat II impact)
Discussion
Identification and Authentication provide the foundation for access control. The ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. This feature controls the authentication method used to connect to this virtual directory. This setting should be set to Integrated Windows Authentication only. Anonymous access provides for no access control of this virtual directory, Basic authentication transmits the password in the clear, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendations may result in unrestricted access to this directory, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made.
Check Content
Validate ExAdmin Virtual Directory authentication settings.
Procedure: Exchange System Manager >> Administrator Groups >> [administrator group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> ExAdmin >> Properties >> Access Tab >> Authentication Settings >> Authentication button. "Integrated Windows Authentication" should be selected.
Criteria: If "Integrated Windows Authentication" is selected, this is not a finding.
Fix Text
Configure the ExAdmin Virtual Directory Authentication.
Procedure: Exchange System Manager >> Administrator Groups >> [administrator group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> ExAdmin >> Properties >> Access Tab >> Authentication Settings >> Authentication button. Select "Integrated Windows Authentication".
Additional Identifiers
Rule ID: SV-20332r1_rule
Vulnerability ID: V-18696
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |