An error occurred:

Check: EMG2-323 Exch2K3

Microsoft Exchange Server 2003: EMG2-323 Exch2K3 (in version v1 r5)

Title

E-mail Server does not require S/MIME capable clients. (Cat I impact)

Discussion

Identification and Authentication provide the foundation for access control. The ability for receiving users to authenticate the source of E-Mail messages helps to ensure that they are not FORGED or SPOOFED before they arrive. MIME (Multipurpose Internet Mail Extensions) is an Internet standard that extends the format of e-mail and other web content to support ASCII and other character sets in both the message and header, text and non-text attachments, and multi-part message bodies. All human-originating E-Mail messages are transmitted in MIME format. S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME. Participants in S/MIME message exchanges must obtain and install an individual key/certificate from the DoD. S/MIME clients will require that each participant own a certificate before allowing them to encrypt messages to others. To minimize attack vectors revealed by lack of signed or encrypted E-Mail, all clients in the enterprise must be updated to support S/MIME, and all mail servers must require S/MIME capability.

Check Content

Ensure that E-Mail servers require S/MIME capable clients. Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> servers >> [server name] >> [storage group] >> Mailbox store [server name] >> properties >> General tab The “Clients support S/MIME signatures” should be selected. Criteria: If the “Clients support S/MIME signatures” is selected, this is not a finding.

Fix Text

Configure requirement for S/MIME capable clients. Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> servers >> [server name] >> [storage group] >> Mailbox store [server name] >> properties >> General tab Select the “Clients support S/MIME signatures” checkbox.

Additional Identifiers

Rule ID: SV-20216r1_rule

Vulnerability ID: V-18642

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
No CCIs are assigned to this check

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
No controls are assigned to this check