Check: EX16-ED-000180
Microsoft Exchange 2016 Edge Transport Server STIG:
EX16-ED-000180
(in versions v2 r5 through v1 r1)
Title
Exchange Internet-facing Receive connectors must offer Transport Layer Security (TLS) before using basic authentication. (Cat II impact)
Discussion
Sending unencrypted email over the Internet increases the risk that messages can be intercepted or altered. TLS is designed to protect confidentiality and data integrity by encrypting email messages between servers and thereby reducing the risk of eavesdropping, interception, and alteration. This setting forces Exchange to offer TLS before using basic authentication.
Check Content
Open the Exchange Management Shell and enter the following command: Get-ReceiveConnector | Select Name, Identity, AuthMechanism For each receive connector, if the value of "AuthMechanism" is not set to "Tls, BasicAuth, BasicAuthRequireTLS", this is a finding.
Fix Text
Open the Exchange Management Shell and enter the following command: Set-ReceiveConnector -Identity <'IdentityName'> -AuthMechanism 'Tls, BasicAuth, BasicAuthRequireTLS' Note: The <IdentityName> value must be in single quotes. Example only for the Identity: <ServerName>\Frontend <ServerName> Repeat the procedure for each receive connector.
Additional Identifiers
Rule ID: SV-221219r879636_rule
Vulnerability ID: V-221219
Group Title: SRG-APP-000219
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001184 |
The information system protects the authenticity of communications sessions. |
Controls
Number | Title |
---|---|
SC-23 |
Session Authenticity |