STIGQter: STIG Summary: Exchange 2010 Client Access Server STIG Version: 1 Release: 9 Benchmark Date: 27 Jan 2017:

HTTP authenticated access must be set to Integrated Windows Authentication only.

DISA Rule

SV-44065r2_rule

Vulnerability Number

V-33645

Group Title

Exch-1-208

Rule Version

Exch-1-208

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Open the Exchange Management Shell and enter the following command:

Set-OwaVirtualDirectory -WindowsAuthentication $true -Identity '<IdentityName>'

Check Contents

Open the Exchange Management Shell and enter the following command:

Get-OwaVirtualDirectory -server ‘<Identity Name>’ | Select Name,Identity,*Authentication

If the ‘WindowsAuthentication’ is not ‘True’, this is a finding. If any other result for ‘WindowsAuthentication’ is set to 'True', this is a finding.

NOTE: Typical results for this command would result in this display:
Name : owa (Default Web Site)
Identity : <Identity Name>\owa (Default Web Site)
BasicAuthentication : False
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False

Vulnerability Number

V-33645

Documentable

False

Rule Version

Exch-1-208

Severity Override Guidance

Open the Exchange Management Shell and enter the following command:

Get-OwaVirtualDirectory -server ‘<Identity Name>’ | Select Name,Identity,*Authentication

If the ‘WindowsAuthentication’ is not ‘True’, this is a finding. If any other result for ‘WindowsAuthentication’ is set to 'True', this is a finding.

NOTE: Typical results for this command would result in this display:
Name : owa (Default Web Site)
Identity : <Identity Name>\owa (Default Web Site)
BasicAuthentication : False
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False

Check Content Reference

M

Target Key

1995

Comments