
Outlook Anywhere (OA) clients must use approved DoD PKI authentication to access email.


Overview

Finding ID: V-33607
Version: Exch-1-402
Rule ID: SV-44027r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Identification and authentication provide the foundation for access control. Access to email services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. Outlook Anywhere, if authorized for use by the site, must use DoD-approved multi-factor authentication tokens (e.g., Common Access Card (CAC) for unclassified systems) when accessing email.

Note: A technical restriction in Exchange OA requires a direct SSL connection from Outlook to the Client Access (CA) server. A further constraint is that, for Microsoft support, the CA server must participate in the AD domain inside the enclave. For this reason, Outlook Anywhere must be deployed only for enclave-sourced Outlook users.
STIG: Exchange 2010 Client Access Server STIG
Date: 2013-01-03

Details

Check Text (C-41714r1_chk)
Open the Exchange Management Shell and enter the following command:

Get-OutlookAnywhere

If the value of 'Client Authentication Method' is not set to 'Certificate', this is a finding.
Fix Text (F-37499r1_fix)
Open the Exchange Management Shell and enter the following command:

Set-OutlookAnywhere -ClientAuthenticationMethod Certificate
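
The check above can be applied to every Outlook Anywhere configuration in one pass, with the result saved as review evidence. This is an added example, not part of the STIG text; the variable names, the status labels and the CSV file name are assumptions.

```powershell
# Added example (not STIG text): evaluate V-33607 for every Outlook Anywhere
# configuration. Run in the Exchange Management Shell; PowerShell 2.0 compatible.
$required = 'Certificate'            # value the check text requires
$csvPath  = '.\V-33607-audit.csv'    # assumption: evidence file name

# One record per configuration returned by Get-OutlookAnywhere.
$report = @(Get-OutlookAnywhere | ForEach-Object {
    $method = [string]$_.ClientAuthenticationMethod
    # Status labels are this example's own: 'Open' means the check text calls it a finding.
    if ($method -eq $required) { $status = 'NotAFinding' } else { $status = 'Open' }
    New-Object PSObject -Property @{
        Server                     = [string]$_.Server
        ExternalHostname           = [string]$_.ExternalHostname
        ClientAuthenticationMethod = $method
        Status                     = $status
    }
})

if ($report.Count -eq 0) {
    # Nothing came back, so there is no setting to evaluate.
    Write-Output 'Get-OutlookAnywhere returned no objects; nothing to evaluate.'
} else {
    # Select-Object fixes the column order (hashtable order is not preserved in PowerShell 2.0).
    $columns = 'Server', 'ExternalHostname', 'ClientAuthenticationMethod', 'Status'
    $report | Select-Object $columns | Format-Table -AutoSize
    $report | Select-Object $columns | Export-Csv -Path $csvPath -NoTypeInformation

    $open = @($report | Where-Object { $_.Status -eq 'Open' })
    if ($open.Count -gt 0) {
        Write-Warning ("V-33607: {0} of {1} configuration(s) do not use '{2}'." -f `
            $open.Count, $report.Count, $required)
    } else {
        Write-Output ("V-33607: all {0} configuration(s) use '{1}'." -f $report.Count, $required)
    }
}
```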