Microsoft Exchange 2010 Client Access Server Role

Overview

Version	Date	Finding Count (10)			Downloads
1	2012-05-31	CAT I (High): 1	CAT II (Med): 8	CAT III (Low): 1	Excel	JSON	XML

STIG Description
The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010, plus core Exchange Server 2010 global requirements. The Email Services Policy STIG must also be reviewed for each site hosting email services. The core Exchange Server guidance must be reviewed on each server role prior to the role-specific guidance. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks.

STIG Description

The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010, plus core Exchange Server 2010 global requirements. The Email Services Policy STIG must also be reviewed for each site hosting email services. The core Exchange Server guidance must be reviewed on each server role prior to the role-specific guidance. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks.

Available Profiles

Classified	Public	Sensitive
I - Mission Critical Classified	I - Mission Critical Public	I - Mission Critical Sensitive	II - Mission Support Classified	II - Mission Support Public	II - Mission Support Sensitive	III - Administrative Classified	III - Administrative Public	III - Administrative Sensitive

Findings (MAC III - Administrative Sensitive)

Finding ID	Severity	Title	Description
EXCH-CA-105	High	Forms-based Authentication must not be used.	Identification and Authentication provide the foundation for access control. Access to email services applications in the DoD require authentication using DoD Public Key Infrastructure (PKI)...
EXCH-CA-102	Medium	The Microsoft Active Sync directory must be removed.	To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Active Sync, and the...
EXCH-CA-100	Medium	Encryption must be used for RPC client access.	Failure to require secure connections to the client access server increases the potential for unintended decryption and data loss. This setting controls whether client machines are forced to use...
EXCH-CA-101	Medium	Encryption must be used for OWA access.	Failure to require secure connections on a web site increases the potential for unintended decryption and data loss. This setting controls whether client machines should be forced to use secure...
EXCH-CA-106	Medium	The Microsoft Exchange forms-based authentication service must be disabled.	Identification and Authentication provide the foundation for access control. Access to email services applications in the DoD require authentication using DoD Public Key Infrastructure (PKI)...
EXCH-CA-107	Medium	HTTP authenticated access must be set to Integrated Windows Authentication only.	This feature controls the authentication method used to connect to the OWA virtual directories. Ensure this is set to Integrated Windows Authentication only. Anonymous access provides for no...
EXCH-CA-104	Medium	Web email must use standard ports and protocols.	PPSM standard defined ports and protocols must be used for all Exchange services. The standard port for HTTP connections is 80 and the standard port for HTTPS connections is 443. Changing the...
EXCH-CA-108	Medium	The Microsoft Exchange IMAP4 service must be disabled.	The IMAP4 protocol is not approved for use within the DoD. It uses a clear text based user name and password and does not support the DoD standard for PKI for email access. User name and password...
EXCH-CA-109	Medium	The Microsoft Exchange POP3 service must be disabled.	The POP3 protocol is not approved for use within the DoD. It uses a clear text based user name and password and does not support the DoD standard for PKI for email access. User name and password...
EXCH-CA-103	Low	The Public Folder virtual directory must be removed if not in use by the site.	To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Public Folders. If...