draft
Microsoft Exchange 2010 Client Access Server Role
The Microsoft Exchange Server 2010 STIGs cover four of the five roles available with Microsoft Exchange Server 2010, plus core Exchange Server 2010 global requirements. The Email Services Policy STIG must also be reviewed for each site hosting email services. The core Exchange Server guidance must be reviewed on each server role prior to the role-specific guidance. Also, for the Client Access server, the IIS guidance must be reviewed prior to the OWA checks.
DISA, Field Security Operations
STIG.DOD.MIL
Release: 0.5 Benchmark Date: 6 June 2012
I - Mission Critical Public<ProfileDescription></ProfileDescription>
I - Mission Critical Sensitive<ProfileDescription></ProfileDescription>
I - Mission Critical Classified<ProfileDescription></ProfileDescription>
II - Mission Support Public<ProfileDescription></ProfileDescription>
II - Mission Support Sensitive<ProfileDescription></ProfileDescription>
II - Mission Support Classified<ProfileDescription></ProfileDescription>
III - Administrative Public<ProfileDescription></ProfileDescription>
III - Administrative Sensitive<ProfileDescription></ProfileDescription>
III - Administrative Classified<ProfileDescription></ProfileDescription>
EXCH-CA-100<GroupDescription></GroupDescription>
EXCH-CA-100 Encryption must be used for RPC client access.
<VulnDiscussion>Failure to require secure connections to the client access server increases the potential for unintended decryption and data loss. This setting controls whether client machines are forced to use secure channels to communicate with the server. If this feature is enabled, clients will only be able to communicate with the server over secure communication channels.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Open the Exchange Management Shell and enter the following command.
Set-RpcClientAccess -Server <'ServerName'> -EncryptionRequired $true
Check Content: Open the Exchange Management Shell and enter the following command.
Get-RpcClientAccess | Select Server, EncryptionRequired
If the value of "EncryptionRequired" is not set to "True", this is a finding.
EXCH-CA-101<GroupDescription></GroupDescription>
EXCH-CA-101 Encryption must be used for OWA access.
<VulnDiscussion>Failure to require secure connections on a web site increases the potential for unintended decryption and data loss. This setting controls whether client machines should be forced to use secure channels to communicate with this virtual directory. If this feature is enabled, clients will only be able to communicate with the directory if they are capable of supporting secure communication with the server.
If Outlook Web App is approved for use, secure channels and FIPS-level encryption are required, as well as appropriate certificate settings. The use of secure communication prevents eavesdroppers from reading or modifying communications between servers and clients. The Network and DMZ STIGs identify criteria for OWA and Public Folder configuration in the network, including CAC-enabled pre-authentication through an application firewall proxy, such as Microsoft ISA.
Note: If OWA is not approved for use, this control is not applicable and the OWA virtual directory should be removed to eliminate the possibility of attack through this vector.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Have the IIS administrator configure the site to require SSL for OWA access.
Check Content: Open the Exchange Management Shell and enter the following command.
Get-WebBinding
Review the website and verify port 443 is used for OWA access. If not, this is a finding.
EXCH-CA-102<GroupDescription></GroupDescription>
EXCH-CA-102 The Microsoft Active Sync directory must be removed.
<VulnDiscussion>To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Active Sync, and the Exchange application default has Active Sync disabled. If an attacker were to intrude into an Exchange Front-End server and reactivate Active Sync, this attack vector could once again be open, provided the virtual directory is present. Once removed, the Active Sync functionality cannot be used without restoring the virtual directory, which is not a trivial process.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Open the Exchange Management Shell and enter the following command.
Remove-ActiveSyncVirtualDirectory ServerName\Microsoft-Server-Active-Sync -Confirm:$true
Note: The physical directory must also be deleted.
Check Content: Open the Exchange Management Shell and enter the following command.
Get-ActiveSyncVirtualDirectory | Select Server, Name, Identity, Path
If the value of "Path" (actual directory) exists, this is a finding.
EXCH-CA-103<GroupDescription></GroupDescription>
EXCH-CA-103 The Public Folder virtual directory must be removed if not in use by the site.
<VulnDiscussion>To reduce the vectors through which a server can be attacked, unneeded application components should be disabled or removed. By default, a virtual directory is installed for Public Folders. If an attacker were to intrude into an Exchange Front-End server and be able to access the public folder web site, it would provide an additional attack vector, provided the virtual directory was present. Once removed, the Public Folder functionality cannot be used without restoring the virtual directory.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Open the Exchange Management Shell and enter the following command.
Remove-PublicFolder -Identity <'Identity'> -Server <'ServerName'> -Recurse:$true
Note: This command removes both the root directory and any subdirectories.
Check Content: Open the Exchange Management Shell and enter the following command.
Get-PublicFolder | Select Name, Identity
If public folders are not in use and directories exist, this is a finding.
EXCH-CA-104<GroupDescription></GroupDescription>
EXCH-CA-104 Web email must use standard ports and protocols.
<VulnDiscussion>PPSM standard defined ports and protocols must be used for all Exchange services. The standard port for HTTP connections is 80 and the standard port for HTTPS connections is 443.
Changing the ports to non-standard values provides only temporary and limited protection against automated attacks, since these attacks will not likely connect to the custom port. However, a determined attacker may still be able to determine which ports are used for the HTTP and HTTPS protocols by performing a comprehensive port scan.
Negative impacts of using nonstandard ports include complexity for the system administrator, custom configurations for connecting clients, risk of port conflict with non-Exchange applications, and risk of incompatibility with standard port monitoring applications.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Have the web site administrator configure the correct ports according to the PPSM standards.
Check Content: Open a Windows PowerShell module and enter the following command.
Get-WebBinding -Name <'WebSiteName'> | Format-List
If the Web binding values are not on standard ports, this is a finding.
EXCH-CA-105<GroupDescription></GroupDescription>
EXCH-CA-105 Forms-based Authentication must not be used.
<VulnDiscussion>Identification and Authentication provide the foundation for access control. Access to email services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Receive Connector, which operates Outlook Web App (OWA), is used to enable web access to user email mailboxes. This setting controls whether forms-based login should be used by the OWA web site.
Forms-based login enables a user to enter an account and password for the web session. The form stores the username and password information in browser cookies, and enables the user's mailbox server to be located without user participation. The cookies persist throughout the OWA session, after which they are destroyed.
Because the DoD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through an application proxy (for example, Internet Security and Acceleration [ISA]), which performs CAC authentication using a proxy-hosted OWA form. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server must have forms-based authentication enabled, and Exchange must have forms-based Authentication disabled.
If forms-based Authentication is enabled on the Exchange Front End server, it is evidence that the application proxy server is either not correctly configured or missing.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Open the Exchange Management Shell and enter the following command.
Set-OwaVirtualDirectory -Identity <'IdentityName'> -FormsAuthentication $false
Check Content: Open the Exchange Management Shell and enter the following command.
Get-OwaVirtualDirectory | Select Name, Identity, FormsAuthentication
If the value of "FormsAuthentication" is not set to "False", this is a finding.
EXCH-CA-106<GroupDescription></GroupDescription>
EXCH-CA-106 The Microsoft Exchange forms-based authentication service must be disabled.
<VulnDiscussion>Identification and Authentication provide the foundation for access control. Access to email services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. There are two parts to using forms-based authentication: the service must be running, and the option to use forms-based authentication must be enabled. Forms-based login enables a user to enter a username and password to log on to the system. By disabling the forms-based authentication service, malicious users will not have the ability to enter a user name and password to access the system.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Open Windows PowerShell and enter the following command.
services.msc
Double-click the "Microsoft Exchange Forms-Based Authentication" service and select the General tab.
Set the "Startup Type" to "Disabled" and click OK.
Check Content: Open Windows PowerShell and enter the following command.
Get-ItemProperty "hklm:\system\currentcontrolset\services\MSExchangeFDS" | Select Start
If the value of "Start" is not set to "4", this is a finding.
EXCH-CA-107<GroupDescription></GroupDescription>
EXCH-CA-107 HTTP authenticated access must be set to Integrated Windows Authentication only.
<VulnDiscussion>This feature controls the authentication method used to connect to the OWA virtual directories.
Ensure this is set to Integrated Windows Authentication only.
Anonymous access provides no access control. Basic Authentication transmits the password in the clear and risks exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as recommended may result in unrestricted access to the OWA virtual directory, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made.
</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Open the Exchange Management Shell and enter the following command.
Set-OwaVirtualDirectory -WindowsAuthentication $true -Identity <'IdentityName'>
Check Content: Open the Exchange Management Shell and enter the following command.
Get-OwaVirtualDirectory | Select Name, Identity, WindowsAuthentication
If the value of "WindowsAuthentication" is not set to "True", this is a finding.
EXCH-CA-108<GroupDescription></GroupDescription>
EXCH-CA-108 The Microsoft Exchange IMAP4 service must be disabled.
<VulnDiscussion>The IMAP4 protocol is not approved for use within the DoD. It uses a clear-text user name and password and does not support the DoD standard for PKI for email access. The user name and password could easily be captured from the network, allowing a malicious user to access other system features. Uninstalling or disabling the service will prevent the use of the IMAP4 protocol.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Open Windows PowerShell and enter the following command.
services.msc
Double-click the "Microsoft Exchange IMAP4" service and select the General tab.
Set the "Startup Type" to "Disabled" and click OK.
Check Content: Open Windows PowerShell and enter the following command.
Get-ItemProperty "hklm:\system\currentcontrolset\services\MSExchangeIMAP4" | Select Start
If the value of "Start" is not set to "4", this is a finding.
EXCH-CA-109<GroupDescription></GroupDescription>
EXCH-CA-109 The Microsoft Exchange POP3 service must be disabled.
<VulnDiscussion>The POP3 protocol is not approved for use within the DoD. It uses a clear-text user name and password and does not support the DoD standard for PKI for email access. The user name and password could easily be captured from the network, allowing a malicious user to access other system features. Uninstalling or disabling the service will prevent the use of the POP3 protocol.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SecurityOverrideGuidance></SecurityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Fix Text: Open Windows PowerShell and enter the following command.
services.msc
Double-click the "Microsoft Exchange POP3" service and select the General tab.
Set the "Startup Type" to "Disabled" and click OK.
Check Content: Open Windows PowerShell and enter the following command.
Get-ItemProperty "hklm:\system\currentcontrolset\services\MSExchangePOP3" | Select Start
If the value of "Start" is not set to "4", this is a finding.
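As an added example that is not part of the STIG or of any Microsoft tooling, the following read-only PowerShell audit runs the check commands from EXCH-CA-100 through EXCH-CA-109 (Get-RpcClientAccess, Get-WebBinding, Get-ActiveSyncVirtualDirectory, Get-OwaVirtualDirectory and the service Start registry values) in one pass and lists every finding. It assumes it is run in the Exchange Management Shell on the Client Access server with the IIS WebAdministration module installed, and uses the service registry key names exactly as they appear in the check text above.

```powershell
# Added audit example (not from the STIG): runs the EXCH-CA-100..109 check
# commands read-only and collects findings. Assumes the Exchange Management
# Shell on the CAS with the IIS WebAdministration module available.
Import-Module WebAdministration -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[string]

# EXCH-CA-100: RPC client access must require encryption
Get-RpcClientAccess | Where-Object { -not $_.EncryptionRequired } | ForEach-Object {
    $findings.Add("EXCH-CA-100 $($_.Server): EncryptionRequired is False")
}

# EXCH-CA-101 / EXCH-CA-104: HTTPS on 443, HTTP (if bound at all) on 80.
# bindingInformation has the form "IP:port:hostname", e.g. "*:443:".
$bindings = @(Get-WebBinding)
foreach ($b in $bindings) {
    $port = ($b.bindingInformation -split ':')[1]
    if (($b.protocol -eq 'https' -and $port -ne '443') -or
        ($b.protocol -eq 'http'  -and $port -ne '80')) {
        $findings.Add("EXCH-CA-104 non-standard binding $($b.protocol) $($b.bindingInformation)")
    }
}
if (-not ($bindings | Where-Object { $_.protocol -eq 'https' -and $_.bindingInformation -like '*:443:*' })) {
    $findings.Add("EXCH-CA-101 no HTTPS binding on port 443 found")
}

# EXCH-CA-102: any remaining Active Sync virtual directory is a finding
Get-ActiveSyncVirtualDirectory | ForEach-Object {
    $findings.Add("EXCH-CA-102 $($_.Identity) still present (Path: $($_.Path))")
}

# EXCH-CA-105 / EXCH-CA-107: OWA must use Windows Authentication, not forms-based
Get-OwaVirtualDirectory | ForEach-Object {
    if ($_.FormsAuthentication)        { $findings.Add("EXCH-CA-105 $($_.Identity): FormsAuthentication is True") }
    if (-not $_.WindowsAuthentication) { $findings.Add("EXCH-CA-107 $($_.Identity): WindowsAuthentication is False") }
}

# EXCH-CA-106 / 108 / 109: a Start value of 4 means Disabled (key names as given in the check text)
$services = @{ 'EXCH-CA-106' = 'MSExchangeFDS'; 'EXCH-CA-108' = 'MSExchangeIMAP4'; 'EXCH-CA-109' = 'MSExchangePOP3' }
foreach ($id in $services.Keys) {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$($services[$id])"
    $start = (Get-ItemProperty $key -ErrorAction SilentlyContinue).Start
    if ($start -ne 4) { $findings.Add("$id $($services[$id]) Start is '$start', expected 4 (Disabled)") }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

EXCH-CA-103 is left to manual review because whether public folders are "in use by the site" is a site decision the script cannot make.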