Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
HTTP authenticated access must be set to Integrated Windows Authentication only.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| EXCH-CA-107 | EXCH-CA-107 | EXCH-CA-107_rule | Medium |
| Description |
|---|
| This feature controls the authentication method used to connect to the OWA virtual directories. Ensure this is set to Integrated Windows Authentication only. Anonymous access provides for no access control. Basic Authentication transmits the password in the clear and risks exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendation may result in unrestricted access to OWA virtual directory, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made. |
| STIG | Date |
|---|---|
| Microsoft Exchange 2010 Client Access Server Role | 2012-05-31 |
Details
| Check Text ( C-_chk ) |
|---|
| Open the Exchange Management Shell and enter the following command. Get-OwaVirtualDirectory | Select Name, Identity, WindowsAuthentication If the value of "WindowsAuthentication" is not set to "True", this is a finding. |
| Fix Text (F-_fix) |
|---|
| Open the Exchange Management Shell and enter the following command. Set-OwaVirtualDirectory -WindowsAuthentication $true -Identity <'IdentityName'> |