UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Exchange Outlook Anywhere clients must use NTLM authentication to access email.


Overview

Finding ID Version Rule ID IA Controls Severity
V-228404 EX16-MB-000610 SV-228404r612748_rule Medium
Description
Identification and authentication provide the foundation for access control. Access to email services applications require NTLM authentication. Outlook Anywhere, if authorized for use by the site, must use NTLM authentication when accessing email. Note: There is a technical restriction in Exchange Outlook Anywhere that requires a direct SSL connection from Outlook to the Certificate Authority (CA) server. There is also a constraint where Microsoft supports that the CA server must participate in the Active Director (AD) domain inside the enclave. For this reason, Outlook Anywhere must be deployed only for enclave-sourced Outlook users.
STIG Date
Microsoft Exchange 2016 Mailbox Server Security Technical Implementation Guide 2021-03-25

Details

Check Text ( C-30637r497008_chk )
Open the Exchange Management Shell and enter the following command:

Get-OutlookAnywhere

Get-OutlookAnywhere | Select Name, Identity, InternalClientAuthenticationMethod, ExternalClientAuthenticationMethod

If the value of "InternalClientAuthenticationMethod" and the value of "ExternalClientAuthenticationMethod" are not set to NTLM, this is a finding.
Fix Text (F-30622r497009_fix)
Open the Exchange Management Shell and enter the following command:

For InternalClientAuthenticationMethod:

Set-OutlookAnywhere -Identity ' -InternalClientAuthenticationMethod NTLM

For ExternalClientAuthenticationMethod:

Set-OutlookAnywhere -Identity ' -ExternalClientAuthenticationMethod NTLM