ExAdmin Virtual Directory is not Configured for Integrated Windows Authentication.


Overview

Finding ID: V-18696
Version: EMG2-251 Exch2K3
Rule ID: SV-20332r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
Identification and Authentication provide the foundation for access control. The ExAdmin Virtual Directory is used by the Exchange System Manager to access mailboxes and Public Folders. This feature controls the authentication method used to connect to this virtual directory. This setting should be set to Integrated Windows Authentication only. Anonymous access provides for no access control of this virtual directory, Basic authentication transmits the password in the clear, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendations may result in unrestricted access to this directory, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22414r1_chk)
Validate ExAdmin Virtual Directory authentication settings.

Procedure: Exchange System Manager >> Administrator Groups >> [administrator group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> ExAdmin >> Properties >> Access Tab >> Authentication Settings >> Authentication button

"Integrated Windows Authentication" should be selected.

Criteria: If "Integrated Windows Authentication" is selected, this is not a finding.
Fix Text (F-19342r1_fix)
Configure the ExAdmin Virtual Directory Authentication.

Procedure: Exchange System Manager >> Administrator Groups >> [administrator group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> ExAdmin >> Properties >> Access Tab >> Authentication Settings >> Authentication button

Select "Integrated Windows Authentication".