Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-18703 | EMG2-803 Exch2K3 | SV-20346r1_rule | ECSC-1 | Medium |
Description |
---|
Identification and authentication provide the foundation for access control. The key to preventing spam insertion into the SMTP message transfer path is to require authentication at each 'hop' of the journey from sender to receiver. Failure to authenticate increases the risk that an attacker can insert unauthenticated mail messages, a form of internally spoofed spam that can be difficult to trace. Encryption ensures confidentiality of data in motion as it traverses network connections. Failure to specify TLS encryption causes messages (including the authentication password) to be sent unencrypted, which makes them susceptible to eavesdropping. This setting controls the default authentication and encryption algorithms used for outbound connections using this connector (that is, the authentication used when delivering outbound mail to another SMTP Virtual Server). Because e-mail service environments typically support multi-directional message flow at the Connector level, it is preferred that specific requirements be set there, with this configuration at the Virtual Server level serving as a default. An authentication type of Anonymous and use of TLS are recommended for this setting. |
STIG | Date |
---|---|
Microsoft Exchange Server 2003 | 2014-08-19 |
Check Text (C-22421r1_chk) |
---|
Validate the Virtual Server outbound security. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Delivery tab >> Outbound Security button. "Anonymous" and "TLS" should be selected. Criteria: If "Anonymous" and "TLS" are selected, this is not a finding. |
Fix Text (F-19349r1_fix) |
---|
Set Virtual Server outbound security. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Delivery tab >> Outbound Security button. Select "Anonymous" and "TLS" encryption. |