Virtual Server default outbound security is not anonymous and TLS.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18703	EMG2-803 Exch2K3	SV-20346r1_rule	ECSC-1	Medium

Description
Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Failure to authenticate increases risk that an attacker can insert unauthenticated mail messages, a form of internally SPOOFED SPAM that can be difficult to trace. Encryption ensures confidentiality of data in motion as it traverses network connections. Failure to specify TLS encryption causes message transfer to be sent unencrypted, (including the authentication password), which makes it susceptible to eavesdropping. This setting controls the default authentication and encryption algorithms used for outbound connections using this connector. (That is, the authentication used when delivering outbound mail to another SMTP Virtual Server.) Because E-Mail services environments typically support multi-directional message flow at the Connector level, it is preferred that specific requirements be set there, and let this configuration at the Virtual Server level serve as a default. Authentication type of Anonymous and use of TLS are recommended for this setting.

Description

Identification and Authentication provide the foundation for access control. The key to preventing SPAM insertion into the SMTP message transfer path is to require authentication at each ‘hop’ of the journey from sender to receiver. Failure to authenticate increases risk that an attacker can insert unauthenticated mail messages, a form of internally SPOOFED SPAM that can be difficult to trace. Encryption ensures confidentiality of data in motion as it traverses network connections. Failure to specify TLS encryption causes message transfer to be sent unencrypted, (including the authentication password), which makes it susceptible to eavesdropping. This setting controls the default authentication and encryption algorithms used for outbound connections using this connector. (That is, the authentication used when delivering outbound mail to another SMTP Virtual Server.) Because E-Mail services environments typically support multi-directional message flow at the Connector level, it is preferred that specific requirements be set there, and let this configuration at the Virtual Server level serve as a default. Authentication type of Anonymous and use of TLS are recommended for this setting.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22421r1_chk )
Validate the Virtual Server outbound Security. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Delivery tab >> Outbound Security button “Anonymous” and "TLS" should be selected. Criteria: If “Anonymous” and "TLS" are selected, this is not a finding.

Fix Text (F-19349r1_fix)
Set Virtual Server outbound security. Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server] >> Protocols >> SMTP >> [specific SMTP virtual server] >> Properties >> Delivery tab >> Outbound Security button Select “Anonymous” and "TLS" encryption.