
V-259703

CAT II (Medium)

Exchange Outlook Anywhere clients must use NTLM authentication to access email.

Rule ID

SV-259703r961494_rule

STIG

Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-001953

Discussion

Identification and authentication provide the foundation for access control. Access to email services applications requires NTLM authentication. Outlook Anywhere, if authorized for use by the site, must use NTLM authentication when accessing email.

Note: There is a technical restriction in Exchange Outlook Anywhere that requires a direct SSL connection from Outlook to the Certificate Authority (CA) server. Microsoft support also imposes the constraint that the CA server must participate in the Active Directory (AD) domain inside the enclave. For this reason, Outlook Anywhere must be deployed only for enclave-sourced Outlook users.

Check Content

Open the Exchange Management Shell and enter the following commands:

Get-OutlookAnywhere

Get-OutlookAnywhere | Select-Object -Property Name, Identity, InternalClientAuthenticationMethod, ExternalClientAuthenticationMethod

If the value of "InternalClientAuthenticationMethod" and the value of "ExternalClientAuthenticationMethod" are not set to NTLM, this is a finding.
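
The check above can be evaluated for every Outlook Anywhere virtual directory at once. The following is an added example, not part of the STIG or of Microsoft's tooling: Test-OutlookAnywhereNtlm is a hypothetical helper name, the server names in the sample are constructed, and the script reads the check as "either value other than NTLM is a finding".

```powershell
# Added example: evaluates the V-259703 check per Outlook Anywhere virtual directory.
# Test-OutlookAnywhereNtlm is a hypothetical helper, not an Exchange cmdlet.
function Test-OutlookAnywhereNtlm {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$VirtualDirectory
    )
    process {
        # Cast to string so enum values and empty (unset) values compare uniformly.
        $internal = [string]$VirtualDirectory.InternalClientAuthenticationMethod
        $external = [string]$VirtualDirectory.ExternalClientAuthenticationMethod

        # Assumption: either setting not equal to NTLM is a finding.
        # -ne on strings is case-insensitive, so 'Ntlm' and 'NTLM' both pass.
        $bad = @()
        if ($internal -ne 'Ntlm') { $bad += "Internal='$internal'" }
        if ($external -ne 'Ntlm') { $bad += "External='$external'" }

        [pscustomobject]@{
            Identity = [string]$VirtualDirectory.Identity
            Internal = $internal
            External = $external
            Finding  = $bad.Count -gt 0
            Detail   = $bad -join '; '
        }
    }
}

# Constructed sample objects standing in for Get-OutlookAnywhere output,
# so the logic can be exercised without an Exchange server.
$sample = @(
    [pscustomobject]@{ Identity = 'MBX01\Rpc (Default Web Site)'; InternalClientAuthenticationMethod = 'Ntlm';  ExternalClientAuthenticationMethod = 'Ntlm' }
    [pscustomobject]@{ Identity = 'MBX02\Rpc (Default Web Site)'; InternalClientAuthenticationMethod = 'Ntlm';  ExternalClientAuthenticationMethod = 'Negotiate' }
    [pscustomobject]@{ Identity = 'MBX03\Rpc (Default Web Site)'; InternalClientAuthenticationMethod = 'Basic'; ExternalClientAuthenticationMethod = $null }
)
$sample | Test-OutlookAnywhereNtlm | Format-Table -AutoSize

# In the Exchange Management Shell, use live data instead of the sample:
#   Get-OutlookAnywhere | Test-OutlookAnywhereNtlm | Where-Object Finding
```

With the sample data, MBX01 passes and MBX02 and MBX03 are reported as findings; the MBX03 row shows that an unset external method is also flagged.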

Fix Text

Open the Exchange Management Shell and enter the following commands:

For InternalClientAuthenticationMethod:

Set-OutlookAnywhere -Identity '<IdentityName>' -InternalClientAuthenticationMethod NTLM

For ExternalClientAuthenticationMethod:

Set-OutlookAnywhere -Identity '<IdentityName>' -ExternalClientAuthenticationMethod NTLM