2.19 Set 'Require client MAPI encryption' to 'True'

Information

Certificates can reside in the certificate store on a mobile device or on a smart card. A certificate authentication method uses the Extensible Authentication Protocol (EAP) and the Transport Layer Security (TLS) protocol. During EAP-TLS certificate authentication, the client and the server prove their identities to each other. For example, an Exchange ActiveSync client presents its user certificate to the Client Access server, and the Client Access server presents its computer certificate to the mobile device to provide mutual authentication.

Rationale:

Communications between Outlook and Exchange that are sent unencrypted are vulnerable to being captured by a malicious third party.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-RpcClientAccess -Server CAS01 EncryptionRequired $true

See Also

https://workbench.cisecurity.org/files/1512

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Windows

Control ID: 63e3f04cec289fee404b681d6ed0f4772c622bcc8caea719aab33053c500046f