3.6 Set 'Allow basic authentication' to 'False'

Information

Use this setting to determine whether you want to allow clients to use basic authentication.

Rationale:

The default behavior of Exchange is to only require Basic Authentication. This type of authentication occurs in plaintext, which increases the possibility that an attacker could capture a user's credentials. In addition to configuring this setting to require client certificates, you can further mitigate the risk that the default behavior poses by configuring IIS to require SSL or TLS user connections to the Exchange servers in your organization.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-OwaVirtualDirectory -Identity 'owa (Default Web Site)' -BasicAuthentication $false

See Also

https://workbench.cisecurity.org/files/1514

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1)(c)

Plugin: Windows

Control ID: f05c6ce632bff615e18bced0c3f72b23e537dadad6c5afecd2ef67253588cc05