2.3.6 Ensure 'Require client MAPI encryption' is set to 'True'

Information

This policy setting specifies whether encryption is required for Remote Procedure call (RPC) client connections.

Note: This recommendation only applies if RPC over HTTP is enabled in the organization. In Exchange 2019 MAPI over HTTP is enabled by default.

Rationale:

Communications between Outlook and Exchange that are sent unencrypted are vulnerable to being captured by a malicious actor.

Impact:

Client computers running earlier versions of Outlook or Outlook with profiles set to not use encryption will be blocked from connecting to your Exchange servers. This is the default behavior so the impact is minimal to nothing.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

Set-RpcClientAccess -Server 'Server' -EncryptionRequired $true

Default Value:

True

See Also

https://workbench.cisecurity.org/benchmarks/12442

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Windows

Control ID: 57ee6facd4f5b3ded20865e2a548e497d2b01c11563c0e5277be480726dcae38