Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.

From MS Exchange 2013 Mailbox Server Security Technical Implementation Guide

Associated with: CCI-001953

SV-84697r1_rule Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.

Vulnerability discussion

Identification and authentication provide the foundation for access control. Access to email services applications require NTLM authentication. Outlook Anywhere, if authorized for use by the site, must use NTLM authentication when accessing email.Note: There is a technical restriction in Exchange OA that requires a direct SSL connection from Outlook to the CA server. There is also a constraint where Microsoft supports that the CA server must participate in the AD domain inside the enclave. For this reason, Outlook Anywhere must be deployed only for enclave-sourced Outlook users.

Check content

Open the Exchange Management Shell and enter the following command: Get-OutlookAnywhere Get-OutlookAnywhere | Select Name, Identity, InternalClientAuthenticationMethod, ExternalClientAuthenticationMethod If the value of InternalClientAuthenticationMethod and the value of ExternalClientAuthenticationMethod is not set to NTLM, this is a finding.

Fix text

Open the Exchange Management Shell and enter the following command: For InternalClientAuthenticationMethod: Set-OutlookAnywhere -Identity ' -InternalClientAuthenticationMethod NTLM For ExternalClientAuthenticationMethod: Set-OutlookAnywhere -Identity ' -ExternalClientAuthenticationMethod NTLM

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.