Exchange OWA must use https.

From MS Exchange 2013 Client Access Server Security Technical Implementation Guide

Part of SRG-APP-000439

Associated with: CCI-002418

SV-84397r1_rule Exchange OWA must use https.

Vulnerability discussion

Without protection of the transmitted information, confidentiality and integrity may be compromised since unprotected communications can be intercepted and either read or altered.

Check content

Open the Exchange Management Shell and enter the following command:

Get-OWAVirtualDirectory | Select Name, Identity, ExternalUrl, InternalUrl

If ExternalUrl and InternalUrl are not both returned and set to https://, this is a finding.
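The check above can be scripted so that every OWA virtual directory is evaluated the same way, including the case where a URL is unset. This is an added example, not part of the STIG text; the function name Test-OwaHttps and the sample server names and URLs are constructed for illustration.

```powershell
# Added example: flags OWA virtual directories whose ExternalUrl or InternalUrl
# is unset or does not use the https scheme. Test-OwaHttps is a hypothetical name.
function Test-OwaHttps {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$VirtualDirectory
    )
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()
        foreach ($prop in 'ExternalUrl', 'InternalUrl') {
            # The value is a System.Uri locally and a string in a remote session.
            $value = [string]$VirtualDirectory.$prop
            if ([string]::IsNullOrWhiteSpace($value)) {
                $reasons.Add("$prop is not set")
                continue
            }
            $uri = $null
            $parsed = [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)
            if (-not $parsed -or $uri.Scheme -ne 'https') {
                $reasons.Add("$prop is not https ($value)")
            }
        }
        [pscustomobject]@{
            Identity = [string]$VirtualDirectory.Identity
            Finding  = ($reasons.Count -gt 0)
            Reasons  = ($reasons -join '; ')
        }
    }
}

# Constructed sample objects standing in for Get-OWAVirtualDirectory output.
$sample = @(
    [pscustomobject]@{ Identity = 'EX01\owa (Default Web Site)'
        ExternalUrl = 'https://mail.example.com/owa'; InternalUrl = 'https://ex01.example.local/owa' }
    [pscustomobject]@{ Identity = 'EX02\owa (Default Web Site)'
        ExternalUrl = 'http://mail.example.com/owa'; InternalUrl = 'https://ex02.example.local/owa' }
    [pscustomobject]@{ Identity = 'EX03\owa (Default Web Site)'
        ExternalUrl = $null; InternalUrl = 'https://ex03.example.local/owa' }
)
$sample | Test-OwaHttps | Format-Table -AutoSize

# In the Exchange Management Shell: Get-OWAVirtualDirectory | Test-OwaHttps
```

With the sample data, only the first directory is reported with Finding set to False; the second fails on an http:// ExternalUrl and the third on an unset ExternalUrl.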

Fix text

Open the Exchange Management Shell and enter the following command:

Set-OWAVirtualDirectory -Identity '\owa (Default Web Site)' -ExternalUrl 'https://URL' -InternalUrl 'https://URL'

Note: The \owa (default web site) value must be in quotes.
