EX13-CA-000135 – Exchange Outlook Anywhere (OA) clients must use NTLM authentication to access email.

Details

Identification and authentication provide the foundation for access control. Access to email services applications requires NTLM authentication. Outlook Anywhere, if authorized for use by the site, must use NTLM authentication when accessing email.

Note: A technical restriction in Exchange OA requires a direct SSL connection from Outlook to the CA server. In addition, Microsoft supports the CA server only when it participates in the AD domain inside the enclave. For this reason, Outlook Anywhere must be deployed only for enclave-sourced Outlook users.

Solution

Open the Exchange Management Shell and enter the following commands:

For InternalClientAuthenticationMethod:

Set-OutlookAnywhere -Identity '<Outlook Anywhere identity>' -InternalClientAuthenticationMethod NTLM

For ExternalClientAuthenticationMethod:

Set-OutlookAnywhere -Identity '<Outlook Anywhere identity>' -ExternalClientAuthenticationMethod NTLM
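
To confirm the setting before and after applying the commands above, the following added example (not part of the STIG text) reports every Outlook Anywhere virtual directory whose internal or external client authentication method is not NTLM. The function name Test-OutlookAnywhereNtlm and the sample server identities are assumptions made for illustration; the sample objects are constructed so the check can be exercised outside the Exchange Management Shell.

```powershell
# Added example: audit Outlook Anywhere authentication for EX13-CA-000135.
# Test-OutlookAnywhereNtlm is a hypothetical helper, not an Exchange cmdlet.
function Test-OutlookAnywhereNtlm {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-OutlookAnywhere output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$VirtualDirectory
    )
    process {
        $settings = 'InternalClientAuthenticationMethod',
                    'ExternalClientAuthenticationMethod'
        foreach ($name in $settings) {
            $value = [string]$VirtualDirectory.$name
            # Emit one result row per setting so each finding is traceable.
            [pscustomobject]@{
                Identity  = [string]$VirtualDirectory.Identity
                Setting   = $name
                Value     = $value
                Compliant = ($value -eq 'Ntlm')   # -eq is case-insensitive
            }
        }
    }
}

# Constructed sample data (not from a real server).
$sample = @(
    [pscustomobject]@{
        Identity = 'CAS01\Rpc (Default Web Site)'
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalClientAuthenticationMethod = 'Negotiate'
    }
    [pscustomobject]@{
        Identity = 'CAS02\Rpc (Default Web Site)'
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalClientAuthenticationMethod = 'Ntlm'
    }
)

# Only CAS01's external setting is reported as a finding.
$findings = $sample | Test-OutlookAnywhereNtlm | Where-Object { -not $_.Compliant }
$findings | Format-Table -AutoSize

# On an Exchange server, feed it live data instead:
#   Get-OutlookAnywhere | Test-OutlookAnywhereNtlm | Where-Object { -not $_.Compliant }
```

An empty result from the live pipeline means every Outlook Anywhere virtual directory returned by Get-OutlookAnywhere reports NTLM for both settings.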

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Windows.

Updated on July 16, 2022