Details
Use this setting to determine whether you want to allow clients to use basic authentication.
Rationale:
The default behavior of Exchange is to only require Basic Authentication. This type of authentication occurs in plaintext, which increases the possibility that an attacker could capture a user’s credentials. In addition to configuring this setting to require client certificates, you can further mitigate the risk that the default behavior poses by configuring IIS to require SSL or TLS user connections to the Exchange servers in your organization.
Solution
To implement the recommended state, execute the following PowerShell cmdlet:
Set-OwaVirtualDirectory -Identity ‘owa (Default Web Site)’ -BasicAuthentication $false
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Windows.