E-mail Server does not require S/MIME capable clients.


Overview

Finding ID: V-18642
Version: EMG2-323 Exch2K3
Rule ID: SV-20216r1_rule
IA Controls: ECSC-1
Severity: High

Description
Identification and Authentication provide the foundation for access control. The ability for receiving users to authenticate the source of E-Mail messages helps to ensure that they are not FORGED or SPOOFED before they arrive. MIME (Multipurpose Internet Mail Extensions) is an Internet standard that extends the format of e-mail and other web content to support ASCII and other character sets in both the message and header, text and non-text attachments, and multi-part message bodies. All human-originating E-Mail messages are transmitted in MIME format. S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME. Participants in S/MIME message exchanges must obtain and install an individual key/certificate from the DoD. S/MIME clients will require that each participant own a certificate before allowing them to encrypt messages to others. To minimize attack vectors revealed by lack of signed or encrypted E-Mail, all clients in the enterprise must be updated to support S/MIME, and all mail servers must require S/MIME capability.

STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text ( C-22340r1_chk )
Ensure that E-Mail servers require S/MIME capable clients.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> servers >> [server name] >> [storage group] >> Mailbox store [server name] >> properties >> General tab

The “Clients support S/MIME signatures” checkbox should be selected.

Criteria: If the “Clients support S/MIME signatures” checkbox is selected, this is not a finding.

Fix Text (F-19273r1_fix)
Configure requirement for S/MIME capable clients.

Procedure: Exchange System Manager >> administrative groups >> [administrative group] >> servers >> [server name] >> [storage group] >> Mailbox store [server name] >> properties >> General tab

Select the “Clients support S/MIME signatures” checkbox.