1.12 Set 'External send connector authentication: Domain Security' to 'True'

Information

It is preferable to use Exchange Authentication or IPsec for external send connectors. However, if you must use Basic authentication to enable Domain Security, using (Mutual Auth TLS) for external send connectors helps to protect credentials and e-mail sent to other organizations.

If enabled, the Send connector will attempt to establish a mutual Transport Layer Security (TLS) connection with remote servers when sending mail. There are additional configuration steps required before you can start using TLS. For more information about how to configure mutual TLS, see Using Domain Security: Configuring Mutual TLS [http://technet.microsoft.com/en-us/library/bb123543(EXCHG.140).aspx].

Rationale:

Basic authentication sends credentials across the network in plaintext. Domain Security (Mutual Auth TLS) helps protect credentials from interception by unauthorized users.

Solution

To implement the recommended state, execute the following PowerShell cmdlet:

set-sendconnector -Identity -DomainSecureEnabled $true

See Also

https://workbench.cisecurity.org/files/1512

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Windows

Control ID: 927299cc6ba0b57c0abfc60de156037b5067c3aabe57038e746d8e63de9c3d32