Join the Reckless Community* indicates requiredEmail Address *First Name *Last Name *
Back to Microsoft Exchange 2013 Mailbox Server Security Technical Implementation Guide
Severity: Medium
<VulnDiscussion>The IMAP4 protocol is not approved for use within the DoD. It uses a clear-text-based user name and password and does not support the DoD standard for PKI for email access. User name and password could easily be captured from the network, allowing a malicious user to access other system features. Uninstalling or disabling the service will prevent the use of the IMAP4 protocol.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
Open the Windows Power Shell and enter the following command: Get-ItemProperty 'hklm:\system\currentcontrolset\services\MSExchangeIMAP4be' | Select Start Note: The hklm:\system\currentcontrolset\services\MSExchangeIMAP4 value must be in quotes. If the value of Start is not set to 4, this is a finding.
Open the Windows Power Shell and enter the following command: services.msc Navigate to and double-click on Microsoft Exchange IMAP4 Backend. Click on the "General" tab. In the Startup Type: dropdown, select Disabled. Click the OK button.