Controls/EDCA-IAC-023.json
|
{
"id": "EDCA-IAC-023", "title": "Mobile device mailbox policy requires a device password", "description": "The PasswordEnabled property on the default mobile device mailbox policy MUST be True. Requiring a password prevents unauthorised access to the device and the Exchange mailbox data on it. The CIS benchmark requires device passwords to be mandatory.", "verify": true, "subject": "Organization", "category": "Identity and Access Control", "severity": "High", "severityWeight": 8, "frameworks": [ "Best Practice", "CIS" ], "references": [ { "name": "CIS 3.10 (L1): Ensure Require password is set to True", "url": "https://www.cisecurity.org/benchmark/microsoft_exchange_server" }, { "name": "Mobile device mailbox policies in Exchange Server", "url": "https://learn.microsoft.com/exchange/clients/exchange-activesync/mobile-device-mailbox-policies" } ], "remediation": { "automatable": true, "description": "Require a device password in the default mobile device mailbox policy.", "scriptTemplate": "# Require a device password in the default mobile device mailbox policy.\nSet-MobileDeviceMailboxPolicy -Identity Default -PasswordEnabled $true" }, "considerations": "Requiring a password on mobile devices may cause friction for users who previously had no PIN. Communicate this change in advance and provide instructions for setting a compliant password. The remediation script targets the policy named Default; before running it, confirm with Get-MobileDeviceMailboxPolicy that this is the policy flagged IsDefault, because mailboxes assigned a different policy are not changed by it. PasswordEnabled only requires that a password exists; minimum length and complexity are governed by separate policy settings.", "roles": [ "Mailbox" ] } |