
E-mail web services must be protected by having an application proxy server outside the enclave.


Overview

Finding ID: V-19548
Version: EMG3-108 Exch2K3
Rule ID: SV-21613r1_rule
IA Controls: EBBD-1
Severity: High
Description
Separation of roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience, requiring only a browser to access them, but it is simultaneously a well-known attack vector for people and applications attempting to gain unwelcome admittance. Web-based applications such as Exchange Outlook Web App (OWA) reside on Windows domain member servers and are classified as 'internal', or private, web servers. For the DoD to grant web-based access to E-mail services, careful authentication, encryption, and other precautions are needed. Authentication via Common Access Card (CAC) is not a feature of Exchange 2003. In addition, it is risky to admit Internet-sourced web traffic, even with SSL or TLS encryption, into the enclave without some inspection, such as for suspicious URL formations. Ensuring that only the desired protocols are allowed also reduces risk as well as excess traffic. An application proxy server, such as a Microsoft Threat Management Gateway (TMG) server, is an effective firewall and proxy that offers all of these features when properly equipped and configured. Failure to require CAC authentication of each user, a new security context for the transaction, and FIPS 140-2 compliant encryption for the Internet leg of the transaction each increases the risk of compromise to the OWA web server.
STIG: Email Services Policy
Date: 2012-01-31

Details

Check Text (C-23796r1_chk)
For sites not using Exchange E-mail web services, this check is N/A.

Procedure: Interview the IAO. Access the documentation that describes the E-mail services infrastructure. Verify that a proxy server such as Microsoft TMG is installed, requires CAC authentication, is a member of the local Windows domain, and initiates a new security context for the transaction.

Criteria: If the site employs an application proxy server, such as Microsoft TMG, that requires CAC authentication, FIPS 140-2 encryption, and URL evaluation, this is not a finding.
Fix Text (F-20244r1_fix)
Procedure: Install an application proxy server capable of authenticating a CAC-enabled transaction, continuing the transaction in a new security context, and requiring FIPS 140-2 encryption for the Internet connection to the end user.