HTTP authenticated access must be set to Integrated Windows Authentication only.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-33645	Exch-1-208	SV-44065r2_rule	ECSC-1	Medium

Description
This feature controls the authentication method used to connect to the OWA virtual directories. Ensure this is set to Integrated Windows Authentication only. Anonymous access provides for no access control. Basic Authentication transmits the password in the clear and risks exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendation may result in unrestricted access to OWA virtual directory, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made.

Description

This feature controls the authentication method used to connect to the OWA virtual directories. Ensure this is set to Integrated Windows Authentication only. Anonymous access provides for no access control. Basic Authentication transmits the password in the clear and risks exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendation may result in unrestricted access to OWA virtual directory, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made.

STIG	Date
Exchange 2010 Client Access Server STIG	2015-03-10

Details

Check Text ( C-41755r2_chk )
Open the Exchange Management Shell and enter the following command: Get-OwaVirtualDirectory -server ‘’ \| Select Name,Identity,*Authentication If the ‘WindowsAuthentication’ is not ‘True’, this is a finding. If any other result for ‘WindowsAuthentication’ is set to 'True', this is a finding. NOTE: Typical results for this command would result in this display: Name : owa (Default Web Site) Identity : \owa (Default Web Site) BasicAuthentication : False WindowsAuthentication : True DigestAuthentication : False FormsAuthentication : False LiveIdAuthentication : False

Check Text ( C-41755r2_chk )

Open the Exchange Management Shell and enter the following command:

Get-OwaVirtualDirectory -server ‘’ | Select Name,Identity,*Authentication

If the ‘WindowsAuthentication’ is not ‘True’, this is a finding. If any other result for ‘WindowsAuthentication’ is set to 'True', this is a finding.

NOTE: Typical results for this command would result in this display:
Name : owa (Default Web Site)
Identity : \owa (Default Web Site)
BasicAuthentication : False
WindowsAuthentication : True
DigestAuthentication : False
FormsAuthentication : False
LiveIdAuthentication : False

Fix Text (F-37538r1_fix)
Open the Exchange Management Shell and enter the following command: Set-OwaVirtualDirectory -WindowsAuthentication $true -Identity ''