OWA Virtual Server has Forms-Based Authentication enabled.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-18745	EMG2-271 Exch2K3	SV-20433r1_rule	IATS-1	High

Description
Identification and Authentication provide the foundation for access control. Access to E-Mail services applications in the DoD require authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which operates Outlook Web Access (OWA), is used to enable web access to user E-mail mailboxes. This setting controls whether Forms-based login should be used by the OWA web site. Forms-based login enables a user to enter an Account and Password for the web session. The form stores the username and password information in browser cookies, and enables the user’s mailbox server to be located without user participation. The cookies persist throughout the OWA session after which they are destroyed. Because the DoD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through a an application proxy (for example, Internet Security and Acceleration [ISA]), which performs CAC authentication using a proxy-hosted OWA form. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server is must have Forms-based authentication enabled, and Exchange 2003 must have Forms-based Authentication disabled. If Forms-based Authentication is enabled on the Exchange 2003 Front End server, it is evidence that the application proxy server is either not correctly configured, or it may be missing.

Description

Identification and Authentication provide the foundation for access control. Access to E-Mail services applications in the DoD require authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which operates Outlook Web Access (OWA), is used to enable web access to user E-mail mailboxes. This setting controls whether Forms-based login should be used by the OWA web site. Forms-based login enables a user to enter an Account and Password for the web session. The form stores the username and password information in browser cookies, and enables the user’s mailbox server to be located without user participation. The cookies persist throughout the OWA session after which they are destroyed. Because the DoD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through a an application proxy (for example, Internet Security and Acceleration [ISA]), which performs CAC authentication using a proxy-hosted OWA form. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server is must have Forms-based authentication enabled, and Exchange 2003 must have Forms-based Authentication disabled. If Forms-based Authentication is enabled on the Exchange 2003 Front End server, it is evidence that the application proxy server is either not correctly configured, or it may be missing.

STIG	Date
Microsoft Exchange Server 2003	2014-08-19

Details

Check Text ( C-22467r1_chk )
Ensure that 'Forms-based' authentication is not active. Procedure: Exchange system Manager >> Administrator Groups>> [administrator group]>>Servers>> [server name]>>Protocols>>HTTP>Exchange Virtual Server >> Properties >> Settings tab The “Enable Forms-based Authentication” checkbox should be cleared. Criteria: If the “Enable Forms-based Authentication” checkbox is cleared, this is not a finding.

Check Text ( C-22467r1_chk )

Ensure that 'Forms-based' authentication is not active.

Procedure: Exchange system Manager >> Administrator Groups>> [administrator group]>>Servers>> [server name]>>Protocols>>HTTP>Exchange Virtual Server >> Properties >> Settings tab

The “Enable Forms-based Authentication” checkbox should be cleared.

Criteria: If the “Enable Forms-based Authentication” checkbox is cleared, this is not a finding.

Fix Text (F-19395r1_fix)
Configure Forms-based Authentication. Procedure: Exchange system Manager >> Administrator Groups>> [administrator group]>>Servers>> [server name]>>Protocols>>HTTP>Exchange Virtual Server >> Properties >> Settings tab Clear the “Enable Forms-based Authentication” checkbox. Note: This configuration presumes that an application proxy server such as Internet Security and Acceleration (ISA) 2006 is installed between the Internet and the Client Access Server to host the authentication form.

Fix Text (F-19395r1_fix)

Configure Forms-based Authentication.

Procedure: Exchange system Manager >> Administrator Groups>> [administrator group]>>Servers>> [server name]>>Protocols>>HTTP>Exchange Virtual Server >> Properties >> Settings tab

Clear the “Enable Forms-based Authentication” checkbox.

Note: This configuration presumes that an application proxy server such as Internet Security and Acceleration (ISA) 2006 is installed between the Internet and the Client Access Server to host the authentication form.