UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

OWA Virtual Server has Forms-Based Authentication enabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18745 EMG2-271 Exch2K3 SV-20433r1_rule IATS-1 High
Description
Identification and Authentication provide the foundation for access control. Access to E-Mail services applications in the DoD require authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which operates Outlook Web Access (OWA), is used to enable web access to user E-mail mailboxes. This setting controls whether Forms-based login should be used by the OWA web site. Forms-based login enables a user to enter an Account and Password for the web session. The form stores the username and password information in browser cookies, and enables the user’s mailbox server to be located without user participation. The cookies persist throughout the OWA session after which they are destroyed. Because the DoD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through a an application proxy (for example, Internet Security and Acceleration [ISA]), which performs CAC authentication using a proxy-hosted OWA form. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server is must have Forms-based authentication enabled, and Exchange 2003 must have Forms-based Authentication disabled. If Forms-based Authentication is enabled on the Exchange 2003 Front End server, it is evidence that the application proxy server is either not correctly configured, or it may be missing.
STIG Date
Microsoft Exchange Server 2003 2014-08-19

Details

Check Text ( C-22467r1_chk )
Ensure that 'Forms-based' authentication is not active.

Procedure: Exchange system Manager >> Administrator Groups>> [administrator group]>>Servers>> [server name]>>Protocols>>HTTP>Exchange Virtual Server >> Properties >> Settings tab

The “Enable Forms-based Authentication” checkbox should be cleared.

Criteria: If the “Enable Forms-based Authentication” checkbox is cleared, this is not a finding.
Fix Text (F-19395r1_fix)
Configure Forms-based Authentication.

Procedure: Exchange system Manager >> Administrator Groups>> [administrator group]>>Servers>> [server name]>>Protocols>>HTTP>Exchange Virtual Server >> Properties >> Settings tab

Clear the “Enable Forms-based Authentication” checkbox.

Note: This configuration presumes that an application proxy server such as Internet Security and Acceleration (ISA) 2006 is installed between the Internet and the Client Access Server to host the authentication form.