
Default web site allows anonymous access.


Overview

Finding ID: V-18759
Version: EMG1-007 Exch2K3
Rule ID: SV-20449r1_rule
IA Controls: IAIA-1
Severity: Medium
Description
The Default Web Site is the virtual server on which all Exchange virtual directories reside. This setting controls the authentication method used to connect to this virtual server and its virtual directories. Ensure that it is set to Integrated Windows Authentication only. Anonymous access provides no access control for this virtual server, Basic Authentication transmits the password in the clear and risks its exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as recommended may result in unrestricted access to this virtual server, passwords being sent in the clear, and/or the inability to authenticate correctly, depending on which change is made. Because CAC authentication will be required and configured via a proxy server such as ISA, settings in this area must assume the presence of an application proxy (such as ISA) between the public Internet and the Exchange Client Access (Front End) server role.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text ( C-22474r1_chk )
Verify the default web site authentication type for Exchange access.

Procedure: IIS Manager >> [SERVER NAME] >> Websites >> Default Web Site >> Properties >> Directory Security tab >> Authentication and Access Control >> Edit button

Ensure that "Integrated Windows Authentication" is selected.

Criteria: If "Integrated Windows Authentication" is selected, this is not a finding.
Fix Text (F-19412r1_fix)
Ensure that default authentication is set appropriately.

Procedure: IIS Manager >> [server name] >> Websites >> Default Web Site >> Properties >> Directory Security tab >> Authentication and Access Control >> Edit button

Select the "Integrated Windows Authentication" checkbox.
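The check and fix above are expressed as IIS Manager clicks; the same setting lives in the IIS 6 metabase as the AuthFlags bitmask on the site's root. The following audit script is an added example, not part of the STIG, that decodes that bitmask for the Default Web Site and reports a finding unless Integrated Windows Authentication is the only enabled method. It assumes PowerShell with the IIS ADSI provider is available on the server and that the Default Web Site has the usual metabase site ID 1 (W3SVC/1); confirm the ID in IIS Manager before relying on the result.

```powershell
# Added audit example (not STIG-supplied code). Checks V-18759 by reading the
# IIS 6 metabase AuthFlags value of the Default Web Site root.
# Assumption: the Default Web Site is metabase site W3SVC/1 (the usual default).

# IIS 6 AuthFlags bit values (MD_AUTH_* constants).
$authAnonymous = 1    # MD_AUTH_ANONYMOUS
$authBasic     = 2    # MD_AUTH_BASIC (password sent in the clear)
$authDigest    = 4    # MD_AUTH_MD5
$authNtlm      = 16   # MD_AUTH_NT  (Integrated Windows Authentication)
$authPassport  = 64   # MD_AUTH_PASSPORT

# Translate the bitmask into the method names shown in IIS Manager.
function Get-AuthMethods([int]$flags) {
    $names = @()
    if ($flags -band $authAnonymous) { $names += 'Anonymous' }
    if ($flags -band $authBasic)     { $names += 'Basic' }
    if ($flags -band $authDigest)    { $names += 'Digest' }
    if ($flags -band $authNtlm)      { $names += 'Integrated Windows' }
    if ($flags -band $authPassport)  { $names += 'Passport' }
    return $names
}

# STIG criterion: Integrated Windows Authentication and nothing else.
function Test-StigCompliant([int]$flags) {
    return ($flags -eq $authNtlm)
}

$sitePath = 'IIS://localhost/W3SVC/1/Root'   # assumed Default Web Site root
$root     = [ADSI]$sitePath
$flags    = [int]$root.Get('AuthFlags')

$enabled = Get-AuthMethods $flags
Write-Host ("AuthFlags on {0}: {1} ({2})" -f $sitePath, $flags, ($enabled -join ', '))

if (Test-StigCompliant $flags) {
    Write-Host 'V-18759: not a finding (Integrated Windows Authentication only).'
} else {
    # Name each method that must be cleared so the fix can be applied in IIS Manager.
    $extra = $enabled | Where-Object { $_ -ne 'Integrated Windows' }
    Write-Host ('V-18759: FINDING. Disable: {0}' -f ($extra -join ', '))
    if (-not ($flags -band $authNtlm)) {
        Write-Host 'V-18759: FINDING. Integrated Windows Authentication is not enabled.'
    }
}
```

Run it on the Client Access (Front End) server as an administrator; a non-zero Anonymous or Basic bit is exactly what the Fix Text removes by leaving only the "Integrated Windows Authentication" checkbox selected.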