UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Default web site allows anonymous access.


Overview

Finding ID Version Rule ID IA Controls Severity
V-18759 EMG1-007 Exch2K3 SV-20449r1_rule IAIA-1 Medium
Description
The Default Web site is the virtual server on which all Exchange virtual directories reside. This feature controls the authentication method used to connect to this virtual server and its virtual directories. Ensure that this is set to Integrated Windows Authentication only. Anonymous access provides for no access control of this virtual server, Basic Authentication transmits the password in the clear and risks exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as per the recommendation may result in unrestricted access to this virtual server, passwords being sent in the clear, and/or the inability to correctly authenticate, depending on which change is made. Because CAC authentication will be required and configured via a proxy server such as ISA, settings in this area must assume the presence of an application proxy (such as ISA) between the Public Internet and the Exchange Client Access (Front End) server role.
STIG Date
Microsoft Exchange Server 2003 2014-08-19

Details

Check Text ( C-22474r1_chk )
Verify the default web site authentication type for Exchange access.

Procedure: IIS Manager >> [SERVER NAME] >> Websites>>Default Web Site>> Properties >> Directory Security tab>>Authentication and Access Control>>Edit button

Ensure that "Integrated Windows Authentication" is selected.

Criteria: If "Integrated Windows Authentication" is selected, this is not a finding.
Fix Text (F-19412r1_fix)
Ensure that default authentication is set appropriately.

Procedure: IIS Manager >> [server name] >> Websites>>Default Web Site>> Properties >> Directory Security tab>>Authentication and Access Control>>Edit button

Select the "Integrated Windows Authentication" checkbox.