
OWA does not require only Integrated Windows Authentication.


Overview

Finding ID: V-18760
Version: EMG2-256 Exch2K3
Rule ID: SV-20451r1_rule
IA Controls: IAIA-1
Severity: High
Description
Identification and Authentication provide the foundation for access control. Access to E-mail services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which controls Outlook Web Access (OWA), links web access for user E-mail accounts to the Exchange Mailbox store. OWA is designed to provide much of the same functionality as an Outlook client, but through a web browser. This setting controls the authentication method used to connect to this virtual server.

OWA does not natively provide Common Access Card (CAC) authentication. For this reason, access to OWA must be brokered by an application proxy authentication point where CAC (certificate) authentication is available for Internet-based access to E-mail services. It is the proxy server that must authenticate the user’s membership in domain directory services (for example, Microsoft Active Directory) before establishing an authenticated connection to the OWA server. For this reason, only Integrated Windows Authentication should be selected as the authentication method at this point in the process.
STIG: Microsoft Exchange Server 2003
Date: 2014-08-19

Details

Check Text (C-22475r1_chk)
Validate OWA Authentication Setting:

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access Tab >> Authentication Settings >> Authentication Button

"Integrated Windows Authentication" should be selected.

Criteria: If "Integrated Windows Authentication" is selected, this is not a finding.
Fix Text (F-19413r1_fix)
Configure OWA Virtual Server Authentication.

Procedure: Exchange System Manager >> Administrative Groups >> [administrative group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access Tab >> Authentication Settings >> Authentication Button

Select "Integrated Windows Authentication".
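The check and fix above are performed in the Exchange System Manager dialog. As an added example (not part of the STIG text), the following PowerShell reads the effective setting from the IIS 6 metabase, decodes the AuthFlags bitmask, and reports a finding when anything other than Integrated Windows Authentication (NTLM) is enabled on the OWA "Exchange" virtual directory. It assumes OWA is hosted under the Default Web Site (site ID 1), so the metabase path is IIS://localhost/W3SVC/1/ROOT/Exchange, and that it runs on the Exchange 2003 server with rights to read the metabase.

```powershell
# Added example: verify EMG2-256 from the IIS 6 metabase rather than the ESM dialog.
# Assumption: OWA lives under the Default Web Site (site ID 1).
$MetabasePath = 'IIS://localhost/W3SVC/1/ROOT/Exchange'

# IIS 6 AuthFlags (MD_AUTHORIZATION) bit values
$AuthBits = @{
    Anonymous = 1
    Basic     = 2
    NTLM      = 4    # shown as "Integrated Windows Authentication" in ESM
    Digest    = 8    # MD5 digest
    Passport  = 64
}

function Test-OwaAuthFlags {
    param([int]$AuthFlags)
    # Name every enabled method so the report says which extra ones are present.
    $enabled = @($AuthBits.GetEnumerator() |
        Where-Object { ($AuthFlags -band $_.Value) -ne 0 } |
        Sort-Object Value | ForEach-Object { $_.Key })
    # Compliant only when the NTLM bit is set and no other bit is.
    $compliant = ($AuthFlags -eq $AuthBits.NTLM)
    New-Object PSObject -Property @{
        AuthFlags = $AuthFlags
        Enabled   = ($enabled -join ', ')
        Finding   = (-not $compliant)
    }
}

# Read the live value from the metabase via the IIS ADSI provider.
$vdir   = [ADSI]$MetabasePath
$flags  = [int]$vdir.Properties['AuthFlags'].Value
$result = Test-OwaAuthFlags -AuthFlags $flags
$result | Format-List AuthFlags, Enabled, Finding

if ($result.Finding) {
    Write-Warning ("EMG2-256: OWA allows [{0}]; only Integrated Windows " +
                   "Authentication should be selected.") -f $result.Enabled
}
```

A compliant server returns AuthFlags 4 with Enabled = NTLM; a value such as 6 means Basic authentication is also enabled and is a finding. If OWA is on a different web site, change the site ID in the metabase path.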