Check: EMG3-020 Exch
Email Services Policy (version v1 r4)
Title
Exchange with Outlook Web Access is not deployed as Front-end/Back-end Architecture. (Cat II impact)
Discussion
Microsoft Exchange supports a server architecture that distributes server tasks among front-end and back-end servers. Front-end/back-end architecture provides logical separation of protocols and user traffic, and the subsequent ability to secure each of these aspects of e-mail technology using discrete security techniques appropriate to each. In this architecture, a front-end server accepts requests from clients, proxies them to the appropriate back-end server for processing, and offloads the SSL encryption. The term "back-end server" refers to all servers in an organization that are not front-end servers once a front-end server is introduced into the organization. In a multi-server environment, one or more back-end servers may be cast in the role of "bridgehead" server. Bridgehead servers are used in large domains that deploy mailbox servers in multiple locations, sometimes spanning wide area network (WAN) or other slow connections, or that require careful bandwidth management for other reasons. Bridgehead servers work in pairs, one at each side of a location, to manage replication and distribution tasks. The primary advantage of the front-end/back-end server architecture is the ability to expose a single, consistent namespace to end users, for example https://mail.mycompany.com. Without a front-end server, users must know the name of the server that stores their mailbox.
Check Content
Interview the e-mail administrator or the Information Assurance Officer (IAO). Review the documented topology diagrams and the System Security Plan. Sites offering Outlook Web Access (OWA) for remote e-mail access from the Internet should have an Exchange 2003 front-end server. In e-mail environments where OWA is not offered, front-end servers are not needed.

Criteria: If the Exchange deployment model is a multi-server environment with OWA and is using a front-end/back-end architecture, this is not a finding.
Fix Text
For OWA-enabled environments, re-engineer the environment to add at least one front-end server. Consult the applicable network and protocol requirements for additional obligations, such as perimeter protection, protocol paths, and other configuration prerequisites that some Exchange configurations assume are in place.
Additional Identifiers
Rule ID: SV-20632r1_rule
Vulnerability ID: V-18858
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |