Check: EMG3-108 Exch2K3
Email Services Policy STIG, version v1 r4
Title
E-mail web services are not protected by having an application proxy server outside the enclave. (Cat I impact)
Discussion
Separation of roles supports operational security for application and protocol services. HTTP access to web sites is convenient because only a browser is needed, but the same path is a well-known attack vector for people and programs attempting to gain unauthorized access. Web-based applications such as Exchange 2003 Outlook Web Access (OWA) reside on Windows domain member servers and are classified as internal, or private, web servers. Before DoD can grant web-based access to e-mail services, careful authentication, encryption, and other precautions are required. Authentication via the Common Access Card (CAC) is not a native feature of Exchange 2003. In addition, it is risky to admit Internet-sourced web traffic into the enclave, even under SSL or TLS encryption, without some inspection, such as for suspicious URL formation. Restricting the connection to only the desired protocols also reduces risk as well as excess traffic. An application proxy server, such as Microsoft Internet Security and Acceleration (ISA) Server, is an effective firewall and proxy that offers all of these features when properly equipped and configured. Failing to require CAC authentication of each user, a new security context for the transaction (the client's session terminates at the proxy, which opens its own session to OWA rather than forwarding the client's), and FIPS 140-2 compliant encryption for the Internet leg of the transaction all increase the risk of compromise of the OWA web server.
Check Content
For sites not using Exchange 2003 e-mail web services, this check is N/A.
Procedure: Interview the IAO. Access documentation that describes the e-mail services infrastructure. Verify that an application proxy server, such as Microsoft ISA Server 2006, is installed, requires CAC authentication, is a member of the local Windows domain, initiates a new security context for the transaction, enforces FIPS 140-2 encryption on the Internet leg, and evaluates URLs before passing them to OWA.
Criteria: If the site employs an application proxy server, such as Microsoft ISA, that requires CAC authentication, FIPS 140-2 encryption, and URL evaluation, this is not a finding.
Fix Text
Procedure: Install an application proxy server capable of authenticating a CAC-enabled transaction, continuing the transaction in a new security context, and requiring FIPS 140-2 encryption for the Internet connection to the end user.
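The following is an added illustration, not part of the STIG and not ISA Server code: a small Python model of the admission decisions the Discussion and Fix Text require of the application proxy (FIPS 140-2 approved TLS on the Internet leg, CAC client-certificate authentication, URL evaluation against the published OWA virtual directories, and a new security context toward the back end). The allow-listed cipher suites, the `/exchange`, `/exchweb` and `/public` prefixes, the 2048-byte URL limit, the `X-Proxy-Verified-Subject` header and the sample requests are all assumptions constructed for the example; a real proxy takes its approved algorithms from its validated cryptographic module and performs genuine TLS and PKI validation, which this model does not.

```python
"""Constructed model of the admission controls an application proxy must enforce
in front of Exchange 2003 OWA. Illustration only: no real TLS, PKI or HTTP."""
import posixpath
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import unquote, urlsplit

# OWA 2003 virtual directories the site publishes (assumption: only these three).
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")
MAX_URL_LEN = 2048  # assumption: local threshold for "suspicious URL formation"

# Allow-list of IANA suite names built only from FIPS-approved algorithms (AES, 3DES,
# SHA-1, RSA). Assumption for the example: the real list comes from the proxy's
# validated module. Anything not listed (RC4, MD5, NULL, export, anonymous DH) is refused.
FIPS_APPROVED_SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Client-supplied headers that must not cross into the new security context.
DROP_HEADERS = {"authorization", "proxy-authorization", "cookie", "connection"}


@dataclass
class Request:
    method: str
    url: str
    tls_cipher: Optional[str]           # None: client connected without TLS
    client_cert_subject: Optional[str]  # None: no CAC certificate was presented
    headers: dict = field(default_factory=dict)


def evaluate_url(url: str) -> Optional[str]:
    """Return None for a well-formed URL inside OWA, otherwise a rejection reason."""
    if len(url) > MAX_URL_LEN:
        return "overlong URL"
    path = urlsplit(url).path
    decoded = unquote(path)
    if unquote(decoded) != decoded:          # a second decode still changes it
        return "double-encoded path"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded) or "\\" in decoded:
        return "control character or backslash in path"
    if ".." in decoded.split("/"):
        return "path traversal"
    normalized = posixpath.normpath(decoded)  # collapses "." and "//" segments
    if not (normalized + "/").startswith(ALLOWED_PREFIXES):
        return "path outside published OWA directories"
    return None


def admit(req: Request) -> Tuple[bool, str]:
    """Apply the controls in order: FIPS-approved TLS, CAC authentication, URL check."""
    if req.tls_cipher is None:
        return False, "plaintext HTTP not permitted"
    if req.tls_cipher not in FIPS_APPROVED_SUITES:
        return False, "cipher suite not FIPS-approved: " + req.tls_cipher
    if not req.client_cert_subject:
        return False, "no CAC client certificate"
    reason = evaluate_url(req.url)
    if reason:
        return False, reason
    return True, "admitted"


def backend_request(req: Request) -> dict:
    """Rebuild the request the proxy sends to OWA in a new security context: the
    client's session and credentials end at the proxy, and the back end receives the
    proxy's own connection carrying the identity the proxy verified. The header name
    is an assumption for the example, not an Exchange or ISA interface."""
    ok, reason = admit(req)
    if not ok:
        raise PermissionError(reason)
    headers = {k: v for k, v in req.headers.items() if k.lower() not in DROP_HEADERS}
    headers["X-Proxy-Verified-Subject"] = req.client_cert_subject
    return {"method": req.method, "path": urlsplit(req.url).path, "headers": headers}


# Constructed sample traffic as seen on the Internet-facing listener.
SUBJECT = "CN=DOE.JOHN.1234567890"
HOST = "https://owa.example.com"
SAMPLES = {
    "good": Request("GET", HOST + "/exchange/jdoe/Inbox/", "TLS_RSA_WITH_AES_256_CBC_SHA",
                    SUBJECT, {"Cookie": "sessionid=abc", "Authorization": "Basic eA==",
                              "Accept": "*/*"}),
    "no_tls": Request("GET", "http://owa.example.com/exchange/", None, SUBJECT),
    "rc4": Request("GET", HOST + "/exchange/", "TLS_RSA_WITH_RC4_128_MD5", SUBJECT),
    "no_cac": Request("GET", HOST + "/exchange/", "TLS_RSA_WITH_AES_128_CBC_SHA", None),
    "traversal": Request("GET", HOST + "/exchange/..%2f..%2fwinnt/",
                         "TLS_RSA_WITH_AES_128_CBC_SHA", SUBJECT),
    "double_enc": Request("GET", HOST + "/exchange/%252e%252e/",
                          "TLS_RSA_WITH_AES_128_CBC_SHA", SUBJECT),
    "outside_owa": Request("GET", HOST + "/scripts/", "TLS_RSA_WITH_AES_128_CBC_SHA", SUBJECT),
}


def run_samples() -> dict:
    """Map each constructed request to the proxy's decision reason."""
    return {name: admit(r)[1] for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, reason in run_samples().items():
        print(f"{name:12s} {reason}")
    print(backend_request(SAMPLES["good"]))
```

`run_samples()` shows which constructed requests are refused and why; `backend_request()` shows what actually reaches OWA for the admitted request: the client's Cookie and Authorization headers are gone, so the back end never continues the Internet-side session, which is the practical meaning of "a new security context for the transaction".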
Additional Identifiers
Rule ID: SV-21613r1_rule
Vulnerability ID: V-19548
Group Title:
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |