Check: EMG2-271 Exch2K3
Microsoft Exchange Server 2003: EMG2-271 Exch2K3 (in version v1 r5)
Title
OWA Virtual Server has Forms-Based Authentication enabled. (Cat I impact)
Discussion
Identification and Authentication provide the foundation for access control. Access to E-Mail services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which operates Outlook Web Access (OWA), is used to enable web access to user E-mail mailboxes. This setting controls whether Forms-based login is used by the OWA web site. Forms-based login enables a user to enter an Account and Password for the web session. The form stores the username and password information in browser cookies, and enables the user’s mailbox server to be located without user participation. The cookies persist throughout the OWA session, after which they are destroyed. Because the DoD requires Common Access Card (CAC)-based authentication to applications, OWA access must be brokered through an application proxy (for example, Internet Security and Acceleration [ISA]), which performs CAC authentication using a proxy-hosted OWA form. The authenticated request is then forwarded directly to OWA, where authentication is repeated without requiring the user to repeat authentication steps. For this scenario to work, the Application Proxy server must have Forms-based authentication enabled, and Exchange 2003 must have Forms-based Authentication disabled. If Forms-based Authentication is enabled on the Exchange 2003 Front End server, it is evidence that the application proxy server is either not correctly configured or missing.
Check Content
Ensure that Forms-based authentication is not active.
Procedure: Exchange System Manager >> Administrator Groups >> [administrator group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> Properties >> Settings tab.
The “Enable Forms-based Authentication” checkbox should be cleared.
Criteria: If the “Enable Forms-based Authentication” checkbox is cleared, this is not a finding.
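As an added check that is not part of the STIG text, the script below classifies the response the Exchange 2003 Front End server gives to one unauthenticated request for /exchange/: a redirect to the stock Exchange logon form means Forms-based Authentication is still enabled (a finding), while a 401 challenge means the checkbox is cleared. The logon path assumes a stock installation, the host name is a placeholder, and the sample responses are constructed; run the probe against the Exchange server itself, not through the ISA proxy, which hosts its own form.

```python
"""Classify an Exchange 2003 OWA front-end response: forms-based vs. challenge auth."""
import urllib.error
import urllib.request

# Stock Exchange 2003 serves its forms-based logon page from this path
# (assumed stock install; a customised deployment may differ).
FBA_LOGON_PATH = "/exchweb/bin/auth/owalogon.asp"


def classify_owa_auth(status: int, headers: dict) -> str:
    """Return 'forms-based', 'challenge' or 'unknown' for one response to GET /exchange/."""
    h = {k.lower(): v for k, v in headers.items()}
    location = h.get("location", "")
    if status in (301, 302, 303, 307) and FBA_LOGON_PATH.lower() in location.lower():
        return "forms-based"   # finding: FBA is enabled on the Exchange server
    if status == 401 and "www-authenticate" in h:
        return "challenge"     # Basic/NTLM/Negotiate challenge: FBA is not active
    return "unknown"           # anything else needs a manual look in ESM


def probe_owa(base_url: str, timeout: float = 10.0) -> str:
    """Issue one unauthenticated GET to /exchange/ and classify it; redirects are not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None        # returning None makes urllib raise HTTPError for 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + "/exchange/", timeout=timeout) as resp:
            return classify_owa_auth(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:   # 302 and 401 both arrive here
        return classify_owa_auth(err.code, dict(err.headers))


# Constructed sample responses (not captured from a real server).
FBA_RESPONSE = (302, {"Location": "https://owa-fe.example.test"
                      "/exchweb/bin/auth/owalogon.asp?url=https://owa-fe.example.test/exchange/&reason=0"})
CHALLENGE_RESPONSE = (401, {"WWW-Authenticate": "Negotiate", "Content-Length": "0"})

if __name__ == "__main__":
    for name, (status, hdrs) in {"fba": FBA_RESPONSE, "challenge": CHALLENGE_RESPONSE}.items():
        print(name, "->", classify_owa_auth(status, hdrs))
    # Live use, against the Front End server directly: print(probe_owa("https://owa-fe.example.test"))
```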
Fix Text
Disable Forms-based Authentication.
Procedure: Exchange System Manager >> Administrator Groups >> [administrator group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> Properties >> Settings tab.
Clear the “Enable Forms-based Authentication” checkbox.
Note: This configuration presumes that an application proxy server such as Internet Security and Acceleration (ISA) 2006 is installed between the Internet and the Client Access Server to host the authentication form.
Additional Identifiers
Rule ID: SV-20433r1_rule
Vulnerability ID: V-18745
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |