Check: EMG2-256 Exch2K3
Microsoft Exchange Server 2003: EMG2-256 Exch2K3 (in version v1 r5)
Title
OWA does not require only Integrated Windows Authentication. (Cat I impact)
Discussion
Identification and Authentication provide the foundation for access control. Access to E-mail services applications in the DoD requires authentication using DoD Public Key Infrastructure (PKI) certificates. The Exchange Virtual Server, which controls Outlook Web Access (OWA), is used to link Web Access for user E-mail accounts to the Exchange Mailbox store. OWA is designed to provide much of the same functionality as an Outlook client, but through a web browser. This setting controls the authentication method used to connect to this virtual server.
OWA does not natively provide Common Access Card (CAC) authentication. For this reason, access to OWA must be brokered by an application proxy authentication point where CAC (certificate) authentication is available for Internet-based access to E-mail services. It is the proxy server that must authenticate the user's membership in domain directory services (for example, Microsoft Active Directory) before establishing an authenticated connection to the OWA server. Consequently, only Integrated Windows Authentication should be selected as the authentication method at this point in the process.
Check Content
Validate OWA Authentication Setting:
Procedure: Exchange System Manager >> Administrator Groups >> [administrator group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access Tab >> Authentication Settings >> Authentication Button
"Integrated Windows Authentication" should be selected.
Criteria: If "Integrated Windows Authentication" is selected, this is not a finding.
Fix Text
Configure OWA Virtual Server Authentication.
Procedure: Exchange System Manager >> Administrator Groups >> [administrator group] >> Servers >> [server name] >> Protocols >> HTTP >> Exchange Virtual Server >> Exchange >> Properties >> Access Tab >> Authentication Settings >> Authentication Button
Select "Integrated Windows Authentication".
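Added example (not part of the STIG text): when the setting is audited from an exported value rather than the dialog, this Python decodes the IIS `AuthFlags` bitmask of the virtual directory and reports both whether Integrated Windows Authentication is selected (the Criteria line) and whether it is the only method selected (the check title). Assumptions: the value was read from the IIS `AuthFlags` property, which the page does not mention; function names and sample values are constructed for illustration.

```python
# Bit values of the IIS AuthFlags property (from IIS documentation, not from
# this page): each bit corresponds to one box in the authentication dialog.
AUTH_BITS = {
    0x01: "Anonymous",
    0x02: "Basic",
    0x04: "Integrated Windows Authentication",
    0x10: "Digest",
    0x40: ".NET Passport",
}
INTEGRATED = 0x04


def decode(flags):
    """Return the names of every authentication method enabled in flags."""
    names = [name for bit, name in sorted(AUTH_BITS.items()) if flags & bit]
    unknown = flags & ~sum(AUTH_BITS)  # bits outside the documented set
    if unknown:
        names.append("unknown bits 0x%X" % unknown)
    return names


def evaluate(flags):
    """Assess one AuthFlags value against the check.

    integrated_selected mirrors the Criteria line of the check.
    integrated_only mirrors the title ("only Integrated Windows
    Authentication"): no other method may be enabled alongside it.
    """
    return {
        "methods": decode(flags),
        "integrated_selected": bool(flags & INTEGRATED),
        "integrated_only": flags == INTEGRATED,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    samples = {
        "integrated only": 0x04,
        "basic + integrated": 0x06,
        "anonymous + basic": 0x03,
    }
    for label, value in samples.items():
        print(label, "->", evaluate(value))
```

A value such as 0x06 satisfies the Criteria line as written but not the title's "only" requirement, so both results are reported separately.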
Additional Identifiers
Rule ID: SV-20451r1_rule
Vulnerability ID: V-18760
Group Title:
CCIs
No CCIs are assigned to this check.
Controls
No controls are assigned to this check.