Check: EMG1-007 Exch2K3
Microsoft Exchange Server 2003: EMG1-007 Exch2K3 (in version v1 r5)
Title
Default web site allows anonymous access. (Cat II impact)
Discussion
The Default Web Site is the IIS virtual server on which all Exchange virtual directories reside. This setting controls the authentication method used to connect to this virtual server and its virtual directories; ensure that it is set to Integrated Windows Authentication only. Anonymous access provides no access control for this virtual server, Basic Authentication transmits the password in the clear and risks exposure, and the other methods are not recommended by Microsoft for this control. Failure to configure this as recommended may result in unrestricted access to this virtual server, passwords being sent in the clear, and/or the inability to authenticate correctly, depending on which change is made. Because CAC authentication will be required and configured via a proxy server such as ISA, settings in this area must assume the presence of an application proxy (such as ISA) between the public Internet and the Exchange Client Access (Front End) server role.
Check Content
Verify the Default Web Site authentication type for Exchange access. Procedure: IIS Manager >> [SERVER NAME] >> Web Sites >> Default Web Site >> Properties >> Directory Security tab >> Authentication and Access Control >> Edit button. Ensure that "Integrated Windows Authentication" is selected. Criteria: If "Integrated Windows Authentication" is selected, this is not a finding.
Fix Text
Ensure that the default authentication is set appropriately. Procedure: IIS Manager >> [server name] >> Web Sites >> Default Web Site >> Properties >> Directory Security tab >> Authentication and Access Control >> Edit button. Select the "Integrated Windows Authentication" checkbox.
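The same check can be scripted against the IIS 6 metabase instead of clicking through IIS Manager. The PowerShell below is an added example, not part of this STIG; it assumes the Default Web Site has the conventional site ID 1 and reads the AuthFlags bitmask of the site root and each virtual directory under it, reporting a finding wherever Integrated Windows Authentication is off or Anonymous/Basic is on, as the Discussion requires. It only reads; apply the fix through IIS Manager as described above.

```powershell
# Added example (not from the STIG): audit IIS 6 authentication flags on the
# Default Web Site root and its virtual directories via the metabase (ADSI).
# Assumes the site ID is 1, the conventional ID of the Default Web Site.
param([int]$SiteId = 1)

# IIS 6 metabase AuthFlags bit values (MD_AUTH_* constants)
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4    # Integrated Windows Authentication
$AuthMD5       = 16   # Digest authentication

function Test-AuthFlags([int]$flags) {
    # Passes only when IWA is enabled and neither Anonymous nor Basic is enabled.
    $anon   = ($flags -band $AuthAnonymous) -ne 0
    $basic  = ($flags -band $AuthBasic) -ne 0
    $iwa    = ($flags -band $AuthNTLM) -ne 0
    $digest = ($flags -band $AuthMD5) -ne 0
    return @{
        Anonymous  = $anon
        Basic      = $basic
        Integrated = $iwa
        Digest     = $digest
        Finding    = ((-not $iwa) -or $anon -or $basic)
    }
}

# Site root carries the Directory Security settings; children inherit unless overridden.
$root  = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$vdirs = @($root.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq "IIsWebVirtualDir" })

foreach ($node in (@($root) + $vdirs)) {
    $flags = [int]$node.AuthFlags     # effective (possibly inherited) value
    $r = Test-AuthFlags $flags
    if ($r.Finding) { $state = "FINDING" } else { $state = "OK" }
    "{0,-8} {1,-45} Anon={2} Basic={3} IWA={4} Digest={5}" -f `
        $state, $node.psbase.Path, $r.Anonymous, $r.Basic, $r.Integrated, $r.Digest
}
```

Run it on the Exchange front-end server with an account that can read the metabase; a FINDING line on the root or on any listed virtual directory corresponds to this check's failure criteria.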
Additional Identifiers
Rule ID: SV-20449r1_rule
Vulnerability ID: V-18759
Group Title:
CCIs

| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |

Controls

| Number | Title |
|---|---|
| No controls are assigned to this check | |