Microsoft Security Center: Tip of the Month December 2004

Microsoft Exchange Server and ISA Server 2004 Forms-Based Authentication

One of the features in Microsoft Internet Security and Acceleration (ISA) Server 2004 is the ability to protect a computer running Exchange Server software. ISA Server 2004 does this by terminating unauthenticated connections at the firewall, so that they never reach Exchange Server.

When forms-based authentication (FBA) is enabled on a computer running ISA Server, the ISA Server firewall generates the form instead of the Exchange Server Outlook Web Access (OWA) Web site generating it. Why is this a good thing?

When the Exchange Server OWA Web site generates the form, a remote user must be able to make an unauthenticated connection to Exchange Server. Over that unauthenticated connection, Exchange Server sends the user the form. The user enters logon credentials and sends them to Exchange Server, and connects to the Exchange mailbox only after successfully authenticating.

The problem with this setup is that the remote user may be an attacker. The attacker can connect to Exchange Server over an unauthenticated connection, just like any other user, and every such request is processed by Exchange Server's own code before any credentials have been checked. A savvy attacker may be able to take advantage of this, attempting a denial of service attack against the server or exploiting a flaw in the OWA site to take control of Exchange Server processes and compromise user data.

In contrast, with ISA Server FBA, ISA Server generates the form. The user enters network credentials into the form and sends them to ISA Server. ISA Server forwards these credentials to Exchange Server. If Exchange Server tells ISA Server that the user was successfully authenticated, the user connects to the mailbox. If the user is not authenticated, the connection is dropped at the ISA Server firewall. Unauthenticated intruders never get near Exchange Server because ISA Server stops them at the perimeter. Two points to keep in mind: because the form carries the user's password, the Web listener that serves it should require SSL; and FBA removes the unauthenticated attack surface from Exchange Server only, so an attacker who holds valid credentials still reaches the mailbox server as an ordinary user.

The ISA Server FBA feature also protects the organization from users who download attachments to untrusted machines. You can configure FBA to prevent users from downloading and saving attachments when they connect to their OWA mailboxes. In addition, FBA can be configured to time out idle OWA sessions: if a user is away from the computer for longer than a period the ISA Server firewall administrator sets, the OWA session is automatically disconnected and the user must log on again.
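The following Python model walks through the two flows described above (the perimeter firewall serving the form and dropping failed logons before the mailbox server is contacted, plus the attachment-blocking and idle-timeout policies). It is an added illustration written for this page, not ISA Server or Exchange code. PerimeterFBA stands in for the ISA Server firewall, BackendMailServer for the Exchange OWA site, and the _DIRECTORY dictionary is constructed sample data standing in for the directory the firewall validates credentials against; the "/attachment/" path rule is a simplification of the real attachment policy.

```python
"""Model of forms-based authentication (FBA) at the perimeter.

Added illustration; not ISA Server or Exchange code. PerimeterFBA stands in
for the firewall, BackendMailServer for the OWA site, and _DIRECTORY is
constructed sample data standing in for the domain directory.
"""
import hmac
import secrets
import time

# Constructed credential store (stand-in for the domain directory).
_DIRECTORY = {"alice": "correct horse battery staple"}


class BackendMailServer:
    """Stand-in for the Exchange OWA site. It counts every request that
    reaches it so we can check that unauthenticated traffic never does."""

    def __init__(self):
        self.requests_seen = 0

    def handle(self, user, path):
        self.requests_seen += 1
        return f"200 mailbox of {user}: {path}"


class PerimeterFBA:
    """Firewall that serves the logon form itself, validates the credentials,
    and only then relays requests to the mailbox server."""

    LOGON_FORM = "200 <form method=post action=/logon>username / password</form>"

    def __init__(self, backend, idle_timeout=600, block_attachments=True):
        self.backend = backend
        self.idle_timeout = idle_timeout          # seconds of inactivity allowed
        self.block_attachments = block_attachments
        self.sessions = {}                        # cookie -> (user, last_seen)
        self.dropped = 0                          # failed logons stopped here

    def logon(self, user, password, now):
        """POST of the form. Returns a session cookie on success, None when the
        connection is dropped at the firewall. The backend is never contacted."""
        expected = _DIRECTORY.get(user)
        # Constant-time comparison of the submitted password.
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())
        if not ok:
            self.dropped += 1
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = (user, now)
        return cookie

    def request(self, path, cookie=None, now=None):
        """Any other request. Without a valid, unexpired session the firewall
        answers with the logon form and the mailbox server sees nothing."""
        now = time.time() if now is None else now
        session = self.sessions.get(cookie)
        if session is None:
            return self.LOGON_FORM
        user, last_seen = session
        if now - last_seen > self.idle_timeout:
            del self.sessions[cookie]             # idle timeout: force re-logon
            return self.LOGON_FORM
        self.sessions[cookie] = (user, now)       # slide the idle window
        # Simplified stand-in for the attachment-blocking policy: any path
        # that names an attachment is treated as a download and refused.
        if self.block_attachments and "/attachment/" in path:
            return "403 attachment download blocked by firewall policy"
        return self.backend.handle(user, path)


def demo():
    """Walk through the flows described in the text and return the results."""
    backend = BackendMailServer()
    fw = PerimeterFBA(backend, idle_timeout=600)
    t0 = 1_000_000.0
    unauth = fw.request("/exchange/alice/Inbox", now=t0)          # form, not mailbox
    bad = fw.logon("alice", "wrong", t0)                          # dropped at firewall
    cookie = fw.logon("alice", "correct horse battery staple", t0)
    page = fw.request("/exchange/alice/Inbox", cookie, now=t0 + 10)
    blocked = fw.request("/exchange/alice/Inbox/msg/attachment/x.doc",
                         cookie, now=t0 + 20)
    expired = fw.request("/exchange/alice/Inbox", cookie, now=t0 + 20 + 601)
    return {
        "unauth": unauth, "bad": bad, "page": page, "blocked": blocked,
        "expired": expired, "backend_requests": backend.requests_seen,
        "dropped": fw.dropped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module shows that the backend counter stays at zero through the unauthenticated request and the failed logon, rises to one for the authenticated mailbox request, and is untouched by the blocked attachment download and the expired session: everything that is not an authenticated, in-policy request is answered or refused at the perimeter.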