Welcome to ISAserver.org
AspKeepSessionIDSecure

AspKeepSessionIDSecure - 14.Nov.2007 9:11:31 AM   
mproulx@caisse.biz

 

Posts: 3
Joined: 14.Nov.2007
Status: offline
I have recently deployed an ISA 2006 Server in order to publish our Exchange 2007 OWA server.  We have hired a local security consultant to perform a penetration test on our ISA server.

In the final report, the penetration tests show that cookies being handed out are not marked as secure.  They recommend using the AspKeepSessionIDSecure setting in the IIS metabase.  However, I am not running IIS on the public server, as mentioned above, I am using ISA 2006 to publish the internal IIS server (Exchange 2007 Client Access Server).

How can I configure ISA to force cookies to be encrypted?
Post #: 1
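The finding in this post ("cookies handed out are not marked as secure") is something an administrator can verify directly from the Set-Cookie headers the published site returns, instead of relying on the report. The script below is an added illustration written for this thread; it is not code from ISA Server, from Microsoft, or from any poster. It parses raw Set-Cookie header values and reports, per cookie, whether the Secure and HttpOnly attributes are present. The sample headers and cookie names in it are constructed placeholders, not ISA's real cookie names.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added illustration for this thread, not code from ISA Server or any poster.
Input: raw Set-Cookie header values as a reverse proxy would emit them.
The SAMPLE_HEADERS below are constructed, not captured from a real server.
"""
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name/value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Attribute names (Secure, HttpOnly, Path, ...) are case-insensitive.
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(headers: List[str], over_tls: bool = True) -> List[Dict[str, object]]:
    """Return one finding per cookie listing the attributes it is missing.

    A cookie without Secure may be sent by the browser over plain HTTP to the
    same host; that is what a "cookies not marked secure" report refers to.
    HttpOnly is checked as well because it is usually reported alongside it.
    """
    findings: List[Dict[str, object]] = []
    for h in headers:
        cookie = parse_set_cookie(h)
        attrs = cookie["attrs"]
        issues: List[str] = []
        if over_tls and "secure" not in attrs:
            issues.append("missing Secure")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        findings.append({"name": cookie["name"], "issues": issues})
    return findings


# Constructed sample input: placeholder cookie names and values.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "pref=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        status = ", ".join(finding["issues"]) or "ok"
        print(f"{finding['name']}: {status}")
```

To use it against a real deployment, feed `audit_set_cookie` the Set-Cookie values from a response captured with a browser's developer tools or a proxy; the `over_tls` flag lets you suppress the Secure check for a site that is only ever served over HTTP, where the attribute would prevent the cookie from being sent at all.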
RE: AspKeepSessionIDSecure - 14.Nov.2007 1:56:32 PM   
Yorgy

 

Posts: 158
Joined: 20.Sep.2006
Status: offline
You may find these articles helpful; they talk about authentication methods that can help you secure your connections for remote users:

http://www.microsoft.com/technet/isa/2006/authentication.mspx

http://www.microsoft.com/technet/isa/2006/logoff.mspx

HIH
Yorgy


_____________________________

Life is a zoo in a jungle!

(in reply to mproulx@caisse.biz)
Post #: 2
RE: AspKeepSessionIDSecure - 14.Nov.2007 4:06:36 PM   
mproulx@caisse.biz

 

Posts: 3
Joined: 14.Nov.2007
Status: offline
Thank you for your reply.

However, I have already reviewed those two documents.  There is a lot of information about the cookies and how to configure them to be persistent or not depending on whether the user specifies that he is on a public or private computer.  I fail to find any information, however, on how to ensure that the ISA web server encrypts these cookies.

I know that for an IIS server, you need to modify the AspKeepSessionIDSecure setting in the IIS metabase.  However, ISA doesn't appear to use IIS as its web server.

Any other ideas?

(in reply to Yorgy)
Post #: 3
RE: AspKeepSessionIDSecure - 14.Nov.2007 7:00:54 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
ISA doesn't have a Web server.

So what exploit was successful against the ISA Firewall? Was the ISA Firewall compromised in some way, or is this something that would be "nice to have"?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mproulx@caisse.biz)
Post #: 4
RE: AspKeepSessionIDSecure - 14.Nov.2007 8:47:58 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
This is nothing less than security by obscurity.
1. The cookies set by ISA will not work outside of the active TCP and HTTP sessions.
2. There is no ASPSessionState or anything else of value to anyone who may try to persist these cookies elsewhere.

Therefore, there is no gain to trying to obfuscate these cookies.
Whoever is making these suggestions is regurgitating; not thinking.
 

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
My ISAServer.org Stuff
My Site

(in reply to tshinder)
Post #: 5
RE: AspKeepSessionIDSecure - 14.Nov.2007 9:45:21 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
As Jim said..

S

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to Jim Harrison)
Post #: 6
RE: AspKeepSessionIDSecure - 14.Nov.2007 10:59:29 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Yes, but the pen tester caused a false sense of urgency, so he was able to trick his customer into paying him for a service not rendered. Pretty good scam, eh?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SteveMoffat)
Post #: 7
RE: AspKeepSessionIDSecure - 14.Nov.2007 11:03:40 PM   
mproulx@caisse.biz

 

Posts: 3
Joined: 14.Nov.2007
Status: offline
Thank you all for your help.

(in reply to tshinder)
Post #: 8
