I have recently deployed an ISA 2006 Server in order to publish our Exchange 2007 OWA server. We have hired a local security consultant to perform a penetration test on our ISA server.
In the final report, the penetration tests show that cookies being handed out are not marked as secure. They recommend using the AspKeepSessionIDSecure setting in the IIS metabase. However, I am not running IIS on the public server; as mentioned above, I am using ISA 2006 to publish the internal IIS server (Exchange 2007 Client Access Server).
How can I configure ISA to force cookies to be encrypted?
However, I have already reviewed those two documents. There is a lot of information about the cookies and how to configure them to be persistent or not depending on whether the user specifies that he is on a public or private computer. I fail to find any information, however, on how to ensure that the ISA web server encrypts these cookies.
I know that for an IIS server, you need to modify the AspKeepSessionIDSecure setting in the IIS metabase. However, ISA doesn't appear to use IIS as its webserver.
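To reproduce the pentest finding yourself and track it after any ISA change, the audit below parses captured response headers and reports cookies that lack the Secure or HttpOnly attributes. This is an added example, not code from the thread or from ISA/Exchange; the header sample and cookie names are constructed, not the real names ISA or OWA issue.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Paste the raw response headers captured from the published OWA endpoint
(e.g. from a browser's network panel) into RAW_HEADERS and run the audit.
"""
from typing import Dict, Iterator, List

# Constructed sample headers; cookie names are placeholders, not real ISA/OWA cookies.
RAW_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: sessionid=abc123; path=/; HttpOnly
Set-Cookie: prefs=lang=en; path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure
Set-Cookie: trackingid=xyz; path=/
Content-Type: text/html"""


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into its name plus the flags we care about."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")  # split on the first '=' only
    # Attribute names are case-insensitive (RFC 6265); values are ignored here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {
        "name": name.strip(),
        "value": value,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "persistent": "expires" in attrs or "max-age" in attrs,
    }


def iter_set_cookies(raw_headers: str) -> Iterator[Dict[str, object]]:
    """Yield every parsed Set-Cookie header found in a raw header block."""
    for line in raw_headers.splitlines():
        hname, sep, hvalue = line.partition(":")
        if sep and hname.strip().lower() == "set-cookie":
            yield parse_set_cookie(hvalue.strip())


def audit_cookies(raw_headers: str) -> Dict[str, List[str]]:
    """Map each cookie name to the list of issues a pentester would report."""
    report: Dict[str, List[str]] = {}
    for cookie in iter_set_cookies(raw_headers):
        issues = []
        if not cookie["secure"]:
            issues.append("missing Secure")  # browser may send it over plain HTTP
        if not cookie["httponly"]:
            issues.append("missing HttpOnly")  # readable by page scripts
        if cookie["persistent"] and not cookie["secure"]:
            issues.append("persistent cookie exposed over plain HTTP")
        report[str(cookie["name"])] = issues
    return report


if __name__ == "__main__":
    for cookie_name, issues in audit_cookies(RAW_HEADERS).items():
        print(f"{cookie_name}: {', '.join(issues) or 'ok'}")
```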
From: Redmond, WA
This is nothing less than security by obscurity.
1. The cookies set by ISA will not work outside of the active TCP and HTTP sessions.
2. There is no ASPSessionState or anything else of value to anyone who may try to persist these cookies elsewhere.
Therefore, there is no gain to trying to obfuscate these cookies. Whoever is making these suggestions is regurgitating, not thinking.