I have recently deployed an ISA 2006 Server in order to publish our Exchange 2007 OWA server.  We have hired a local security consultant to perform a penetration test on our ISA server.

In the final report, the penetration tests show that cookies being handed out are not marked as secure. They recommend using the AspKeepSessionIDSecure setting in the IIS metabase. However, I am not running IIS on the public server; as mentioned above, I am using ISA 2006 to publish the internal IIS server (Exchange 2007 Client Access Server).

How can I configure ISA to force cookies to be encrypted?
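The finding the consultant reported comes down to whether each Set-Cookie response header carries the Secure attribute (and, while checking, HttpOnly). The following is an added example, not code from this thread or from ISA Server; it parses captured Set-Cookie headers offline per RFC 6265 so the finding can be verified against the published OWA site and re-checked after any change. The header values below are constructed for illustration; the cookie names are not real OWA or ISA cookie names.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not from the original thread. It works on any captured
HTTP response headers, so it applies to an ISA-published site just as
well as to a plain IIS site.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    attributes: dict = field(default_factory=dict)

    @property
    def findings(self):
        """Human-readable list of weaknesses for this cookie (empty if none)."""
        out = []
        if not self.secure:
            out.append("missing Secure: browser may send cookie over plain HTTP")
        if not self.httponly:
            out.append("missing HttpOnly: cookie is readable by page scripts")
        return out


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value (RFC 6265 section 5.2).

    The first ';'-separated part is name=value; the rest are attributes.
    Secure and HttpOnly are flags with no value, matched case-insensitively.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    secure = httponly = False
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key_l = key.strip().lower()
        if key_l == "secure":
            secure = True
        elif key_l == "httponly":
            httponly = True
        elif key_l:
            attrs[key_l] = val.strip()
    return CookieAudit(name.strip(), secure, httponly, attrs)


def audit_response_headers(headers):
    """headers: list of (name, value) tuples as captured from one response.

    Returns a CookieAudit for every Set-Cookie header, in order.
    """
    return [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


def report(headers):
    """Return one line per weak cookie, e.g. for a re-test after a config change."""
    lines = []
    for audit in audit_response_headers(headers):
        for f in audit.findings:
            lines.append(f"{audit.name}: {f}")
    return lines


# Constructed sample: what a captured response might look like. Cookie names
# are placeholders, not real OWA/ISA cookie names.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sampleA=AAAAAexample; path=/"),                    # no Secure, no HttpOnly
    ("Set-Cookie", "sampleB=abc123; path=/; HttpOnly; Secure"),        # both flags present
]

if __name__ == "__main__":
    for line in report(SAMPLE_HEADERS):
        print(line)
```

Run it against headers captured from the published site (over HTTPS) before and after any configuration change; an empty report means every cookie the front end hands out is marked Secure and HttpOnly.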

Yorgy -> RE: AspKeepSessionIDSecure (14.Nov.2007 1:56:32 PM)

You may find these articles helpful; they talk about authentication methods that can help you secure your connections for remote users:

Yorgy -> RE: AspKeepSessionIDSecure (14.Nov.2007 4:06:36 PM)

Thank you for your reply.

However, I have already reviewed those two documents. There is a lot of information about the cookies and how to configure them to be persistent or not depending on whether the user specifies that he is on a public or private computer. I fail to find any information, however, on how to ensure that the ISA web server encrypts these cookies.

I know that for an IIS server, you need to modify the AspKeepSessionIDSecure setting in the IIS metabase. However, ISA doesn't appear to use IIS as its web server.

Any other ideas?

tshinder -> RE: AspKeepSessionIDSecure (14.Nov.2007 7:00:54 PM)

ISA doesn't have a Web server.

So what exploit was successful against the ISA Firewall? Was the ISA Firewall compromised in some way, or is this something that would be "nice to have"?


Jim Harrison -> RE: AspKeepSessionIDSecure (14.Nov.2007 8:47:58 PM)

This is nothing less than security by obscurity.
1. The cookies set by ISA will not work outside of the active TCP and HTTP sessions.
2. There is no ASPSessionState or anything else of value to anyone who may try to persist these cookies elsewhere.
Therefore, there is no gain to trying to obfuscate these cookies.
Whoever is making these suggestions is regurgitating, not thinking.

SteveMoffat -> RE: AspKeepSessionIDSecure (14.Nov.2007 9:45:21 PM)

As Jim said...


tshinder -> RE: AspKeepSessionIDSecure (14.Nov.2007 10:59:29 PM)

Yes, but the pen tester caused a false sense of urgency, so he was able to trick his customer into paying him for a service not rendered. Pretty good scam, eh?

Tom -> RE: AspKeepSessionIDSecure (14.Nov.2007 11:03:40 PM)

Thank you all for your help.

