Exchange 2007 Mailbox server IIS

  • We have an Exchange 2007 CCR cluster with 3 HT/CAS servers on the front end. We recently had a security audit performed and one of the items that they dinged us on was that on the Mailbox servers, the IIS settings for /Exadmin, /Exchange, /Public all had 'Basic Authentication' enabled. I cannot locate too many resources on whether 'Basic Authentication' can be safely disabled or not.

    Is this something that is required and would disabling Basic Authentication on the Mailbox/BE servers have nasty consequences?


    Thursday, January 6, 2011 3:44 PM


  • The Basic authentication method is a widely used, industry-standard method for collecting user name and password information. When you use Basic authentication, your Web browser displays a dialog box where you can enter your previously assigned Windows 2000 account user names and passwords. The Web browser then attempts to establish a connection using this information. (The password is Base64-encoded before it is sent over the network.)

    If the server rejects the information, the Web browser repeatedly displays the dialog box until you either enter a valid user name and password or close the dialog box.

    When your Web server verifies that the user name and password that you entered corresponds to a valid Windows user account, a connection is established.

    The advantage of Basic authentication is that it is part of the Hypertext Transfer Protocol (HTTP) specification, and is supported by most browsers. The disadvantage is that Web browsers that use Basic authentication transmit passwords in an unencrypted form. If a non-user monitors communications on your network, they can easily intercept and decipher these passwords by using publicly available tools. Therefore, Basic authentication is not recommended unless you are confident that the connection between the user and your Web server is secure; direct cable connections or dedicated lines are secure connections.

    I believe the Exchange VDs need Basic auth, as the requests usually come from other VDs. You should test it before implementing it in the production environment, because it depends on the infra design.

    Default Authentication Settings for Exchange-related Virtual Directories : http://technet.microsoft.com/en-us/library/gg263433(EXCHG.80).aspx

    Best Rgds, Ashish | Unified Communication | MCTS |
    • Proposed as answer by emma.yoyo Monday, January 10, 2011 2:05 AM
    • Marked as answer by emma.yoyo Wednesday, January 12, 2011 6:54 AM
    Friday, January 7, 2011 8:10 AM
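The point in the accepted answer that matters for the auditor's finding is that Basic authentication only Base64-encodes the credentials; anyone who can read the HTTP traffic between the front-end and the Mailbox server can reverse that in one call. The following is an added example, not code from the thread or from Exchange/IIS, showing the 401 challenge, the client's retry carrying the credentials, and the decode an eavesdropper would perform. The host name, realm, user name and password are constructed for illustration; the request text is a hand-written capture, not a real trace.

```python
"""
Added example (not from the original thread): what "Basic authentication"
actually puts on the wire, and why an eavesdropper can recover the password.
All request/response text below is constructed for illustration.
"""
import base64
import re
from typing import Optional, Tuple

# --- client side: what the browser sends after the 401 challenge -------------

def build_basic_header(username: str, password: str) -> str:
    """Return the Authorization header value a browser builds for Basic auth.
    Per RFC 7617 it is base64("user:pass"): an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

# --- attacker side: recover credentials from a captured request --------------

_AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)

def recover_basic_credentials(raw_request: str) -> Optional[Tuple[str, str]]:
    """Pull the user name and password out of a captured HTTP request.
    Returns None if no Basic Authorization header is present."""
    m = _AUTH_RE.search(raw_request)
    if not m:
        return None
    decoded = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    # The user-id may not contain ':' but the password may, so split only once.
    user, _, pwd = decoded.partition(":")
    return user, pwd

# --- constructed capture of the exchange described in the answer -------------

# Server's first reply when the request carried no credentials (constructed).
CHALLENGE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"MAILBOX01\"\r\n"
    "Content-Length: 0\r\n\r\n"
)

def captured_retry(username: str, password: str,
                   host: str = "mailbox01.corp.example") -> str:
    """The client's second request, now carrying the credentials (constructed;
    the /Exchange path mirrors the virtual directory named in the question)."""
    return (
        "GET /Exchange/jsmith/Inbox/ HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Authorization: {build_basic_header(username, password)}\r\n"
        "\r\n"
    )

def credentials_exposed(raw_request: str, over_tls: bool) -> bool:
    """True when someone sniffing the path could read the password: a Basic
    Authorization header is present and the hop is not protected by TLS."""
    return recover_basic_credentials(raw_request) is not None and not over_tls

if __name__ == "__main__":
    req = captured_retry("CORP\\jsmith", "Winter2011!")
    print(CHALLENGE + req)
    print("recovered by eavesdropper:", recover_basic_credentials(req))
    print("exposed over plain HTTP:", credentials_exposed(req, over_tls=False))
    print("exposed over HTTPS:", credentials_exposed(req, over_tls=True))
```

The practical reading for the question above: the auditor's finding is only a real exposure if the CAS-to-Mailbox hop that carries these headers can be observed; the mitigation the answer points at is to keep that hop on a protected network or under TLS rather than to remove the authentication method the virtual directories depend on.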