Ensuring signed SMB and encrypted MAPI protect the integrity of the data
Rule Title: If TLS optimization is used, signed SMB and encrypted MAPI must ensure the integrity and confidentiality of data transmitted over the WAN.
STIG ID: RICX-AG-000032
Rule ID: SV-77277r1_rule Severity: CAT II
Vuln ID: V-62787 Class: Unclass
Protecting the end-to-end security of transport layer security (TLS) is required to ensure the integrity and confidentiality of the data in transit.
Signed SMB and encrypted MAPI traffic use cryptographic techniques to prevent an unauthorized man-in-the-middle device from modifying the exchanged data. Additionally, encrypted MAPI traffic and encrypted SMB3 traffic provide data confidentiality by protecting the data while it is transmitted across the network.
To securely optimize this traffic, a properly configured client and server-side SteelHead appliance with WAN optimization must:
• decrypt and remove signatures on received LAN-side data from the client or server.
• perform bandwidth and application layer optimization.
• use the secure inner channel feature to maintain data integrity and confidentiality of the data transmitted over the WAN.
• convert the received optimized data back to its native form.
• encrypt and apply signatures for LAN side transmission of data to the client or server.
To query the Windows domain controller for the cryptographic information needed to optimize this traffic, the server-side SteelHead appliance must join a Windows domain. Additional configuration settings can be required, both on the SteelHead appliance and in the Windows domain. The cryptographic information is useful only for the lifetime of an individual connection or session: it is obtained at the beginning of a connection and transferred to the client-side SteelHead appliance as needed over the secure inner channel. You must configure the secure inner channel to ensure maximum security.
Only the server-side SteelHead appliance is required to join the domain, and it does so using a machine account in the same way that a Windows device does. The SteelHead appliance joins the domain to obtain a client-user session key (CUSK) or server-user session key (SUSK), which allows it to sign SMB traffic and/or decrypt MAPI traffic on behalf of the Windows user that is establishing the relevant session.
The server-side SteelHead appliance must join a domain that is either:
• the user domain. The domain must have a trust relationship with the domains that include the application servers you want to optimize (that is, the file server, Exchange server, and so on).
• a domain with a bidirectional trust relationship with the user domain. This domain might include some or all of the Windows application servers that the SteelHead appliance optimizes (that is, the file server and Exchange server).
Production deployments can have multiple combinations of client and server Windows operating system versions and can include different configuration settings for signed SMB and encrypted MAPI. Windows NT LAN Manager (NTLM) authentication is not approved for use in DoD implementations, so authentication between clients and servers must use Kerberos, and the SteelHead appliance must be configured with Kerberos authentication support for the optimized protocols.
Verifying the SMB and MAPI security settings
Verify that signed SMB and encrypted MAPI is configured to ensure the integrity and confidentiality of data transmitted over the WAN.
To verify that signed SMB1 is secure:
1. Choose Optimization > Protocols: CIFS (SMB1) to display the CIFS (SMB1) page.
2. Under SMB Signing, verify that the Enable SMB Signing, NTLM Delegation Mode, and Enable Kerberos Authentication Support check boxes are selected.
To verify that signed SMB2/3 is secure:
1. Choose Optimization > Protocols: SMB2/3 to display the SMB2/3 page.
2. Under Signing, verify that the Enable SMB2 and SMB3 Signing, NTLM Delegation Mode, and Enable Kerberos Authentication Support check boxes are selected.
To verify that MAPI is secure:
1. Choose Optimization > Protocols: MAPI to display the MAPI page.
2. Under Settings, verify that the Enable Encrypted Optimization, NTLM Delegation Mode, and Enable Kerberos Authentication Support check boxes are selected.
3. If SMB signing or encrypted MAPI optimization is enabled on any of these pages and the Optimization > Windows Domain Auth page does not display “In Domain Mode, Status: In a Domain”, this is a finding.
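The checks above confirm the SteelHead side of the rule. The following PowerShell script is an added example, not part of the Riverbed STIG documentation, that audits the Windows-domain side of the same rule from a domain-joined file server or client: that the endpoints still require SMB signing, that live SMB sessions actually arrive signed (and, for SMB3, encrypted), that NTLM is restricted so Kerberos is used, and that the server-side SteelHead machine account and the trust to the user domain described in the text exist. The domain name CORP.EXAMPLE.MIL and the machine account SH-SERVER01$ are placeholder assumptions; the registry values and cmdlets are standard Windows ones.

```powershell
# Added example, not from the Riverbed STIG page. Run in an elevated PowerShell
# session on a domain-joined Windows file server or client (Windows Server 2012 R2 /
# Windows 8.1 or later for the Get-Smb* cmdlets). The domain name and SteelHead
# machine account below are placeholder assumptions, not values from the page.
param(
    [string]$UserDomain = 'CORP.EXAMPLE.MIL',     # assumed user domain (placeholder)
    [string]$SteelHeadAccount = 'SH-SERVER01$'    # assumed machine account of the server-side SteelHead (placeholder)
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. The endpoints must still require SMB signing; the SteelHead re-signs on the LAN side,
#    but a client or server that accepts unsigned SMB would not notice a stripped signature.
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
if (-not $srv.RequireSecuritySignature) { $findings.Add('SMB server role does not require signing') }
if (-not $cli.RequireSecuritySignature) { $findings.Add('SMB client role does not require signing') }
if ($srv.EnableSMB1Protocol)            { $findings.Add('SMB1 is still enabled on the server role') }

# 2. Every live SMB session from this host must report Signed; SMB3 sessions may also
#    report Encrypted. An unsigned session means signing was dropped somewhere on the path.
foreach ($c in Get-SmbConnection) {
    if (-not $c.Signed) {
        $findings.Add("Unsigned SMB session to \\$($c.ServerName)\$($c.ShareName) (dialect $($c.Dialect), encrypted=$($c.Encrypted))")
    }
}

# 3. NTLM is not approved: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM;
#    RestrictSendingNTLMTraffic 2 = deny all outgoing NTLM, so clients must authenticate with Kerberos.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
$ntlmOut = (Get-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($lmLevel -ne 5) { $findings.Add("LmCompatibilityLevel is '$lmLevel' (expected 5)") }
if ($ntlmOut -ne 2) { $findings.Add("RestrictSendingNTLMTraffic is '$ntlmOut' (expected 2, deny all)") }

# 4. Catch NTLM fallback in practice: successful logons (event 4624) in the last 24 hours
#    whose AuthenticationPackageName (event property index 10) is NTLM rather than Kerberos.
$ntlmLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 'NTLM' }
if ($ntlmLogons) {
    $findings.Add("$(@($ntlmLogons).Count) NTLM logon(s) in the last 24 hours; Kerberos was expected")
}

# 5. Domain prerequisites from the text: the server-side SteelHead has a machine account, and the
#    domain this host belongs to either is the user domain or trusts it bidirectionally.
#    Requires the RSAT ActiveDirectory module.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $acct = Get-ADComputer -Filter "SamAccountName -eq '$SteelHeadAccount'" -ErrorAction SilentlyContinue
    if (-not $acct) { $findings.Add("No machine account '$SteelHeadAccount' found; server-side SteelHead has not joined this domain") }

    $localDomain = (Get-ADDomain).DNSRoot
    if ($localDomain -ne $UserDomain) {
        $trust = Get-ADTrust -Filter "Target -eq '$UserDomain'" -ErrorAction SilentlyContinue
        if (-not $trust) {
            $findings.Add("No trust from $localDomain to user domain $UserDomain")
        } elseif ($trust.Direction -ne 'BiDirectional') {
            $findings.Add("Trust to $UserDomain is $($trust.Direction), not BiDirectional")
        }
    }
} else {
    Write-Warning 'ActiveDirectory module not available; machine-account and trust checks skipped'
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: signing required, live sessions signed, NTLM restricted, domain prerequisites present'
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it on a file server and on a client on the far side of the client-side SteelHead while a share is mounted; a session that shows Signed=False on the client but Signed=True on the server (or the reverse) points at the optimized path, which is exactly the condition this rule exists to prevent. The event-log check is the only one that reports historical rather than current state, so run it after a normal business day of traffic.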
Configuring the SMB and MAPI security settings
Configure signed SMB and encrypted MAPI optimization services to ensure the integrity and confidentiality of data transmitted over the WAN.
To configure signed SMB and encrypted MAPI for security:
1. On the server-side SteelHead appliance, connect to the Management Console.
2. Choose Optimization > Windows Domain Auth to display the Windows Domain Auth page.
3. Under Kerberos, click Add a New User to expand the page.
4. Type the Active Directory Domain Name.
5. Type the User Domain ID.
6. Type the User Account Password and confirm it.
7. Select the Enable RODC Password Replication Policy check box.
8. Type the Domain Controller Name(s) or IP Addresses.
9. Click Add.
10. Verify that “In Domain Mode, Status: In a Domain” is displayed on the page.
To configure SMB1:
1. Choose Optimization > Protocols: CIFS (SMB1) to display the CIFS (SMB1) page.
2. Select the Enable SMB Signing, NTLM Delegation Mode, and Enable Kerberos Authentication Support check boxes.
3. Click Apply.
To configure SMB2/3:
1. Choose Optimization > Protocols: SMB2/3 to display the SMB2/3 page.
2. Select the Enable SMB2 and SMB3 Signing, NTLM Delegation Mode, and Enable Kerberos Authentication Support check boxes.
3. Click Apply.
To configure MAPI:
1. Choose Optimization > Protocols: MAPI to display the MAPI page.
2. Select the Enable Encrypted Optimization, NTLM Delegation Mode, and Enable Kerberos Authentication Support check boxes.
3. Click Apply.