Solved

Exchange 2007, Outlook Anywhere, and Active Directory security

Posted on 2009-07-13
454 Views
Last Modified: 2012-05-07
We've been running Exchange 2007 for well over a year now, and we've been using Outlook Anywhere (HTTP/RPC) from the beginning.

The other day however we ran into something we hadn't noticed before and which we've been unable to solve, which is as follows:

If a user has Outlook running using Outlook Anywhere (HTTP/RPC), and we disable their account in Active Directory, they continue to be able to use Outlook to send/receive mail, and can manage their mailbox, including being able to delete mail, for as long as they leave Outlook running.

This came about because we fired someone, and disabled their AD account. Their manager wanted the mailbox kept as it was, but we later found out that the person had been in Outlook for hours afterwards, and wiped all the mail from the account (we were able to recover it, of course, but it wasted a lot of our time to do that).

Our own testing later confirmed all this - so long as the person doesn't quit the Outlook application, they can keep using their mailbox as long as they like, we've had it going for up to eight full hours on an account which was disabled in AD.

We also confirmed this applied only to Outlook Anywhere - if the user was signed in to our VPN (which we provide via ISA 2005) and we disabled their account they would be cut off and couldn't get back in, exactly as you would expect.

Similarly, we've confirmed that once the account was disabled, it was no longer possible to log in to OWA, or to continue to use it if you were already logged in: the problem appears to be specific to Outlook Anywhere.
Question by:WilburWhateley
12 Comments
LVL 8

Expert Comment

by:Npatang
As the RPC is part of the IIS, it's the IIS which is caching the password. Have you tried doing the IISRESET and then checked?

Author Comment

by:WilburWhateley
NPatang: we considered that, as well as possibly cycling the ISA services, but because we have a fairly large number of other users also active on the server, we didn't want to bump them off also.

That's certainly something we could test off-hours, but not something we've tried as yet.
LVL 12

Expert Comment

by:Saakar
This might help in your case:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6b2e7fcd-5fad-4ac8-ac0a-dcfbe771e9e1.mspx?mfr=true

For Basic Authentication, IIS will cache user tokens of authenticated users for performance reasons (think about the domain scenario - you do not want every single request to IIS requiring an access against the Domain Controller on the backend...). However, as soon as you cache user tokens you need to worry about replay/spoofing attacks against the cached user token, and a reasonable defense against this security threat is to periodically flush the user token cache. FlushTokenCache controls whether IIS will immediately flush the user token cache. As soon as you set it to non-zero, IIS will flush all tokens in the user token cache. UserTokenTTL controls the amount of time a user token will be cached before evicted. If it is set to zero, it means that the user token will not be flushed by TTL (in other words, it never gets flushed until the process containing the cache goes away, either through recycling or restarting IIS).
(Extract from)
http://blogs.msdn.com/david.wang/archive/2005/08/07/Information-on-FlushTokenCache-and-the-IIS6-Token-Cache.aspx
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
IISRESET is the only way to kill the connection without making any changes to the system. Whether ISA can do anything more I wouldn't like to say.
Running IISRESET wouldn't kick the RPC over HTTPS users out; it would kick out OWA though. It would have to be done at ISA though.

Simon.
LVL 1

Expert Comment

by:juggernaughty
Wilbur,
How did you publish Outlook Anywhere with ISA? Did you use Basic authentication or NTLM authentication?
LVL 8

Expert Comment

by:Npatang
Well, it's your own wish whether you want to use Basic or NTLM auth on ISA. Use Basic auth anyhow; your connection is a secure connection, so no issues with that.
Author Comment

by:WilburWhateley
Mestha - what do you mean by "It would have to be done at ISA though"?  Yes, we do publish via ISA, but you're describing doing an IISRESET here.
Author Comment

by:WilburWhateley
saakar_rao - Apparently this doesn't work the way Microsoft documents it; ours is already set to the default, 15 minutes.
Author Comment

by:WilburWhateley
Mestha - the other thing that occurs to me, is this REALLY the way Microsoft intends this should work?  This seems like a pretty glaring security hole that most people wouldn't be aware of.

Granted we're a small company, but there are Fortune 500 companies that use Exchange (my wife works in IT for one of them, in fact). Could it honestly be Microsoft's expectation that companies that large would find it OK to throw all their OWA users offline every time they fire someone and need to ensure they don't still have Outlook Anywhere running?

It would seem to me more prudent if you could just kill their individual session, perhaps via the ISA, but I've yet to find a way to do that.
LVL 65

Expert Comment

by:Mestha
It's the only way that I know of.

Termination of an employee with immediate effect is rather a special occurrence and shouldn't be happening that often. In most cases termination is a controlled process and therefore procedures can be used.

As for large companies, you would be surprised what they will do. In many of them the IT departments do not care about the users and will turn things off if they are told to, to stop a single user from accessing content. I have seen it happen.

I have nothing else to offer other than what I have already stated.

Simon.
Author Comment

by:WilburWhateley
As a follow-up then: how would you suggest even determining if someone had an open Outlook Anywhere session, that would necessitate running the IISRESET? I can certainly see any VPN connections that are active through ISA, but I haven't found a way, nor found any articles, that would allow someone to see that someone had an open Outlook Anywhere session running.

I'd rather not be routinely running IISRESET and killing everyone on OWA every time we have someone leave, if I can avoid it.
LVL 65

Expert Comment

by:Mestha
You cannot tell who is on OWA or Outlook Anywhere because of the way they interface with the server. It is not a constant connection, the connection is being constantly opened and then torn down, because that is how http works. The only exception to that is EAS, which holds a connection open.

The most you can do is run queries against the web logs for connections to /rpc, but at most that will give you an idea who has connected in the last couple of minutes.

Simon.
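Mestha's suggestion of querying the web logs for hits on /rpc, as an added example that is not from the thread: it reads the IIS W3C log by its #Fields header (so the column order of the site's log configuration does not matter) and reports which accounts sent Outlook Anywhere requests to /rpc/rpcproxy.dll inside a chosen window. The log lines, account names and addresses are constructed.

```python
"""Parse IIS W3C logs and list the accounts that hit the /rpc virtual
directory (Outlook Anywhere) within a time window.  Added example, not
code from the thread; the log lines below are constructed."""
from datetime import datetime, timedelta

# Constructed sample: two Outlook Anywhere users and one OWA hit.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2009-07-13 14:00:00
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2009-07-13 14:01:10 RPC_IN_DATA /rpc/rpcproxy.dll CORP\\jdoe 203.0.113.7 200
2009-07-13 14:01:11 RPC_OUT_DATA /rpc/rpcproxy.dll CORP\\jdoe 203.0.113.7 200
2009-07-13 14:02:30 GET /owa/ CORP\\asmith 198.51.100.9 200
2009-07-13 14:09:45 RPC_IN_DATA /rpc/rpcproxy.dll CORP\\bwayne 192.0.2.44 200
"""

def parse_w3c(log_text):
    """Yield one dict per entry, keyed by the names in the #Fields line."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]   # header repeats after each restart
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        cols = raw.split()
        if len(cols) == len(fields):   # skip truncated lines
            yield dict(zip(fields, cols))

def rpc_last_seen(log_text):
    """Map each authenticated user to the time of their last /rpc request."""
    seen = {}
    for e in parse_w3c(log_text):
        user = e["cs-username"]
        if user == "-" or not e["cs-uri-stem"].lower().startswith("/rpc/"):
            continue                   # anonymous probe or not Outlook Anywhere
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        if user not in seen or ts > seen[user]:
            seen[user] = ts
    return seen

def active_rpc_users(log_text, now_str, window_minutes=5):
    """Users whose last /rpc request falls inside the window ending at now."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    cutoff = now - timedelta(minutes=window_minutes)
    return sorted(u for u, ts in rpc_last_seen(log_text).items() if ts >= cutoff)

if __name__ == "__main__":
    print(active_rpc_users(SAMPLE_LOG, "2009-07-13 14:12:00"))
```

Run it over the Client Access server's W3SVC log for the day; the default 5-minute window reflects the "last couple of minutes" limit noted above. IIS writes an entry only when a request completes, and the RPC_IN_DATA/RPC_OUT_DATA requests that carry an Outlook Anywhere session can stay open for a long time, so the absence of a recent entry does not prove the session is gone.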