Solved

Exchange 2007, Outlook Anywhere, and Active Directory security

Posted on 2009-07-13
Last Modified: 2012-05-07
We've been running Exchange 2007 for well over a year now, and we've been using Outlook Anywhere (HTTP/RPC) from the beginning.

The other day however we ran into something we hadn't noticed before and which we've been unable to solve, which is as follows:

If a user has Outlook running using Outlook Anywhere (HTTP/RPC), and we disable their account in Active Directory, they continue to be able to use Outlook to send/receive mail, and can manage their mailbox, including being able to delete mail, for as long as they leave Outlook running.

This came about because we fired someone, and disabled their AD account.  Their manager wanted the mailbox kept as it was, but we later found out that the person had been using Outlook for hours afterwards, and wiped all the mail from the account (we were able to recover it, of course, but at a waste of a lot of our time to do that).

Our own testing later confirmed all this - so long as the person doesn't quit the Outlook application, they can keep using their mailbox as long as they like, we've had it going for up to eight full hours on an account which was disabled in AD.

We also confirmed this applied only to Outlook Anywhere - if the user was signed in to our VPN (which we provide via ISA 2005) and we disabled their account they would be cut off and couldn't get back in, exactly as you would expect.

Similarly, we've confirmed that once the account was disabled, it was no longer possible to log in to OWA, or to continue to use it if you were already logged in: the problem appears to be specific to Outlook Anywhere.
Question by:WilburWhateley

12 Comments
 
LVL 8

Expert Comment

by:Npatang
ID: 24842538
As the RPC is part of IIS, it's IIS which is caching the password. Have you tried doing the IISreset and then checked?
 

Author Comment

by:WilburWhateley
ID: 24842575
NPatang: we considered that, as well as possibly cycling the ISA services, but because we have a fairly large number of other users also active on the server, we didn't want to bump them off also.

That's certainly something we could test off-hours, but not something we've tried as yet.
 
LVL 12

Expert Comment

by:Saakar
ID: 24842819
This might help in your case.
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6b2e7fcd-5fad-4ac8-ac0a-dcfbe771e9e1.mspx?mfr=true

For Basic Authentication, IIS will cache user tokens of authenticated users for performance reasons (think about the domain scenario - you do not want every single request to IIS requiring an access against the Domain Controller on the backend...). However, as soon as you cache user tokens you need to worry about replay/spoofing attacks against the cached user token, and a reasonable defense against this security threat is to periodically flush the user token cache. FlushTokenCache controls whether IIS will immediately flush the user token cache. As soon as you set it to non-zero, IIS will flush all tokens in the user token cache. UserTokenTTL controls the amount of time a user token will be cached before evicted. If it is set to zero, it means that the user token will not be flushed by TTL (in other words, it never gets flushed until the process containing the cache goes away, either through recycling or restarting IIS).
(Extract from)
http://blogs.msdn.com/david.wang/archive/2005/08/07/Information-on-FlushTokenCache-and-the-IIS6-Token-Cache.aspx
 
 
LVL 65

Accepted Solution

by:Mestha (earned 500 total points)
ID: 24845201
IISRESET is the only way to kill the connection without making any changes to the system. Whether ISA can do anything more I wouldn't like to say.
Running IISRESET wouldn't kick the RPC over HTTPS users out, it would kick out OWA though. It would have to be done at ISA though.

Simon.
 
LVL 1

Expert Comment

by:juggernaughty
ID: 24847093
Wilbur,
How did you publish Outlook Anywhere with ISA ? Did you use Basic authentication or NTLM authentication?
 
LVL 8

Expert Comment

by:Npatang
ID: 24847320
Well, it's your own wish whether you want to use basic or NTLM auth on ISA. Use basic auth anyhow; your connection is a secure connection, so no issues with that.
 

Author Comment

by:WilburWhateley
ID: 24847931
Mestha - what do you mean by "It would have to be done at ISA though"?  Yes, we do publish via ISA, but you're describing doing an IISRESET here.
 

Author Comment

by:WilburWhateley
ID: 24847949
saakar_rao - Apparently this doesn't work the way Microsoft documents it; ours is already set to the default, 15 minutes.
 

Author Comment

by:WilburWhateley
ID: 24847972
Mestha - the other thing that occurs to me, is this REALLY the way Microsoft intends this should work?  This seems like a pretty glaring security hole that most people wouldn't be aware of.

Granted we're a small company, but there are Fortune 500 companies that use Exchange (my wife works in IT for one of them, in fact).  Could it honestly be Microsoft's expectation that companies that large would find it OK to throw all their OWA users offline every time they fire someone and need to ensure they don't still have Outlook Anywhere running?

It would seem to me more prudent if you could just kill their individual session, perhaps via the ISA, but I've yet to find a way to do that.
 
LVL 65

Expert Comment

by:Mestha
ID: 24852099
It's the only way that I know of.

Termination of an employee with immediate effect is rather a special occurrence and shouldn't be happening that often. In most cases termination is a controlled process and therefore procedures can be used.

As for large companies, you would be surprised what they will do. In many of them the IT departments do not care about the users and will turn things off if they are told to, to stop a single user from accessing content. I have seen it happen.

I have nothing else to offer other than what I have already stated.

Simon.
 

Author Comment

by:WilburWhateley
ID: 24898010
As a follow-up then: how would you suggest even determining if someone had an open Outlook Anywhere session, that would necessitate running the IISRESET?  I can certainly see any VPN connections that are active through ISA, but I haven't found a way, nor found any articles, that would allow someone to see that someone had an open Outlook Anywhere session running.

I'd rather not be routinely running IISRESET and killing everyone on OWA every time we have someone leave, if I can avoid it.
 
LVL 65

Expert Comment

by:Mestha
ID: 24898427
You cannot tell who is on OWA or Outlook Anywhere because of the way they interface with the server. It is not a constant connection, the connection is being constantly opened and then torn down, because that is how http works. The only exception to that is EAS, which holds a connection open.

The most you can do is run queries against the web logs for connections to /rpc, but at most that will give you an idea who has connected in the last couple of minutes.

Simon.
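Simon's suggestion of querying the web logs for hits on /rpc, worked through as an added example (my own code, not anything from the thread, from Microsoft or from the Exchange product). It parses IIS W3C log lines using the #Fields header, keeps only requests to /rpc/ that carry an authenticated cs-username, and reports which accounts hit the RPC proxy within a chosen window before a given time. The sample log lines are constructed, not taken from any real server; the script assumes the site logs the cs-username and cs-uri-stem fields, which the default IIS 6 W3C field selection does.

```python
"""Find recent Outlook Anywhere (RPC over HTTP) activity in IIS W3C logs.

Added example, not code from the thread.  Outlook Anywhere requests land
in the IIS log as RPC_IN_DATA / RPC_OUT_DATA calls to /rpc/rpcproxy.dll,
and once the client has authenticated the account name is recorded in the
cs-username field.  Grouping /rpc hits by account and looking at the most
recent one tells you whether a disabled account has talked to the server
within the last few minutes.
"""
from datetime import datetime, timedelta

# Constructed sample in IIS 6 W3C extended format (not a real log).
# The first entry is the anonymous 401 challenge before credentials are sent.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-13 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-07-13 14:01:10 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.local:6001 443 - 203.0.113.7 MSRPC 401 2 5
2009-07-13 14:01:10 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.local:6001 443 CORP\\jdoe 203.0.113.7 MSRPC 200 0 0
2009-07-13 14:01:10 10.0.0.5 RPC_OUT_DATA /rpc/rpcproxy.dll mail.example.local:6001 443 CORP\\jdoe 203.0.113.7 MSRPC 200 0 0
2009-07-13 14:02:30 10.0.0.5 GET /owa/ - 443 CORP\\asmith 203.0.113.9 Mozilla/4.0 200 0 0
2009-07-13 14:05:45 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.local:6001 443 CORP\\asmith 198.51.100.4 MSRPC 200 0 0
2009-07-13 14:29:00 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail.example.local:6001 443 CORP\\jdoe 203.0.113.7 MSRPC 200 0 0
"""


def parse_ts(text):
    """Parse the 'date time' pair IIS writes (UTC by default)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # a fresh header appears after each service restart
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip truncated or malformed lines
        yield dict(zip(fields, values))


def rpc_last_seen(text):
    """Map each authenticated account to the time of its most recent /rpc hit."""
    seen = {}
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith("/rpc/"):
            continue                    # OWA, ActiveSync etc. are not Outlook Anywhere
        user = rec["cs-username"]
        if user == "-":
            continue                    # anonymous: the 401 challenge, no account yet
        ts = parse_ts(rec["date"] + " " + rec["time"])
        if user not in seen or ts > seen[user]:
            seen[user] = ts
    return seen


def active_rpc_users(text, now, window=timedelta(minutes=5)):
    """Accounts whose last /rpc request fell within `window` before `now`."""
    return sorted(u for u, ts in rpc_last_seen(text).items() if now - ts <= window)


def check_account(text, account, now, window=timedelta(minutes=5)):
    """True if `account` (DOMAIN\\user, case-insensitive) has a recent /rpc hit."""
    wanted = account.lower()
    return any(u.lower() == wanted for u in active_rpc_users(text, now, window))


if __name__ == "__main__":
    now = parse_ts("2009-07-13 14:30:00")
    for user, ts in sorted(rpc_last_seen(SAMPLE_LOG).items()):
        print(f"{user:20} last /rpc hit {ts}")
    print("active in last 5 min:", active_rpc_users(SAMPLE_LOG, now))
```

On a real Client Access server you would feed it the current log file (the IIS 6 default location is under %SystemRoot%\system32\LogFiles\W3SVC1\) and check the account you have just disabled, comparing against UTC since that is what IIS writes by default. A recent hit tells you an IISRESET is worth the disruption; as Simon says, a few minutes of silence is not proof that the client has gone away, so treat the result as a hint rather than a guarantee.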
