Exchange 2007, Outlook Anywhere, and Active Directory security

We've been running Exchange 2007 for well over a year now, and we've been using Outlook Anywhere (HTTP/RPC) from the beginning.

The other day however we ran into something we hadn't noticed before and which we've been unable to solve, which is as follows:

If a user has Outlook running using Outlook Anywhere (HTTP/RPC), and we disable their account in Active Directory, they continue to be able to use Outlook to send/receive mail, and can manage their mailbox, including being able to delete mail, for as long as they leave Outlook running.

This came about because we fired someone, and disabled their AD account.  Their manager wanted the mailbox kept as it was, but we later found out that the person had been using Outlook for hours afterwards, and wiped all the mail from the account (we were able to recover it, of course, but at a waste of a lot of our time to do that).

Our own testing later confirmed all this - so long as the person doesn't quit the Outlook application, they can keep using their mailbox as long as they like, we've had it going for up to eight full hours on an account which was disabled in AD.

We also confirmed this applied only to Outlook Anywhere - if the user was signed in to our VPN (which we provide via ISA 2005) and we disabled their account they would be cut off and couldn't get back in, exactly as you would expect.

Similarly, we've confirmed that once the account was disabled, it was no longer possible to log in to OWA, or to continue to use it if you were already logged in: the problem appears to be specific to Outlook Anywhere.
WilburWhateleyAsked:

NpatangCommented:
As the RPC is part of IIS, it's IIS which is caching the password. Have you tried doing the IISreset and then checked?
0
WilburWhateleyAuthor Commented:
NPatang: we considered that, as well as possibly cycling the ISA services, but because we have a fairly large number of other users also active on the server, we didn't want to bump them off also.

That's certainly something we could test off-hours, but not something we've tried as yet.
0
SaakarCommented:
This might help in your case:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/6b2e7fcd-5fad-4ac8-ac0a-dcfbe771e9e1.mspx?mfr=true

For Basic Authentication, IIS will cache user tokens of authenticated users for performance reasons (think about the domain scenario - you do not want every single request to IIS requiring an access against the Domain Controller on the backend...). However, as soon as you cache user tokens you need to worry about replay/spoofing attacks against the cached user token, and a reasonable defense against this security threat is to periodically flush the user token cache. FlushTokenCache controls whether IIS will immediately flush the user token cache. As soon as you set it to non-zero, IIS will flush all tokens in the user token cache. UserTokenTTL controls the amount of time a user token will be cached before evicted. If it is set to zero, it means that the user token will not be flushed by TTL (in other words, it never gets flushed until the process containing the cache goes away, either through recycling or restarting IIS).
(Extract from)
http://blogs.msdn.com/david.wang/archive/2005/08/07/Information-on-FlushTokenCache-and-the-IIS6-Token-Cache.aspx
0
MesthaCommented:
IISRESET is the only way to kill the connection without making any changes to the system. Whether ISA can do anything more I wouldn't like to say.
Running IISRESET wouldn't kick the RPC over HTTPS users out, it would kick out OWA though. It would have to be done at ISA though.

Simon.
0
juggernaughtyCommented:
Wilbur,
How did you publish Outlook Anywhere with ISA? Did you use Basic authentication or NTLM authentication?
0
NpatangCommented:
Well, it's your own wish whether you want to use Basic or NTLM auth on ISA. Use Basic auth anyhow; your connection is a secure connection, so no issues with that.
0
WilburWhateleyAuthor Commented:
Mestha - what do you mean by "It would have to be done at ISA though"?  Yes, we do publish via ISA, but you're describing doing an IISRESET here.
0
WilburWhateleyAuthor Commented:
saakar_rao - Apparently this doesn't work the way Microsoft documents, ours is already set for the default, 15 minutes.
0
WilburWhateleyAuthor Commented:
Mestha - the other thing that occurs to me, is this REALLY the way Microsoft intends this should work?  This seems like a pretty glaring security hole that most people wouldn't be aware of.

Granted we're a small company, but there are Fortune 500 companies that use Exchange (my wife works in IT for one of them, in fact).  Could it honestly be Microsoft's expectation that companies that large would find it OK to throw all their OWA users offline every time they fire someone and need to ensure they don't still have Outlook Anywhere running?

It would seem to me more prudent if you could just kill their individual session, perhaps via the ISA, but I've yet to find a way to do that.
0
MesthaCommented:
It's the only way that I know of.

Termination of an employee with immediate effect is rather a special occurrence and shouldn't be happening that often. In most cases termination is a controlled process and therefore procedures can be used.

As for large companies, you would be surprised what they will do. In many of them the IT departments do not care about the users and will turn things off if they are told to stop a single user from accessing content. I have seen it happen.

I have nothing else to offer other than what I have already stated.

Simon.
0
WilburWhateleyAuthor Commented:
As a follow-up then: how would you suggest even determining if someone had an open Outlook Anywhere session, that would necessitate running the IISRESET?  I can certainly see any VPN connections that are active through ISA, but I haven't found a way, nor found any articles, that would allow someone to see that someone had an open Outlook Anywhere session running.

I'd rather not be routinely running IISRESET and killing everyone on OWA every time we have someone leave, if I can avoid it.
0
MesthaCommented:
You cannot tell who is on OWA or Outlook Anywhere because of the way they interface with the server. It is not a constant connection, the connection is being constantly opened and then torn down, because that is how http works. The only exception to that is EAS, which holds a connection open.

The most you can do is run queries against the web logs for connections to /rpc, but at most that will give you an idea who has connected in the last couple of minutes.

Simon.
0
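Simon's last suggestion, worked through as an added example (not from the thread): a small parser over IIS W3C extended logs that reports a user's recent requests under /rpc, using the default 15-minute window mentioned earlier. The field names are the standard IIS W3C ones and /rpc/rpcproxy.dll is the standard Outlook Anywhere endpoint; the log lines themselves are constructed.

```python
# Added example: query IIS W3C logs for a user's recent Outlook Anywhere (/rpc) hits.
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample IIS 6 W3C log (IIS writes UTC timestamps); not real data.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-10 14:00:01
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status
2009-03-10 14:00:01 10.0.0.5 CORP\\jdoe 443 RPC_IN_DATA /rpc/rpcproxy.dll mail.corp.local:6001 200
2009-03-10 14:00:02 10.0.0.5 CORP\\jdoe 443 RPC_OUT_DATA /rpc/rpcproxy.dll mail.corp.local:6001 200
2009-03-10 14:00:09 10.0.0.7 CORP\\asmith 443 GET /owa/ - 200
2009-03-10 14:05:30 10.0.0.5 CORP\\jdoe 443 RPC_IN_DATA /rpc/rpcproxy.dll mail.corp.local:6002 200
2009-03-10 14:07:45 10.0.0.9 - 443 GET /rpc/rpcproxy.dll - 401
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # a log can contain several header blocks
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def rpc_activity(text, username, since, path_prefix="/rpc/"):
    """(time, client ip, method, status) of `username`'s requests under
    `path_prefix` at or after `since` ('YYYY-MM-DD HH:MM:SS'), oldest first.
    Anonymous (401) probes log '-' as the user and are therefore skipped."""
    start = datetime.strptime(since, FMT)
    hits = []
    for e in parse_w3c(text):
        if not e["cs-uri-stem"].lower().startswith(path_prefix):
            continue
        if e["cs-username"].lower() != username.lower():
            continue
        when = datetime.strptime(e["date"] + " " + e["time"], FMT)
        if when >= start:
            hits.append((when, e["c-ip"], e["cs-method"], e["sc-status"]))
    return sorted(hits)


def last_seen(text, username, now, window_minutes=15):
    """Time of the user's newest /rpc request within the window, or None.
    RPC over HTTP is a stream of separate requests, so this is the closest
    the logs get to 'is this user's Outlook still connected'."""
    end = datetime.strptime(now, FMT)
    since = (end - timedelta(minutes=window_minutes)).strftime(FMT)
    hits = [h for h in rpc_activity(text, username, since) if h[0] <= end]
    return hits[-1][0].strftime(FMT) if hits else None
```

Run it against the real log directory (C:\WINDOWS\system32\LogFiles\W3SVC1 by default) before deciding whether an IISRESET is needed; an empty result only means the user has not sent anything recently, not that Outlook is closed.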