[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1722
  • Last Modified:

How can I protect against clickjacking OWA and RWW in Server 2011 SBS?

Hi all,

A client I look after has just had a penetration test carried out on their network as part of an audit insisted on by one of their clients.  They have a single 2011 SBS Server running everything.  The audit has thrown up 2 medium risks (both of which I have dealt with) and a load of low risks but my client is anxious to get rid of all of the low risks as well.  I'm probably going to raise a new question for each of the loaw risks I can't resolve myself but the first flaw they picked up on the report was as follows:

4.3.7 Websites Vulnerable to Click Jacking Risk: Low

The websites at the following URLs render correctly when embedded in an IFRAME element:

As a result, an attacker could socially engineer a situation where a victim is directed to a website under an attacker's control and manipulated into unknowingly performing actions on the target website. This is possible even with cross-site request forgery protection in place.
This vulnerability is becoming increasingly well known, and there have been several recent high profile exploits publicised. However, an attacker would need a high level of technical knowledge, and would need to devote a great deal of time and resource to targeting the website. Additionally, a victim would need to be logged into the website, and some social engineering would be required to successfully exploit this vulnerability.

My question is, bearing in mind I'm not an advanced user and IIS is a mystery, are there any step by step instructions on what to do to protect OWA and RWW from the threat of click jacking?  And is this something you have done as a matter of course?

Many thanks

  • 2
2 Solutions
David Johnson, CD, MVPOwnerCommented:
You can't stop everything without turning off the computers involved, that is the only truly effective way to safeguard a computer, never turn it on.

Add the following javascript to your page

try {
    if (top.location.href != window.location.href) {
        var mode = "frame";
} catch (e) {    
    // if you're in an iframe in a different domain, the top.location check
    // results in a security exception
    mode = "frame";

Open in new window

amlydiateAuthor Commented:
Hi many thanks for that, can you please give me a little more guidance on how to add the script and to which page, I'm pretty much a complete novice at this.


Rob WilliamsCommented:
I assume you are not using http:  for with OWA or RWA but rather https.  The reason those are the default sites and that you need to have a certificate is much like your bank, if there is a redirect to an illegitimate site there will be a certificate error. The SSL certificate indicates your site is legitimate.
amlydiateAuthor Commented:
That's a very good point. I've blocked port 80 incoming to the server and therefore everything is on 443 and has a signed certificate, therefore I guess that goes some way to protecting against click-jacking as long as the user notices.  I'll take that as a joint win with ve3ofa many thanks to both of you.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now