How can I protect against clickjacking OWA and RWW in Server 2011 SBS?

Posted on 2012-08-29
Last Modified: 2013-12-02
Hi all,

A client I look after has just had a penetration test carried out on their network as part of an audit insisted on by one of their clients.  They have a single 2011 SBS Server running everything.  The audit has thrown up 2 medium risks (both of which I have dealt with) and a load of low risks but my client is anxious to get rid of all of the low risks as well.  I'm probably going to raise a new question for each of the low risks I can't resolve myself but the first flaw they picked up on the report was as follows:

4.3.7 Websites Vulnerable to Click Jacking Risk: Low

The websites at the following URLs render correctly when embedded in an IFRAME element:

As a result, an attacker could socially engineer a situation where a victim is directed to a website under an attacker's control and manipulated into unknowingly performing actions on the target website. This is possible even with cross-site request forgery protection in place.
This vulnerability is becoming increasingly well known, and there have been several recent high profile exploits publicised. However, an attacker would need a high level of technical knowledge, and would need to devote a great deal of time and resource to targeting the website. Additionally, a victim would need to be logged into the website, and some social engineering would be required to successfully exploit this vulnerability.

My question is, bearing in mind I'm not an advanced user and IIS is a mystery, are there any step by step instructions on what to do to protect OWA and RWW from the threat of click jacking?  And is this something you have done as a matter of course?

Many thanks

Question by:amlydiate

    Assisted Solution

    by:David Johnson, CD, MVP
    You can't stop everything without turning off the computers involved; that is the only truly effective way to safeguard a computer: never turn it on.

    Add the following javascript to your page

    // Detect whether this page has been loaded inside a frame on another site.
    var mode = "top";
    try {
        if (top.location.href != window.location.href) {
            mode = "frame";
        }
    } catch (e) {
        // if you're in an iframe in a different domain, the top.location check
        // results in a security exception
        mode = "frame";
    }
    // mode is now "frame" when the page is embedded; the page must then act on it,
    // e.g. refuse to render, or break out with: if (mode == "frame") top.location = window.location.href;
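A server-side alternative, added here as an example rather than taken from the answer above or from Microsoft: the frame-detection script only runs inside the page, and a framing site can defeat it (an IFRAME with the HTML5 sandbox attribute, or a double-frame that keeps redirecting the top window), whereas an X-Frame-Options response header is enforced by the browser before the page is rendered and is what a scanner like the one in the audit looks for. On SBS 2011 the sites are IIS 7.5, so the header can be added with the WebAdministration module in an elevated PowerShell on the server. The site names below are assumed defaults for SBS 2011 (OWA and /Remote may live on either site on a given install, so check Get-Website first); https://remote.example.com is a placeholder for the client's public name.

```powershell
# Added example, not from the original thread. Sets X-Frame-Options: SAMEORIGIN
# on the IIS sites that serve OWA and Remote Web Access, then verifies it from
# the outside. Run as Administrator on the SBS 2011 server (PowerShell 2.0 is fine).
Import-Module WebAdministration

# ASSUMPTION: default SBS 2011 site names. Confirm with: Get-Website | Select Name, Bindings
$Sites       = @("SBS Web Applications", "Default Web Site")
$HeaderName  = "X-Frame-Options"
$HeaderValue = "SAMEORIGIN"   # OWA/RWA frame their own pages, so DENY would break them
$Filter      = "system.webServer/httpProtocol/customHeaders"

foreach ($Site in $Sites) {
    $PSPath = "IIS:\Sites\$Site"
    if (-not (Test-Path $PSPath)) {
        Write-Warning "Site '$Site' not found; check Get-Website and adjust `$Sites"
        continue
    }

    # Is the header already configured on this site? (avoids a duplicate <add> entry)
    $Existing = Get-WebConfiguration -PSPath $PSPath -Filter "$Filter/add[@name='$HeaderName']"
    if ($Existing) {
        Set-WebConfigurationProperty -PSPath $PSPath -Filter "$Filter/add[@name='$HeaderName']" `
            -Name "value" -Value $HeaderValue
    } else {
        Add-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name "." `
            -Value @{ name = $HeaderName; value = $HeaderValue }
    }
    Write-Host "$Site : $HeaderName = $HeaderValue"
}

# Verify from the client side: fetch each login page over HTTPS and read the header back.
# Redirects (e.g. /owa -> /owa/auth/logon.aspx) are followed, and a 401/403 response is
# still inspected, because a site-level custom header is sent on error responses too.
function Get-FrameOptionsHeader([string]$Url) {
    $Request = [System.Net.HttpWebRequest]::Create($Url)
    $Request.Method = "GET"
    try {
        $Response = $Request.GetResponse()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $Response = $_.Exception.Response } else { throw }
    }
    $Value = $Response.Headers["X-Frame-Options"]
    $Response.Close()
    return $Value
}

# ASSUMPTION: placeholder public hostname; use the name on the SSL certificate.
$PublicBase = "https://remote.example.com"
foreach ($Path in @("/owa", "/Remote")) {
    $Value = Get-FrameOptionsHeader ($PublicBase + $Path)
    if ($Value -eq "SAMEORIGIN") {
        Write-Host "$Path : OK ($Value)"
    } else {
        Write-Warning "$Path : header missing or wrong ('$Value'); this URL would still pass the audit's IFRAME test"
    }
}
```

The Add-WebConfigurationProperty call writes the same thing the IIS Manager "HTTP Response Headers" feature does, i.e. a customHeaders/add element in the site's web.config, so the change survives reboots and can be reviewed in that file. Check both sites because on SBS the Exchange virtual directories and /Remote are not always on the same site, and anything reachable on 443 that is not covered will still render in the scanner's IFRAME. SAMEORIGIN is the right value rather than DENY because OWA and Remote Web Access load parts of themselves in frames. IE8 and later and the Firefox, Chrome and Safari versions current in 2012 honour X-Frame-Options; for anything older the script-based check in the answer above is the only fallback.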


    Author Comment

    Hi, many thanks for that. Can you please give me a little more guidance on how to add the script and to which page? I'm pretty much a complete novice at this.



    Accepted Solution

    I assume you are not using http: with OWA or RWA but rather https. The reason those are the default sites and that you need to have a certificate is much like your bank: if there is a redirect to an illegitimate site there will be a certificate error. The SSL certificate indicates your site is legitimate.

    Author Closing Comment

    That's a very good point. I've blocked port 80 incoming to the server and therefore everything is on 443 and has a signed certificate, therefore I guess that goes some way to protecting against click-jacking as long as the user notices.  I'll take that as a joint win with ve3ofa; many thanks to both of you.
