A client I look after has just had a penetration test carried out on their network as part of an audit insisted on by one of their clients. They have a single 2011 SBS Server running everything. The audit has thrown up 2 medium risks (both of which I have dealt with) and a load of low risks, but my client is anxious to get rid of all of the low risks as well. I'm probably going to raise a new question for each of the low risks I can't resolve myself, but the first flaw they picked up on the report was as follows:
4.3.7 Websites Vulnerable to Click Jacking Risk: Low
The websites at the following URLs render correctly when embedded in an IFRAME element:
As a result, an attacker could socially engineer a situation where a victim is directed to a website under an attacker's control and manipulated into unknowingly performing actions on the target website. This is possible even with cross-site request forgery protection in place.
This vulnerability is becoming increasingly well known, and there have been several recent high profile exploits publicised. However, an attacker would need a high level of technical knowledge, and would need to devote a great deal of time and resource to targeting the website. Additionally, a victim would need to be logged into the website, and some social engineering would be required to successfully exploit this vulnerability.
My question is, bearing in mind I'm not an advanced user and IIS is a mystery, are there any step-by-step instructions on what to do to protect OWA and RWW from the threat of click jacking? And is this something you have done as a matter of course?
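The finding in the report comes down to one thing: the responses served for OWA and RWW carry no header telling the browser to refuse rendering the page inside someone else's IFRAME. The usual fix on IIS is to add an `X-Frame-Options: SAMEORIGIN` response header (IIS Manager, HTTP Response Headers, Add; or a `customHeaders` entry under `system.webServer/httpProtocol` in the site's web.config), and the check afterwards is simply to look at the headers again. The script below is an added example, not code from the original post or from the pentest report: it classifies a response's anti-framing posture from its headers, covering the edge cases an auditor would re-test (a duplicated or conflicting `X-Frame-Options` value, the obsolete `ALLOW-FROM` form, and a CSP `frame-ancestors` directive, which takes precedence in current browsers). The sample header sets are constructed; `check_url` is a hypothetical helper for running the same classification against a server you administer.

```python
"""Classify whether an HTTP response tells browsers to refuse framing.

Added example, not from the original post or from the pentest report.
The BEFORE_FIX / AFTER_FIX header sets are constructed samples.
"""
from typing import Dict, Optional
from urllib.request import Request, urlopen


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def frame_protection(headers: Dict[str, str]) -> dict:
    """Return {"protected", "mechanism", "detail"} for one response.

    protected  - True if a modern browser would refuse to render the page
                 inside a cross-site IFRAME
    mechanism  - "csp", "xfo" or "none", i.e. which header decides it
    detail     - short explanation suitable for a re-test report
    """
    # 1. Content-Security-Policy frame-ancestors wins over X-Frame-Options
    #    in browsers that implement CSP level 2 or later.
    csp = _get_header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if "*" in sources:
                    return {"protected": False, "mechanism": "csp",
                            "detail": "frame-ancestors * permits any framer"}
                return {"protected": True, "mechanism": "csp",
                        "detail": f"frame-ancestors {' '.join(sources) or 'none'}"}

    # 2. Otherwise fall back to X-Frame-Options.
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        return {"protected": False, "mechanism": "none",
                "detail": "no X-Frame-Options or CSP frame-ancestors header"}

    # Two different values (e.g. the header added at two layers) are treated
    # by browsers as invalid, which silently removes the protection.
    values = [v.strip().upper() for v in xfo.split(",") if v.strip()]
    if len(set(values)) != 1:
        return {"protected": False, "mechanism": "xfo",
                "detail": f"conflicting X-Frame-Options values: {xfo!r}"}
    value = values[0]
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "xfo",
                "detail": f"X-Frame-Options: {value}"}
    if value.startswith("ALLOW-FROM"):
        # Obsolete form: current browsers ignore it, so it protects nothing.
        return {"protected": False, "mechanism": "xfo",
                "detail": "ALLOW-FROM is obsolete and ignored by modern browsers"}
    return {"protected": False, "mechanism": "xfo",
            "detail": f"unrecognised X-Frame-Options value: {xfo!r}"}


def check_url(url: str, timeout: float = 10) -> dict:
    """Hypothetical helper: fetch a URL you administer and classify its headers."""
    req = Request(url, method="HEAD", headers={"User-Agent": "frame-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return frame_protection(dict(resp.headers.items()))


# Constructed samples: what the report's finding looks like before the header
# is added at the web server, and after it.
BEFORE_FIX = {"Content-Type": "text/html", "Server": "Microsoft-IIS/7.5"}
AFTER_FIX = {"Content-Type": "text/html", "Server": "Microsoft-IIS/7.5",
             "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, frame_protection(hdrs))
```

`SAMEORIGIN` rather than `DENY` is the safer first choice for an application like OWA, in case it frames any of its own pages; after adding the header, run the classification against each URL listed in the report and confirm that logging in and opening mail still work, since a header that breaks the application will simply be removed by the next person who touches the server.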