Exchange 2007 -OWA security issues

Posted on 2014-04-19
Medium Priority
Last Modified: 2014-05-08
We have OWA enabled online for our users to access their email. I am using the Qualys scanner and I got a lot of security issues. The server is running on Windows 2008 R2 with all security service packs and rollups applied. Not sure what else I can do to secure it? Any help!
Question by:skyjumperdude
LVL 65

Expert Comment

ID: 40011064
Definitely the scan findings should be addressed, but do not forget to rescan to validate the applied patches. Also do not be overwhelmed by the vulnerabilities, as sometimes they may be false positives. It always comes back to reviewing your baseline hardening, and below is one for Microsoft Exchange Server 2007 - you probably already have one and it is good to compare (you should not be worse off).


Also worth noting is the recent Heartbleed issue (published in the open around 8 Apr 14) that implicates all applications, network devices, and servers using a vulnerable version of OpenSSL. You can check online against your OWA web portal; it shouldn't have any positive findings though. But if it does, please consider promptly regenerating all the SSL certs, revoking all the old SSL certs and then asking user(s) to change their login password.

Back to hardening: despite the network FW and proxy filtering, OWA does have security settings that are good to be aware of and leverage further. Below are the main ones:

(a) Authentication - Forms-based authentication (used by default) is more secure because it stores the username and password in a cookie, which is deleted when the user logs out or after a certain amount of time has passed. However, if the user does not log out or close the browser, another user can access the cached credentials until the session times out. To help address this problem, you can set an inactivity timeout period to force the OWA session to time out once the cookie has timed out. It is especially critical to lower the timeout value for client computers not owned by the organization (i.e. "public" computers).

(b) Email Attachments - a local copy is stored in the user's Temporary Internet Files when an attachment is viewed. This copy can be viewed by anyone who has access to the computer. Admins can control the types of attachments that can be downloaded through OWA (e.g. block downloading of executable files (.exe)), use the WebReady Document Reading feature (which converts documents to HTML) introduced in OWA 2007, turn off the ability to access Windows File Shares and Windows SharePoint Services (which are enabled by default) if not necessary, and use Microsoft Active Directory Rights Management Services (introduced in OWA 2010, which enforces rights-protected email natively).

(c) Restrict services (esp. when working in open environments) - check out OWA segmentation (via the Exchange Management Console), which allows you to block access to specific features of OWA for either some or all users. E.g. if you deployed the Outlook 2007 client and there is now no need to use public folders within your environment, you may choose to block access to public folders from within OWA. Also, if you have not deployed Exchange ActiveSync devices or the Unified Messaging server role within your organization, it may be worth considering disabling these features. Note that you can control OWA segmentation for a virtual directory (only on /owa) on a Client Access Server or on a per-user basis.

Side note: there is web beacon usage by junk mailers or spammers, who send out a junk email message containing images that are downloaded to the local computer, and hence confirm a valid email address as a candidate for inclusion in their spam list. OWA can detect content that can be used as web beacons, and this content is blocked by default. It is good to keep users aware, as when they see some blocked content they may re-enable and allow it ... inadvertently.

Overall, if OWA in public can be avoided, go for it; if not, I do see a VPN would be good if it is not operationally deterring to the business.
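The three hardening points above (forms-based inactivity timeouts, attachment handling, and OWA segmentation) can all be applied from the Exchange Management Shell on the Client Access Server. The script below is an added example, not part of the answer above or any Microsoft documentation; it assumes the default virtual directory name "owa (Default Web Site)", a placeholder mailbox "user.example" for the per-user part, and the Exchange 2007 forms-based-authentication timeout registry values PublicTimeout and PrivateTimeout (minutes) under HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA. The list of extensions to block is constructed for the example; review it against your own environment before running.

```powershell
# Added example (not from the original answer): harden the Exchange 2007 OWA
# virtual directory from the Exchange Management Shell on a Client Access Server.
# Assumption: the default OWA virtual directory identity is used.
$OwaId = "owa (Default Web Site)"

# --- (a) Forms-based authentication inactivity timeouts -------------------
# Assumption: these DWORD values (minutes) are read by OWA 2007 on IIS restart.
$OwaKey = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA"
if (-not (Test-Path $OwaKey)) { New-Item -Path $OwaKey -Force | Out-Null }
# Short timeout for "public" computers, longer for "private" ones.
New-ItemProperty -Path $OwaKey -Name "PublicTimeout"  -Value 10 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $OwaKey -Name "PrivateTimeout" -Value 60 -PropertyType DWord -Force | Out-Null

# --- (b) Attachment handling ----------------------------------------------
# Constructed list of extensions we want blocked on top of the shipped defaults.
$WantBlocked = @(".exe", ".hta", ".js", ".vbs", ".ps1", ".scr")
$owa = Get-OwaVirtualDirectory -Identity $OwaId
$blocked = $owa.BlockedFileTypes
foreach ($ext in $WantBlocked) {
    # Only add entries not already present so reruns are idempotent.
    if ($blocked -notcontains $ext) { $blocked.Add($ext) }
}
Set-OwaVirtualDirectory -Identity $OwaId `
    -BlockedFileTypes $blocked `
    -DirectFileAccessOnPublicComputersEnabled $false `      # no raw download on public PCs
    -WebReadyDocumentViewingOnPublicComputersEnabled $true ` # view as HTML instead
    -ForceWebReadyDocumentViewingFirstOnPublicComputers $true `
    -UNCAccessOnPublicComputersEnabled $false `            # no Windows file shares
    -UNCAccessOnPrivateComputersEnabled $false `
    -WSSAccessOnPublicComputersEnabled $false `            # no SharePoint integration
    -WSSAccessOnPrivateComputersEnabled $false

# --- (c) Segmentation: turn off features that are not deployed ------------
# Only disable ActiveSync / UM integration if those roles are genuinely unused.
Set-OwaVirtualDirectory -Identity $OwaId `
    -PublicFoldersEnabled $false `
    -ActiveSyncIntegrationEnabled $false `
    -UMIntegrationEnabled $false

# Per-user example (placeholder identity): keep OWA but block ActiveSync for one mailbox.
Set-CASMailbox -Identity "user.example" -OWAEnabled $true -ActiveSyncEnabled $false

# --- Verify the resulting configuration before/after a rescan -------------
Get-OwaVirtualDirectory -Identity $OwaId | Format-List `
    BlockedFileTypes, DirectFileAccessOnPublicComputersEnabled, `
    WebReadyDocumentViewingOnPublicComputersEnabled, UNCAccessOnPublicComputersEnabled, `
    WSSAccessOnPublicComputersEnabled, PublicFoldersEnabled, `
    ActiveSyncIntegrationEnabled, UMIntegrationEnabled
Get-ItemProperty -Path $OwaKey -Name PublicTimeout, PrivateTimeout

# The timeout registry values take effect after IIS is restarted.
iisreset
```

Run it once, rescan with the same scanner the question mentions, and compare the Format-List output before and after; a setting that silently did not apply shows up there before it shows up in a scan report.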
LVL 24

Accepted Solution

Dirk Kotte earned 2000 total points
ID: 40011219
You can use 2 factor authentication with OWA.
LVL 65

Expert Comment

ID: 40011249
Indeed, 2FA is a good step for authentication. You may want to check out PhoneFactor (acquired by Microsoft), which is powering the Windows Azure Multi-Factor Authentication backend. There are also other alternatives such as Two-Factor Authentication for Outlook Web App.

PhoneFactor, from a past mention:

You download PhoneFactor and install it on the Exchange server that provides OWA. The PhoneFactor agent watches the submit operations made to OWA, whether you're using forms-based authentication or integrated Windows authentication. The authentication request is trapped by the agent, which knows the variable names used as part of the submission. The agent passes the authentication request on to Microsoft IIS for action; if the user's credentials aren't valid, IIS authentication fails and the process stops there.

LVL 42

Expert Comment

ID: 40011471
You are behind two major versions of Exchange and two major versions of the OS. You can't mitigate against everything without upgrading. The scan results should give you specific remediation steps. Do everything that you can, but don't expect to be able to achieve a perfect score.

Expert Comment

ID: 40011548

Try running Microsoft Baseline Security Analyzer. It scans for missing security updates on Exchange Server 5.5 and later.

Hope that helps too :)

Author Comment

ID: 40051341
I've requested that this question be deleted for the following reason:

Going in to a different direction
