Exchange 2007 -OWA security issues

Posted on 2014-04-19
Medium Priority
Last Modified: 2014-05-08
We have OWA enabled online for our users to access their email. I am using the Qualys scanner and I got a lot of security issues. The server is running on Win 2008 R2, with all security service packs and rollups applied. Not sure what else I can do to secure it? Any help!
Question by:skyjumperdude
LVL 64

Expert Comment

ID: 40011064
Definitely the scan findings should be addressed, but do not forget to rescan to validate the applied patch; also, do not be overwhelmed by the vulnerabilities, as sometimes they may be false positives. It always comes back to reviewing your baseline hardening, and below is one for Microsoft Exchange Server 2007 - you probably already have one, and it is good to compare (you should not be worse off).


Also worth noting is the recent Heartbleed issue (published in the open around 8 Apr 14) that implicates all applications, network devices, and servers using a vulnerable version of OpenSSL. You can check online against your OWA web portal; it shouldn't have any positive findings though. But if it does, please consider promptly regenerating all the SSL certs, revoking all the old SSL certs, and then asking user(s) to change their login password.

Back to hardening: despite the network FW and proxy filtering, OWA does have security features that are good to be aware of and leverage further. Below are the main ones:

(a) Authentication - Forms-based authentication (used by default) is more secure because it stores the username and password in a cookie, which is deleted when the user logs out or after a certain amount of time has passed. However, if the user does not log out or close the browser, another user can access the cached credentials until the session times out. To help address this problem, you can set an inactivity timeout period to force the OWA session to time out once the cookie has timed out. It is especially critical to lower the timeout value for client computers not owned by the organization (i.e. "public" computers).

(b) Email Attachments - a local copy is saved in Temporary Internet Files when an attachment is viewed. This copy can be viewed by anyone who has access to the computer. Admins can control the types of attachments that can be downloaded through OWA (e.g. block downloading of executable files (.exe)), use the WebReady Document Reading feature (which converts documents to HTML) introduced in OWA 2007, turn off the ability to access Windows File Shares and Windows SharePoint Services (which are enabled by default) if not necessary, and use Microsoft Active Directory Rights Management Services (introduced in OWA 2010, which enforces rights-protected email natively).

(c) Restrict services (esp. when working in open environments) - check out OWA segmentation (via Exchange Management Console), which allows you to block access to specific features of OWA for either some or all users. E.g. if you deployed the Outlook 2007 client and there is now no need to use public folders within your environment, you may choose to block access to public folders from within OWA. Also, if you have not deployed Exchange ActiveSync devices or the Unified Messaging server role within your organization, it may be worth considering disabling these features. Note that you can control OWA segmentation for a virtual directory (only on /owa) on a Client Access Server or on a per-user basis.

Side note: there is web beacon usage by junk mailers or spammers, where a junk email message they send out contains images that are downloaded to the local computer, thereby confirming a valid email address as a candidate for inclusion in a spam list. OWA can detect content that can be used as web beacons, and this content is blocked by default. It is good to keep users aware, as when they see some blocked content they may re-enable and allow it ... inadvertently.

Overall, if OWA on the public internet can be avoided, go for it; if not, I do see VPN as a good option if it is not operationally deterring to the business.
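The following is an added example, not code from the thread or from Microsoft, showing how points (a) through (c) above translate into Exchange Management Shell settings on an Exchange 2007 Client Access Server: a report function that flags the weak settings, and a hardening function that applies the stricter ones. The server name CAS01 and the blocked file-type list are assumptions; the cmdlets and parameters are the Exchange 2007/2010 Get-/Set-OwaVirtualDirectory ones; the registry value names used for the forms-based authentication timeout are given as I recall them from Microsoft's OWA documentation and should be checked against the documentation for your build before use.

```powershell
# Added example (not from the thread): audit and harden the /owa virtual directory
# on an Exchange 2007 Client Access Server. Run from the Exchange Management Shell.

# Assumed identity of the OWA virtual directory; adjust server/site name for your environment.
$OwaVdir = "CAS01\owa (Default Web Site)"

# Assumed list of executable/script attachment types that should not be downloadable.
$BlockedTypes = @(".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js", ".msi", ".ps1")

# Assumed registry location of the forms-based auth timeout (minutes); verify against Microsoft docs.
$OwaTimeoutKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange OWA"
$PublicTimeoutMin  = 10    # "public" computer sessions: short idle timeout
$PrivateTimeoutMin = 240   # "private" computer sessions: longer, but not unlimited

function Get-OwaHardeningReport {
    # Reads the live settings and returns one finding string per weak setting
    # (an empty result means nothing the thread calls out is still enabled).
    $v = Get-OwaVirtualDirectory -Identity $OwaVdir
    $findings = @()

    # (a) forms-based authentication is the mode whose cookie/timeout behaviour is described above
    if (-not $v.FormsAuthentication) { $findings += "Forms-based authentication is disabled" }

    # (b) attachment handling on computers the organisation does not own
    if ($v.DirectFileAccessOnPublicComputersEnabled) { $findings += "Direct attachment download allowed on public computers" }
    if (-not $v.WebReadyDocumentViewingOnPublicComputersEnabled) { $findings += "WebReady viewing disabled on public computers" }
    if (-not $v.ForceWebReadyDocumentViewingFirst) { $findings += "WebReady viewing is not forced before download" }
    if ($v.UNCAccessOnPublicComputersEnabled) { $findings += "Windows File Share (UNC) access allowed on public computers" }
    if ($v.WSSAccessOnPublicComputersEnabled)  { $findings += "SharePoint (WSS) access allowed on public computers" }
    $missing = $BlockedTypes | Where-Object { $v.BlockedFileTypes -notcontains $_ }
    if ($missing) { $findings += "Not in BlockedFileTypes: $($missing -join ', ')" }

    # (c) segmentation: features that are on by default but often not needed
    if ($v.PublicFoldersEnabled) { $findings += "Public folder access enabled in OWA" }

    return $findings
}

function Set-OwaHardening {
    # Applies the stricter settings in one Set-OwaVirtualDirectory call, then the timeouts.
    $v = Get-OwaVirtualDirectory -Identity $OwaVdir

    # Merge our list with whatever is already blocked so nothing existing is dropped.
    $allBlocked = @(@($v.BlockedFileTypes) + $BlockedTypes | Select-Object -Unique)

    Set-OwaVirtualDirectory -Identity $OwaVdir `
        -DirectFileAccessOnPublicComputersEnabled $false `
        -WebReadyDocumentViewingOnPublicComputersEnabled $true `
        -ForceWebReadyDocumentViewingFirst $true `
        -UNCAccessOnPublicComputersEnabled $false `
        -WSSAccessOnPublicComputersEnabled $false `
        -PublicFoldersEnabled $false `
        -BlockedFileTypes $allBlocked

    # Forms-based auth idle timeouts (DWORD, minutes). IIS must be restarted for these to take effect.
    New-ItemProperty -Path $OwaTimeoutKey -Name "PublicTimeout"  -PropertyType DWord -Value $PublicTimeoutMin  -Force | Out-Null
    New-ItemProperty -Path $OwaTimeoutKey -Name "PrivateTimeout" -PropertyType DWord -Value $PrivateTimeoutMin -Force | Out-Null
    Write-Host "Settings applied; run 'iisreset' on $($OwaVdir.Split('\')[0]) to activate the new timeouts."
}

# Usage: report first, harden, then report again and rescan with Qualys to confirm.
Get-OwaHardeningReport
# Set-OwaHardening
# Get-OwaHardeningReport
```

The report is deliberately separate from the change so the output can be kept as a before/after record alongside the scanner results; per-user segmentation (Set-CASMailbox) is left out here because the thread only mentions it as an option.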
LVL 24

Accepted Solution

Dirk Kotte earned 2000 total points
ID: 40011219
You can use 2 factor authentication with OWA.
LVL 64

Expert Comment

ID: 40011249
Indeed 2FA is a good step for authentication. You may want to check out PhoneFactor (acquired by Microsoft), which is powering the Windows Azure Multi-Factor Authentication backend. There are also other alternatives, such as Two-Factor Authentication for Outlook Web App.

PhoneFactor, as described in a past mention:

You download PhoneFactor and install it on the Exchange server that provides OWA. The PhoneFactor agent watches the submit operations made to OWA, whether you’re using forms-based authentication or integrated Windows authentication. The authentication request is trapped by the agent, which knows the variable names used as part of the submission. The agent passes the authentication request on to Microsoft IIS for action; if the user's credentials aren't valid, IIS authentication fails and the process stops there.
LVL 42

Expert Comment

ID: 40011471
You are behind two major versions of Exchange and two major versions of the OS. You can't mitigate against everything without upgrading. The scan results should give you specific remediation steps. Do everything that you can, but don't expect to be able to achieve a perfect score.

Expert Comment

ID: 40011548

Try running Microsoft Baseline Security Analyzer. It scans for missing security updates on Exchange Server 5.5 and later.

Hope that helps too :)

Author Comment

ID: 40051341
I've requested that this question be deleted for the following reason:

Going in to a different direction
