Exchange 2007 -OWA security issues

Posted on 2014-04-19
Medium Priority
Last Modified: 2014-05-08
We have OWA enabled online for our users to access their Email, i am using qualys scanner  and i got a lot of security issues . server is running on win 2008 R2 , all security service packs and roll up applied, not sure what else i can do to secure it ? any help !
Question by:skyjumperdude
LVL 66

Expert Comment

ID: 40011064
definitely the scan findings should be addressed but not forgetting to rescan to validate the applied patch, also do not be overwhelmed by the vulnerabilities as sometimes it may be false positive. It is always back to review your baseline hardening and below is one for Microsoft Exchange Server 2007 - you probably already has one and good to compare (you should not be worst off)


Also worth noting is the recent Heartbleed issue (published in open ard 8 Apr 14) that implicate all applications, network device, and servers using vulnerable version of OpenSSL. You can check online against your owa web portal, it shouldn't have any positive findings though. But if does have please consider prompt regenerate of all the SSL cert, revoke all SSL certs and then ask user(s) to change login password

back to hardening, despite those network FW and proxy filtering, OWA does has security that is good to be aware of and leverage further. Below are main one associating with

(a) Authentication - Forms-based authentication (used by default ) is more secure because it stores the username and password in a cookie, which is deleted when the user logs out or after a certain amount of time has passed. However, if the user does not log out or close the browser, another user can access the cached credentials until the session times out. To help address this problem, can set inactivity timeout period to force OWA session to timeout once the cookie has timed out. This is especially critical to lower the timeout value for client computers not owned by the organization (i.e. “public” computers).

(b) Email Attachments - a local copy in their Temporary Internet Files when attachment is viewed. This copy can be viewed by anyone who has access to the computer. For admin, they can control the types of attachments that can be downloaded through OWA (blocked from downloading executable files (.exe)), use the WebReady Document Reading feature (e.g converts documents to HTML) introduced in OWA 2007, turn off the ability to access Windows File Shares and Windows SharePoint Services (whch are enabled by default if not necessary) and use Use Microsoft Active Directory Rights Management Services (introduced in OWA 2010 and enforced rights-protected email natively)

(c) Restrict services (esp when working in open environments) - check out OWA segmentation (via Exchange Management Console) that allows you to block access to specific features of OWA for either some or all users. E.g. if you deployed Outlook 2007 client, and there is now no need to use public folders within your environment, you may choose to block access to public folders from within OWA. Also if you have not deployed Exchange ActiveSync devices or the Unified Messaging server role within your organization, it may be worth considering disabling these features. Note that you can control OWA segmentation for an (only on /owa ) virtual directory  on a Client Access Server or on a per-user basis.

Sidenote, there is web beacons usage which is used by junkie or spammer when they sent out a junk email message contains images that can be downloaded to the local computer and hence valid email address as their candidate inclusion to spam list. OWA can detect the content that can be used for web beacons and this content is blocked by default. Good to keep user aware as when they see some blocked content, they may re-enable and allow such ... inadvertently

Overall, if OWA in public can be avoided go for it if not I do see VPN will be good if it is not operationally detering to business.
LVL 25

Accepted Solution

Dirk Kotte earned 2000 total points
ID: 40011219
You can use 2 factor authentication with OWA.
LVL 66

Expert Comment

ID: 40011249
indeed 2FA is good step for authentication. You may want to check out Phonefactor (acquired by Microsoft) and it is powering Windows Azure Multi-Factor Authentication backend. There is also other alternatives as Two-Factor Authentication for Outlook Web App

PF past mention

You download PhoneFactor and install it on the Exchange server that provides OWA. The PhoneFactor agent watches the submit operations made to OWA, whether you’re using forms-based authentication or integrated Windows authentication. The authentication request is trapped by the agent, which knows the variable names used as part of the submission. The agent passes the authentication request on to Microsoft IIS for action; if the user's credentials aren't valid, IIS authentication fails and the process stops there.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

LVL 43

Expert Comment

ID: 40011471
You are behind two major versions of Exchange and two major versions of the OS. You can't mitigate against everything without upgrading. The scan results should give you specific remediation steps. Do everything that you can, but don't expect to be able to achieve a perfect score.

Expert Comment

ID: 40011548

Try running,

Microsoft Baseline Security Analyzer
It Scan for missing security updates on Exchange Server 5.5 and later.

Hope that helps too :)

Author Comment

ID: 40051341
I've requested that this question be deleted for the following reason:

Going in to a different direction

Featured Post

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In a Cross Forest, the steps to migrate users are quite complicated and even in the official articles of Technet there is no clear recommendation on which approach to take .. From an experience, I mention and simplify which way to go and how to use …
The article is for all the Exchange users seeking smooth and effective EDB to PST conversion. Exchange Server is the most widely used platform for messaging with collaborative sharing, Exchange online, secure working environment, etc.
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question