Exchange 2007 -OWA security issues

We have OWA enabled online for our users to access their Email, i am using qualys scanner  and i got a lot of security issues . server is running on win 2008 R2 , all security service packs and roll up applied, not sure what else i can do to secure it ? any help !
Who is Participating?
Dirk KotteConnect With a Mentor SECommented:
You can use 2 factor authentication with OWA.
btanExec ConsultantCommented:
definitely the scan findings should be addressed but not forgetting to rescan to validate the applied patch, also do not be overwhelmed by the vulnerabilities as sometimes it may be false positive. It is always back to review your baseline hardening and below is one for Microsoft Exchange Server 2007 - you probably already has one and good to compare (you should not be worst off)

Also worth noting is the recent Heartbleed issue (published in open ard 8 Apr 14) that implicate all applications, network device, and servers using vulnerable version of OpenSSL. You can check online against your owa web portal, it shouldn't have any positive findings though. But if does have please consider prompt regenerate of all the SSL cert, revoke all SSL certs and then ask user(s) to change login password

back to hardening, despite those network FW and proxy filtering, OWA does has security that is good to be aware of and leverage further. Below are main one associating with

(a) Authentication - Forms-based authentication (used by default ) is more secure because it stores the username and password in a cookie, which is deleted when the user logs out or after a certain amount of time has passed. However, if the user does not log out or close the browser, another user can access the cached credentials until the session times out. To help address this problem, can set inactivity timeout period to force OWA session to timeout once the cookie has timed out. This is especially critical to lower the timeout value for client computers not owned by the organization (i.e. “public” computers).

(b) Email Attachments - a local copy in their Temporary Internet Files when attachment is viewed. This copy can be viewed by anyone who has access to the computer. For admin, they can control the types of attachments that can be downloaded through OWA (blocked from downloading executable files (.exe)), use the WebReady Document Reading feature (e.g converts documents to HTML) introduced in OWA 2007, turn off the ability to access Windows File Shares and Windows SharePoint Services (whch are enabled by default if not necessary) and use Use Microsoft Active Directory Rights Management Services (introduced in OWA 2010 and enforced rights-protected email natively)

(c) Restrict services (esp when working in open environments) - check out OWA segmentation (via Exchange Management Console) that allows you to block access to specific features of OWA for either some or all users. E.g. if you deployed Outlook 2007 client, and there is now no need to use public folders within your environment, you may choose to block access to public folders from within OWA. Also if you have not deployed Exchange ActiveSync devices or the Unified Messaging server role within your organization, it may be worth considering disabling these features. Note that you can control OWA segmentation for an (only on /owa ) virtual directory  on a Client Access Server or on a per-user basis.

Sidenote, there is web beacons usage which is used by junkie or spammer when they sent out a junk email message contains images that can be downloaded to the local computer and hence valid email address as their candidate inclusion to spam list. OWA can detect the content that can be used for web beacons and this content is blocked by default. Good to keep user aware as when they see some blocked content, they may re-enable and allow such ... inadvertently

Overall, if OWA in public can be avoided go for it if not I do see VPN will be good if it is not operationally detering to business.
btanExec ConsultantCommented:
indeed 2FA is good step for authentication. You may want to check out Phonefactor (acquired by Microsoft) and it is powering Windows Azure Multi-Factor Authentication backend. There is also other alternatives as Two-Factor Authentication for Outlook Web App

PF past mention

You download PhoneFactor and install it on the Exchange server that provides OWA. The PhoneFactor agent watches the submit operations made to OWA, whether you’re using forms-based authentication or integrated Windows authentication. The authentication request is trapped by the agent, which knows the variable names used as part of the submission. The agent passes the authentication request on to Microsoft IIS for action; if the user's credentials aren't valid, IIS authentication fails and the process stops there.
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

You are behind two major versions of Exchange and two major versions of the OS. You can't mitigate against everything without upgrading. The scan results should give you specific remediation steps. Do everything that you can, but don't expect to be able to achieve a perfect score.
VirastaRUC Tech Consultant Commented:

Try running,

Microsoft Baseline Security Analyzer
It Scan for missing security updates on Exchange Server 5.5 and later.

Hope that helps too :)
skyjumperdudeAuthor Commented:
I've requested that this question be deleted for the following reason:

Going in to a different direction
All Courses

From novice to tech pro — start learning today.