Solved

Exchange 2007 -OWA security issues

Posted on 2014-04-19
6
373 Views
Last Modified: 2014-05-08
We have OWA enabled online for our users to access their Email, i am using qualys scanner  and i got a lot of security issues . server is running on win 2008 R2 , all security service packs and roll up applied, not sure what else i can do to secure it ? any help !
0
Comment
Question by:skyjumperdude
6 Comments
 
LVL 61

Expert Comment

by:btan
Comment Utility
definitely the scan findings should be addressed but not forgetting to rescan to validate the applied patch, also do not be overwhelmed by the vulnerabilities as sometimes it may be false positive. It is always back to review your baseline hardening and below is one for Microsoft Exchange Server 2007 - you probably already has one and good to compare (you should not be worst off)

http://benchmarks.cisecurity.org/tools2/exchange/CIS_Microsoft_Exchange_2007_Benchmark_v1.1.0.pdf

Also worth noting is the recent Heartbleed issue (published in open ard 8 Apr 14) that implicate all applications, network device, and servers using vulnerable version of OpenSSL. You can check online against your owa web portal, it shouldn't have any positive findings though. But if does have please consider prompt regenerate of all the SSL cert, revoke all SSL certs and then ask user(s) to change login password
https://filippo.io/Heartbleed/
https://sslanalyzer.comodoca.com/heartbleed.html

back to hardening, despite those network FW and proxy filtering, OWA does has security that is good to be aware of and leverage further. Below are main one associating with

(a) Authentication - Forms-based authentication (used by default ) is more secure because it stores the username and password in a cookie, which is deleted when the user logs out or after a certain amount of time has passed. However, if the user does not log out or close the browser, another user can access the cached credentials until the session times out. To help address this problem, can set inactivity timeout period to force OWA session to timeout once the cookie has timed out. This is especially critical to lower the timeout value for client computers not owned by the organization (i.e. “public” computers).

(b) Email Attachments - a local copy in their Temporary Internet Files when attachment is viewed. This copy can be viewed by anyone who has access to the computer. For admin, they can control the types of attachments that can be downloaded through OWA (blocked from downloading executable files (.exe)), use the WebReady Document Reading feature (e.g converts documents to HTML) introduced in OWA 2007, turn off the ability to access Windows File Shares and Windows SharePoint Services (whch are enabled by default if not necessary) and use Use Microsoft Active Directory Rights Management Services (introduced in OWA 2010 and enforced rights-protected email natively)

(c) Restrict services (esp when working in open environments) - check out OWA segmentation (via Exchange Management Console) that allows you to block access to specific features of OWA for either some or all users. E.g. if you deployed Outlook 2007 client, and there is now no need to use public folders within your environment, you may choose to block access to public folders from within OWA. Also if you have not deployed Exchange ActiveSync devices or the Unified Messaging server role within your organization, it may be worth considering disabling these features. Note that you can control OWA segmentation for an (only on /owa ) virtual directory  on a Client Access Server or on a per-user basis.

Sidenote, there is web beacons usage which is used by junkie or spammer when they sent out a junk email message contains images that can be downloaded to the local computer and hence valid email address as their candidate inclusion to spam list. OWA can detect the content that can be used for web beacons and this content is blocked by default. Good to keep user aware as when they see some blocked content, they may re-enable and allow such ... inadvertently

Overall, if OWA in public can be avoided go for it if not I do see VPN will be good if it is not operationally detering to business.
0
 
LVL 23

Accepted Solution

by:
Dirk Kotte earned 500 total points
Comment Utility
You can use 2 factor authentication with OWA.
0
 
LVL 61

Expert Comment

by:btan
Comment Utility
indeed 2FA is good step for authentication. You may want to check out Phonefactor (acquired by Microsoft) and it is powering Windows Azure Multi-Factor Authentication backend. There is also other alternatives as Two-Factor Authentication for Outlook Web App

PF past mention

You download PhoneFactor and install it on the Exchange server that provides OWA. The PhoneFactor agent watches the submit operations made to OWA, whether you’re using forms-based authentication or integrated Windows authentication. The authentication request is trapped by the agent, which knows the variable names used as part of the submission. The agent passes the authentication request on to Microsoft IIS for action; if the user's credentials aren't valid, IIS authentication fails and the process stops there.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 42

Expert Comment

by:kevinhsieh
Comment Utility
You are behind two major versions of Exchange and two major versions of the OS. You can't mitigate against everything without upgrading. The scan results should give you specific remediation steps. Do everything that you can, but don't expect to be able to achieve a perfect score.
0
 
LVL 9

Expert Comment

by:VirastaR
Comment Utility
Hi,

Try running,

Microsoft Baseline Security Analyzer
It Scan for missing security updates on Exchange Server 5.5 and later.

Hope that helps too :)
0
 
LVL 1

Author Comment

by:skyjumperdude
Comment Utility
I've requested that this question be deleted for the following reason:

Going in to a different direction
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now