Exchange / ISA2006 - Safe / Impacted

Question
-
User1276668065 posted
A search limited to this forum didn't yield results for Exchange (Query: exchange AND forumid:(1233)). Similarly, there was only a single question, with no answer, for ISA (http://forums.asp.net/p/1604378/4088957.aspx).
We have Exchange 2007 OWA behind ISA 2006.
Do I need to start editing the web config for OWA (something I'm not in a hurry to do), or does ISA protect me by putting a layer in between?
Monday, September 20, 2010 10:49 PM
All replies
-
User-2030726170 posted
Unfortunately impacted I believe. Any difference when your server responds to the following:
- https://exchangeserver/owa/auth/WebResource.axd versus
- https://exchangeserver/owa/auth/WebResource.axd?d=1234blah
is potentially enough for a successful attack.
I've adapted some of the steps suggested by the SharePoint team to work around it below.
1. Rename C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx to error.bak.aspx
2. Paste the contents of error2.aspx as listed here
http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx
into a new version of C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx
3. Add a new web.config (probably doesn't exist) at your website root. In our case:
C:\Program Files\Microsoft\Exchange Server\ClientAccess\web.config
Containing
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="/owa/auth/error.aspx" />
  </system.web>
</configuration>
This will then be used by other child virtual directories that don't override the customErrors element.
4. Optional: our /ews/web.config had an overriding customErrors that redirected to a (non-existent) GenericErrorPage.htm.
I commented out this particular element in that web.config file.
Tuesday, September 21, 2010 5:49 AM
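A check for the condition this reply describes (any difference between the two WebResource.axd responses), written here as an added example that is not part of the original post: it fetches the two URLs from the reply plus a constructed non-existent page and reports whether the error responses are identical after the customErrors workaround. The host name exchangeserver is the thread's placeholder, and the comparison covers status and body only, not response timing.

```python
"""Check that an OWA front end returns the same generic page for every error.

The issue behind MS10-070 depends on the server answering differently to
different bad requests; after the customErrors workaround the two
WebResource.axd URLs from the thread (and any other error) should match.
"""
import urllib.error
import urllib.request

# Hypothetical host from the thread; replace with your own OWA front end.
BASE = "https://exchangeserver"
PROBES = [
    "/owa/auth/WebResource.axd",
    "/owa/auth/WebResource.axd?d=1234blah",
    "/owa/auth/this-page-does-not-exist.aspx",  # constructed extra probe
]


def fetch(url, timeout=10):
    """Return (status, body) for a URL, treating HTTP error codes as responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "owa-errorcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def fingerprint(status, body):
    """Reduce a response to the parts an outside observer could compare."""
    return (status, len(body), body)


def all_uniform(responses):
    """True when every (status, body) pair has the same fingerprint.
    Any difference means the server still tells bad requests apart."""
    return len({fingerprint(s, b) for s, b in responses}) == 1


def summarize(paths, responses):
    """Map each probe path to (status, size) for reporting."""
    return {p: fingerprint(s, b)[:2] for p, (s, b) in zip(paths, responses)}


if __name__ == "__main__":
    results = [fetch(BASE + p) for p in PROBES]
    for path, (status, size) in summarize(PROBES, results).items():
        print(f"{status} {size:6d} bytes  {path}")
    print("uniform" if all_uniform(results) else "responses differ: still impacted")
```

Run it before and after applying the workaround; a single "uniform" line is the result you want, while different sizes or status codes per probe mean the redirect is not being applied to that path.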
-
User-1958884349 posted
What needs to be done for Exchange 2003? This appears to be for Exchange 2007
Tuesday, September 21, 2010 8:19 AM
-
User1019649741 posted
Yes, please provide examples for Exchange 2003. I didn't set up our Exchange install, but I'm being asked to apply the workaround.
We have OWA and OMA installed, and there are a lot of redirections going on, from default web site to /owaasp to /ExchWeb to /Exchange, etc.
How does one figure out where the "root" web.config file should be?
Thanks.
Thursday, September 23, 2010 4:39 PM
-
User-2030726170 posted
I'm sorry - I don't have access to an Exchange 2003 install, so am unable to advise on specifics.
Under IIS Administration tools for your OWA server, you will see a "Default Web Site" node in the Web Sites folder - this is the root.
Right-click this, select Properties, and then the Home Directory tab to determine the local folder path for this. For a standard installation I expect this will be C:\Inetpub\wwwroot. If you have any ASP.NET developers in your organisation, they may be able to assist with the requisite tweaks.
Hope that helps.
Thursday, September 23, 2010 10:12 PM
-
User1019649741 posted
Thanks for the note. In our case, the Home Directory is being redirected to URL "/Exchange". This URL is "a Directory on this computer" called \\.\BackOfficeStorage\blah\blah\
Not being an Exchange admin, this looks like the back-end Exchange server. Can't put anything there.
Putting web.config and error.html into the root directory accomplishes nothing. When trying to load a page that doesn't exist, all I get is the IIS 404 error.
I also tried the directory "C:\Program Files\Exchsrvr\exchweb\bin\auth" which is the location of the OWA logon page. After this, I get a typical ASP.NET Application error -- you know, the big yellow box with the directives about CustomErrors. I suppose that's progress, since ASP.NET is now trying to respond to the error. But the "error.html" file is still not being displayed -- which is the result I want, right?
Any help from anyone would be greatly appreciated. I'm an Exchange noob (in case that wasn't clear enough already).
Thanks.
Friday, September 24, 2010 6:44 PM
-
User-932374973 posted
From the Exchange team: http://msexchangeteam.com/archive/2010/09/23/456399.aspx
No firm (read: official) reply on whether it is vulnerable if behind ISA...
Saturday, September 25, 2010 5:36 AM
-
User-2029884877 posted
The whole question here is likely academic at this point - there has been an official fix released for the ASP.Net Cryptographic vulnerability. Please find the appropriate version to download and install at the following location:
Microsoft Security Bulletin MS10-070 - Important
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
Thank you.
----------------------------------------------------------------
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Regards,
David Dietz
Microsoft Online Community Support
Thursday, September 30, 2010 2:39 PM