Exchange / ISA2006 - Safe / Impacted

  • Question

  • User1276668065 posted

    A search limited to this forum didn't yield results for exchange (Query: exchange AND  forumid:(1233)). Similarly, there was only a single question, no answer for ISA (http://forums.asp.net/p/1604378/4088957.aspx)

    We have Exchange 2007 OWA behind ISA 2006.

    Do I need to start editing the web config for OWA (something I'm not in a hurry to do), or does ISA protect me by putting a layer in between?

    Monday, September 20, 2010 10:49 PM

All replies

  • User-2030726170 posted

    Unfortunately impacted I believe.  Any difference when your server responds to the following:

    • https://exchangeserver/owa/auth/WebResource.axd  versus
    • https://exchangeserver/owa/auth/WebResource.axd?d=1234blah

    is potentially enough for a successful attack.


    I've adapted some of the steps suggested by the SharePoint team to workaround below.

    1. Rename C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx to error.bak.aspx


    2. Paste the contents of error2.aspx as listed at http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx into a new version of C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx


    3. Add a new web.config (probably doesn't exist) at your website root.  In our case:

    C:\Program Files\Microsoft\Exchange Server\ClientAccess\web.config

    Containing

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <configuration>
      <system.web>
        <customErrors mode="On" defaultRedirect="/owa/auth/error.aspx" />
      </system.web>
    </configuration>

    This will then be used by other child virtual directories that don't override the customErrors element.


    4. Optional:  our /ews/web.config had an overriding customErrors that redirected to a (non-existent) GenericErrorPage.htm.

    I commented out this particular element in that web.config file.

    Tuesday, September 21, 2010 5:49 AM
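    Steps 3 and 4 above depend on ASP.NET configuration inheritance: a child web.config that carries its own customErrors element (like the /ews one mentioned) silently replaces the root-level redirect for that subtree. The script below is an added example written for this thread, not code from the poster or from Microsoft; it walks a web root, parses every web.config, works out the customErrors setting each directory actually inherits, and lists the directories where the effective setting is not the uniform redirect you configured. The ClientAccess-style directory layout it builds in a temporary folder is constructed sample data, and the function names are the example's own. It does not evaluate `<location>` elements or machine-level configuration, so treat its report as a starting point for a manual check.

```python
"""Audit effective <customErrors> across a web tree (added example).

Each directory inherits customErrors from the nearest ancestor web.config
that defines it; a child web.config with its own customErrors overrides
the root. The audit reports every directory whose effective setting is not
mode="On" with the expected defaultRedirect.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample configs modelled on the post's description (not real files).
ROOT_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="/owa/auth/error.aspx" />
  </system.web>
</configuration>
"""
EWS_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="GenericErrorPage.htm" />
  </system.web>
</configuration>
"""
OWA_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
"""


def read_custom_errors(config_path):
    """Return (mode, defaultRedirect) from one web.config, or None if it sets none."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None  # unparsable config: report as "nothing in effect" rather than crash
    node = root.find("./system.web/customErrors")
    if node is None:
        return None
    return (node.get("mode"), node.get("defaultRedirect"))


def effective_custom_errors(site_root):
    """Map each directory (relative, '/'-separated, '' for root) to
    (mode, redirect, source_config) or None when no customErrors is in effect."""
    effective = {}
    for dirpath, dirnames, filenames in os.walk(site_root):  # top-down: parents first
        dirnames.sort()
        rel = os.path.relpath(dirpath, site_root).replace(os.sep, "/")
        rel = "" if rel == "." else rel
        parent = rel.rsplit("/", 1)[0] if "/" in rel else ""
        setting = effective.get(parent) if rel else None  # start from what the parent has
        config_name = next((f for f in filenames if f.lower() == "web.config"), None)
        if config_name is not None:
            own = read_custom_errors(os.path.join(dirpath, config_name))
            if own is not None:  # this web.config overrides whatever was inherited
                source = f"{rel}/{config_name}" if rel else config_name
                setting = (own[0], own[1], source)
        effective[rel] = setting
    return effective


def find_gaps(effective, expected_redirect):
    """Directories whose effective customErrors is not mode=On with expected_redirect."""
    gaps = []
    for rel, setting in sorted(effective.items()):
        label = rel or "/"
        if setting is None:
            gaps.append((label, "no customErrors in effect"))
        elif setting[0] != "On" or setting[1] != expected_redirect:
            gaps.append((label, f"overridden by {setting[2]}: mode={setting[0]} redirect={setting[1]}"))
    return gaps


def build_sample_tree(base):
    """Create a constructed ClientAccess-like layout: root, ews, owa, owa/auth, Autodiscover."""
    for rel, content in [("", ROOT_CONFIG), ("ews", EWS_CONFIG), ("owa", OWA_CONFIG)]:
        directory = os.path.join(base, rel)
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, "web.config"), "w", encoding="utf-8") as fh:
            fh.write(content)
    os.makedirs(os.path.join(base, "owa", "auth"), exist_ok=True)
    os.makedirs(os.path.join(base, "Autodiscover"), exist_ok=True)


def audit_sample():
    """Run the audit over the constructed tree; only 'ews' should be reported."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_gaps(effective_custom_errors(base), "/owa/auth/error.aspx")


if __name__ == "__main__":
    for path, reason in audit_sample():
        print(f"{path}: {reason}")
```

Run it against a real web root by replacing the temporary directory with the site's physical path; every line it prints is a subtree that will still produce its own error page (or the default ASP.NET one) instead of the single redirect the workaround relies on.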
  • User-1958884349 posted

    What needs to be done for Exchange 2003?  This appears to be for Exchange 2007.

    Tuesday, September 21, 2010 8:19 AM
  • User1019649741 posted

    Yes, please provide examples for Exchange 2003. I didn't set up our Exchange install, but I'm being asked to apply the workaround.

    We have OWA and OMA installed, and there are a lot of redirections going on, from default web site to /owaasp to /ExchWeb to /Exchange, etc.

    How does one figure out where the "root" web.config file should be?

    Thanks.

    Thursday, September 23, 2010 4:39 PM
  • User-2030726170 posted

    I'm sorry - I don't have access to an Exchange 2003 install, so am unable to advise on specifics.

    Under IIS Administration tools for your OWA server, you will see a "Default Web Site" node in the Web Sites folder - this is the root.

    Right-click this, select Properties, and then the Home Directory tab to determine the local folder path for this.  For a standard installation I expect this will be C:\Inetpub\wwwroot.  If you have any ASP.NET developers in your organisation, they may be able to assist with the requisite tweaks.

    Hope that helps.


    Thursday, September 23, 2010 10:12 PM
  • User1019649741 posted

    Thanks for the note. In our case, the Home Directory is being redirected to URL "/Exchange". This URL is "a Directory on this computer" called \\.\BackOfficeStorage\blah\blah\

    Not being an Exchange admin, this looks like the back-end Exchange server. Can't put anything there.

    Putting web.config and error.html into the root directory accomplishes nothing. When trying to load a page that doesn't exist, all I get is the IIS 404 error.

    I also tried the directory "C:\Program Files\Exchsrvr\exchweb\bin\auth" which is the location of the OWA logon page. After this, I get a typical ASP.NET Application error -- you know, the big yellow box with the directives about CustomErrors. I suppose that's progress, since ASP.NET is now trying to respond to the error. But the "error.html" file is still not being displayed -- which is the result I want, right?

    Any help from anyone would be greatly appreciated. I'm an Exchange noob (in case that wasn't clear enough already).

    Thanks.

    Friday, September 24, 2010 6:44 PM
  • User-932374973 posted

    From the Exchange team : http://msexchangeteam.com/archive/2010/09/23/456399.aspx

    No firm (read: official) reply on whether it is vulnerable behind ISA......

    Saturday, September 25, 2010 5:36 AM
  • User-2029884877 posted

    The whole question here is likely academic at this point - there has been an official fix released for the ASP.Net Cryptographic vulnerability.  Please find the appropriate version to download and install at the following location:

    Microsoft Security Bulletin MS10-070 - Important
    Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
    http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx

    Thank you.

    ----------------------------------------------------------------

    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Regards,

    David Dietz
    Microsoft Online Community Support

    Thursday, September 30, 2010 2:39 PM