Exchange / ISA2006 - Safe / Impacted

  • Question

  • User1276668065 posted

    A search limited to this forum didn't yield results for exchange (Query: exchange AND forumid:(1233)). Similarly, there was only a single question, no answer, for ISA (http://forums.asp.net/p/1604378/4088957.aspx)

    We have Exchange 2007 OWA behind ISA 2006.

    Do I need to start editing the web config for OWA (something I'm not in a hurry to do), or does ISA protect me by putting a layer in between?


    Monday, September 20, 2010 10:49 PM

All replies

  • User-2030726170 posted

    Unfortunately impacted I believe.  Any difference when your server responds to the following:

    • https://exchangeserver/owa/auth/WebResource.axd  versus
    • https://exchangeserver/owa/auth/WebResource.axd?d=1234blah

    is potentially enough for a successful attack.

    I've adapted some of the steps suggested by the SharePoint team to workaround below.

    1. Rename C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx to error.bak.aspx

    2. Paste contents of error2.aspx as listed here into a new version of C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx

    3. Add a new web.config (probably doesn't exist) at your website root.  In our case:

    C:\Program Files\Microsoft\Exchange Server\ClientAccess\web.config


    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <configuration>
      <system.web>
        <!-- single error page for every error; the redirect target must exist -->
        <customErrors mode="On" defaultRedirect="/owa/auth/error.aspx" />
      </system.web>
    </configuration>

    This will then be used by other child virtual directories that don't override the customErrors element.

    4. Optional:  our /ews/web.config had an overriding customErrors that redirected to a (non-existent) GenericErrorPage.htm.

    I commented out this particular element in that web.config file.

    C:\Program Files\Microsoft\Exchange Server\ClientAccess\web.config
    Tuesday, September 21, 2010 5:49 AM
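    For the error page in step 2 above, the following is an added example and not the poster's error2.aspx nor a file from the Exchange or SharePoint teams. It is written in the shape of the ASP.NET padding-oracle workaround Microsoft published in September 2010: one custom error page that returns the same content for every error, plus a short random delay so that neither the body nor the timing reveals which error occurred. The path /owa/auth/error.aspx is the one from the post; the delay bound (0-255 ms) and the wording are assumptions.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Security.Cryptography" %>
<%@ Import Namespace="System.Threading" %>
<script runat="server">
    // Added example (not the forum poster's error2.aspx).
    // With customErrors mode="On" and defaultRedirect pointing here, every
    // unhandled error (404, 500, a failed ViewState/WebResource decrypt, ...)
    // becomes a redirect to this page, which always answers identically.
    void Page_Load(object sender, EventArgs e)
    {
        // Never read the query string or the original error here: the body
        // must not depend on what went wrong.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);

        // Random delay drawn from a CSPRNG (bound of 0-255 ms is an assumption)
        // so response time does not distinguish one error cause from another.
        byte[] delay = new byte[1];
        RandomNumberGenerator prng = new RNGCryptoServiceProvider();
        prng.GetBytes(delay);
        Thread.Sleep((int)delay[0]);

        // RandomNumberGenerator is only IDisposable on .NET 4.0 and later;
        // the cast keeps this page valid on the 2.0/3.5 runtimes too.
        IDisposable disposable = prng as IDisposable;
        if (disposable != null) { disposable.Dispose(); }
    }
</script>
<html>
<head runat="server">
    <title>Error</title>
</head>
<body>
    <div>An error occurred while processing your request.</div>
</body>
</html>
```

    Keep this page free of server controls, database calls or anything else that could itself throw: if the error page fails, ASP.NET falls back to its generic error, and the response is no longer uniform. After deploying, confirm that a request for a missing resource and a request with a malformed query string both land on this page with the same status and body.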
  • User-1958884349 posted

    What needs to be done for Exchange 2003?  This appears to be for Exchange 2007

    Tuesday, September 21, 2010 8:19 AM
  • User1019649741 posted

    Yes, please provide examples for Exchange 2003. I didn't set up our Exchange install, but I'm being asked to apply the workaround.

    We have OWA and OMA installed, and there are a lot of redirections going on, from default web site to /owaasp to /ExchWeb to /Exchange, etc.

    How does one figure out where the "root" web.config file should be?


    Thursday, September 23, 2010 4:39 PM
  • User-2030726170 posted

    I'm sorry - I don't have access to an Exchange 2003 install, so am unable to advise on specifics.

    Under IIS Administration tools for your OWA server, you will see a "Default Web Site" node in the Web Sites folder - this is the root.

    Right-click this, select Properties, and then the Home Directory tab to determine the local folder path for this.  For a standard installation I expect this will be C:\Inetpub\wwwroot.  If you have any ASP.NET developers in your organisation, they may be able to assist with the requisite tweaks.

    Hope that helps.

    Thursday, September 23, 2010 10:12 PM
  • User1019649741 posted

    Thanks for the note. In our case, the Home Directory is being redirected to URL "/Exchange". This URL is "a Directory on this computer" called \\.\BackOfficeStorage\blah\blah\

    Not being an Exchange admin, this looks like the back-end Exchange server. Can't put anything there.

    Putting web.config and error.html into the root directory accomplishes nothing. When trying to load a page that doesn't exist, all I get is the IIS 404 error.

    I also tried the directory "C:\Program Files\Exchsrvr\exchweb\bin\auth" which is the location of the OWA logon page. After this, I get a typical ASP.NET Application error -- you know, the big yellow box with the directives about CustomErrors. I suppose that's progress, since ASP.NET is now trying to respond to the error. But the "error.html" file is still not being displayed -- which is the result I want, right?

    Any help from anyone would be greatly appreciated. I'm an Exchange noob (in case that wasn't clear enough already).


    Friday, September 24, 2010 6:44 PM
  • User-932374973 posted

    From the Exchange team: http://msexchangeteam.com/archive/2010/09/23/456399.aspx

    No firm (read: official) reply on whether it is vulnerable if behind ISA...


    Saturday, September 25, 2010 5:36 AM
  • User-2029884877 posted

    The whole question here is likely academic at this point - there has been an official fix released for the ASP.Net Cryptographic vulnerability.  Please find the appropriate version to download and install at the following location:

    Microsoft Security Bulletin MS10-070 - Important
    Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)


    Thank you.


    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    David Dietz
    Microsoft Online Community Support



    Thursday, September 30, 2010 2:39 PM