Last post Sep 30, 2010 06:39 PM by david di - msft
Sep 21, 2010 02:49 AM|BJReplay|LINK
A search limted to this forum didn't yield results for exchange (Query: exchange AND forumid:(1233)). Similarly, there was only a single question, no answer for ISA (http://forums.asp.net/p/1604378/4088957.aspx)
We have Exchange 2007 OWA behind ISA 2006.
Do I need to start editing the web config for OWA (something I'm not in a hurry to do), or does ISA protect me by putting a layer in between?
Sep 21, 2010 09:49 AM|Dave A-W|LINK
Unfortunately impacted I believe. Any difference when your server responds to the following:
is potentially enough for a successful attack.
I've adapted some of the steps suggested by the SharePoint team to workaround below.
1. Rename C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx
2. Paste contents of error2.aspx as listed here
into a new version of C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx
3. Add a new web.config (probably doesn't exist) at your website root. In our case:
C:\Program Files\Microsoft\Exchange Server\ClientAccess\web.config
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<customErrors mode="On" defaultRedirect="/owa/auth/error.aspx" />
4. Optional: our /ews/web.config had an overriding customErrors that redirected to a (non-existent) GenericErrorPage.htm.
I commented out this particular element in that web.config file.
Sep 21, 2010 12:19 PM|makerofthings|LINK
What needs to be done for Exchange 2003? This appears to be for Exchange 2007
Sep 23, 2010 08:39 PM|saunan|LINK
Yes, please provide examples for Exchange 2003. I didn't set up our Exchange install, but I'm being asked to apply the workaround.
We have OWA and OMA installed, and there are a lot of redirections going on, from default web site to /owaasp to /ExchWeb to /Exchange, etc.
How does one figure out where the "root" web.config file should be?
Sep 24, 2010 02:12 AM|Dave A-W|LINK
I'm sorry - I don't have access to an Exchange 2003 install, so am unable to advise on specifics.
Under IIS Administration tools for your OWA server, you will see a "Default Web Site" node in the Web Sites folder - this is the root.
Right-click this, select Properties, and then the Home Directory tab to determine the local folder path for this. For a standard installation I expect this will be C:\Inetpub\wwwroot. If you have any ASP.NET developers in your organisation, they may be
able to assist with the requisite tweaks.
Hope that helps.
Sep 24, 2010 10:44 PM|saunan|LINK
Thanks for the note. In our case, the Home Directory is being redirected to URL "/Exchange". This URL is "a Directory on this computer" called \\.\BackOfficeStorage\blah\blah\
Not being an Exchange admin, this looks like the back-end Exchange server. Can't put anything there.
Putting web.config and error.html into the root directory accomplishes nothing. When trying to load a page that doesn't exist, all I get is the IIS 404 error.
I also tried the directory "C:\Program Files\Exchsrvr\exchweb\bin\auth" which is the location of the OWA logon page. After this, I get a typical ASP.NET Application error -- you know, the big yellow box with the directives about CustomErrors. I suppose that's
progress, since ASP.NET is now trying to respond to the error. But the "error.html" file is still not being displayed -- which is the result I want, right?
Any help from anyone would be greatly appreciated. I'm an Exchange noob (in case that wasn't clear enough already).
Sep 25, 2010 09:36 AM|TobieFysh|LINK
From the Exchange team :
No firm (read Official) reply if it is vulnerable if behind ISA......
Sep 30, 2010 06:39 PM|david di - msft|LINK
The whole question here is likely academic at this point - there has been an official fix released for the ASP.Net Cryptographic vulnerability. Please find the appropriate version to download and install at the following location:
Microsoft Security Bulletin MS10-070 - Important
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Microsoft Online Community Support