BJReplay
0 Points
1 Post
Exchange / ISA2006 - Safe / Impacted
Sep 21, 2010 02:49 AM
A search limited to this forum didn't yield results for exchange (Query: exchange AND forumid:(1233)). Similarly, there was only a single question, no answer for ISA (http://forums.asp.net/p/1604378/4088957.aspx)
We have Exchange 2007 OWA behind ISA 2006.
Do I need to start editing the web config for OWA (something I'm not in a hurry to do), or does ISA protect me by putting a layer in between?
Dave A-W
Member
16 Points
3 Posts
Re: Exchange / ISA2006 - Safe / Impacted
Sep 21, 2010 09:49 AM
Unfortunately impacted I believe. Any difference when your server responds to the following:
is potentially enough for a successful attack.
I've adapted some of the steps suggested by the SharePoint team to workaround below.
1. Rename C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx
to error.bak.aspx
2. Paste contents of error2.aspx as listed here
http://blogs.msdn.com/b/sharepoint/archive/2010/09/21/security-advisory-2416728-vulnerability-in-asp-net-and-sharepoint.aspx
into a new version of C:\Program Files\Microsoft\Exchange Server\ClientAccess\owa\auth\error.aspx
3. Add a new web.config (probably doesn't exist) at your website root. In our case:
C:\Program Files\Microsoft\Exchange Server\ClientAccess\web.config
Containing
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="/owa/auth/error.aspx" />
  </system.web>
</configuration>

This will then be used by other child virtual directories that don't override the customErrors element.
4. Optional: our /ews/web.config had an overriding customErrors that redirected to a (non-existent) GenericErrorPage.htm.
I commented out this particular element in that web.config file.
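
The check implied by steps 3 and 4 above, as an added example that is not part of the original post and is not Microsoft's or the poster's code: it walks every web.config under a folder and reports the customErrors settings each one declares, so child overrides like the /ews one are visible. The function name Get-CustomErrorsAudit and its output columns are assumptions made for this illustration.

```powershell
# Added example: list customErrors settings declared in each web.config below $Root.
function Get-CustomErrorsAudit {
    param([Parameter(Mandatory = $true)][string]$Root)

    Get-ChildItem -Path $Root -Filter web.config -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        $dir  = $_.DirectoryName
        $xml  = New-Object System.Xml.XmlDocument
        try { $xml.Load($file) }
        catch {
            New-Object PSObject -Property @{ File = $file; Mode = ''; Redirect = ''; Notes = "unreadable XML: $($_.Exception.Message)" }
            return
        }
        # Commented-out elements (as in step 4) are not matched by SelectNodes.
        $nodes = $xml.SelectNodes('//system.web/customErrors')
        if ($nodes.Count -eq 0) {
            New-Object PSObject -Property @{ File = $file; Mode = ''; Redirect = ''; Notes = 'no customErrors element; inherits from the parent config' }
            return
        }
        foreach ($node in $nodes) {
            $mode = $node.GetAttribute('mode')
            if (-not $mode) { $mode = 'RemoteOnly' }   # ASP.NET default when the attribute is absent
            $redirect = $node.GetAttribute('defaultRedirect')
            $notes = @()
            if ($mode -eq 'Off') { $notes += 'mode=Off: detailed errors are returned to clients' }
            if (-not $redirect) {
                $notes += 'no defaultRedirect set'
            }
            elseif ($redirect -match '^(~?/|https?:)') {
                # Site-rooted or absolute URL: the physical file depends on the IIS mapping.
                $notes += 'rooted redirect: confirm the page exists through the IIS virtual directory'
            }
            elseif (-not (Test-Path -LiteralPath (Join-Path $dir $redirect))) {
                # Relative target, resolved against the folder holding this web.config.
                $notes += "redirect target not found: $redirect"
            }
            $perStatus = $node.SelectNodes('error').Count
            if ($perStatus -gt 0) { $notes += "$perStatus per-status <error> entries: responses differ by error type" }
            New-Object PSObject -Property @{ File = $file; Mode = $mode; Redirect = $redirect; Notes = ($notes -join '; ') }
        }
    } | Select-Object File, Mode, Redirect, Notes
}

# Usage, with the folder named in step 3 of the post:
# Get-CustomErrorsAudit -Root 'C:\Program Files\Microsoft\Exchange Server\ClientAccess' | Format-List
```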
makerofthing...
Member
2 Points
1 Post
Re: Exchange / ISA2006 - Safe / Impacted
Sep 21, 2010 12:19 PM
What needs to be done for Exchange 2003? This appears to be for Exchange 2007
saunan
Member
14 Points
4 Posts
Re: Exchange / ISA2006 - Safe / Impacted
Sep 23, 2010 08:39 PM
Yes, please provide examples for Exchange 2003. I didn't set up our Exchange install, but I'm being asked to apply the workaround.
We have OWA and OMA installed, and there are a lot of redirections going on, from default web site to /owaasp to /ExchWeb to /Exchange, etc.
How does one figure out where the "root" web.config file should be?
Thanks.
Dave A-W
Member
16 Points
3 Posts
Exchange 2003 Outlook Web Access
Sep 24, 2010 02:12 AM
I'm sorry - I don't have access to an Exchange 2003 install, so am unable to advise on specifics.
Under IIS Administration tools for your OWA server, you will see a "Default Web Site" node in the Web Sites folder - this is the root.
Right-click this, select Properties, and then the Home Directory tab to determine the local folder path for this. For a standard installation I expect this will be C:\Inetpub\wwwroot. If you have any ASP.NET developers in your organisation, they may be able to assist with the requisite tweaks.
Hope that helps.
saunan
Member
14 Points
4 Posts
Re: Exchange 2003 Outlook Web Access
Sep 24, 2010 10:44 PM
Thanks for the note. In our case, the Home Directory is being redirected to URL "/Exchange". This URL is "a Directory on this computer" called \\.\BackOfficeStorage\blah\blah\
Not being an Exchange admin, this looks like the back-end Exchange server. Can't put anything there.
Putting web.config and error.html into the root directory accomplishes nothing. When trying to load a page that doesn't exist, all I get is the IIS 404 error.
I also tried the directory "C:\Program Files\Exchsrvr\exchweb\bin\auth" which is the location of the OWA logon page. After this, I get a typical ASP.NET Application error -- you know, the big yellow box with the directives about CustomErrors. I suppose that's progress, since ASP.NET is now trying to respond to the error. But the "error.html" file is still not being displayed -- which is the result I want, right?
Any help from anyone would be greatly appreciated. I'm an Exchange noob (in case that wasn't clear enough already).
Thanks.
TobieFysh
Member
2 Points
1 Post
Re: Exchange / ISA2006 - Safe / Impacted
Sep 25, 2010 09:36 AM
From the Exchange team : http://msexchangeteam.com/archive/2010/09/23/456399.aspx
No firm (read Official) reply if it is vulnerable if behind ISA......
David Di - M...
Member
40 Points
10 Posts
Microsoft
Re: Exchange / ISA2006 - Safe / Impacted
Sep 30, 2010 06:39 PM
The whole question here is likely academic at this point - there has been an official fix released for the ASP.Net Cryptographic vulnerability. Please find the appropriate version to download and install at the following location:
Microsoft Security Bulletin MS10-070 - Important
Vulnerability in ASP.NET Could Allow Information Disclosure (2418042)
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
Thank you.
Regards,
David Dietz
Microsoft Online Community Support