How to disable the Options panel in Outlook Web Access in Exchange Server 2007

Article ID: 2299129

INTRODUCTION

This article describes how to disable the Options panel in Outlook Web Access (OWA) in Exchange Server 2007. The intention is to provide a workaround for the publicly disclosed Exchange vulnerability.

The vulnerability is a Cross-Site Request Forgery (CSRF) attack in which a user who is logged on to OWA is tricked into visiting a malicious webpage that is crafted specifically for the target Exchange organization. Because the browser sends the user's OWA session with the forged request, the attacker can perform actions on behalf of the user, such as adding new inbox rules or changing other OWA user options.

To reduce the risk of this attack, you can disable the Options panel by using UrlScan. UrlScan can block requests whose URL or query string contains the known strings that are used to reach the Options pages in OWA.

Note The Options pages are where most of the user-level settings and rules in OWA reside. Blocking them is a mitigation that removes the affected functionality for everyone; it does not correct the underlying vulnerability.

More information

UrlScan


UrlScan is an IIS feature that uses an ISAPI filter to process HTTP requests sent to the OWA website. Every request passes through this filter before it is processed by Exchange Server. The query string and the body of every request that is sent to the Options panel contain predictable patterns, and UrlScan can use these patterns to selectively deny those requests.

Note UrlScan denies every request that reads or updates Options items or rules in OWA, including requests from legitimate users within the organization. Users will not be able to manage their inbox rules, junk e-mail settings or other options through OWA while the rule is in place.

To download UrlScan 32bit, visit the following Microsoft website:
Download UrlScan 32bit
To download UrlScan 64bit, visit the following Microsoft website:
Download UrlScan 64bit
For more information about UrlScan, visit the following Microsoft website:
General information about UrlScan

How to disable the Options panel in Exchange Server 2007


Installation


You have to set up UrlScan as a filter for the OWA website. For more information about how to set up UrlScan, visit the following website: 
How to set up UrlScan

After you install UrlScan, the ISAPI filter list on your computer resembles the following:
[Screenshot: the ISAPI filter list showing the UrlScan filter.]


The UrlScan.ini File Setting


Add the following settings to the UrlScan.ini file. Every string listed in the [DenyOWAOptions] section is searched for in the URL and in the query string of each request; if one of them occurs, IIS denies the request. The two settings under [Options] keep UrlScan's default verb and path filtering from interfering with normal OWA requests (UseAllowVerbs=0 stops UrlScan from rejecting verbs that are not in its AllowVerbs list, and AllowDotInPath=1 is needed because OWA directory names contain dots, for example the version directory under /owa/). The RuleList entry enables the [BlockOptionsInOWA] rule, which scans the URL and the query string against the strings in the section named by DenyDataSection.
[Options]
UseAllowVerbs=0
AllowDotInPath=1
RuleList=BlockOptionsInOWA

[BlockOptionsInOWA]
ScanURL=1
ScanQueryString=1
DenyDataSection=DenyOWAOptions

[DenyOWAOptions]
ae=Options
ns=Options
ns=RulesOptions
ns=JunkEmail
ns=DumpsterListView
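The following script is an added example, not part of the article or of UrlScan itself. It reads the UrlScan.ini fragment above and applies the rule the way the article describes it (each string in the deny-data section searched for in the URL and in the query string) to a set of constructed OWA request URIs, so you can see before deployment which requests the rule would reject and which ordinary OWA requests pass. The matching is a case-insensitive substring test; that is an assumption drawn from the article's sample log entry, which reports `ae=options` for a request containing `ae=Options`. The sample request URIs are constructed for the example.

```python
"""Emulate the article's UrlScan rule against sample OWA request URIs.

Added example. The matching semantics (case-insensitive substring search
over the URL path and the query string) are an assumption modelled on the
article's sample log entry, not taken from UrlScan's source.
"""

# Constructed copy of the UrlScan.ini fragment from the article.
URLSCAN_INI = """\
[Options]
UseAllowVerbs=0
AllowDotInPath=1
RuleList=BlockOptionsInOWA

[BlockOptionsInOWA]
ScanURL=1
ScanQueryString=1
DenyDataSection=DenyOWAOptions

[DenyOWAOptions]
ae=Options
ns=Options
ns=RulesOptions
ns=JunkEmail
ns=DumpsterListView
"""


def parse_urlscan_ini(text):
    """Return {section: [raw non-empty lines]}.

    A general INI parser would split 'ae=Options' into key/value and reject
    the repeated 'ns=' keys, so deny-data lines are kept verbatim.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def load_rules(sections):
    """Build (name, scan_url, scan_query, [lowercased deny strings]) per RuleList entry."""
    options = dict(line.split("=", 1) for line in sections["Options"])
    rules = []
    for name in options["RuleList"].split(","):
        name = name.strip()
        settings = dict(line.split("=", 1) for line in sections[name])
        deny = [s.lower() for s in sections[settings["DenyDataSection"]]]
        rules.append((name, settings.get("ScanURL") == "1",
                      settings.get("ScanQueryString") == "1", deny))
    return rules


def check_request(request_uri, rules):
    """Return None if the request passes, else (rule, where, matched_string)."""
    path, _, query = request_uri.partition("?")
    for name, scan_url, scan_query, deny in rules:
        targets = []
        if scan_url:
            targets.append(("url", path.lower()))
        if scan_query:
            targets.append(("query string", query.lower()))
        for where, text in targets:
            for pattern in deny:
                if pattern in text:          # assumed: case-insensitive substring
                    return (name, where, pattern)
    return None


# Constructed sample requests: the first is the article's logged request,
# the others are shaped like OWA 2007 requests for the example.
SAMPLE_REQUESTS = [
    "/owa/?ae=Options&opturl=Messaging",            # Options panel, rejected
    "/owa/?ae=options&opturl=Rules",                # lowercase, still rejected
    "/owa/ev.owa?ns=RulesOptions&ev=GetRules",      # rules namespace, rejected
    "/owa/?ae=Item&t=IPM.Note&a=New",               # compose a message, allowed
    "/owa/?ae=Folder&t=IPF.Note",                   # open inbox, allowed
    "/owa/8.1.240.5/themes/base/logon.css",         # dotted path, allowed
]


def classify_all(requests=SAMPLE_REQUESTS, ini=URLSCAN_INI):
    """Map each request URI to the rule verdict (None = allowed)."""
    rules = load_rules(parse_urlscan_ini(ini))
    return {uri: check_request(uri, rules) for uri in requests}


if __name__ == "__main__":
    for uri, verdict in classify_all().items():
        print("Rejected" if verdict else "Allowed ", uri, verdict or "")
```

Because the test is a plain substring search over the whole query string, any request whose query string happens to contain one of the listed strings is rejected as well; review the UrlScan log after deployment for unexpected hits before treating the rule as settled.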

End-user Experience


After you install UrlScan and configure the settings, users can still log on to OWA, as the following picture shows:
[Screenshot: the OWA mailbox view after UrlScan is configured.]

However, when a user clicks the Options button in the upper-right corner, the user receives the following 403 (Forbidden) error:
[Screenshot: the 403 error returned for the Options request.]




Administrative Tasks


The UrlScan install directory also contains a log file that records which requests were blocked and the reason for blocking them. For example, you may see an entry that resembles the following in the log file (the trailing fields name the rule that triggered, the part of the request that matched, and the matched string):
2010-07-16 23:50:23 157.56.147.48 1 GET /owa/?ae=Options&opturl=Messaging Rejected rule+'BlockOptionsInOWA'+triggered query+string - ae=options

The administrator can use standard IIS log parsing tools, such as LogParser, to obtain more information and statistics about the logs. For more information about how to query these logs, visit the following website:
How to query logs
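As an added example (not part of the article, and a stand-in for LogParser rather than a LogParser query), the script below reads UrlScan log entries of the form shown above and summarizes the rejections by client IP, by rule and by matched string, which is what an administrator wants after deploying the rule: how many users hit the block, from where, and whether anything other than the expected Options strings is being matched. The log excerpt is constructed for the example around the article's single entry; the field names are inferred from that entry, not taken from the UrlScan documentation.

```python
"""Summarize UrlScan rejection log entries.

Added example. The log layout (date, time, client IP, site id, method, URL,
action, reason, matched context, '-', matched string) is inferred from the
one entry quoted in the article; the extra entries below are constructed.
"""
import re
from collections import Counter

# Constructed log excerpt: the first entry is the article's, the rest are made up.
SAMPLE_LOG = """\
#Software: UrlScan (constructed header comment for this example)
2010-07-16 23:50:23 157.56.147.48 1 GET /owa/?ae=Options&opturl=Messaging Rejected rule+'BlockOptionsInOWA'+triggered query+string - ae=options
2010-07-16 23:51:07 157.56.147.48 1 POST /owa/ev.owa?ns=RulesOptions&ev=GetRules Rejected rule+'BlockOptionsInOWA'+triggered query+string - ns=rulesoptions
2010-07-16 23:52:41 10.1.2.3 1 GET /owa/?ae=Options&opturl=JunkEmail Rejected rule+'BlockOptionsInOWA'+triggered query+string - ae=options
"""

RULE_RE = re.compile(r"rule\+'([^']+)'\+triggered")


def parse_urlscan_line(line):
    """Return a dict for one rejection entry, or None for comments/short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < 8:
        return None
    date, time, client_ip, site_id, method, url, action = parts[:7]
    reason = " ".join(parts[7:])
    rule = RULE_RE.search(reason)
    # Tokens after the reason: "<context> - <matched string>" (spaces as '+').
    matched = parts[-1] if "-" in parts[7:] else ""
    context = parts[parts.index("-") - 1].replace("+", " ") if "-" in parts[7:] else ""
    return {
        "date": date, "time": time, "client_ip": client_ip, "site_id": site_id,
        "method": method, "url": url, "action": action,
        "rule": rule.group(1) if rule else "", "context": context, "matched": matched,
    }


def summarize(log_text):
    """Count rejections by client IP, rule and matched string."""
    entries = [e for e in (parse_urlscan_line(l) for l in log_text.splitlines()) if e]
    rejected = [e for e in entries if e["action"] == "Rejected"]
    return {
        "total": len(rejected),
        "by_client": Counter(e["client_ip"] for e in rejected),
        "by_rule": Counter(e["rule"] for e in rejected),
        "by_matched": Counter(e["matched"] for e in rejected),
        "urls": sorted({e["url"] for e in rejected}),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("rejected requests:", report["total"])
    for ip, n in report["by_client"].most_common():
        print(f"  {ip}: {n}")
    for s, n in report["by_matched"].most_common():
        print(f"  matched {s!r}: {n}")
```

Matched strings outside the five listed in [DenyOWAOptions] would indicate that another rule in UrlScan.ini is firing; a client IP with many hits is usually a legitimate user repeatedly trying to reach Options, which is the expected side effect of this workaround rather than an attack.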

How to disable the Options panel in Exchange Server 2003

UrlScan cannot be used in Exchange Server 2003 to disable the Options panel or the Rules panel. 

Properties

Article ID: 2299129 - Last Review: September 3, 2013 - Revision: 3.0
Applies to
  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Service Pack 1
  • Microsoft Exchange Server 2003 Service Pack 2
  • Microsoft Exchange Server 2007 Enterprise Edition
  • Microsoft Exchange Server 2007 Service Pack 1
  • Microsoft Exchange Server 2007 Service Pack 2
  • Microsoft Exchange Server 2007 Service Pack 3
  • Microsoft Exchange Server 2007 Standard Edition
Keywords: 
kbsurveynew kbfix kbexpertiseinter KB2299129
