This article covers how to secure Outlook Web Access (OWA). It discusses the risks of leaving OWA sessions open and how to test for vulnerabilities. We’ll cover risks users should be aware of and steps to mitigate them.
Nowadays employees are mobile and constantly connected; the traditional work environment has expanded beyond the physical office walls to include coffee shops, airports, and home. Unfortunately, all this increased mobility and flexibility has exposed new security risks for businesses and IT, risks that sophisticated hackers are quick to exploit.
One of these risks relates to the exposure of sensitive corporate information through email and email attachments. Often employees put the company at risk by inadvertently exposing an active Outlook Web session, allowing would-be hackers to gain access without authentication.
To help you discover if your Outlook Web implementation is secure, we’ve created a three-post series that will help you test a number of the more common Outlook Web scenarios that result in publicly exposing your organization’s confidential files and documents, as well as active OWA sessions.
Simply follow the instructions described in the following test cases and learn how secure your OWA implementation really is.
Test Case 1: Gaining Access to Outlook Web App without Authentication
When a user accesses a new web page without first closing their active OWA session, the next user on that computer can gain unauthorized access to the original user’s account, often with a single click, and without ID and password authentication.
This scenario can easily happen to even the most conscientious user who was distracted or wasn’t aware of how their actions would leave their OWA session exposed.
Step 1: Log into OWA.
Step 2: Navigate to another web page by entering the URL of the page in the address bar of the browser. (Try “weather.com”)
Step 3: Press the back button.
Were you able to return to the active OWA session without reauthenticating?
Can you see how easy it would be to forget that you have an active OWA session in the background, especially after you have covered or minimized the window by checking the weather, checking for a flight delay, or spending some time on YouTube or LinkedIn?
Step 4: Navigate to another web page (try “cnn.com”).
Step 5: From the address bar, view the browser history and select the OWA session.
Were you able to return to the active OWA session without reauthenticating?
Step 6: Open up a new web browser window (the browser will display your home page).
Step 7: Log into OWA.
Step 8: Press the back button of the browser.
Step 9: Press the forward button.
Were you able to return to the active OWA session without reauthenticating?
If you were able to return to an active OWA session during any of these test cases, consider how easily the security of your email could be compromised by a distracted user. An unauthorized third party with access to an active OWA session represents a significant security exposure. They could view and forward confidential emails and documents, or take other, even more malicious actions.
(Note to RSA and other two-factor authentication (2FA) users: your 2FA does not protect your OWA session from this attack.)
Test Case 2: Gaining Access to OWA without Authentication
Another exposure occurs when a user closes the OWA browser session, but leaves a calendar or contact window open in the background. This moment of forgetfulness allows the next user on the computer to gain access to that previous user’s OWA mail account without authentication.
Try the next test and see how your mail could be compromised in this way.
Step 1: Log into OWA. (If you are using RSA or another 2FA solution, make sure it is enabled for this test.)
Step 2: Navigate to Calendar or Contacts and open a calendar appointment, meeting request or contact page in a new window. This could also happen by clicking on a New Mail or Reminder notice!
Step 3: To make the scenario more realistic, you can minimize the window you just opened or open another browser page in front to hide it from view.
Step 4: Return to the main OWA page leaving the calendar item or contact open in the background.
Step 5: Close the browser window by clicking the red X in the top right-hand corner of the browser.
Step 6: Copy the following part of the URL (starting with “https://” and ending with “/owa”) from the address bar at the top of the calendar or contact window.
Step 7: Paste the URL into a new browser window.
Step 8: Press enter.
Were you able to return to the active OWA session without re-authenticating? Can you see how easily it could happen that a user thinks they have logged off by clicking on the red “X” … but has in fact left the OWA session active?
Test Case 3: Accessing OWA without Authentication
Another exposure occurs when a user opens a browser window to access an internet site, then opens a second window to log into OWA and subsequently closes the OWA window without logging off. Although the user may think they have signed out of OWA, they have actually left it active and they have enabled the next user on that computer to access their OWA account without authentication.
Try the next test and see how your mail could be compromised in this way.
Step 1: Open a browser window and leave it open in the background.
Step 2: Open a second browser window; log into OWA.
Step 3: Close the second browser window by clicking the red X, without logging off.
Step 4: Start typing the OWA URL into the first browser window.
Step 5: Select the OWA address from the drop down history list.
Were you able to return to the active OWA session without reauthenticating?
Note: While this exposure exists between any OWA users on the same machine, this test is particularly relevant to the situation where multiple users from the same company use the same computer to look at their email. This scenario plays out at trade shows or in airline lounges. User 1 enters the address of their OWA mail, continues to use the browser to do other things and then relinquishes control to their colleague, who is surprised to see that autocomplete gives them access to User 1’s mail after typing in a few characters of the address of their company email. A malicious user could create a rule to forward every piece of mail User 1 gets and then hide their tracks.
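As an added defender-side check (not part of the original article), the following Python audits a raw HTTP response from a logon-protected webmail page for two server settings that bear on the tests above: whether the page may be kept in the browser cache (so Back and History can re-render it) and whether the session cookie is persistent. It goes slightly beyond the article by also checking the cookie's Secure and HttpOnly flags; the two sample responses and the cookie name `sessionid` are constructed, and the expected values are this example's assumptions about good practice, not a statement of what any Exchange version emits.

```python
from email.parser import Parser

# Constructed sample: a weakly configured server. Page is cacheable and the
# session cookie outlives the browser because it carries an Expires date.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: private\r\n"
    "Set-Cookie: sessionid=abc123; path=/owa; expires=Fri, 31 Dec 2030 23:59:59 GMT\r\n"
    "\r\n"
    "<html>mailbox</html>"
)

# Constructed sample: the same page with the settings this audit looks for.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Set-Cookie: sessionid=abc123; path=/owa; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>mailbox</html>"
)

def parse_response(raw: str):
    """Split a raw HTTP response into (status line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, _, header_text = head.partition("\n")
    return status_line, Parser().parsestr(header_text, headersonly=True), body

def audit_response(raw: str) -> list[str]:
    """Return finding codes for session-protection gaps; an empty list means none."""
    _, headers, _ = parse_response(raw)
    findings = []
    if "no-store" not in (headers.get("Cache-Control") or "").lower():
        # Without no-store the browser may redisplay the page from its local cache.
        # Note this only helps once the server-side session is gone: while the
        # session is still active (the article's tests), Back simply re-requests
        # the page with the still-valid cookie, so a short idle timeout matters too.
        findings.append("cache-control-missing-no-store")
    for raw_cookie in headers.get_all("Set-Cookie") or []:
        parts = [p.strip() for p in raw_cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if attrs & {"expires", "max-age"}:
            # A persistent cookie survives a full browser exit, not just a closed window.
            findings.append(f"cookie-persistent:{name}")
        if "httponly" not in attrs:
            findings.append(f"cookie-missing-httponly:{name}")
        if "secure" not in attrs:
            findings.append(f"cookie-missing-secure:{name}")
    return findings

if __name__ == "__main__":
    print("weak:", audit_response(WEAK_RESPONSE))
    print("hardened:", audit_response(HARDENED_RESPONSE))
```

To use it against a real deployment, paste the response of an authenticated OWA page (headers included) into the `raw` argument; none of the findings changes the fact that a user who does not log off leaves a live session for the next person at the keyboard.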
The preceding tests have demonstrated a variety of ways in which an OWA session can be compromised, even though the user may have been doing their best to follow company security policies. Numerous studies have shown that education and training are not sufficient to secure a mail system.
In the next article we ask: Are Your Microsoft Outlook Web Attachments Secure?
Stay with us as we continue to test the integrity of your OWA implementation and find out where vulnerabilities exist in your current configuration.