January 10, 2019

Exchange Security Tip – WST

10-D performs hundreds of penetration tests each year, so we see trends in the weaknesses that give attackers a way into customer networks. One of the more common weaknesses we currently see involves public-facing Exchange servers. It is commonly perceived that if you lock down the Exchange Outlook Web App (OWA) login portal by denying most users access and enabling two-factor authentication for the others, you have secured your Exchange server from attackers. Unfortunately, a service commonly enabled on many Exchange instances called Exchange Web Services (EWS) bypasses both of those controls.

Simply put, EWS is a service that allows client devices to connect to the server to retrieve email and other data. The vulnerability associated with this service is that an attacker can brute-force logins and, if successful, log in to users' email without two-factor authentication. The service can be disabled; however, that may cause a mutiny within your organization if users lose access to some of their data.

10-D Security doesn't recommend a specific solution for this vulnerability, as Exchange implementations vary greatly, but some options to consider for locking down this service are as follows:
  • Limit which users have access to the EWS service
  • Limit which applications are allowed to access the EWS service
  • An application firewall or reverse proxy that whitelists only valid EWS requests
  • VPN-only access to email
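
As an added example (not 10-D Security's code), the PowerShell below covers the first two bullets using the Exchange Management Shell cmdlets that control EWS per mailbox and per client application, and adds a check of IIS logs for password guessing against the EWS endpoint. The cmdlets and parameters (Get-CASMailbox / Set-CASMailbox -EwsEnabled, Set-OrganizationConfig -EwsApplicationAccessPolicy / -EwsAllowList, Get-DistributionGroupMember) are real on-premises Exchange cmdlets; the group name 'EWS-Allowed-Users', the user-agent patterns, the failure threshold and the log lines are assumptions constructed for illustration.

```powershell
# Added example; not 10-D Security's code. Exchange cmdlets below are real, but the
# group name, user-agent allowlist, threshold and sample log are assumed/constructed.

# --- Audit: which mailboxes can currently reach EWS? ---
# EwsEnabled of $null means "not set", which Exchange treats as enabled.
function Get-EwsExposedMailbox {
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.EwsEnabled -ne $false } |
        Select-Object Name, PrimarySmtpAddress, EwsEnabled
}

# --- Limit which users and which applications may use EWS (first two bullets) ---
function Invoke-EwsLockdown {
    param(
        # Assumed: a group holding the mailboxes with a documented need for EWS.
        [string]$AllowedGroup = 'EWS-Allowed-Users',
        # Assumed patterns; EwsAllowList is matched against the HTTP User-Agent header.
        [string[]]$AllowedUserAgents = @('Microsoft Office/*', 'Outlook/*')
    )
    $allowed = Get-DistributionGroupMember -Identity $AllowedGroup -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress.ToString() }

    # Per mailbox: EWS stays on only for members of the allowed group.
    Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
        $enable = $allowed -contains $_.PrimarySmtpAddress.ToString()
        Set-CASMailbox -Identity $_.Identity -EwsEnabled $enable
    }

    # Organization-wide: even allowed users may only reach EWS from the listed
    # client applications; any other User-Agent is refused.
    Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceAllowList `
                           -EwsAllowList $AllowedUserAgents
}

# --- Detect password guessing against the EWS endpoint in IIS (W3C) logs ---
# A legitimate EWS request usually begins with one 401 challenge (NTLM/Basic) before
# credentials are sent, so a handful of 401s is normal; tune -Threshold to your baseline.
function Find-EwsAuthFailureBurst {
    param([string[]]$LogLines, [int]$Threshold = 20)
    $fields   = $null
    $failures = @{}
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Header-driven parsing, so the column order of a given server does not matter.
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        if ($rec['cs-uri-stem'] -like '/EWS/*' -and $rec['sc-status'] -eq '401') {
            $failures[$rec['c-ip']] = 1 + [int]$failures[$rec['c-ip']]
        }
    }
    foreach ($entry in $failures.GetEnumerator()) {
        if ($entry.Value -ge $Threshold) {
            [pscustomobject]@{ ClientIp = $entry.Key; EwsAuthFailures = $entry.Value }
        }
    }
}

# Constructed sample log (not from a real server): one source repeatedly failing
# authentication to EWS, and one legitimate Outlook client that succeeds.
$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-01-10 08:00:01 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.23 CustomClient/1.0 401
2019-01-10 08:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.23 CustomClient/1.0 401
2019-01-10 08:00:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.23 CustomClient/1.0 401
2019-01-10 08:00:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 198.51.100.23 CustomClient/1.0 401
2019-01-10 08:00:09 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 Microsoft+Office/16.0 401
2019-01-10 08:00:09 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\jdoe 203.0.113.7 Microsoft+Office/16.0 200
'@ -split "`r?`n"

# Flags 198.51.100.23 (four failures); the Outlook client's single challenge is ignored.
Find-EwsAuthFailureBurst -LogLines $sampleLog -Threshold 4
```

Run Get-EwsExposedMailbox first and compare its output with the User-Agent column of the IIS logs for a few weeks before calling Invoke-EwsLockdown: clients such as Outlook for Mac and calendar integrations depend on EWS, and seeing which agents legitimately use it tells you which users and applications belong on the allowlists, which is the point at which the "mutiny" the tip warns about is avoided.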
