securing OWA account
  • securing OWA account

    Hi!

    I want to lock OWA accounts after several wrong login attempts.
    For this reason, I defined a Default Domain Policy to lock an account for 30 minutes after 5 wrong logins.

    But this policy seems not to work. I can try many wrong logins, and my OWA account is still accessible.

    Even if I lock the account under Active Directory Users and Computers, an OWA login is still possible.

    What's going wrong?

  • #2
    Re: securing OWA account

    OWA is not an account. OWA is a web based application to access the contents of a mailbox.
    A mailbox is not an account. It is a data store for storing personal information management data.
    A user logs into their mailbox, whether by OWA or by Outlook, using their Active Directory Account.

    There is NO FACILITY using Active Directory Users and Computers to lock out an account.

    So - can we start with using the correct terminology, so that we can all understand what your actual problem is? I have understood the following, please correct me if I'm wrong:
    • You have created a Default Domain Policy for account Lockouts which states that accounts should lock for 30 minutes after 5 bad password attempts
    • When you log into your AD account via OWA, even if you use incorrect passwords, the account does not lock.


    So - a little more information is required:
    1. When you try to log in to OWA, if you use the correct credentials, are you successful?
    2. When you log into OWA, are you using "username" or "DOMAIN\username"?
    3. Does the account lock out if you attempt 5 logins to a workstation with the wrong password?


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you



    • #3
      Re: securing OWA account

      Logon restrictions applied to user logon to workstations don't apply to OWA. And Tom beat me to it, this time.
      Gareth Howells

      BSc (Hons), MBCS, MCP, MCDST, ICCE

      Any advice is given in good faith and without warranty.

      Please give reputation points if somebody has helped you.

      "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

      "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.



      • #4
        Re: securing OWA account

        Oh, and finally, can you please take us step by step through the process you used to create the policy?

        Thanks


        Tom


        • #5
          Re: securing OWA account

          Originally posted by gforceindustries:
          Logon restrictions applied to user logon to workstations don't apply to OWA.
          I can't believe that logons to AD accounts are excluded from domain policies by an application... can you post a reference for this?


          Tom


          • #6
            Re: securing OWA account

            No reference, but practical experience has shown me that a locked out user account can be used to access OWA while the lockout is in effect.
            Gareth Howells


            • #7
              Re: securing OWA account

              Originally posted by gforceindustries:
              No reference, but practical experience has shown me that a locked out user account can be used to access OWA while the lockout is in effect.
              That's an appalling security hole... Sembee can you throw any light on this?


              Tom


              • #8
                Re: securing OWA account

                It can't be. OWA should authenticate the user against the domain.
                However, it might be that it uses a cached session when you didn't close the browser first.
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"



                • #9
                  Re: securing OWA account

                  Right then.
                  I have just tested this.

                  An account lockout threshold of 2 was set in the Default Domain Policy.
                  I entered the wrong password three times. The account is locked out.

                  Therefore incorrect logins to OWA will lock out an account, which is what I suspected. Otherwise, as already pointed out, it is a security hole.
                  Furthermore, when I tested an account by logging in correctly, then jumping on to another session and locking the account out again, when I tried to do something new in OWA in the active session, I was kicked back to the authentication setting.

                  This has to be cached credentials, which forms-based authentication would ensure cannot be used.

                  The security hole with cached credentials on the regular authentication, not forms-based authentication, is well known, and isn't a fault, but the way that IIS is designed to work. That is why Microsoft introduced FBA, which uses a cookie to control access.

                  Therefore to the original poster...
                  Are you using forms based authentication? If not, why not.

                  Simon.
                  --
                  Simon Butler
                  Exchange MVP

                  Blog: http://blog.sembee.co.uk/
                  More Exchange Content: http://exchange.sembee.info/
                  Exchange Resources List: http://exbpa.com/
                  In the UK? Hire me: http://www.sembee.co.uk/

                  Sembee is a registered trademark, used here with permission.
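The following is an added example, not code from this thread, from Microsoft or from Exchange. It models the three Active Directory account-lockout settings that the original poster and Simon are testing (the lockout threshold, the observation window after which the bad-password counter resets, and the lockout duration) and applies them to sequences of logon attempts such as OWA would forward to a domain controller. The account names, passwords and timestamps are constructed. It shows five wrong passwords in quick succession locking under the poster's 5-attempts / 30-minutes policy; the same wrong passwords entered more than 30 minutes apart never locking, because the counter resets each time (one way a hand test can look like "the policy seems not to work"); Simon's threshold-of-2 test from #9; and a simplified model of his second observation, that an already-established session is sent back to the logon form once the account is locked from elsewhere. The session check is a model of what #9 reports, not Exchange or IIS behaviour reproduced from their code.

```python
"""Model of Active Directory account-lockout semantics, applied to logon
attempts such as OWA forwards to a domain controller.  Constructed example:
it is not Windows, IIS or Exchange code, and the names, passwords and
timestamps below are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """The three settings under Account Policies > Account Lockout Policy."""
    threshold: int                 # "Account lockout threshold" (0 = never lock)
    observation_window: timedelta  # "Reset account lockout counter after"
    duration: timedelta            # "Account lockout duration" (0 = until an admin unlocks)


@dataclass
class Account:
    password: str
    bad_pwd_count: int = 0
    last_bad_pwd: Optional[datetime] = None
    lockout_time: Optional[datetime] = None


class Domain:
    """How a DC applies the policy to each logon (simplified model)."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts = {}  # name -> Account

    def is_locked(self, name: str, now: datetime) -> bool:
        acct = self.accounts[name]
        if acct.lockout_time is None:
            return False
        # A zero duration means the account stays locked until an admin unlocks it.
        if self.policy.duration and now - acct.lockout_time >= self.policy.duration:
            acct.lockout_time = None
            acct.bad_pwd_count = 0
            return False
        return True

    def logon(self, name: str, password: str, now: datetime) -> str:
        acct = self.accounts[name]
        if self.is_locked(name, now):
            return "LOCKED_OUT"  # refused even when the password is right
        # The bad-password counter is cleared once the observation window has passed.
        if acct.last_bad_pwd and now - acct.last_bad_pwd >= self.policy.observation_window:
            acct.bad_pwd_count = 0
        if password == acct.password:
            acct.bad_pwd_count = 0
            return "OK"
        acct.bad_pwd_count += 1
        acct.last_bad_pwd = now
        if self.policy.threshold and acct.bad_pwd_count >= self.policy.threshold:
            acct.lockout_time = now
            return "LOCKED_OUT"
        return "BAD_PASSWORD"


T0 = datetime(2009, 1, 10, 9, 0)   # constructed start time
MIN = timedelta(minutes=1)


def op_policy_burst() -> List[str]:
    """Five wrong passwords within five minutes under the poster's 5 / 30 min policy."""
    dom = Domain(LockoutPolicy(5, 30 * MIN, 30 * MIN))
    dom.accounts["alice"] = Account("Correct-Horse")
    out = [dom.logon("alice", "wrong", T0 + i * MIN) for i in range(5)]
    out.append(dom.logon("alice", "Correct-Horse", T0 + 6 * MIN))   # still locked
    out.append(dom.logon("alice", "Correct-Horse", T0 + 35 * MIN))  # 30 min elapsed
    return out


def op_policy_spread() -> List[str]:
    """The same wrong passwords 31 minutes apart: the counter resets every time,
    so the account never locks.  Testing by hand at that pace looks like
    "the policy seems not to work"."""
    dom = Domain(LockoutPolicy(5, 30 * MIN, 30 * MIN))
    dom.accounts["alice"] = Account("Correct-Horse")
    out = [dom.logon("alice", "wrong", T0 + i * 31 * MIN) for i in range(8)]
    out.append(dom.logon("alice", "Correct-Horse", T0 + 8 * 31 * MIN))
    return out


def simon_threshold_two() -> List[str]:
    """Simon's test in #9: threshold of 2, three wrong passwords in a row."""
    dom = Domain(LockoutPolicy(2, 30 * MIN, 30 * MIN))
    dom.accounts["bob"] = Account("pa55word")
    return [dom.logon("bob", "nope", T0 + i * MIN) for i in range(3)]


def session_revalidation() -> List[str]:
    """#9's second observation, modelled: a session opened with the right password
    is sent back to the logon form once the account is locked from elsewhere,
    because each new request is checked against the account's current state."""
    dom = Domain(LockoutPolicy(2, 30 * MIN, 30 * MIN))
    dom.accounts["bob"] = Account("pa55word")
    out = [dom.logon("bob", "pa55word", T0)]          # session established
    for i in (1, 2):                                   # another browser locks it
        dom.logon("bob", "nope", T0 + i * MIN)
    out.append("REAUTH" if dom.is_locked("bob", T0 + 3 * MIN) else "OK")
    return out


if __name__ == "__main__":
    for fn in (op_policy_burst, op_policy_spread, simon_threshold_two, session_revalidation):
        print(fn.__name__, fn())
```

The practical point for the original poster is in `op_policy_spread`: the "reset counter after" window is part of the policy, so a manual test has to deliver the threshold number of bad passwords inside that window, and the test should be confirmed from the domain controller side (the account's lockout status, not just what the browser shows) rather than by whether a browser session that already holds a cached credential or cookie keeps working.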



                  • #10
                    Re: securing OWA account

                    Even with FBA you can still have cached sessions if you don't close the browser.
                    Well, at least if I log on to my OWA account and close the tab (but don't close the browser) and reopen the site again, my authentication is passed through and I'm straight back into my mailbox.
                    Therefore it might be (but untested) that he simply doesn't close the browser.

                    I'm not going to test it by locking my account, because it will cost a good deal of time to get it unlocked.

                    Hmm, after partially reading this article, it sounds like it describes what I've seen:
                    http://windowsitpro.com/article/arti...verlooked.html

                    The other vulnerability is a navigation-related threat. If an OWA user walks away from his or her computer without closing the Web browser, the user's OWA session is left exposed; the next person to use the computer can simply hit the back button or check the history to get back to the user's OWA session without entering any credentials.
                    Last edited by Dumber; 11th January 2009, 01:19.
                    Marcel
