Posted by Martin Zinaich on February 6, 2017.
I wrote about this before in a post called “Big Things and Small Things”. I documented how two very large companies failed to support Information Security in a corporate environment with even a basic level of accommodation.
More came to light this week when reviewing Microsoft Exchange 2016. The issue has been around since 2013, yet it is inflamed in the latest release. For many corporations email is arguably the most used and potentially the most critical application. I once consulted in a disaster recovery exercise where I asked the departments to rank their system and application needs. Email came out on top as the most "have to have" application. Suffice it to say that email is still a big deal. It is also a major security concern: it is a prime attack vector for phishing, and it is a major concern for Intellectual Property loss and regulatory compliance.
Onto this stage appears Outlook Anywhere. The typical model for a corporation is to utilize a full client inside the corporate environment, ActiveSync for mobile devices and Outlook WebAccess for remote access. I showed how easily vendors thwart ActiveSync policies in the post "Big Things and Small Things". Outlook WebAccess is a web-based email interface for remote access. In essence, users view, send and work with email in a web portal; the email itself stays inside the corporate environment.
In Exchange 2016 the full client model has moved to MAPI over HTTP, which in and of itself is fine. However, Microsoft did not provide an easy method to disable it from the Outlook WebAccess server, so full client connectivity is available from anywhere, and this means a full client can be running on any end-user PC. Does that PC have antivirus, a firewall or any protection at all? Who knows? There is no protocol in place to check and there is no overt setting to prevent such access. It means you either have to totally block remote Outlook WebAccess (preventing anyone from getting remote email without a VPN connection) or you have to live with the huge risk of having user email stored locally on a PC that may already be infected!
The total lack of forethought as it relates to Cyber Risk is hard to overemphasize. Mathias Thurman wrote an article describing what he ran into with such a configuration. The punch line from his article: "A few weeks ago, the manager of a local hotel called to tell us that the hotel staff had discovered over 1GB of our company email on the computer in the hotel lobby."
I did discover some obscure command that can be run against the system to disable such access from the outside (Get-Mailbox -OrganizationalUnit "OrganizationUnitName" | Set-CASMailbox -MAPIBlockOutlookRPCHttp $True); however, I have not fully concluded its total effectiveness and side-effects at this point in time.
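The following is an added example, not code from the post or from Microsoft, showing how an Exchange admin could first audit which mailboxes in an OU still accept Outlook Anywhere connections, dry-run the Set-CASMailbox change quoted above, and then verify it. It assumes an Exchange Management Shell session on Exchange 2013/2016; the OU distinguished name and CSV path are placeholders.

```powershell
# Added example (not from the post): audit, dry-run, then verify the per-mailbox
# Outlook Anywhere block. Placeholder OU; replace with your own.
$TargetOu = "OU=Staff,DC=example,DC=local"

# 1. Report current state for every mailbox in the OU.
#    MAPIBlockOutlookRPCHttp governs the RPC-over-HTTP (classic Outlook Anywhere) path;
#    MapiHttpEnabled governs the MAPI-over-HTTP path that Exchange 2016 clients prefer.
$report = Get-CASMailbox -OrganizationalUnit $TargetOu -ResultSize Unlimited |
    Select-Object Name, MAPIEnabled, MapiHttpEnabled, MAPIBlockOutlookRPCHttp

$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\outlook-anywhere-audit.csv" -NoTypeInformation

# Mailboxes that can still be opened by a full client over RPC/HTTP from anywhere.
$exposed = @($report | Where-Object { $_.MAPIEnabled -and -not $_.MAPIBlockOutlookRPCHttp })
Write-Host ("{0} of {1} mailboxes in {2} still accept RPC/HTTP" -f $exposed.Count, $report.Count, $TargetOu)

# 2. Dry run of the change the post describes: -WhatIf modifies nothing.
Get-Mailbox -OrganizationalUnit $TargetOu -ResultSize Unlimited |
    Set-CASMailbox -MAPIBlockOutlookRPCHttp $true -WhatIf

# 3. Apply for real only after reviewing the dry run. Keeping the OU scope lets a
#    pilot group be tested for side-effects before the change reaches every mailbox.
# Get-Mailbox -OrganizationalUnit $TargetOu -ResultSize Unlimited |
#     Set-CASMailbox -MAPIBlockOutlookRPCHttp $true

# 4. Verify: anything listed here still has the block unset.
Get-CASMailbox -OrganizationalUnit $TargetOu -ResultSize Unlimited |
    Where-Object { -not $_.MAPIBlockOutlookRPCHttp } |
    Select-Object Name
```

Re-run step 1 after applying the change and keep both CSVs; the diff is the evidence that the mailboxes in scope were actually changed.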
What is important to understand is that the default configuration from Microsoft is "put my corporate email on a computer in the hotel lobby". Any option to disable this configuration is not in the GUI and is hidden in obscure notes (if that is even a fix). No warnings about such access are given to email admins. And finally, it is yet another example of a big software company not only empowering weak security, but also seemingly oblivious to such weakness.