Welcome to In Depth Defense. In Depth Defense LLC is a privately owned Information Security Consulting company owned and operated by Mark Baggett. In Depth Defense specializes in Penetration Testing and Incident Response. At this time In Depth Defense is not accepting any new client work, but we are happy to speak to you and point you to other resources in the community.

Mark Baggett has been active in Information Security for 18+ years. I've served in a variety of roles from software developer to CISO. You can find archives of older blog entries below and read my newer posts on http://www.pauldotcom.com, http://isc.sans.edu and http://pen-testing.sans.org

Tuesday, April 22, 2008

OWA - A GAPING HOLE IN YOUR FIREWALL

Blocking Personal Blackberrys storing corporate emails

One of the many reasons to have a BES (Blackberry Enterprise Server) protecting your corporate email is so you can wipe any Blackberry device in the event that it is lost. These devices often contain sensitive email, so password protection, encryption, policy enforcement and remote wipe are well worth the investment in BES. BES installed, problem solved! Right? Check the IIS logs on your Outlook Web Access server. You may find unauthorized Blackberry and other smart phones are synchronizing email using WebDAV. Using OWA they can store corporate emails, and you have no way to wipe the data when the device is lost. This DOES NOT require RPC over HTTP to be enabled on your OWA server, and it's not just Blackberries and smart phones. Desktop clients such as Entourage can also use WebDAV to sync email to a home computer.
No firewall, no antivirus, and all those sensitive emails on their home machines. Scared yet? If this is a problem for you, the only REAL fix is to turn off OWA. But that is a tough pill to swallow. Here is a possible alternative.

Check your IIS logs and you'll see entries like this:

2008-04-22 16:48:25 W3SVC1 127.0.0.1 POST /exchange/username/##emailname##/ - 443 username 127.0.0.1 BWC/Worker/1.0 200 0 0

2008-04-21 13:35:22 W3SVC1 127.0.0.1 BMOVE /exchange/firstname.lastname/Inbox/ - 443 firstname.lastname 127.0.0.1 BWC+Engine+/2.0 207 0 0

Here you can see an unauthorized Blackberry copying emails to the handheld through the Outlook Web Access interface. BWC+Engine is the User-Agent used by the Blackberry email client. You may also have some of these:

2008-04-20 23:06:40 W3SVC1 127.0.0.1 POST /Microsoft-Server-ActiveSync Cmd=GetItemEstimate&User=jusername&DeviceId=PLMOx8xxxx0&DeviceType=PalmOneTreoAce&Log=V4XXX:0AXXXX:0XXXXD0SP:1XXXXXXXH0P 443 username 127.0.0.1 PalmOne-TreoAce/2.01m01 200 0 0

2008-04-20 23:42:13 W3SVC1 127.0.0.1 OPTIONS /Microsoft-Server-ActiveSync User=username&DeviceId=2F8xxxxxxxxxxx&DeviceType=SmartPhone&Log=VNAXXX:0XXXXX:0A0XXXXX:0C0XXXXXXXH 443 username 127.0.0.1 MSFT-SPhone/5.2.203 200 0 0

If your goal is to keep personal devices from synchronizing over Outlook Web Access, you will want to block those also.

So how do you block specific User-Agent strings on IIS? Pretty simple in Apache, right? Not so much on IIS. You may think (as I did) that you can use URLScan. It has a [DenyHeaders] section which allows you to specify User-Agent. That doesn't work. It will allow you to block any web request that has a User-Agent header (yeah, all of them), but not a specific User-Agent value. Thanks for nothing, Microsoft! So how then? You can use a third-party ISAPI filter that implements Apache mod_rewrite functionality on IIS. You can download ISAPI_Rewrite from http://www.isapirewrite.com. There is a LITE and a FULL version available for download at the site. The LITE version is free and it will work for many OWA implementations. Here is the configuration file to use to block the User-Agents for Blackberry, Palm Treo, Microsoft Smart Phones, and AvantGo.

RewriteEngine on
#Block Blackberry and other smartphones
RewriteCond %{HTTP:User-Agent} (?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*) [NC]
RewriteRule .? - [F,L]

This takes care of all of the Microsoft Smart Phones, Palm Treos and AvantGo users. In my testing it also breaks the functionality on the Blackberries. However, Blackberries which use BIS still make requests with IE user agent strings, which are not blocked. The BIS service uses multiple user agents, including IE and the BWC agents. You can block the BIS address ranges from reaching OWA at your firewall. Those ranges are:

  • 206.53.144.0 - 206.53.159.255
  • 216.9.240.0 - 216.9.255.255
  • 67.233.64.0 - 67.223.95.255

I found these on Bill Warnke's blog. Blackberry posts their ranges in this article.

Continue to review your IIS logs to watch for other User-Agents. The following Unix commands (run with Unix-style forward slashes against the W3SVC1 log directory) will show you all the User-Agents accessing your system.

cat /windows/system32/logfiles/w3svc1/* | awk '{print $11}' | sort | uniq
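The one-liner above lists User-Agents but tells you nothing about which entries are actually device syncs, and it cannot tell you whether a request came from a BIS address. The following Python script is an added example, not code from the original post: it parses IIS W3C log lines (a few constructed lines in the same field layout as the entries quoted above, with made-up client IPs), applies the same case-insensitive User-Agent pattern the ISAPI_Rewrite rule uses, flags the WebDAV methods and the ActiveSync path that indicate a mailbox sync rather than a browser session, and checks client IPs against the BIS ranges listed above. Function names (`parse_log`, `classify`, `report`) and the extra WebDAV method names beyond BMOVE are assumptions of this example. The third BIS range as printed has endpoints that are out of order (67.233 then 67.223), so the range loader validates each pair and reports any it cannot use instead of silently dropping it.

```python
import ipaddress
import re

# Constructed sample log in IIS W3C extended format (same field order as the
# entries quoted in the post; client IPs are made up for the example).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-04-22 16:48:25 W3SVC1 127.0.0.1 POST /exchange/username/Inbox/ - 443 username 206.53.150.10 BWC/Worker/1.0 200 0 0
2008-04-21 13:35:22 W3SVC1 127.0.0.1 BMOVE /exchange/firstname.lastname/Inbox/ - 443 firstname.lastname 10.1.2.3 BWC+Engine+/2.0 207 0 0
2008-04-20 23:06:40 W3SVC1 127.0.0.1 POST /Microsoft-Server-ActiveSync Cmd=GetItemEstimate&User=username&DeviceType=PalmOneTreoAce 443 username 10.1.2.4 PalmOne-TreoAce/2.01m01 200 0 0
2008-04-20 23:42:13 W3SVC1 127.0.0.1 OPTIONS /Microsoft-Server-ActiveSync User=username&DeviceType=SmartPhone 443 username 10.1.2.5 MSFT-SPhone/5.2.203 200 0 0
2008-04-22 09:12:01 W3SVC1 127.0.0.1 GET /exchange/username/Inbox/ - 443 username 216.9.241.7 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0
2008-04-22 09:15:44 W3SVC1 127.0.0.1 GET /exchange/username/Inbox/ - 443 username 192.168.1.20 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0
"""

# The same regex as the RewriteCond in the post; re.IGNORECASE plays the role of [NC].
BLOCK_PATTERN = re.compile(
    r"(?:BWC.Worker.*|BWC.Engine.*|MSFT-SPhone.*|PalmOne-TreoAce.*|AvantGO.*)",
    re.IGNORECASE,
)

# WebDAV verbs that mean a client is syncing a mailbox. BMOVE is from the post;
# the others are an assumption of this example and can be tuned to your logs.
SYNC_METHODS = {"BMOVE", "BCOPY", "BPROPFIND", "PROPFIND", "SEARCH"}
ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"

# BIS ranges exactly as listed in the post; verify them against the vendor's
# current published list before putting them in a firewall rule.
BIS_RANGES = [
    ("206.53.144.0", "206.53.159.255"),
    ("216.9.240.0", "216.9.255.255"),
    ("67.233.64.0", "67.223.95.255"),
]


def parse_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # IIS does not quote fields, so a good line has exactly one token per field.
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def build_networks(ranges):
    """Convert first/last pairs to CIDR networks; return pairs whose endpoints are out of order."""
    networks, rejected = [], []
    for first, last in ranges:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            rejected.append((first, last))
            continue
        networks.extend(ipaddress.summarize_address_range(lo, hi))
    return networks, rejected


def in_ranges(ip, networks):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)


def classify(entry, networks):
    """Return the reasons one log entry looks like an unmanaged device sync (empty if none)."""
    reasons = []
    if BLOCK_PATTERN.search(entry["cs(User-Agent)"]):
        reasons.append("blocked-user-agent")
    if entry["cs-method"] in SYNC_METHODS:
        reasons.append("webdav-sync-method")
    if entry["cs-uri-stem"] == ACTIVESYNC_PATH:
        reasons.append("activesync")
    if in_ranges(entry["c-ip"], networks):
        reasons.append("bis-source-ip")
    return reasons


def user_agents(text):
    """Same result as the awk '{print $11}' | sort | uniq one-liner, minus header lines."""
    return sorted({e["cs(User-Agent)"] for e in parse_log(text)})


def report(text, ranges=BIS_RANGES):
    """Return (flagged entries, rejected ranges) for a log file's contents."""
    networks, rejected = build_networks(ranges)
    flagged = []
    for e in parse_log(text):
        reasons = classify(e, networks)
        if reasons:
            flagged.append((e["date"], e["time"], e["cs-username"], e["c-ip"],
                            e["cs(User-Agent)"], reasons))
    return flagged, rejected


if __name__ == "__main__":
    flagged, rejected = report(SAMPLE_LOG)
    for row in flagged:
        print(*row)
    for bad in rejected:
        print("range skipped, endpoints out of order:", bad)
```

Point `report` at the contents of a real W3SVC1 log file to get a per-request list of who is syncing, from where and with which client; the fifth sample line shows why the User-Agent block alone is not enough, since a plain IE user agent from a BIS address is only caught by the source IP check.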
