Making Outlook Web (OWA) available reduces IT costs and encourages user productivity, but it also creates additional security risk: it exposes not only your Exchange Server but also your corporate IT infrastructure to attackers who try to get in through the OWA logon interface. To put the danger into perspective, experts estimate that a list of the 10,000 most common passwords is enough to break roughly 30 per cent of all passwords in a matter of seconds.
One common threat against Outlook Web deployments is password guessing, also known as a brute-force attack. The attacker runs a list of common passwords against corporate email addresses; both are easily found through internet articles, corporate websites, social media, or numerous other, more sinister sources, and since an OWA username is normally just the email address or the Active Directory logon name, only the password half of the credential has to be guessed. A variant, password spraying, tries one or two common passwords against every account instead of many passwords against one account, and so stays below most lockout thresholds. Bombarding email accounts with password guesses can also trigger account lockouts, potentially creating a Denial of Service (DoS).
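The two attack shapes leave different traces, and a per-account counter (which is all a lockout policy looks at) only sees one of them. The Python below is an added example, not part of the original article and not Messageware's code: it runs two detection rules over a constructed list of failed-logon records. The record layout, account names, addresses and thresholds are assumptions; in production the records would come from Security events such as 4625 on the Exchange server or 4771/4776 on the domain controllers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed logons: (timestamp, account, source IP).
# In production these would be read from Security events (4625 on the
# Exchange server, 4771/4776 on the domain controllers); this list is made up.
FAILED_LOGONS = [
    # one source, one guess per account, ten accounts: a password spray
    ("2024-03-01 09:00:01", "alice", "203.0.113.10"),
    ("2024-03-01 09:00:03", "bob", "203.0.113.10"),
    ("2024-03-01 09:00:05", "carol", "203.0.113.10"),
    ("2024-03-01 09:00:07", "dave", "203.0.113.10"),
    ("2024-03-01 09:00:09", "erin", "203.0.113.10"),
    ("2024-03-01 09:00:11", "frank", "203.0.113.10"),
    ("2024-03-01 09:00:13", "grace", "203.0.113.10"),
    ("2024-03-01 09:00:15", "heidi", "203.0.113.10"),
    ("2024-03-01 09:00:17", "ivan", "203.0.113.10"),
    ("2024-03-01 09:00:19", "judy", "203.0.113.10"),
    # one account, five guesses in ten seconds: a brute force that will lock it
    ("2024-03-01 09:10:00", "peggy", "198.51.100.7"),
    ("2024-03-01 09:10:02", "peggy", "198.51.100.7"),
    ("2024-03-01 09:10:04", "peggy", "198.51.100.7"),
    ("2024-03-01 09:10:06", "peggy", "198.51.100.7"),
    ("2024-03-01 09:10:08", "peggy", "198.51.100.7"),
    # a user mistyping a password twice: benign
    ("2024-03-01 09:20:00", "oscar", "192.0.2.5"),
    ("2024-03-01 09:20:30", "oscar", "192.0.2.5"),
]


def _parse(records):
    """Normalise to sorted (time, account, ip) tuples; account names are case-folded."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user.lower(), ip)
        for ts, user, ip in records
    )


def _max_distinct_in_window(events, key, value, window):
    """For each key(event), the largest number of distinct value(event) seen in any
    time window of length `window`. Quadratic per key, which is fine for log-sized input."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[key(ev)].append(ev)
    result = {}
    for k, evs in grouped.items():
        best = 0
        for i, first in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if ev[0] - first[0] > window:
                    break
                seen.add(value(ev))
            best = max(best, len(seen))
        result[k] = best
    return result


def detect_sprays(records, window=timedelta(minutes=60), min_accounts=8):
    """Source IPs that failed against at least `min_accounts` distinct accounts within
    one window. Per-account counters never fire on a spray because each account sees
    only one or two guesses; counting distinct accounts per source does."""
    per_ip = _max_distinct_in_window(
        _parse(records), key=lambda e: e[2], value=lambda e: e[1], window=window)
    return sorted(ip for ip, n in per_ip.items() if n >= min_accounts)


def detect_bruteforce(records, window=timedelta(minutes=60), min_attempts=5):
    """Accounts that collected at least `min_attempts` failures within one window, from
    any number of sources (attackers rotate IPs to evade per-IP limits). The whole
    tuple is the distinct value, so every event counts once."""
    per_user = _max_distinct_in_window(
        _parse(records), key=lambda e: e[1], value=lambda e: e, window=window)
    return sorted(user for user, n in per_user.items() if n >= min_attempts)


if __name__ == "__main__":
    print("password spray from:", detect_sprays(FAILED_LOGONS))
    print("brute force against:", detect_bruteforce(FAILED_LOGONS))
```

Against the sample, the spray rule flags 203.0.113.10 and the brute-force rule flags peggy; oscar's two typos stay below both thresholds. The thresholds are the tuning knobs: set `min_accounts` just above the number of distinct accounts a shared NAT address legitimately produces in an hour, or a busy office gateway will look like a sprayer.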
So, what are your options for protecting your Exchange Outlook Web?
1. Strong Passwords and a Lockout Mechanism
Implementing a strong password policy that rejects the common passwords attackers try first, coupled with a well-crafted account lockout policy, is a good start at protecting against a brute-force attack.
But what many people fail to realize is that a brute-force attack can quickly turn into a Denial of Service (DoS) attack. Take for example this lockout configuration:
- Account lockout threshold: 5 invalid logon attempts;
- Account lockout duration: 30 minutes;
- Reset account lockout counter after: 60 minutes.
(Windows requires the reset window to be no longer than the lockout duration, so a domain policy would not accept this exact combination; the reasoning below holds for any threshold-based policy.) Attackers may not be able to break into your accounts quickly when they are limited to 5 tries, but triggering the lockout means the user can't access their email either. In this example, five wrong guesses per user cause a lockout, so an attacker holding a harvested address list needs only five requests per address to lock out a large number of users, thereby creating a DoS scenario.
When your organization comes under a DoS attack, your server performance will suffer and legitimate users are locked out of their accounts, bringing email communication to a halt. Hackers often use attacks like this to create a diversion; overloading your server, flooding your help desk, and bringing your IT organization to a standstill, only to strike with a more severe attack while your team struggles to deal with the chaos.
For this reason, account lockouts by themselves are not suitable protection against brute-force attacks; they need to be combined with additional security measures.
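To see how the three knobs interact and how quickly the lockout turns into a DoS, here is an added example in Python (not from the article, not Messageware's code) that models the policy listed above and replays the attack against it. The account names, the one-request-per-second pace and the simplification that the counter clears when a lockout expires are assumptions of the model, not Windows internals.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                                   # account lockout threshold
    lockout_duration: timedelta = timedelta(minutes=30)  # account lockout duration
    reset_after: timedelta = timedelta(minutes=60)       # reset lockout counter after


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Per-account bad-password counter driven by the three policy knobs.
    Simplification (assumed by this model): the counter clears when a lockout expires."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        st = self._state(user)
        if st.locked_until is not None and now < st.locked_until:
            return True
        if st.locked_until is not None:          # lockout has expired
            st.locked_until, st.bad_count, st.last_bad = None, 0, None
        return False

    def failed_logon(self, user, now):
        """Record a wrong password at `now`; returns True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        st = self._state(user)
        if st.last_bad is not None and now - st.last_bad > self.policy.reset_after:
            st.bad_count = 0                     # observation window passed: start over
        st.bad_count += 1
        st.last_bad = now
        if st.bad_count >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_duration
            return True
        return False

    def successful_logon(self, user, now):
        """A correct password is refused while locked (the DoS); otherwise it clears the counter."""
        if self.is_locked(user, now):
            return False
        self.accounts[user] = AccountState()
        return True


DEFAULT_POLICY = LockoutPolicy()
START = datetime(2024, 3, 1, 9, 0, 0)


def at(minutes):
    """Helper for scenarios: a timestamp `minutes` after START."""
    return START + timedelta(minutes=minutes)


def simulate_lockout_dos(num_users, policy=DEFAULT_POLICY, pace=timedelta(seconds=1)):
    """Attacker with a harvested address list sends exactly `threshold` wrong passwords to
    each account in turn, one request per `pace`. Returns (accounts still locked when the
    last request is sent, seconds elapsed). With enough accounts the early ones unlock
    before the attacker finishes, which is why a real attacker simply loops."""
    tracker = LockoutTracker(policy)
    now = START
    for i in range(num_users):
        for _ in range(policy.threshold):
            tracker.failed_logon(f"user{i}", now)
            now += pace
    locked = sum(1 for i in range(num_users) if tracker.is_locked(f"user{i}", now))
    return locked, int((now - START).total_seconds())


if __name__ == "__main__":
    print("300 accounts:", simulate_lockout_dos(300))    # all 300 locked in 25 minutes
    print("1000 accounts:", simulate_lockout_dos(1000))  # only the last 360 still locked after 83 minutes
```

Note what the model makes visible: with a 30-minute lockout and a 60-minute reset window, four wrong guesses followed by a fifth up to an hour later still lock the account, while the same five guesses spaced more than an hour apart never do; and a single request per second is enough to lock a 300-address list in 25 minutes. Longer lockout durations make the DoS worse, not better, which is the trade-off the lockout knob cannot escape on its own.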
2. Use CAPTCHA to prevent automated attacks
Another way to protect against automated break-in attempts is to incorporate a CAPTCHA into your Outlook Web logon. However, a CAPTCHA shown on every logon degrades the user experience (username, password and CAPTCHA each time), particularly on mobile devices. In that case, consider a dynamic CAPTCHA, enabled only after two or three failed logins for a given user or source address: legitimate users rarely see it, while automated tools hit it almost immediately. Note that a CAPTCHA only protects the OWA logon form; Exchange accepts the same credentials over ActiveSync, Exchange Web Services, Autodiscover and other protocols, and an attacker who is blocked on the form can simply guess passwords against one of those instead.
3. Geo-Blocking or Blocking Users from Specific Locations
Attacks often originate from specific geographic regions. A geo-blocker, or a rule that denies Outlook Web access from areas or countries where you have no users, adds another layer of protection. For instance, you might allow users on the corporate VPN to reach Outlook Web from anywhere, but restrict access coming directly over the Internet to the geographic locations where your organization normally operates. Two caveats apply: geo-blocking raises the attacker's cost rather than removing the attack, since proxies and cloud hosts in a permitted country are cheap; and when OWA sits behind a load balancer or reverse proxy, the decision must be made on the real client address, which means trusting forwarded-address headers only from your own proxies, never from the client.
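The decision logic described above, as an added example in Python that is not part of the article and not Messageware's code. The VPN ranges, trusted proxy range, allowed countries and the small prefix-to-country table are all constructed for the example (the table stands in for a real GeoIP database); the interesting part is how the client address is chosen before any country lookup happens.

```python
import ipaddress

# Constructed policy data: replace with your own. COUNTRY_TABLE stands in for a
# real GeoIP database; the prefixes and country codes are made up for the example.
VPN_RANGES = [ipaddress.ip_network(n) for n in ("10.8.0.0/16", "192.0.2.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]   # our load balancers in front of OWA
ALLOWED_COUNTRIES = {"GB", "IE"}                              # where the organisation operates
COUNTRY_TABLE = [
    (ipaddress.ip_network("203.0.113.0/25"), "GB"),
    (ipaddress.ip_network("203.0.113.128/25"), "IE"),
    (ipaddress.ip_network("100.64.0.0/10"), "BR"),
]


def _in(ip, networks):
    return any(ip in net for net in networks)


def client_address(remote_addr, x_forwarded_for=None):
    """The address to base the decision on. X-Forwarded-For is attacker-controlled text,
    so it is honoured only when the TCP peer is one of our own proxies, and then only
    its right-most entry (the one that proxy appended); anything the client put in the
    header before that is ignored. Raises ValueError on unparsable input."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and _in(peer, TRUSTED_PROXIES):
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer


def country_of(ip):
    for net, code in COUNTRY_TABLE:
        if ip in net:
            return code
    return None


def allow_owa_logon(remote_addr, x_forwarded_for=None):
    """Returns (allowed, reason). VPN clients pass from anywhere; direct Internet clients
    pass only from allowed countries; unparsable or unlocatable addresses are denied."""
    try:
        ip = client_address(remote_addr, x_forwarded_for)
    except ValueError:
        return False, "invalid address"
    if _in(ip, VPN_RANGES):
        return True, "vpn"
    code = country_of(ip)
    if code in ALLOWED_COUNTRIES:
        return True, f"country {code}"
    return False, f"country {code or 'unknown'}"


if __name__ == "__main__":
    for args in [("10.8.1.2",), ("100.64.3.3", "203.0.113.5"),
                 ("198.51.100.9", "203.0.113.5"), ("198.51.100.9", "203.0.113.5, 100.64.3.3")]:
        print(args, "->", allow_owa_logon(*args))
```

The two forwarded-header cases are the ones to test in your own deployment: a client on the Internet who sends `X-Forwarded-For: 203.0.113.5` directly must still be judged on the peer address, and a client behind your proxy can prepend entries to the header but cannot change the one your proxy appends on the right. With more than one trusted hop in the chain, strip one entry from the right per trusted hop instead of taking the last one.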
4. Multi-Factor Logon Security
Adding a second factor to the standard username-and-password combination significantly improves security, because a guessed password alone no longer grants access. The factor can be added in many ways. The most common today is to have users register a mobile phone, and at each logon an authenticator application or an SMS message supplies a one-time code that the user enters alongside the password (an authenticator app is preferable to SMS, which is exposed to SIM-swap and interception attacks). As with CAPTCHA, this adds some friction for the user, but it is effective. Make sure the second factor is enforced on every path through which Exchange accepts the password, not only on the OWA form, or the attacker will use the path that lacks it.
By combining several of these techniques, you can significantly limit brute-force and Denial of Service attacks.
5. Exchange Guard Logon Security
You may also consider Messageware’s Exchange Protocol Guard (EPG), which incorporates protection from a variety of logon and password attacks with advanced logon monitoring, real-time security analytics and alerts of suspicious logon activity. Arm your organization with a sophisticated set of access controls and real-time monitoring tools for Exchange Server and Outlook Web.