Exchange Server: Notes From the Field
This case involves attacks on a division of a large Telco with a strong IT team operating more than sixty on-premises servers and a mandated 2FA security solution for divisions managing their own Exchange Servers.
And then … several incidents led one Division’s security team to discover that password guessing was occurring against their Outlook Web and Exchange Admin Center (OWA & ECP) sign-on pages. This was very unexpected with the mandated 2FA solution in place. In fact, three specific issues were occurring:
- Password guessing against the sign-on page was succeeding and credentials were being stolen;
- Password guessing against the sign-on page was tripping the Active Directory account lockout threshold and locking out valid users; and
- Password reset and account unlock requests were overwhelming the Exchange Server support helpdesk.
The Telco Division initiated a project to enhance their 2FA solution and tighten their security posture, with these three initial goals:
- Stop password guessing and automated brute force attacks;
- Block hostile sources and resolve AD lockouts without impacting individual users;
- Obtain security analytics and reporting data for logons to Exchange Server services.
This led them to Messageware and our Exchange Protocol Guard (EPG) product. During a remote web demo and the resulting pilot project, the product team was impressed with the combination of EPG’s CAPTCHA system to prevent automated guessing, EPG’s Locking system to independently block attacking sessions (TARPIT), and EPG’s Reporting and Alert systems.
They also discovered the need to protect ActiveSync, EWS and Autodiscover, as these Exchange services are vulnerable vectors left unprotected by 2FA solutions.
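The two patterns described above (guessing against the OWA sign-on page that drives AD lockouts, and the ActiveSync, EWS and Autodiscover channels that sit outside a forms-based 2FA solution) can be spotted in the IIS logs before a product is in place. The script below is an added example, not Messageware's or the Telco's code. The log lines are constructed, their field order is a simplified IIS W3C layout, and the failure indicators (a redirect back to `logon.aspx` with `reason=2` for OWA, a `401` on the legacy protocol paths) and the threshold values are assumptions to be adjusted to your own Exchange version and domain lockout policy.

```python
"""Detect password guessing against Exchange web endpoints from IIS-style logs.

Added example, not Messageware's or the Telco's code. The log below is
constructed; its field order (time c-ip cs-method cs-uri-stem cs-uri-query
cs-username sc-status) and the failure indicators used are assumptions that
must be adapted to the real IIS log format and Exchange version.
"""
from collections import Counter, defaultdict

# Assumption: a failed OWA forms logon shows up as the browser being sent back
# to the logon page with reason=2. ActiveSync, EWS and Autodiscover use HTTP
# authentication, so a failed attempt there is a plain 401; these channels sit
# outside a forms-based 2FA solution, which is why they are tracked separately.
OWA_LOGON_PAGE = "/owa/auth/logon.aspx"
LEGACY_PREFIXES = ("/Microsoft-Server-ActiveSync", "/EWS/", "/Autodiscover/")

AD_LOCKOUT_THRESHOLD = 5      # assumed domain policy: 5 bad passwords lock the account
SOURCE_FAILURE_THRESHOLD = 5  # failures from one IP before it is a block/tarpit candidate
SPRAY_DISTINCT_ACCOUNTS = 3   # distinct accounts tried from one IP before it counts as a spray

# Constructed sample: one source hammering OWA, one spraying legacy protocols,
# and two legitimate users (one of whom mistyped a password once).
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status
2024-03-01T08:00:01 203.0.113.10 POST /owa/auth.owa - - 302
2024-03-01T08:00:01 203.0.113.10 GET /owa/auth/logon.aspx reason=2 - 200
2024-03-01T08:00:02 203.0.113.10 GET /owa/auth/logon.aspx reason=2 - 200
2024-03-01T08:00:03 203.0.113.10 GET /owa/auth/logon.aspx reason=2 - 200
2024-03-01T08:00:04 203.0.113.10 GET /owa/auth/logon.aspx reason=2 - 200
2024-03-01T08:00:05 203.0.113.10 GET /owa/auth/logon.aspx reason=2 - 200
2024-03-01T08:00:06 203.0.113.10 GET /owa/auth/logon.aspx reason=2 - 200
2024-03-01T08:00:10 198.51.100.7 POST /Microsoft-Server-ActiveSync Cmd=Ping bob 401
2024-03-01T08:00:11 198.51.100.7 POST /Microsoft-Server-ActiveSync Cmd=Ping carol 401
2024-03-01T08:00:12 198.51.100.7 POST /Microsoft-Server-ActiveSync Cmd=Ping dave 401
2024-03-01T08:00:13 198.51.100.7 POST /Microsoft-Server-ActiveSync Cmd=Ping erin 401
2024-03-01T08:00:20 198.51.100.7 POST /EWS/Exchange.asmx - frank 401
2024-03-01T08:00:21 198.51.100.7 POST /EWS/Exchange.asmx - frank 401
2024-03-01T08:00:22 198.51.100.7 POST /EWS/Exchange.asmx - frank 401
2024-03-01T08:00:23 198.51.100.7 POST /EWS/Exchange.asmx - frank 401
2024-03-01T08:01:00 192.0.2.5 GET /owa/auth/logon.aspx reason=2 - 200
2024-03-01T08:01:05 192.0.2.5 GET /owa/ - alice 200
2024-03-01T08:01:30 192.0.2.9 POST /Autodiscover/Autodiscover.xml - alice 200
"""


def parse_line(line):
    """Split one constructed log line into a record; None if it is not well formed."""
    fields = line.split()
    if len(fields) != 7:
        return None
    ts, ip, method, path, query, user, status = fields
    return {"ts": ts, "ip": ip, "method": method, "path": path,
            "query": query, "user": user, "status": int(status)}


def classify_failure(rec):
    """Return 'owa' or 'legacy' for a failed authentication attempt, else None."""
    if rec["path"].lower() == OWA_LOGON_PAGE.lower() and "reason=2" in rec["query"]:
        return "owa"
    if rec["status"] == 401 and rec["path"].startswith(LEGACY_PREFIXES):
        return "legacy"
    return None


def analyze(log_text):
    """Aggregate failures per source, per account and per channel and apply thresholds."""
    failures_by_source = Counter()
    accounts_by_source = defaultdict(set)
    failures_by_account = Counter()
    failures_by_channel = Counter()
    for line in log_text.splitlines():
        if not line or line.startswith("#"):   # skip blanks and W3C directive lines
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        channel = classify_failure(rec)
        if channel is None:
            continue
        failures_by_channel[channel] += 1
        failures_by_source[rec["ip"]] += 1
        if rec["user"] != "-":                  # legacy protocols expose the account tried
            accounts_by_source[rec["ip"]].add(rec["user"])
            failures_by_account[rec["user"]] += 1
    return {
        # sources that should be blocked/tarpitted independently of the user accounts
        "hostile_sources": sorted(ip for ip, n in failures_by_source.items()
                                  if n >= SOURCE_FAILURE_THRESHOLD),
        # one source walking through many accounts: password spraying
        "spray_sources": sorted(ip for ip, a in accounts_by_source.items()
                                if len(a) >= SPRAY_DISTINCT_ACCOUNTS),
        # accounts one more bad password away from an AD lockout (helpdesk load)
        "lockout_risk_accounts": sorted(u for u, n in failures_by_account.items()
                                        if n >= AD_LOCKOUT_THRESHOLD - 1),
        "failures_by_channel": dict(failures_by_channel),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The split by channel is the point of the last paragraph: a source that never touches the OWA logon page, and therefore never meets the 2FA challenge, still shows up under `legacy` with every account it tried, and the per-account counter shows which users the helpdesk will hear from next.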