Create Exchange Server reCAPTCHA

-

 https://www.alitajran.com/protect-exchange-owa-ecp-brute-force-attacks/


 

Protect Exchange Server OWA/ECP from brute force attacks

A lot of bots attack the Exchange Server OWA and ECP page constantly. It’s the (security) engineers task to secure and protect the Exchange Server OWA/ECP URLs from attacks. Measures such as Multi-Factor Authentication (MFA) or only making the OWA/ECP accessible through VPN are excellent ideas. Another method to stop Exchange Server brute force attacks is integrating Google reCAPTCHA to the OWA/ECP page. It’s FREE and works excellently.

Table of contents

Protect Exchange Server OWA/ECP from attacks

There are a lot of methods to protect Exchange Server OWA/ECP from attacks. Here are the best ones to protect Exchange Server OWA/ECP from brute force attacks:

  1. Configure a third-party MFA solution
  2. Configure VPN so only users connected to the internal network can access Exchange OWA/ECP
  3. Enable selected countries only in the firewall that can access Exchange OWA/ECP
  4. Configure Azure app proxy (Azure AD Premium P1 or P2 license)

If you don’t want to spend money on an MFA solution or you don’t want to pay Azure AD Premium P1 or P2 license, you can protect Exchange OWA/ECP from brute force attacks by adding a reCAPTCHA in the sign-in page.

Exchange Server Google reCAPTCHA integration

To create a Google reCAPTCHA site and integrate it into Exchange Server OWA/ECP, go through the below steps:

Create Google reCAPTCHA site

The first step is to create a new Google reCAPTCHA site. Once we have the reCAPTCHA keys, we can integrate them into Exchange Server.

Sign in to Google reCAPTCHA and fill in the below details:

  • Label: Exchange Server
  • reCAPTCHA type: reCAPTCHA v2 – “I’m not a robot” tickbox
  • Domains: mail.exoip.com (your Exchange URL) and localhost

Check both the checkboxes:

  • Accept the reCAPTCHA Terms of Service
  • Send alerts to owners

Click on Submit.

Protect Exchange OWA ECP from brute force attacks register reCAPTCHA

The site key and secret key will appear. Copy both keys and save them because you need them in the next step.

Protect Exchange OWA ECP from brute force attacks add reCAPTCHA

Create Exchange Server reCAPTCHA page

Let’s integrate the site key into Exchange Server.

Note: Do the below steps on every Exchange Server (CAS).

Sign in to the Exchange Server and go to the below path. Suppose you have an older Exchange Server version, change V15 to another version. For example, V14.

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth

Create a new file with Notepad with the name recaptcha.aspx in that folder.

Protect Exchange OWA ECP from brute force attacks recaptcha file

Copy/paste the below information into it.

<% @ Page AspCompat=True Language = "VB" %>
<%
Dim strPrivateKey As String = "SECRET_KEY"
Dim strResponse = Request("response")
Dim objWinHTTP As Object
objWinHTTP = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objWinHTTP.Open("POST", "https://www.google.com/recaptcha/api/siteverify", False)
objWinHTTP.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
Dim strData As String = "secret=" & strPrivateKey & "&response=" & strResponse
objWinHTTP.Send(strData)
Dim strResponseText = objWinHTTP.ResponseText
Response.Write(strResponseText)
%>

Paste the Google reCAPTCHA secret key you copied in the previous step and paste it in the field SECRET_KEY.

Protect Exchange OWA ECP from brute force attacks secret key

Configure Exchange Server OWA/ECP logon page

Let’s integrate the secret key into Exchange Server.

Make a backup of the logon.aspx file, just in case you have to revert the changes. Copy logon.aspx and rename it to logon.aspx.bak.

Note: The file logon.aspx will be rewritten to its original state when you install Exchange Server CU. So write down in your manual to replace the file after the CU and test that the Google reCAPTCHA works.

Protect Exchange OWA ECP from brute force attacks logon.aspx backup

Open the logon.aspx file with Notepad and modify the below:

Find:

<form action="/owa/auth.owa"
Protect Exchange OWA ECP from brute force attacks form action before

Change to:

<form action=""
Protect Exchange OWA ECP from brute force attacks form action after

Find:

<div onclick="clkLgn()"
Protect Exchange OWA ECP from brute force attacks div onclick before

Change to:

<div onclick="myClkLgn()"
Protect Exchange OWA ECP from brute force attacks div onclick after

Find:

<div><input id="passwordText"

Next, press the Enter button and create a couple of empty lines.

Protect Exchange OWA ECP from brute force attacks div input id passwordtext before

Copy/paste the below information into the empty lines.

<script type="text/javascript">
function myClkLgn()
{
var oReq = new XMLHttpRequest();
var sResponse = document.getElementById("g-recaptcha-response").value;
var sData = "response=" + sResponse;
oReq.open("GET", "/owa/auth/recaptcha.aspx?" + sData, false);
oReq.send(sData);
if (oReq.responseText.indexOf("true") != -1)
{
document.forms[0].action = "/owa/auth.owa";
clkLgn();
}
else
{
alert("Invalid CAPTCHA response");
}
}
</script>
<script src="https://www.google.com/recaptcha/api.js" async defer></script>
<div class="g-recaptcha" data-sitekey="SITE_KEY"></div>

Paste the Google reCAPTCHA site key you copied in the previous step and paste it in the field SITE_KEY.

Protect Exchange OWA ECP from brute force attacks div input id passwordtext after

Restart IIS on Exchange Server

You don’t need to restart IIS on the Exchange Server, and the Google reCAPTCHA will immediately appear on the Exchange Server OWA/ECP page.

Suppose it doesn’t, start Command Prompt as administrator and restart Internet Information Services (IIS) on the Exchange Server.

iisreset

Verify Exchange Server OWA/ECP with Google reCAPTCHA

Start your favorite web browser and go to the Exchange Server OWA address.

The Google reCAPTCHA is visible.

Protect Exchange OWA ECP from brute force attacks reCAPTCHA visible

Fill in the user credentials and check the Google reCAPTCHA checkbox. Next, click on Sign in.

Protect Exchange OWA ECP from brute force attacks reCAPTCHA valid

The user will successfully sign in.

Protect Exchange OWA ECP from brute force attacks signed in

If the user fills in the wrong credentials, it will show the standard message: The user name or password you entered isn’t correct. Try entering it again.

Protect Exchange OWA ECP from brute force attacks wrong password

Suppose the user doesn’t accept the Google reCAPTCHA box and clicks on sign in. A message will appear with text: Invalid CAPTCHA response.

Protect Exchange OWA ECP from brute force attacks reCAPTCHA invalid

The same applies to the Exchange Admin Center (ECP) page.

Protect Exchange OWA ECP from brute force attacks ECP reCAPTCHA

It will also work when browsing to https://localhost/owa or https://localhost/ecp. That’s because you did add localhost in the first step when creating the site in Google reCAPTCHA.

Protect Exchange OWA ECP from brute force attacks localhost reCAPTCHA

That’s it!

Read more: Secure Active Directory passwords from breaches »

Conclusion

You learned how to protect Exchange Server OWA/ECP from brute force attacks. First, create a free Google reCAPTCHA. After that, adjust the Exchange Server file so it will display and use the Google reCAPTCHA box on the OWA/ECP page. Combine this with an MFA solution, and you are good to go.

Did you enjoy this article? You may also like Disable external access to ECP in Exchange Server. Don’t forget to follow us and share this article.

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

У вас нет прав для отправки сообщения вместо указанного пользователя. Ошибка: [0x80070005-0x0004dc-0x000524]

-
Изображение
Включить выключить кеширование Закрыть outlook Удалить C:\Users\%username%\AppData\Local\Microsoft\Outlook\Offline Address Books Выключить кэширование почтового ящика http://arozhk.ru/soft/outlook-oshibka-0x80070005-00000000-00000000 Соответственно права все проставлены, проверены и внешне всё нормально. Как я решил эту проблему? Первое, поискал в интернете описание подобных проблем, оказывается я не первый у кого Exchange 2016 выдает ошибку при отправки сообщения из другого почтового ящика. Вариантов получилось несколько, очистить кэш клиента, перезагрузить адресную книгу, перебить права чуть ли не лезя ручками в AD. Много чего. Но в одном мало заметном посте прочитал, что всё банально, такая ошибка, при всех правильно проставленных правах, возникает если адресат от имени которого отправляем письмо, скрыт в глобальной адресной книге … Нонсенс, но факт. Вернул аккаунт в адресную книгу — ошибки не стало. Так что, если и у Вас возникает такая ошибка в Exchange 2016, когда В...
Далее...

Пустое значение виртуального каталога Autodiscover - Object reference not set to an instance of an object (Get-AutodiscoverVirtualDirectory)

-
 https://support.microsoft.com/en-au/topic/autodiscover-event-id-1-after-installing-exchange-server-2019-cu3-or-exchange-server-2016-cu14-93850e62-4cf4-8a76-5fd4-c8ce6f032015 Autodiscover Event ID 1 after installing Exchange Server 2019 CU3 or Exchange Server 2016 CU14 Symptoms After you upgrade to  Cumulative Update 3 for Microsoft Exchange Server 2019  or  Cumulative Update 14 for Exchange Server 2016 , you receive the following error message: Log Name:      Application Source:        MSExchange Autodiscover Date:           DateTime Event ID:      1 Task Category: Web Level:         Error Keywords:      Classic User:          N/A Computer:       ComputerName Description: Unhandled Exception "Object reference not set to an instance of an object." Stack trace:    at Microsoft.Exchange.AutoDiscoverV2.FlightSett...
Далее...

KSMG Подготовка конфигурационных файлов для подключения к LDAP

-
  Подготовка конфигурационных файлов для подключения к LDAP Перед тем, как настроить верификацию получателей через LDAP на встроенном MTA, необходимо подготовить конфигурационный файл, содержащий параметры подключения к LDAP-серверу. Если у вас несколько доменов (лесов) Active Directory, для каждого из них необходимо подготовить отдельный конфигурационный файл. Каждый файл с параметрами подключения к LDAP представляет собой обычный текстовый файл в формате Unix (LF переводы строк). Имена файлов должны быть такими:  ldap_map1.cf ,  ldap_map2.cf  и т.д. Процедура подготовки конфигурационного файла состоит из следующих шагов: 1) Создайте на контроллере домена сервисную учетную запись со сложным паролем, которая будет использоваться для подключения к LDAP-серверам данного домена (леса доменов). Для примера будем использовать учетную запись с именем ksmg-relay. 2) Определите DN (Distinguished Name) сервисной учетной записи. Это можно сделать, например, при ...
Далее...