Tuesday, 10 June 2008

HTTP Filter Settings for Microsoft Exchange Server 2007

One of the key benefits of ISA Server web publishing is the ability to use the HTTP filter to provide advanced security for web-based applications by defining very specific allow lists (whitelists) or deny lists (blacklists) for key HTTP elements such as methods (verbs), extensions and signatures. This filter is very similar to the URLScan tool that was recommended for IIS, but it can be applied on a per-rule basis rather than per-system. The use of the HTTP filter in this example applies the concept of 'least privilege' to ensure that only the HTTP methods required by Exchange 2007 are permitted.

With Exchange 2003, Microsoft released a whitepaper which provided specific details of how to use the HTTP filter for securing Exchange 2003 services like Outlook Web Access, RPC/HTTP, ActiveSync etc. However, since the release of Exchange 2007 this whitepaper does not appear to have been updated, nor has a replacement been published. As Microsoft has not provided this information in an official document, I have been wary of using the existing HTTP filter parameters for customer deployments, just in case they have an adverse effect on functionality.

However, by looking at the policies defined within the default application optimisers of Microsoft Intelligent Application Gateway 2007 (which are supported) it is possible to determine that the following HTTP methods allow list should be sufficient for correct Exchange 2007 operation:


Outlook Web Access (OWA) - HTTP Methods Allow List

  • BCOPY
  • BDELETE
  • BMOVE
  • BPROPPATCH
  • COPY
  • DELETE
  • GET
  • HEAD
  • LOCK
  • MKCOL
  • MOVE
  • OPTIONS
  • POLL
  • POST
  • PROPFIND
  • PROPPATCH
  • PUT
  • SEARCH
  • SUBSCRIBE

Exchange ActiveSync (EAS) - HTTP Methods Allow List

  • OPTIONS
  • POST
  • GET

HTTPFilterConfig.vbs is a free script provided by Microsoft on the ISA Server CD, located in the \sdk\samples\admin folder. This script can be used to import HTTP filter settings from custom XML files and assign them to individual firewall policy rules. Once an HTTP filter settings XML file has been created, it can be imported using the following syntax:

HTTPFilterConfig.vbs import RuleName HTTPPolicyXmlFileName.xml

Based upon the parameters defined in the above allow lists, it is therefore possible to define HTTPFilterConfig XML policies as follows:

OWA HTTP Filter XML Policy

<Configuration BlockExecutables="false" ViaHeaderAction="0" NewViaHeaderValue="" ServerHeaderAction="0" NewServerHeaderValue="" MaxRequestBodyLen="-1">
  <UrlValidation NormalizeBeforeScan="true" VerifyNormalization="false" AllowHighBitCharacters="true" BlockDotInPath="false" MaxLength="10240" MaxQueryLength="10240">
    <Extensions AllowCondition="0"></Extensions>
  </UrlValidation>
  <Verbs AllowCondition="1">
    <Verb Value="BCOPY" Description=""/>
    <Verb Value="BDELETE" Description=""/>
    <Verb Value="BMOVE" Description=""/>
    <Verb Value="BPROPPATCH" Description=""/>
    <Verb Value="COPY" Description=""/>
    <Verb Value="DELETE" Description=""/>
    <Verb Value="GET" Description=""/>
    <Verb Value="HEAD" Description=""/>
    <Verb Value="LOCK" Description=""/>
    <Verb Value="MKCOL" Description=""/>
    <Verb Value="MOVE" Description=""/>
    <Verb Value="OPTIONS" Description=""/>
    <Verb Value="POLL" Description=""/>
    <Verb Value="POST" Description=""/>
    <Verb Value="PROPFIND" Description=""/>
    <Verb Value="PROPPATCH" Description=""/>
    <Verb Value="PUT" Description=""/>
    <Verb Value="SEARCH" Description=""/>
    <Verb Value="SUBSCRIBE" Description=""/>
  </Verbs>
  <RequestHeaders/>
  <ResponseHeaders/>
  <DeniedSignatures></DeniedSignatures>
</Configuration>

You simply need to copy and paste the above text into Notepad and save the file as Exchange2007OWAPolicy.xml, or something similarly descriptive.

EAS HTTP Filter XML Policy

<Configuration BlockExecutables="false" ViaHeaderAction="0" NewViaHeaderValue="" ServerHeaderAction="0" NewServerHeaderValue="" MaxRequestBodyLen="-1">
  <UrlValidation NormalizeBeforeScan="true" VerifyNormalization="false" AllowHighBitCharacters="true" BlockDotInPath="false" MaxLength="10240" MaxQueryLength="10240">
    <Extensions AllowCondition="0"></Extensions>
  </UrlValidation>
  <Verbs AllowCondition="1">
    <Verb Value="OPTIONS" Description=""/>
    <Verb Value="POST" Description=""/>
    <Verb Value="GET" Description=""/>
  </Verbs>
  <RequestHeaders/>
  <ResponseHeaders/>
  <DeniedSignatures></DeniedSignatures>
</Configuration>

You simply need to copy and paste the above text into Notepad and save the file as Exchange2007EASPolicy.xml, or something similarly descriptive.
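As an added illustration (not part of the original post, the ISA SDK or the HTTPFilterConfig.vbs script), the Python below builds a policy XML with the same structure as the two policies above from a verb list, and then evaluates sample request lines against a policy to show what the allow list admits and what it blocks. It assumes the ISA SDK meaning of AllowCondition (0 = allow all, 1 = allow only the listed entries, 2 = block the listed entries); the request paths are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Assumed meaning of AllowCondition, taken from the ISA Server SDK
# FpcHttpFilterAllowCondition enumeration (not stated on the page itself).
ALLOW_ALL, ALLOW_ONLY_LISTED, BLOCK_LISTED = 0, 1, 2

OWA_VERBS = ["BCOPY", "BDELETE", "BMOVE", "BPROPPATCH", "COPY", "DELETE", "GET",
             "HEAD", "LOCK", "MKCOL", "MOVE", "OPTIONS", "POLL", "POST",
             "PROPFIND", "PROPPATCH", "PUT", "SEARCH", "SUBSCRIBE"]
EAS_VERBS = ["OPTIONS", "POST", "GET"]


def build_policy(verbs):
    """Emit an HTTPFilterConfig-style policy with the same attributes as the
    OWA/EAS policies above: a verb allow list and no extension restrictions."""
    root = ET.Element("Configuration", BlockExecutables="false", ViaHeaderAction="0",
                      NewViaHeaderValue="", ServerHeaderAction="0",
                      NewServerHeaderValue="", MaxRequestBodyLen="-1")
    url = ET.SubElement(root, "UrlValidation", NormalizeBeforeScan="true",
                        VerifyNormalization="false", AllowHighBitCharacters="true",
                        BlockDotInPath="false", MaxLength="10240", MaxQueryLength="10240")
    ET.SubElement(url, "Extensions", AllowCondition=str(ALLOW_ALL))
    verbs_node = ET.SubElement(root, "Verbs", AllowCondition=str(ALLOW_ONLY_LISTED))
    for verb in verbs:
        ET.SubElement(verbs_node, "Verb", Value=verb, Description="")
    for tag in ("RequestHeaders", "ResponseHeaders", "DeniedSignatures"):
        ET.SubElement(root, tag)
    return ET.tostring(root, encoding="unicode")


def evaluate(policy_xml, method, path):
    """Return 'allow' or 'block:<reason>' for one request, applying the URL
    length limits and the verb list the way the post describes them."""
    root = ET.fromstring(policy_xml)
    url = root.find("UrlValidation")
    query = path.partition("?")[2]
    if len(path) > int(url.get("MaxLength")):
        return "block:url-too-long"
    if len(query) > int(url.get("MaxQueryLength")):
        return "block:query-too-long"
    verbs_node = root.find("Verbs")
    cond = int(verbs_node.get("AllowCondition"))
    listed = {v.get("Value").upper() for v in verbs_node}
    m = method.upper()          # verb matching is case-insensitive here
    if cond == ALLOW_ONLY_LISTED and m not in listed:
        return "block:verb-not-in-allow-list"
    if cond == BLOCK_LISTED and m in listed:
        return "block:verb-denied"
    return "allow"
```

Running evaluate() over the EAS policy with a WebDAV verb such as PROPFIND shows why the two services get separate policies: the EAS list is much tighter than the OWA one.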

Once applied, the HTTP filter configuration can be viewed by right-clicking the firewall policy rule named during the HTTPFilterConfig import and selecting the Configure HTTP option. If imported correctly, you should see the following:

[Screenshot: HTTP Methods for OWA]

[Screenshot: HTTP Methods for EAS]

Additional information on HTTP filtering which applies to both ISA Server 2004 and 2006 can be found here.

Keep posted for further articles on using the HTTP Filter for other applications like Microsoft Office SharePoint Server (MOSS) 2007 amongst others...
