In one of my recent blog posts, we covered brute forcing of the OWA page in Exchange 2019, this also applies to Exchange 2016 and Exchange 2013. If an attacker successfully gains access, they might access an account that has elevated privileges or given enough time, escalate privileges. The default Exchange Admin Center (EAC) page shown below without any customisation or Google Captcha:
Here is the default OWA page without any customisation:
There are ways in which you can protect this, just take note that with each new Exchange 2019 or the version you are running, Cumulative (CU) or Security Update (SU), the changes will need to be put back.
In this blog, we will look at using Google reCaptcha to add that extra layer of security to the pages. Navigate to the link below:
https://www.google.com/recaptcha/admin/create
We need to perform the following as a first step:
- Register a new site with Google and select the reCaptcha Type
- Add the domains we want to protect
To access the above link above, ensure you are logged in with a Google Account. The page as shown below opens and you need to fill in all the information and then click Submit to obtain the keys required:
When you click the Submit button, the page will update and you will see the following information:
Exchange integration/update:
On our Exchange Server, we need to head over to the following location:
- C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth
In this folder we need to create a new file called “reCaptcha.aspx” and the following lines of code need to be added to it. Open up Notepad elevated because you won’t be able to save the file to the location above if its not elevated.
The value that needs to be updated is the following, remove the two brackets <> when you past the information in from Google:
- <SECRETKey Entered Here>
Script Below:
<% @ Page AspCompat=True Language = "VB" %>
<%
Dim strPrivateKey As String = "<SECRETKEY Entered Here>"
Dim strResponse = Request("response")
Dim objWinHTTP As Object
objWinHTTP = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objWinHTTP.Open("POST", "https://www.google.com/recaptcha/api/siteverify", False)
objWinHTTP.SetRequestHeader("Content-type", "application/x-www-form-urlencoded")
Dim strData As String = "secret=" & strPrivateKey & "&response=" & strResponse
objWinHTTP.Send(strData)
Dim strResponseText = objWinHTTP.ResponseText
Response.Write(strResponseText)
%>Once you have saved the file called “reCaptcha.aspx”, we need to perform step 2 which is modifying the “logon.aspx” page in the same directory. Firstly make a backup of the file so you can also put it back if the page breaks.
The following lines will need to be updated in “logon.aspx”:
- <form action=”/owa/auth.owa” ….
- <div onclick=”clKLgn()” ….
- <div><input id=”passwordText” ….
The first line needs to have everything removed so it only has the following set:
- <form action=””>
The second line needs to be renamed as follows but everything else stays the same:
- <div onclick=”oldclKLgn()”
The third line we not changing at all but adding a script below it as follows, ensure you have a blank line before pasting the code:
<script type="text/javascript">
function myClkLgn()
{
var oReq = new XMLHttpRequest();
var sResponse = document.getElementById("g-recaptcha-response").value;
var sData = "response=" + sResponse;
oReq.open("GET", "/owa/auth/recaptcha.aspx?" + sData, false);
oReq.send(sData);
if (oReq.responseText.indexOf("true") != -1)
{
document.forms[0].action = "/owa/auth.owa";
clkLgn();
}
else
{
alert("Invalid CAPTCHA response");
}
}
</script>
https://www.google.com/recaptcha/api.js
<div class="g-recaptcha" data-sitekey="SITEKEY"></div>We need to update the field “SITEKEY” to the value provided by Google Captcha.
After this, save the file and then you can perform an IISRESET. I found it worked without it as well. Here is what the modified Exchange Admin Center page looks like:
Here is the modified OWA page:
I made a copy of the logon.aspx so if it does get reverted by an update, it can be put back again.
Hope it helps.
