Blocking the Outlook App for iOS or Android from Exchange Using IIS or TMG

We’ve recently seen the arrival of Microsoft Outlook for iOS and Android. The software was created by Acompli, then acquired by Microsoft and, I suppose, rebranded. As it happens it’s a pretty good mail client, but unfortunately it has a nasty trick up its sleeve that happens to violate my employer’s acceptable use policy – and many other companies’ security policies too. It turns out that when you sign in to the app and add an account, it automatically stores the Exchange user credentials and server name in a service running on Azure. They are then used to poll the Exchange CAS servers for mail updates on behalf of the user, and to perform a sync when requested. The issue here is that the data is retrieved for the user by a service and not by the app on their mobile device, whether or not the device is on. This was first reported here and later again here.

To see this in action all you have to do is look at the IIS logs on the CAS servers for the User-Agent in the traffic, specifically “Outlook-iOS-Android/1.0” – you’ll see usernames in the query strings and a bunch of unusual IP addresses, which it turns out are Azure datacentre IPs. So there we see traffic coming from Azure using credentials that users have provided and retrieving mail data: the credentials are being stored at rest somewhere completely unexpected. Apparently they are encrypted, doubly so, but just storing those credentials is the worst thing possible!

OK, what to do about all this? Answer: tell your users to remove their accounts from the app and then stop using it for anything Exchange related. That would be easy if everyone did as they were told, but that’s not always the case. We can do this with IIS Request Filtering (explained at the end), but what I did as well was make use of signature blocking in TMG to block all traffic carrying the specific user-agent sent by the app.

Block Using TMG

1. Open your TMG server configuration MMC (or ISA if you’re still using that for some crazy reason), find the rule that covers the path for the ActiveSync folder in OWA, and right-click it.
2. Select “Configure HTTP” and switch to the “Signatures” tab.
3. Click Add… and create a new signature as shown below.
Name: Outlook for iOS/Android 1.0
Description: Block Outlook for iOS/Android 1.0
Search in: Request headers
HTTP header: User-Agent:
Signature: Outlook-iOS-Android/1.0

4. Then click OK and Apply the change.

You can then monitor your traffic going through TMG and should start to see ActiveSync traffic being blocked where the Outlook-iOS-Android/1.0 user-agent is involved. You can also find out exactly who is using the app in your environment by looking at the logs again for the same user-agent: in the query string you should be able to see the usernames in the ?User= part. You can then use these to communicate with the relevant people in your organisation and hopefully prevent help desk calls.

If you want to prevent ‘new’ sign-ups using this client without affecting existing users, so as not to interrupt them and again cause more unnecessary work for your help desk, you can be more selective with your blocking and probably create a new rule that filters exclusively on the &Cmd=Provision component of the path as well as the signature:

/Microsoft-Server-ActiveSync?User=*&Cmd=Provision

The rule would need to be an allow rule that simply specifies the path as above, along with the HTTP signature to block, but prevents authentication. This should stop new users from being able to connect. I haven’t tried it but I think the theory is sound. You might be better off doing it with IIS Request Filtering though, as that’s a lot more powerful…
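As an added example (not code from the original post), here is the log check described above run over a few constructed IIS W3C log lines: it picks out requests carrying the Outlook-iOS-Android/1.0 user-agent, pulls the username from the ?User= part of the query string, and flags which of those users sent Cmd=Provision, so new sign-ups can be told apart from existing users. The usernames, device IDs and client IPs are made up for the example; the field layout follows the default IIS logging format.

```python
from collections import defaultdict

# Constructed sample of IIS W3C log lines from a CAS server (not real data;
# client IPs are documentation ranges standing in for the Azure addresses).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-02-02 09:15:01 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync User=jsmith&DeviceId=ABC123&DeviceType=Outlook 443 CORP\\jsmith 203.0.113.10 Outlook-iOS-Android/1.0 200 0 0 31
2015-02-02 09:15:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=ABC123&DeviceType=Outlook&Cmd=Provision 443 CORP\\jsmith 203.0.113.10 Outlook-iOS-Android/1.0 200 0 0 47
2015-02-02 09:16:10 10.0.0.5 POST /Microsoft-Server-ActiveSync User=ajones&DeviceId=IPHONE9&DeviceType=iPhone&Cmd=Sync 443 CORP\\ajones 198.51.100.7 Apple-iPhone6C1/1202.466 200 0 0 12
2015-02-02 09:17:30 10.0.0.5 POST /Microsoft-Server-ActiveSync User=bking&DeviceId=DEF456&DeviceType=Outlook&Cmd=Sync 443 CORP\\bking 203.0.113.11 Outlook-iOS-Android/1.0 200 0 0 40
"""

BLOCKED_AGENT = "Outlook-iOS-Android/1.0"


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed lines
                yield dict(zip(fields, values))


def query_param(query, name):
    """Return the value of `name` from a cs-uri-query string, or None."""
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key.lower() == name.lower():
            return value
    return None


def find_app_users(text, agent=BLOCKED_AGENT):
    """Return (user -> set of client IPs seen with `agent`,
    users who sent Cmd=Provision, i.e. a new account sign-up)."""
    users = defaultdict(set)
    provisioning = set()
    for rec in parse_iis_log(text):
        user = query_param(rec["cs-uri-query"], "User")
        if rec.get("cs(User-Agent)") != agent or user is None:
            continue
        users[user].add(rec["c-ip"])
        if (query_param(rec["cs-uri-query"], "Cmd") or "").lower() == "provision":
            provisioning.add(user)
    return dict(users), provisioning
```

Point it at a real CAS log by reading the file into the text argument; the sync-only users are the ones to contact before the block goes in, while the provisioning set shows who would be caught by a Cmd=Provision-only rule.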

Block using IIS Request Filtering

If you wanted to use IIS Request Filtering instead, this would be both easier and harder: you need to implement it on every one of your CAS servers, but it doesn’t rely on you having TMG, and you’ll always have IIS.

1. Find the IIS applets for the “Microsoft-Server-ActiveSync” virtual folder and double-click the “Request Filtering” applet on the right.

2. In the Request Filtering options choose the Rules tab and click “Add Filtering Rule…” from the actions pane.

3. Add a new rule using the following options:

  • Name: Agent Rule
  • Scan url: unchecked
  • Scan query string: checked
  • Header: User-Agent
  • Deny Strings: Outlook-iOS-Android/1.0

Then just repeat that for each CAS server.

If you’d like more details here’s a useful blog post discussing uses for Request Filtering in IIS: http://www.peterviola.com/blocking-sql-injection-with-iis-request-filtering/

OutlookTools (free)

Recently I’ve been having serious problems with my install of Outlook 2007. I’m on Vista x64 SP1 and, after running perfectly for about two weeks, Outlook started crashing shortly after opening it. After a complete reinstall of Office the problem got worse and now Outlook will not open at all… but I digress… I’m posting to mention that I’ve found a really handy tool…

Called “OutlookTools”, it’s a simple app that will let you clean up and clear out some of the harder to reach depths of Outlook. If you ever have problems with Outlook (OK, I’ve caught 99% of people here) all I can say is download it and give it a go! It is free after all 🙂

Download
Also, why not check out the original site HowTo-Outlook.com – it seems to be quite good.

Add Outlook 2007 Icon to the Desktop

Back in the old days of Office 2000 and XP, Microsoft used to automatically put the Outlook icon on the desktop, and you could right-click it to get to profile and account settings. A very handy feature. Now with Office 2003 and 2007 they’ve given up doing that, following their ‘clean desktop’ trend. I understand that, but sometimes I need users to be able to get to Outlook easily and to manage their profiles without having to go to Control Panel – if I even allow them to go there!

I had to search hard to find this one but I found it in the end. Here’s the key needed to add Outlook 2007 back to the desktop:

Open regedit and browse to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
Then add a new key (not a new value) with the following name:
{00020D75-0000-0000-C000-000000000046}

Then refresh your desktop and your Outlook icon will appear (or disappear if you deleted the key).
Here’s the code if you want to put it in a .reg file:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{00020D75-0000-0000-C000-000000000046}]

I can confirm this works on Windows 7 Pro x86. It does not seem to work on Enterprise edition.

Using Outlook to send email from a different domain than the default

Q: What if you want to send email using Outlook connected to an Exchange server, but you want to send it ‘from’ an address which is different from the one you normally receive on? For example, your Exchange server ‘receives’ email for user@domain1.com and user@domain2.com, but you can only send messages from user@domain1.com… what do you do when you want to send from user@domain2.com?

A: All you have to do is add a new POP3 account to your email accounts and set the SMTP server to the Exchange server’s name and the POP3 server to anything, e.g. localhost. Make sure you set your email address to the new one you want email to appear to come from. Finally you need to set the send/receive settings so that the new account only sends email and doesn’t try to receive it, because if it tries to receive it will fail: we’re actually faking this account and there is no need to receive messages.

Once the account is made and the settings are changed you’ll be able to create a new email and see a new button in the new message toolbar allowing you to change the account. That email will then appear to come from the other address!

Easy really…but so many people don’t seem to think of this!
It all relies on the fact that Exchange servers can act as SMTP relays so long as the machine you’re using to connect can authenticate; if that works then Exchange automatically lets you send any email you want. If you can’t authenticate then usually it’ll stop you, unless the settings have been relaxed of course.