OWA/ActiveSync

OWA and ActiveSync run as IIS applications on the Exchange server, so InsightIDR monitors them through the IIS logs: you configure a directory watcher on the Collector that reads the IIS log folder of the server running Exchange and picks out the web requests that match OWA/ActiveSync signatures (requests to the /owa and /Microsoft-Server-ActiveSync virtual directories).

If a load balancer, such as a Citrix NetScaler, sits in front of your OWA/Exchange servers, the IIS logs will record the load balancer's address as the source IP (c-ip) for every user instead of the user's true IP address.

To fix this, log the X-Forwarded-For request header as an additional field in the IIS logs. The load balancer must be configured to insert that header; the IIS side is described here: http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/.

This event source provides mobile device user attribution and ingress monitoring.

Before You Begin

You must prepare OWA/ActiveSync for collectors.

In order to have the Collector ingest logs from Microsoft Outlook Web Access (OWA) and ActiveSync services, perform the following steps on the server side:

  1. Determine the folder where the Internet Information Services (IIS) site that serves OWA/ActiveSync writes its log files.
    • Note: The watcher does not read log files nested in subfolders; the log files must sit directly in the shared folder.
  2. Ensure that IIS writes the expected fields to the log files.
  3. Share the log folder with a read and write credential; you will enter the same credential in InsightIDR. Use a dedicated service account for this credential rather than an administrator's account.

Internet Information Services configuration

Perform the following steps:

  1. Determine which server handles OWA/ActiveSync client requests; that is the server whose IIS logs InsightIDR will collect.
  2. Launch the IIS Manager from the "Start" menu.
  3. Click the Logging icon in the IIS Manager.
  4. The Logging module shows where the IIS logs are written and lets you choose the exact fields to log. Make a note of the log folder because you will enter it in the InsightIDR event source.
  5. Click the Select Fields button to select the appropriate fields to log.

The fields selected for the log file must include the following, in this order:

  1. date
  2. time
  3. s-ip
  4. cs-method
  5. cs-uri-stem
  6. cs-uri-query
  7. s-port
  8. cs-username
  9. c-ip
  10. cs(User-Agent)
  11. sc-status
  12. sc-substatus
  13. sc-win32-status
  14. x-forwarded-for

x-forwarded-for is not one of IIS's standard fields. On IIS 8.5 and later, add it under Custom Fields in the same dialog (source type Request Header, source X-Forwarded-For); on IIS 7 it requires the Advanced Logging module. Both are described under Troubleshoot OWA/ActiveSync Logging below. IIS writes custom fields after the standard ones, so the field lands at the end of each line as required.

  6. Click the OK button to save your changes.

Windows file system configuration

Configure the log folder to allow the Collector to reach the logs. 

  1. In Windows Explorer, right-click on the IIS log folder and click Properties.
  2. On the Sharing tab of the Properties dialog, click Advanced Sharing, check Share this folder, then click the Permissions button.
  3. Click Add and provide the credential that will have access to this directory. The user name and password for this credential will also be entered in InsightIDR when the OWA/ActiveSync event source is set up.

How to Configure This Event Source

You configure the OWA event source to read the shared folder via its UNC path (for example \\exchange01\IISLogs, substituting your own server and share names) and the credential that was used when setting up the shared folder. UNC is Microsoft's Universal Naming Convention, the \\server\share\path syntax used to describe the location of a network resource.

Logons from IP addresses that belong to mobile carriers do not appear on your ingress activity map, because geolocation for carrier address space is typically very inaccurate. Mobile logons over Wi-Fi networks still appear on the ingress map.

Perform the following steps to configure OWA with InsightIDR.

  1. From your dashboard, select Data Collection on the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the Email & ActiveSync icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally choose to send unfiltered logs.
  6. Configure your default domain and any Advanced Event Source Settings.
  7. Select Watch Directory as your collection method, and enter the UNC path of the shared IIS log folder and the credential you granted access to it.
  8. Click Save.

Format Logs to ELFF Format

The logging formats IIS supports are detailed here: https://msdn.microsoft.com/en-us/library/ms525807(v=vs.90).aspx.

InsightIDR only supports logs in the W3C Extended Log File Format (ELFF), the format in which each log file starts with a #Fields: directive naming the columns. The logs must contain the fields listed above, in the order specified there. Additional fields may be present, but must come after the sc-win32-status field.

Troubleshoot OWA/ActiveSync Logging

If you are experiencing issues with OWA or ActiveSync, try one of the following solutions:

  • Wrong IP Address
  • Advanced Logging for IIS 7
  • Enhanced Logging for IIS 8.5+

Wrong IP Address

If an MDM, load balancer, or other device sits between the external endpoint and the ActiveSync server, the source IP (c-ip) in the IIS logs for ActiveSync will be wrong: it records the address of the intermediate device rather than the true address of the external endpoint, so you get no ingress activity on your map.

Each of these appliances has its own way of passing the true source IP in a custom HTTP request header (X-Forwarded-For for most load balancers). To fix this, complete the following:

  1. On the Exchange server, configure advanced logging (IIS 7) or enhanced logging (IIS 8.5+) so that its output carries exactly the same fields, in the same order, as the basic log.
  2. Append the header in which the appliance carries the true source IP as an additional field at the end of each log line. InsightIDR uses that field in place of c-ip, which in this setup only ever holds the intermediate appliance's address.

Because any client that can reach the Exchange server directly can send its own X-Forwarded-For header, make sure external clients can only reach OWA/ActiveSync through the appliance; otherwise the substituted source IP can be forged.

Advanced Logging for IIS 7

Microsoft documentation on advanced logging is located here: https://www.iis.net/learn/extensions/advanced-logging-module/advanced-logging-for-iis-custom-logging.

Note how fields are added in the Advanced Logging module. Compare some of the actual log lines produced by the advanced logger with those produced by the basic logger; you may need to adjust the advanced logger a few times to make sure the fields are the ones you want and that they are in the proper order.

Enhanced Logging for IIS 8.5+

Follow Loadbalancer.org's guide to adding the X-Forwarded-For field to IIS 8.5 enhanced logging here: http://www.loadbalancer.org/blog/iis-and-x-forwarded-for-header/.

You can learn about enhanced logging here: https://www.iis.net/learn/get-started/whats-new-in-iis-85/enhanced-logging-for-iis85.

The field ordering is the following:

  1. date
  2. time
  3. s-ip
  4. cs-method
  5. cs-uri-stem
  6. cs-uri-query
  7. s-port
  8. cs-username
  9. c-ip
  10. cs(User-Agent)
  11. cs(Referrer)
  12. sc-status
  13. sc-substatus
  14. sc-win32-status
  15. x-forwarded-for

InsightIDR parses the x-forwarded-for field appended to the end of each log line as the true client IP address, in place of c-ip.
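As an added example (not Rapid7 or Microsoft code), the following Python script does on the ingest side what the ELFF requirement and the x-forwarded-for substitution above amount to: it reads the #Fields directive of an IIS W3C log, checks that the required fields are present in the required order (extra fields such as cs(Referer) are tolerated), picks out OWA and ActiveSync requests, and replaces c-ip with the last hop of x-forwarded-for. It also adds the check a practitioner wants here: the header is only honoured when c-ip is the load balancer, since a client that can reach IIS directly can forge it. The log lines are constructed, and the load balancer address 10.0.0.5 is an assumption.

```python
"""Parse IIS W3C extended (ELFF) logs the way an OWA/ActiveSync ingest does:
read #Fields, check field order, classify OWA/ActiveSync requests and recover
the true client IP from x-forwarded-for behind a load balancer.
Added example, not Rapid7 or Microsoft code; the sample log is constructed."""
import ipaddress
from typing import Dict, Iterator, List, Optional
from urllib.parse import parse_qs

# Required fields in the order IIS writes them. Extra fields such as
# cs(Referer) or x-forwarded-for may appear, but must not reorder these.
REQUIRED_ORDER = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
    "sc-substatus", "sc-win32-status",
]
# Honour x-forwarded-for only when the request really came via the load
# balancer; a client that reaches IIS directly can forge the header.
# Assumption: the NetScaler's internal address is 10.0.0.5.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def field_order_error(fields: List[str]) -> Optional[str]:
    """Return a message if a required field is missing or reordered, else None."""
    missing = [f for f in REQUIRED_ORDER if f not in fields]
    if missing:
        return f"missing fields: {missing}"
    present = [f for f in fields if f in REQUIRED_ORDER]
    if present != REQUIRED_ORDER:
        return f"required fields out of order: {present}"
    return None

def parse_w3c(lines: List[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields: Optional[List[str]] = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):          # #Software, #Version, #Date, #Fields
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                err = field_order_error(fields)
                if err:
                    raise ValueError(err)
            continue
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")          # IIS encodes spaces in values as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        yield dict(zip(fields, values))

def true_client_ip(rec: Dict[str, str]) -> str:
    """x-forwarded-for's last hop when c-ip is a trusted proxy, otherwise c-ip."""
    c_ip = ipaddress.ip_address(rec["c-ip"])
    xff = rec.get("x-forwarded-for", "-")
    if xff == "-" or c_ip not in TRUSTED_PROXIES:
        return str(c_ip)
    # A chain looks like "forged,+real" ('+' for the space); the last entry is
    # the one the trusted proxy appended, so that is the only one to believe.
    hops = [h.strip() for h in xff.replace("+", " ").split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except (IndexError, ValueError):
        return str(c_ip)                  # malformed header: do not trust it

def classify(rec: Dict[str, str]) -> Optional[str]:
    """'owa', 'activesync', or None for other Exchange paths (/ecp, /ews, ...)."""
    stem = rec["cs-uri-stem"].lower()
    if stem.startswith("/microsoft-server-activesync"):
        return "activesync"
    if stem.startswith("/owa"):
        return "owa"
    return None

def ingest(lines: List[str]) -> List[Dict[str, str]]:
    """Turn OWA/ActiveSync log lines into user, device and client-IP events."""
    events = []
    for rec in parse_w3c(lines):
        kind = classify(rec)
        if kind is None:
            continue
        query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
        events.append({"kind": kind, "user": rec["cs-username"],
                       "client_ip": true_client_ip(rec),
                       "device_id": query.get("DeviceId", ["-"])[0],  # ActiveSync
                       "status": rec["sc-status"]})
    return events

# Constructed sample: an ActiveSync sync and an OWA hit via the load balancer
# (the OWA one with a forged first XFF hop), a direct hit on IIS with a forged
# header, and an /ecp request that is not OWA/ActiveSync.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-03-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status x-forwarded-for
2016-03-01 08:15:22 192.168.10.20 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABCDEF123456&DeviceType=iPhone&Cmd=Sync 443 CORP\jdoe 10.0.0.5 Apple-iPhone8C1/1301.404 200 0 0 203.0.113.77
2016-03-01 08:16:03 192.168.10.20 GET /owa/ - 443 CORP\asmith 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0)+Firefox/44.0 200 0 0 192.0.2.1,+198.51.100.9
2016-03-01 08:17:40 192.168.10.20 POST /owa/auth.owa - 443 - 172.16.5.5 Mozilla/5.0 401 0 0 203.0.113.99
2016-03-01 08:18:01 192.168.10.20 GET /ecp/ - 443 CORP\asmith 10.0.0.5 Mozilla/5.0 200 0 0 198.51.100.9
""".splitlines()

if __name__ == "__main__":
    for event in ingest(SAMPLE_LOG):
        print(event)
```

Running the script yields three events: the ActiveSync sync attributed to CORP\jdoe, device ABCDEF123456, from 203.0.113.77; the OWA request attributed to CORP\asmith from 198.51.100.9 (the forged 192.0.2.1 hop is ignored); and the direct 401 from 172.16.5.5, whose forged 203.0.113.99 header is not honoured because the request did not come through the load balancer. The /ecp line is dropped as not OWA/ActiveSync.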