Microsoft Exchange Outlook Web App – Restricting Users By Location (IP Subnet) & Group

The powers that be decided that we need to be more secure and most of our users should not be working remotely without permission, and that includes just checking email. So I had to devise a way to make this happen. I found a script somewhere online that seemed to provide such a restriction. The file to be changed is

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\forms\startpage.aspx
Of course, this is for Exchange 2010 (the V14 directory). I assume the file is similar in later versions of Exchange, but I cannot confirm that.
This is my first iteration:

However, this did not work when I tried to restrict access to the group “pridedallas.com\\Outlook Web Access – Remote”: no user had access at all.

After much effort, I discovered that Request.LogonUserIdentity returns the account OWA itself runs as (the Exchange service identity), not the mailbox user who logged on, so the group check was being made against the wrong account and failed for everyone. So I modified it to this, which works great!
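Since the script itself is not reproduced above, here is an added example of the kind of check described; it is not the script from this post or from the site it was found on. It is an inline server-side block for an ASP.NET page such as startpage.aspx: clients on the internal subnets pass, everyone else must be a member of the remote-access group, and anything that cannot be decided is denied. The subnet list and the redirect target are placeholders, and it assumes that HttpContext.Current.User carries the logged-on mailbox user's Windows principal (the post does not say which property the working version used).

```csharp
<%@ Import Namespace="System.Net" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Added example, not the script from the post. Internal subnets (CIDR) from which
    // OWA is allowed without further checks, and the AD group that may use OWA from
    // anywhere. The subnets and the denied page are assumptions; the group name is the
    // one the post uses.
    private static readonly string[] InternalSubnets = { "10.0.0.0/8", "192.168.0.0/16" };
    private const string RemoteAccessGroup = @"pridedallas.com\Outlook Web Access – Remote";
    private const string DeniedPage = "/owa/auth/logoff.aspx";   // hypothetical landing page

    // True when address lies inside the CIDR block (IPv4 or IPv6, same family only).
    private static bool InSubnet(IPAddress address, string cidr)
    {
        string[] parts = cidr.Split('/');
        IPAddress network = IPAddress.Parse(parts[0]);
        int prefix = int.Parse(parts[1]);
        if (address.AddressFamily != network.AddressFamily) return false;
        byte[] a = address.GetAddressBytes();
        byte[] n = network.GetAddressBytes();
        for (int i = 0; i < a.Length; i++)
        {
            int bits = Math.Min(8, Math.Max(0, prefix - 8 * i));
            if (bits == 0) break;                        // remaining bytes are host bits
            int mask = (0xFF << (8 - bits)) & 0xFF;
            if ((a[i] & mask) != (n[i] & mask)) return false;
        }
        return true;
    }

    // Deny-by-default gate: on-site clients pass; everyone else must be in the group.
    private void EnforceOwaLocationPolicy()
    {
        // Request.UserHostAddress is REMOTE_ADDR, the TCP peer. Behind a reverse proxy or
        // load balancer that is the proxy's address; then take the client address from the
        // header the proxy sets, and only when the request really came from the proxy.
        // Never trust X-Forwarded-For from an arbitrary client: it is attacker-controlled.
        IPAddress client;
        if (!IPAddress.TryParse(Request.UserHostAddress, out client))
        {
            Response.Redirect(DeniedPage, true);
            return;
        }
        foreach (string subnet in InternalSubnets)
        {
            if (InSubnet(client, subnet)) return;
        }

        // Request.LogonUserIdentity is the account OWA itself runs as, not the mailbox user
        // (the post's finding), so it cannot be used for the group test. This example
        // assumes HttpContext.Current.User carries the mailbox user's Windows principal.
        bool allowed = false;
        try
        {
            IPrincipal user = HttpContext.Current.User;
            allowed = user != null
                      && user.Identity.IsAuthenticated
                      && user.IsInRole(RemoteAccessGroup);
        }
        catch (Exception)
        {
            allowed = false;    // group or user cannot be resolved: fail closed
        }
        if (!allowed)
        {
            Response.Redirect(DeniedPage, true);
        }
    }
</script>
<% EnforceOwaLocationPolicy(); %>
```

Two caveats worth keeping in mind with any edit of this kind. First, service packs and update rollups replace the OWA files, so the change has to be reapplied (and re-tested from an outside address) after every Exchange update. Second, this gates only the OWA web client; ActiveSync, Outlook Anywhere, EWS and POP/IMAP are separate protocols with their own access controls, so "no remote email without permission" needs those restricted as well.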


Who the heck has time to write a blog post post?

No, not a typo. But seriously, I have lots of ideas for blog posts – when I’m in the middle of doing whatever it is that gives the idea for a blog post, but the energy rarely exists outside of that task and then when I think about it later, I decide I have way more important things to do (which is true, that’s not my imagination).

So, how did I find time to write this blog post about writing a blog post? I didn’t.

7:11 AM here in Flower Mound, TX.

I decided that part of my problem is that I want to write the “right” blog post. Yea, that will never happen.

So if you wasted a minute of your time looking for insight on how to find time to write a blog post, here are your great words of wisdom: quit spending so much time not writing it, or thinking about writing it, or pondering what you should write about, and just write.

As you were…

CKEditor Spellcheck Plugins Security

We have been using CKEditor a long time (since it was FCKEditor…always loved that name, makes me giggle like a little kid when I even say it to myself) and just love the product. There are two plugins that ship with it for spell checking: SCAYT (Spell Check As You Type) and WebSpellChecker (WSC). Both are enabled by default; however, SCAYT is not set to start automatically (autoload) by default. When I realized that I could enable the autoload for SCAYT, I did just that…and then one of my team members asked a very pertinent question, one that I should have asked a long time ago. Have we reviewed the security (or lack thereof) of these plugins and the service behind them?

If you don’t already realize this, both spellchecking plugins are front ends for a hosted service run by WebSpellChecker.net: they send the text being checked to that service and display the results it returns. I knew this, but that’s as far as I had really considered it.

What I had not considered is whether that service connection was secure. The site that we use CKEditor on is secure – it has to be. We are a healthcare facility and we have to protect PHI (Protected Health Information). Now, users should never be entering PHI into text boxes that use CKEditor – nor should anyone ever be entering any other data that needs to be secure in these fields (like passwords). However, we all know that this will happen. The data itself is stored securely, and we remove this information as we find it.

After I was asked the question, I did some research on WebSpellChecker.net’s site and general searches as well, but I could find nothing that said whether these plugins used a secure connection or not. So, I finally just tested it myself using Fiddler and was shocked to find that these are not secure (SSL / TLS) connections at all, but plain-text HTTP!

[Screenshot: Fiddler capture showing definitively that no security is used for the CKEditor spellcheck plugin requests]

Needless to say, we have disabled these plugins completely. We were just using the free version of this service anyway. WebSpellChecker.net does have a paid service, and maybe if we paid for it, they would provide some way to use HTTPS. I was very surprised, though, that a service like this, enabled by default in a very common WYSIWYG editor, was not secure. Glad we caught it.

What we have here, is a failure to communicate…