TL;DR
Yes, Exchange/OWA can still compress static images and remain relatively immune to HTTP compression attacks with the correct configuration. Modern versions of Exchange automatically handle this for most scenarios, but it’s important to verify settings and understand potential risks.
Solution Guide
- Understand Image Compression in Exchange
- Exchange typically compresses images (like logos or background images) used within OWA. This reduces bandwidth usage and improves page load times.
- The compression is usually done on the server-side before sending the image to the client’s browser.
- Modern Exchange versions use efficient compression algorithms like gzip, which are generally safe when implemented correctly.
- HTTP Compression Attacks: The Risk
- An HTTP compression attack (like CRIME or BREACH) exploits vulnerabilities in how web servers handle compressed content.
- These attacks can potentially allow attackers to steal sensitive information from encrypted HTTPS connections by manipulating the compression process.
- The risk is higher when dealing with dynamic content that includes user-specific data within compressed responses. Static images are less vulnerable because they don’t change based on the user.
- Verify Compression Settings in Exchange
Check if HTTP compression is enabled globally for your Exchange server.
Get-ExchangeServer | Select HttpCompressionEnabled- If
HttpCompressionEnabledisFalse, you may need to enable it (see Step 4).
- If
- Enable HTTP Compression (if disabled)
Use the following command in Exchange Management Shell:
Set-ExchangeServer -Identity <YourExchangeServerName> -HttpCompressionEnabled $true- Replace
<YourExchangeServerName>with the actual name of your Exchange server. - Restart IIS after making changes: https://learn.microsoft.com/en-us/powershell/module/iisadministration/restart-webserver?view=iis-ps
- Replace
- Configure IIS Compression Levels
Fine-tune compression settings in Internet Information Services (IIS) for optimal performance and security.
- Open IIS Manager.
- Select your Exchange server in the Connections pane.
- Double-click “Compression Features”.
- Adjust compression levels for static files (like images). Generally, a moderate level of compression is sufficient. Avoid extremely high compression levels as they can increase CPU usage without significant benefit.
- Keep Exchange Updated
- Microsoft regularly releases security updates that address vulnerabilities in Exchange, including those related to HTTP compression attacks.
- Ensure your Exchange server is running the latest cumulative update (CU) or service pack.
- Use TLS 1.2 or Higher
- TLS 1.2 and higher provide stronger encryption than older versions, making it more difficult for attackers to exploit compression vulnerabilities.
- Verify that your Exchange server is configured to use TLS 1.2 or higher.
- Monitor for Suspicious Activity
- Regularly review Exchange logs for any unusual patterns of activity, such as large numbers of requests for static images or unexpected errors related to compression.