Jordan_Tsafaridis Posted February 5, 2010

Dear colleagues of autoexec.gr, below I present the implementation of the Captcha Validation security algorithm in an OWA 2007 environment with Forms-Based Authentication. Given the growing demand for security in every form of internet communication, I believe the article below is very useful for anyone who really wants to secure the Outlook Web Access 2007 logon page with an additional layer of security. Unfortunately, due to lack of time I have not been able to translate the text from English into Greek, but the text is perfectly understandable:

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. You will no doubt have seen this implemented in various web pages as an image of a visually distorted common word, which must be typed into an input field, thus proving that you are indeed a real person. This has become necessary to prevent the actions of bots, which roam the web looking for opportunities to inject spam into message boards, etc. Shown here in Figure 1 is an example of such an image. The idea is that a human user will recognize the word 'part', whereas a spambot will not.

Figure 1: A CAPTCHA image displaying the word 'part'

OWA Forms-based Authentication is very secure by itself, of course, since you still need to supply valid credentials to log in, but there is still a significant amount of interest in adding CAPTCHA validation to it. Here, I will show how it can be done by modifying Exchange's logon.aspx file. I have chosen to use a freely available CAPTCHA script written by Jonathan Feaster, which is available for download from Archreality (http://www.archreality.com/jcap/). This script uses JavaScript, and unlike some other solutions has the advantage of not requiring a second .aspx page to process the form input; the validation is done by the user's browser before the credentials are sent to the OWA server.
Any CAPTCHA scripts which require a second page will not work with FBA, since there is no opportunity to insert anything between the logon page and the OWA GUI.

Procedure

First, extract the files to a suitable place on the server. There are two .js files, and a folder named cimg, which contains the word images to be displayed on the logon page. Place the entire extracted jcap folder in the C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth folder as shown in figure 2:

Figure 2: The extracted jcap files in the auth folder

Next, use Explorer to locate the logon.aspx file that creates the FBA logon page. This is inside the same auth folder that you just placed the jcap folder into. Before doing anything else, make a backup copy of the logon.aspx file. Right-click it, then select Copy, then right-click the folder, and then select Paste. This creates a copy of your logon.aspx file named 'Copy of logon.aspx'. If your modifications are unsuccessful, you will need to revert to this original file to restore FBA functionality.

Now, open logon.aspx using Notepad. I'm going to insert the image just above the 'Public Computer' radio button, so press F3 and search for the text rdoPblc.
Assuming that you successfully found the text, insert the following just before the preceding <tr> tag:

    <script type="text/javascript" language="javascript" src="jcap/md5.js"></script>
    <script type="text/javascript" language="javascript" src="jcap/jcap.js"></script>
    <script type="text/javascript" language="javascript">
    function doJcap() {
        if (jcap() == true) { document.forms[0].action = "owaauth.dll"; return true; }
        else return false;
    }
    </script>
    <tr><td colspan="2" align="center">
    Enter the code as it is shown below
    <script language="JavaScript">sjcap();</script>
    <noscript>This resource requires a JavaScript enabled browser</noscript>
    </td></tr>

The result should look something like figure 3:

Figure 3: The amended contents of logon.aspx in Notepad

Next, press CTRL-HOME to go back to the top of the file, then press CTRL-F and search for the text <form (without a closing angle bracket). Assuming that you successfully found the form tag, remove its action attribute and replace it with the following text:

    onsubmit="return doJcap();"

This part of the page should now look like that shown in figure 4:

Figure 4: The modified <form> tag

Now save the file back to disk, and close Notepad. All that is required now is a small change to the jcap.js file that was saved in C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth\jcap. Right-click the jcap.js file, and select Edit. It should open in Notepad. On the line that begins with var imgdir, you need to change the path to point to the current location of the cimg folder. Change it so that the beginning of the line looks like this:

    var imgdir = "/owa/auth/jcap/cimg/";

The complete line looks like this:

Figure 5: Defining the path to the image files

Save the file, and we're finished. The next time you open the FBA logon page, it should look something like this (figure 6). Also shown is the alert message displayed if the typed text does not match the distorted text in the image when you click the Log On button.
Figure 6: The modified FBA logon page

Please remember that due to updates made by Exchange service packs and patches, future versions of the logon.aspx file may be different to the version shown. The basic principles described should, however, remain the same.

References

CAPTCHA described at Wikipedia
Turing test discussed at Wikipedia
The CAPTCHA Project

· A CAPTCHA or Captcha (pronounced /ˈkæptʃə/) is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process usually involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. Thus, it is sometimes described as a reverse Turing test, because it is administered by a machine and targeted to a human, in contrast to the standard Turing test that is typically administered by a human and targeted to a machine. A common type of CAPTCHA requires that the user type letters or digits from a distorted image that appears on the screen.

· The term "CAPTCHA" (based upon the word capture) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas J. Hopper (all of Carnegie Mellon University), and John Langford (then of IBM). It is a contrived acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart." Carnegie Mellon University attempted to trademark the term,[2] but the trademark application was abandoned on 21 April 2008.[3] Currently, CAPTCHA creators recommend use of reCAPTCHA as the official implementation.[4]

I hope you find it useful.

Iordanis Tsafaridis
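The procedure above, as an added PowerShell example that is not part of the post or of the jcap download: it takes a timestamped backup of both files, inserts the script block before the <tr> that precedes rdoPblc, swaps the form's action attribute for the onsubmit gate, sets imgdir in jcap.js, and refuses to run a second time on an already patched file. Paths are the defaults quoted in the post; the .bak naming, the lowercase <tr> search and the regex shapes are my own assumptions about the logon.aspx layout.

```powershell
# Added example (not from the article or jcap): automates the logon.aspx / jcap.js edits
# described above. Assumes the default Exchange 2007 install paths quoted in the post.
$auth  = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth'
$logon = Join-Path $auth 'logon.aspx'
$jcap  = Join-Path $auth 'jcap\jcap.js'

# Backup first: the untouched copy is what restores FBA if the edit goes wrong.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item $logon "$logon.$stamp.bak"
Copy-Item $jcap  "$jcap.$stamp.bak"

$html = [IO.File]::ReadAllText($logon)
if ($html -match 'doJcap') { throw 'logon.aspx already contains the CAPTCHA block' }

# Same markup as the post; inserted before the <tr> that precedes the rdoPblc radio button.
$block = @'
<script type="text/javascript" language="javascript" src="jcap/md5.js"></script>
<script type="text/javascript" language="javascript" src="jcap/jcap.js"></script>
<script type="text/javascript" language="javascript">
function doJcap() {
    if (jcap() == true) { document.forms[0].action = "owaauth.dll"; return true; }
    else return false;
}
</script>
<tr><td colspan="2" align="center">
Enter the code as it is shown below
<script language="JavaScript">sjcap();</script>
<noscript>This resource requires a JavaScript enabled browser</noscript>
</td></tr>
'@

$rdo = $html.IndexOf('rdoPblc')
if ($rdo -lt 0) { throw 'rdoPblc not found; this logon.aspx differs from the version in the article' }
$tr = $html.LastIndexOf('<tr', $rdo)          # assumes lowercase <tr> as in the stock file
if ($tr -lt 0) { throw 'no <tr> found before rdoPblc' }
$html = $html.Substring(0, $tr) + $block + $html.Substring($tr)

# Replace the action attribute inside the <form ...> tag with the onsubmit gate.
$html = [regex]::Replace($html, '(<form\b[^>]*?)\saction="[^"]*"',
                         '$1 onsubmit="return doJcap();"', 'IgnoreCase')
if ($html -notmatch 'onsubmit="return doJcap\(\);"') { throw '<form action="..."> not found' }
[IO.File]::WriteAllText($logon, $html)

# Point jcap.js at the images now living under /owa/auth/jcap/cimg/.
$js = [IO.File]::ReadAllText($jcap)
$js = [regex]::Replace($js, '(?m)^var imgdir\s*=\s*"[^"]*"', 'var imgdir = "/owa/auth/jcap/cimg/"')
[IO.File]::WriteAllText($jcap, $js)
```

Run it once from an elevated PowerShell prompt on the Client Access server; if it throws, nothing beyond the backups has been written to logon.aspx.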
Akladakis Posted February 5, 2010

Iordanis, it looks very good. Have you tested it, and has it been working well over a long period of time?
pkalog Posted February 6, 2010

Very interesting indeed!!! Very good idea, I will try it in a test environment. Thank you!!
Jordan_Tsafaridis (Author) Posted February 6, 2010

Thanasis, of course I have tested it. In fact, it has been in production since last October without any problems.

Iordanis