Thursday, July 13, 2023

Securing the Netcool EWS Probe

Background

The Netcool Probe for Microsoft Exchange Web Services (EWS Probe) documentation leads you to create the probe with a very large security issue. Specifically, following the IBM documentation, the probe is allowed to access ANY mailbox just by specifying the name of the mailbox (email address) WITH NO PASSWORD. That is not ideal.

Solution

My client and I contacted IBM support and got the following solution really quickly (within just a couple of hours):

The steps are taken from this link https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access.

Due to security concerns highlighted by the customer, a Doc APAR has been raised to add the following steps to the probe guide.

APAR number: IJ41418

Limiting probe access to specific Exchange Online mailboxes.

By default, OAuth authentication enables the probe to access all mailboxes in an organization on Exchange Online. Administrators can identify the set of mailboxes to permit access to by putting them in a mail-enabled security group. Administrators can then limit probe access to only that set of mailboxes by creating an application access policy for access to that group.

a. Create a new mail-enabled security group using the steps in this link, or use an existing one, and identify the email address for the group.

b. Add the user of the mailbox to be accessed by the probe to the group.

c. Connect to Exchange Online PowerShell. For details, see Connect to Exchange Online PowerShell.

d. Create an access policy on the registered Azure Active Directory application:

New-ApplicationAccessPolicy -AppId <<Application/ClientID>> -PolicyScopeGroupId <<SecGroupEmail>> -AccessRight RestrictAccess -Description "IBM Netcool EWS Probe Mailbox"
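The following script is an added example, not part of the IBM response or the probe guide. It runs steps a through d end to end from an Exchange Online PowerShell session and then uses Test-ApplicationAccessPolicy to confirm the probe's app registration is Granted on the scoped mailbox and Denied on any other mailbox, which is the check that proves the "any mailbox, no password" exposure is closed. The tenant domain contoso.com, the group name, the mailbox addresses and the Application (client) ID are constructed placeholders; replace them with your own values.

```powershell
# Added example (not from the blog post or IBM's probe guide): scope the
# Netcool EWS Probe's Azure AD app registration to a single mailbox.
# Assumptions (replace before use):
#   $AdminUpn     - an Exchange Online admin account in the tenant
#   $ProbeAppId   - Application (client) ID of the probe's app registration
#                   (placeholder GUID below)
#   $ProbeMailbox - the one mailbox the probe polls for alerts
#   contoso.com, the group name and the group address are constructed values

Import-Module ExchangeOnlineManagement   # Exchange Online PowerShell V2/V3 module

$AdminUpn     = "exchange-admin@contoso.com"
$ProbeAppId   = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real app
$ProbeMailbox = "netcool-alerts@contoso.com"
$GroupName    = "Netcool EWS Probe Mailboxes"
$GroupSmtp    = "netcool-ews-probe-scope@contoso.com"

# Step c: connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserProspectName $AdminUpn -ErrorAction Stop 2>$null
```

Correction to the block above: the connect line should read `Connect-ExchangeOnline -UserPrincipalName $AdminUpn`; the full, corrected script follows.

```powershell
Import-Module ExchangeOnlineManagement

$AdminUpn     = "exchange-admin@contoso.com"                 # constructed
$ProbeAppId   = "00000000-0000-0000-0000-000000000000"       # placeholder GUID
$ProbeMailbox = "netcool-alerts@contoso.com"                 # constructed
$GroupName    = "Netcool EWS Probe Mailboxes"                # constructed
$GroupSmtp    = "netcool-ews-probe-scope@contoso.com"        # constructed

# Step c: connect to Exchange Online PowerShell
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

# Step a: create the mail-enabled security group, or reuse it if it exists
$group = Get-DistributionGroup -Identity $GroupSmtp -ErrorAction SilentlyContinue
if (-not $group) {
    $group = New-DistributionGroup -Name $GroupName -Type Security -PrimarySmtpAddress $GroupSmtp
}

# Step b: add the probe's mailbox to the group (skip if already a member)
$alreadyMember = Get-DistributionGroupMember -Identity $GroupSmtp |
    Where-Object { $_.PrimarySmtpAddress -eq $ProbeMailbox }
if (-not $alreadyMember) {
    Add-DistributionGroupMember -Identity $GroupSmtp -Member $ProbeMailbox
}

# Step d: restrict the probe's app registration to that group only
New-ApplicationAccessPolicy -AppId $ProbeAppId -PolicyScopeGroupId $GroupSmtp `
    -AccessRight RestrictAccess -Description "IBM Netcool EWS Probe Mailbox"

# Verification: expect Granted for the scoped mailbox, Denied for any other
$inScope  = (Test-ApplicationAccessPolicy -Identity $ProbeMailbox -AppId $ProbeAppId).AccessCheckResult
$outScope = (Test-ApplicationAccessPolicy -Identity "ceo@contoso.com" -AppId $ProbeAppId).AccessCheckResult
Write-Host "Probe mailbox: $inScope   Out-of-scope mailbox: $outScope"

# List the policies bound to this app so the restriction is visible in an audit
Get-ApplicationAccessPolicy | Where-Object { $_.AppId -eq $ProbeAppId }

Disconnect-ExchangeOnline -Confirm:$false
```

Two points worth knowing when you run this: Microsoft documents that application access policy changes can take up to 30 minutes to take effect, so an immediate Test-ApplicationAccessPolicy may still report Granted for the out-of-scope mailbox; and the policy restricts what the app registration can reach regardless of which mailbox name the probe is configured with, which is exactly the property the default setup lacks.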