Configure Download Domains in Exchange Server

Overview

The Download Domains feature causes attachments to be loaded from a different URL than the one users use to access Outlook on the Web (OWA). Because the attachment request is cross-site, the browser applies the SameSite cookies standard, which provides better protection against cross-site request forgery (CSRF) attacks. One vulnerability addressed by the Download Domains feature is CVE-2021-1730.

What are cookies and when are they used

Cookies are text strings sent from websites and stored on a computer by the web browser. They're used for authentication and personalization. For example, cookies are used to recall stateful information, preserve user settings, record browsing activity, and display relevant ads. Cookies are always linked to a particular domain and are set by various parties.

Historically, sites such as example.com that make cross-origin requests to other domains such as contoso.com have caused the browser to send example.com cookies as part of any request.

In most cases, the user benefits by being able to reuse some state (for example, login state) across sites regardless of where a request originated. However, this behavior can be abused in CSRF attacks. The SameSite attribute of the Set-Cookie header reduces this exposure by letting the issuing site control when the cookie is sent.

For SameSite purposes, a site is defined as a top-level domain (TLD) plus one more domain label.

Example:

Scheme    Domain name    TLD
https://  contoso        .com

The URL scheme is also taken into account. A request that comes from https://contoso.com and goes to http://contoso.com (for example, by clicking a link) is considered a cross-site request.

With the SameSite cookies standard, sites or web applications can set the SameSite attribute on cookies via the Set-Cookie header or by using the document.cookie JavaScript property to restrict in which cases a cookie is sent.

The SameSite cookies specification was introduced in Google Chrome version 51 as an optional attribute. It was introduced with Windows 10 Build 17672 for Microsoft Edge and Internet Explorer.

There are three values that are supported:

  • Strict
    • The browser won't send this cookie in any cross-site request
  • Lax
    • The browser sends this cookie in cross-site requests under certain conditions (all conditions must apply):
      • The "safe" HTTP GET method is used
      • The request comes from a top-level navigation, which was performed by the user (for example, a link was clicked)
  • None
    • The browser sends the cookie in any cross-site request as this setting disables the SameSite restriction

All major web browsers support the SameSite cookies standard. If the web site or application that issues the cookie doesn't explicitly set the SameSite attribute, the browser treats the cookie as SameSite=Lax by default to improve protection against CSRF attacks.

Looking at the Download Domains feature, a call to attachments.owa.contoso.com that was initiated from owa.contoso.com is considered a cross-site request, and cookies are only sent if the conditions described for the Lax value are met.
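The following PowerShell model of the SameSite rules above is an added example, not code from the article or from Exchange. It uses the article's definition of a site (scheme plus TLD plus one label; real browsers consult the Public Suffix List, so this is an approximation) and the constructed cookie header and URLs are placeholders.

```powershell
# Added example: decide whether a browser would attach a cookie to a request,
# following the Strict / Lax / None rules and the schemeful site definition above.
function Get-Site([uri]$Url) {
    # Site = scheme + registrable domain; the article defines the latter as TLD + one label.
    $labels = $Url.Host.ToLowerInvariant().Split('.')
    $registrable = ($labels | Select-Object -Last 2) -join '.'
    return "$($Url.Scheme)://$registrable"
}

function Get-SameSiteMode([string]$SetCookieHeader) {
    # Parse the Set-Cookie attributes; a missing SameSite attribute defaults to Lax.
    $parts = @($SetCookieHeader -split ';' | ForEach-Object { $_.Trim() })
    $attr  = @($parts -match '^SameSite=')
    if ($attr.Count -gt 0) { return ($attr[0] -split '=', 2)[1].Trim() }
    return 'Lax'
}

function Test-CookieSent {
    param(
        [Parameter(Mandatory)][string]$SetCookieHeader,
        [Parameter(Mandatory)][uri]$RequestInitiator,   # page the request originates from
        [Parameter(Mandatory)][uri]$RequestTarget,      # URL the cookie was issued for
        [string]$Method = 'GET',
        [switch]$TopLevelNavigation                     # e.g. the user clicked a link
    )
    # Same-site requests always carry the cookie; only cross-site requests are restricted.
    if ((Get-Site $RequestInitiator) -eq (Get-Site $RequestTarget)) { return $true }
    $laxAllows = ($Method -eq 'GET') -and $TopLevelNavigation.IsPresent
    switch (Get-SameSiteMode $SetCookieHeader) {
        'None'   { return $true }       # restriction disabled by the site
        'Strict' { return $false }      # never sent cross-site
        default  { return $laxAllows }  # Lax: safe method AND top-level navigation
    }
}

# Constructed header with no SameSite attribute, so the browser assumes Lax.
$hdr = 'session=abc123; Path=/; Secure; HttpOnly'
# Cross-site link click (GET, top-level navigation): sent under Lax.
Test-CookieSent -SetCookieHeader $hdr -RequestInitiator 'https://example.com/' -RequestTarget 'https://contoso.com/owa/' -TopLevelNavigation
# Cross-site form POST, the request shape CSRF relies on: withheld under Lax.
Test-CookieSent -SetCookieHeader $hdr -RequestInitiator 'https://example.com/' -RequestTarget 'https://contoso.com/owa/' -Method 'POST'
# Same host, different scheme: cross-site because the scheme is part of the site.
Test-CookieSent -SetCookieHeader "$hdr; SameSite=Strict" -RequestInitiator 'https://contoso.com/' -RequestTarget 'http://contoso.com/' -TopLevelNavigation
```

The three calls return True, False and False respectively.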

Enable Download Domains in your organization

Several steps must be performed before the Download Domains feature can be turned on for your organization. Follow these steps to configure the feature:

  1. Create a new DNS record of type CNAME (Alias). The record must point to the domain that you use to access Outlook on the Web (OWA).

    Example:

    Name                          Type    Value
    attachments.owa.contoso.com   CNAME   owa.contoso.com

    Note

    If you use different namespaces for internal and external OWA access, you must create two CNAME records and set them accordingly via the InternalDownloadHostName and ExternalDownloadHostName parameters as described in step 3.

    Important

    Users must NOT use the Download Domains to access Outlook on the Web as this would eliminate the protection provided by the Download Domains feature.

  2. Make sure to add the new subdomain to the certificate that is used by Exchange Server and bound to the front end. More information about certificate requests on Exchange Server can be found in the Certificate procedures in Exchange Server article.

  3. Add the new subdomain to the Outlook on the Web configuration by running the following command from an elevated Exchange Management Shell (EMS):

    Set-OwaVirtualDirectory -Identity "Contoso\OWA (Default Web Site)" -InternalDownloadHostName "attachments.owa.contoso.com" -ExternalDownloadHostName "attachments.owa.contoso.com"
    

    Note

    Make sure to set the correct hostnames if your Exchange configuration uses different namespaces for accessing OWA from internal and external networks. Using the wrong namespace degrades the user experience (for example, inline images aren't displayed).

  4. After all OWA virtual directories have been prepared and the new certificate has been deployed to all Exchange servers, the feature can be turned on by running the following command from an elevated Exchange Management Shell (EMS):

    Set-OrganizationConfig -EnableDownloadDomains $true
    
  5. You must restart the World Wide Web Publishing service and the Windows Process Activation Service on each Exchange server to activate the feature. Run the following command from an elevated PowerShell window or restart the server:

    Restart-Service -Name W3SVC, WAS -Force 
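The script below is an added example, not part of the article or of Exchange: it verifies the prerequisites from steps 1 and 2 before applying steps 3 to 5 to every OWA virtual directory and server. The host names are placeholders for a single internal/external namespace (use two download hosts if your namespaces differ), and step 5 assumes PowerShell remoting to the Exchange servers is allowed.

```powershell
# Added example: pre-flight checks and rollout of Download Domains.
# Run from an elevated Exchange Management Shell. Host names are placeholders.
$OwaHost      = 'owa.contoso.com'               # namespace users enter in the browser
$DownloadHost = 'attachments.owa.contoso.com'   # download domain; must differ from $OwaHost

if ($DownloadHost -ieq $OwaHost) { throw 'The download domain must not be the OWA namespace itself' }

# Step 1: the download host must be a CNAME that points at the OWA namespace.
$cname = @(Resolve-DnsName -Name $DownloadHost -Type CNAME -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'CNAME' })
if ($cname.Count -eq 0 -or $cname[0].NameHost.TrimEnd('.') -ine $OwaHost) {
    throw "Expected $DownloadHost to be a CNAME for $OwaHost"
}

# Step 2: every IIS-bound Exchange certificate must cover the download host,
# either as an exact SAN entry or via a wildcard for its parent domain.
function Test-CertCoversHost([string[]]$Domains, [string]$HostName) {
    $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
    return ($Domains -contains $HostName) -or ($Domains -contains "*.$parent")
}
$servers = Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }
foreach ($server in $servers) {
    $covered = Get-ExchangeCertificate -Server $server.Name | Where-Object {
        $_.Services -match 'IIS' -and (Test-CertCoversHost $_.CertificateDomains $DownloadHost)
    }
    if (-not $covered) { throw "No IIS-bound certificate on $($server.Name) covers $DownloadHost" }
}

# Step 3: set the download host on every OWA virtual directory in the organization.
Get-OwaVirtualDirectory -ADPropertiesOnly | ForEach-Object {
    Set-OwaVirtualDirectory -Identity $_.Identity `
        -InternalDownloadHostName $DownloadHost -ExternalDownloadHostName $DownloadHost
}

# Step 4: the setting is organization-wide, so enable it once.
Set-OrganizationConfig -EnableDownloadDomains $true

# Step 5: restart IIS on every server so the new setting takes effect.
foreach ($server in $servers) {
    Invoke-Command -ComputerName $server.Fqdn -ScriptBlock { Restart-Service -Name W3SVC, WAS -Force }
}
```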
    

Confirm that Download Domains are enabled

You can follow these steps to confirm that the Download Domain feature is enabled and works as expected:

  1. Send an email with an inline image to your mailbox. It doesn't matter if the email was sent from an internal or external mailbox.
  2. Sign in to OWA and search for the test email that was sent to your mailbox.
  3. Make sure that the image is loaded and displayed in the reading pane.
  4. Right-click the inline image and select Copy Image link.
  5. Paste the link into Notepad.exe and check the URL. It should be the configured Download Domain (for example, attachments.owa.contoso.com). This result confirms that the Download Domain feature is active and works as expected.
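As an added example (not from the article), the following function automates the check in step 5 and also reports virtual directories that still lack a download host name, since those would serve attachments from the OWA namespace and bypass the feature. The image URL passed in is a placeholder for the link copied in step 4.

```powershell
# Added example: confirm the organization setting, every OWA virtual directory,
# and the copied inline-image link agree on the configured download domain(s).
function Test-DownloadDomains {
    param([Parameter(Mandatory)][string]$CopiedImageUrl)   # link from "Copy Image link"

    $enabled = (Get-OrganizationConfig).EnableDownloadDomains
    $vdirs   = Get-OwaVirtualDirectory -ADPropertiesOnly

    # Any vdir without both host names is a gap in the rollout.
    $missing = @($vdirs | Where-Object {
        -not $_.InternalDownloadHostName -or -not $_.ExternalDownloadHostName
    } | ForEach-Object { $_.Identity.ToString() })

    # Distinct download hosts configured across all vdirs (internal and external).
    $configured = @($vdirs | ForEach-Object {
        "$($_.InternalDownloadHostName)"; "$($_.ExternalDownloadHostName)"
    } | Where-Object { $_ } | Sort-Object -Unique)

    # Uri.Host is lower-cased; -contains compares case-insensitively.
    $linkHost = ([uri]$CopiedImageUrl).Host
    $fromDownloadDomain = $configured -contains $linkHost

    [pscustomobject]@{
        OrganizationEnabled      = $enabled
        ConfiguredDownloadHosts  = $configured
        VdirsMissingDownloadHost = $missing
        ImageLinkHost            = $linkHost
        ImageServedFromDownload  = $fromDownloadDomain
        Healthy                  = ($enabled -and $missing.Count -eq 0 -and $fromDownloadDomain)
    }
}

# Placeholder URL: replace the path with the link copied from the inline image.
Test-DownloadDomains -CopiedImageUrl 'https://attachments.owa.contoso.com/PASTE-COPIED-PATH-HERE'
```

Healthy is True only when the feature is enabled, every virtual directory has both download host names set, and the copied image link uses one of them.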

Disable Download Domains in your organization

The Download Domains feature is configured via an organization-wide setting and, as a result, can only be enabled or disabled for all Exchange servers at once. If you want to disable the feature, it's sufficient to run the following command from an elevated Exchange Management Shell (EMS):

Set-OrganizationConfig -EnableDownloadDomains $false

Follow the steps outlined in the Confirm that Download Domains are enabled section of this article to confirm that the feature is disabled.