Hi,
We have Exchange 2013 running with OWA. Our accounts have mailboxes which we sometimes (succesfully) disable for webmail. However, it is possible to simply open webmail so that it asks for your credentials. If you enteraccount@domain.com and a wrong password it will simply tell you password incorrect. If you enter the correct password it will log you in but give this 'error' (which it is supposed to since webmail is disabled for this account): Outlook Web App is currently disabled for user domain\account.
My problem here is that even though behaviour is as expected this seems to be vulnarable for brute force attacks and such.
So basically my question is: is there a way to disable OWA completely for these accounts in such a way, that it won't let you notice wether or not the password is entered correctly/incorrectly. Or is there another way to somehow work around this making webmail more secure?
Best regards, J