Office Web Apps 2013: Securing your WAC farm

Tags: WAC Server, Office Web Apps, SharePoint 2013, Security

With this new wave of SharePoint, the Office Web Apps Server (WAC – I don’t like the OWA acronym, that’s something else in my opinion) is its own server product, implementing the WOPI client protocol, which allows a client to retrieve documents from SharePoint on behalf of the user. Documents flow from the WOPI servers (SharePoint, Lync, Exchange etc.) to the Office Web Apps Server – this means that potentially confidential information is transferred out of the SharePoint environment and stored/cached on another server. This can result in unnecessary information leakage and compromise enterprise security.

In this post I will walk through a number of steps you can take to properly secure your Office Web Apps 2013 farm. You should seriously consider and implement most of these methods.

Note: this post focuses on the Office Web Apps Server and not a WOPI client in general (but if you’re building your own you should consider security as well!).

The WOPI protocol specification and security

Note: I will not cover how WOPI clients and servers implement the server-to-server authentication and authorization.

WAC runs as Local System

To start with, it is very important to know that the Office Web Apps Server 2013 runs as Local System and Network Service on the machine it is installed on. There is no service account or anything! This means that you cannot protect your systems using dedicated accounts etc., like you do with SharePoint, SQL and other applications.

The image below shows the Office Web Apps Windows Service, which runs as LocalSystem.

Local System

And this image shows some of the application pools in IIS on an Office Web Apps machine.

Network Service

The advantage of using these local accounts is that it makes installation and configuration easier. But it is very important that you are aware of this configuration.

SSL is a requirement!

Exposing the Office Web Apps Server over HTTPS should be a requirement in my opinion. There is no reason not to. Having it on HTTP will only cause trouble for you; for instance, if your SharePoint uses HTTPS you will not be able to render the iFrame containing the document (aka the WOPI Frame), since browsers do not allow http content inside an https page. But first and foremost, you’re sending data in clear text.

So what about SharePoint on HTTP then? Well, if you’re using SharePoint 2013 you should seriously consider running that over HTTPS as well – that IS a best practice. SharePoint 2013 leverages several technologies that send tokens and credentials over the wire, OAuth for instance, so in order to have a secure environment make sure you use HTTPS for SharePoint as well. If you are running SharePoint on HTTP you must fiddle with the security settings in SharePoint to allow OAuth over HTTP – and this is not a good thing.

Certificates are king!

Any WAC farm running on SSL must have a certificate for the HTTPS endpoint. You can use a self-signed certificate, issue certificates using a Domain CA, or buy a certificate. When you’re creating the WAC farm, using New-OfficeWebAppsFarm, you can (and should) specify the certificate.

For any SharePoint, WAC and even SQL installations nowadays certificates are more and more important. If you’re on the verge of deploying these in your organization you should consider deploying a Domain CA – which is not a lightweight task.

Securing the communication using IPSec

If you for some reason do not run HTTPS on SharePoint and/or WAC, you could consider implementing IPSec. Unfortunately there is no button in the Control Panel that says “Use IPSec”. This is something that requires careful planning and testing, so going SSL might be the easier way. But consider the scenario where you have an internet-facing web site which leverages WAC over HTTP – then you should consider using IPSec for the communication between SharePoint and the Office Web Apps Server.

Firewall considerations and requirements

When setting up your Office Web Apps farm you should also configure the firewall on the WAC machines. Office Web Apps uses four different ports. It uses 80 and 443 for HTTP and HTTPS; those are used by the end-users and for the WOPI Server/Client communication. Internally Office Web Apps uses port 809 (HTTP) and 810 (HTTPS) for communication between the WAC machines. I’ve only seen 809 in use, which is the default. There is no way (that I’ve found at least, even though WAC internally has a switch to use port 810) to configure WAC to use port 810, and if you do find a way it’s likely unsupported. The things sent over the wire on the admin channel (809) are mainly health and configuration information for the WAC farm, but it would be nice to be able to secure this channel as well (IPSec!).

When installing WAC the Windows firewall is configured to allow incoming TCP connections on port 80, 443 and 809.

WAC Windows Firewall Rule

As always it is a good practice to evaluate these default rules and, if you’re not using port 80, disable that rule. For port 809 it might also be a good practice to make sure that it only allows incoming connections if they are secure (i.e. implement IPsec).
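As an added example (my own, not from the original post or from the Office Web Apps product), the script below reviews the inbound Windows Firewall rules on a WAC machine for the four ports mentioned above, disables the port 80 rule for an HTTPS-only farm, and restricts the 809 admin channel to the other farm members with IPsec authentication required. It assumes Windows Server 2012 or later (the NetSecurity module) and locates rules by port rather than by the rule names WAC setup creates, since those names are not given in the post; the member addresses are constructed placeholders.

```powershell
# Added example, not from the original post. Reviews the Windows Firewall
# rules on a WAC machine for the ports the post lists (80, 443, 809, 810),
# disables the inbound port 80 rule for an HTTPS-only farm and locks down
# the 809 admin channel. Assumes Windows Server 2012+ (NetSecurity module).
# Rule names are not assumed; rules are located by port. Run elevated.

$wacPorts = @('80', '443', '809', '810')

function Get-WacFirewallRule {
    param([string]$Port)
    # Find inbound TCP rules whose port filter matches the given local port.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $Port } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' }
}

# 1. Report what is currently allowed in on each WAC port.
foreach ($port in $wacPorts) {
    $rules = @(Get-WacFirewallRule -Port $port)
    if ($rules.Count -eq 0) {
        Write-Host ("Port {0}: no inbound rule" -f $port)
        continue
    }
    foreach ($rule in $rules) {
        Write-Host ("Port {0}: '{1}' Enabled={2} Action={3} Profile={4}" -f `
            $port, $rule.DisplayName, $rule.Enabled, $rule.Action, $rule.Profile)
    }
}

# 2. HTTPS-only farm: disable (rather than delete) the inbound HTTP rule so it
#    can be re-enabled if the farm is ever reconfigured with -AllowHttp.
Get-WacFirewallRule -Port '80' | Disable-NetFirewallRule

# 3. Admin channel (809): accept connections only from the other WAC members
#    and only when the connection is authenticated (IPsec). The addresses are
#    constructed placeholders for your other farm machines.
$otherWacMembers = @('10.0.0.11', '10.0.0.12')
Get-WacFirewallRule -Port '809' |
    Set-NetFirewallRule -RemoteAddress $otherWacMembers -Authentication Required
```

Setting -Authentication Required on the firewall rule only takes effect when a matching IPsec connection security rule exists on both machines (created with New-NetIPsecRule, which is outside this example); without it, step 3 blocks the admin channel entirely, which is exactly the kind of planning and testing the IPSec section above warns about.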

Even more secure...

Preventing rogue machines

So far we’ve been talking about how to secure information being transmitted to and from the Office Web Apps farm. Let’s take a look at Office Web Apps farm security from another angle. Joining a new WAC machine to an Office Web Apps farm can be quite easy. The only thing you need is local administrator access on the WAC machine that is the master (Get-OfficeWebAppsMachine tells you which machine is the master). Depending on how your (virtual) metal is hosted this might be a problem; too many sysadmins out there have too many permissions. If you have this access you can easily join a rogue machine to the WAC farm and take control over it, without the users/clients knowing anything about it.

There are a couple of methods you can and should use to protect the WAC farm. And the error messages below can also be a good troubleshooting reference…

Master Machine Local Administrator

If the account trying to create the new WAC machine does not have local admin access on the machine specified when joining the WAC farm, you will simply get an “Access is denied” error.

New-OfficeWebAppsMachine : Access is denied

As a side note: if you’re not running the cmdlet with elevated privileges you will get a “You must be authenticated as a machine administrator in order to manage Office Web Apps Server” error.

Using the Firewall

I already mentioned the firewall. If the machine joining the WAC farm cannot reach the HTTP 809 channel, New-OfficeWebAppsMachine will throw a “The destination is unreachable” error.

The destination is unreachable error

This is a fairly easy way to protect the farm, but if the user has local admin access on the master machine it can easily be circumvented.

Certificate permissions

If you’re using a domain CA, make sure that you protect the private key using ACLs, or if you’re buying a certificate make sure to store the certificate’s private key in a secure location. If you specified a certificate when the Office Web Apps farm was created, which you should have, then the user cannot join the new machine, regardless of local machine admin rights, since the user cannot install the certificate locally. The error message shown is “Office Web Apps was unable to find the specified certificate”.

Office Web Apps was unable to find the specified certificate

Using an Organizational Unit in Active Directory

The way Microsoft recommends securing your WAC farm is to have a dedicated OU in Active Directory where the computer accounts for the WAC farm are located. When joining a new machine to the farm, the cmdlet verifies that the computer account is in the OU specified in the WAC configuration. If it’s not, you’ll see “The current machine is not a member of the FarmOU”.

The current machine is not a member of the FarmOU

The Farm OU is specified when creating a new WAC farm or using the Set-OfficeWebAppsFarm cmdlet. The only caveat with this OU is that it has to be a top-level OU in Active Directory. Creating that OU in your or your customer’s AD might cause some headache, but if you want to use the FarmOU as a protection method for your farm it has to be this way. That’s the way it is designed!

Also, having all the WAC servers in an OU gives you other benefits, such as using Group Policies to control the WAC servers.

Limit the WOPI Server and host access

Now we’ve seen how to protect the farm from rogue machines and data tampering. Another issue with the WAC farm in its default configuration is that any WOPI Server can use it. This might not be a big problem for most internal installations, but what if you’ve designed a WAC farm and someone with a huge SharePoint collaboration implementation connects to your WAC farm? It can surely bring it down. Or if you’re exposing your Office Web Apps farm on the internet, anyone on the internet can potentially use it.

For this purpose there’s a cmdlet called New-OfficeWebAppsHost. This cmdlet allows you to specify host names that will be accepted by the WAC farm. The cmdlet treats any domain as a wildcard. For instance, the following cmdlet will allow all WOPI Servers on contoso.com (www.contoso.com, extranet.contoso.com etc.) to contact the WAC farm:

New-OfficeWebAppsHost -Domain "contoso.com"

Do not forget to do this!!
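To tie the pieces together, here is an added example (my own script, not from the original post or the product documentation) that creates a farm with the protections discussed in this post: an HTTPS-only endpoint bound to a named certificate, a FarmOU, and a WOPI host allow list, followed by a verification step. The URLs, the certificate friendly name "WacFarmCert", the OU name "WacServers" and the domain contoso.com are constructed values; the property names read back from Get-OfficeWebAppsFarm and Get-OfficeWebAppsMachine are assumed to match the parameter names.

```powershell
# Added example, not from the original post. Creates a WAC farm with the
# protections the post describes and then verifies each setting.
# Constructed/assumed values: the farm URLs, the certificate friendly name,
# the OU name and the WOPI domain. Run elevated on the first WAC machine.

$internalUrl = 'https://wac.contoso.com'
$externalUrl = 'https://wac.contoso.com'
$certName    = 'WacFarmCert'   # friendly name of the cert in Cert:\LocalMachine\My
$farmOu      = 'WacServers'    # per the post, this must be a top-level OU
$wopiDomain  = 'contoso.com'   # acts as a wildcard for *.contoso.com

# 0. Fail early if the certificate (with its private key) is not in the
#    machine store; otherwise New-OfficeWebAppsFarm will not find it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $certName }
if (-not $cert) { throw "Certificate '$certName' not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate '$certName' has no private key" }

# 1. Create the farm. -AllowHttp is deliberately NOT given, so the farm is
#    HTTPS only. -CertificateName binds the HTTPS endpoint to the certificate;
#    -FarmOU restricts which computer accounts may join the farm.
New-OfficeWebAppsFarm -InternalUrl $internalUrl `
                      -ExternalUrl $externalUrl `
                      -CertificateName $certName `
                      -FarmOU $farmOu

# 2. Restrict which WOPI servers may call the farm. With no hosts defined,
#    any WOPI server is accepted.
New-OfficeWebAppsHost -Domain $wopiDomain

# 3. Verify: the settings a reviewer should check after deployment.
$farm = Get-OfficeWebAppsFarm
[pscustomobject]@{
    InternalUrl     = $farm.InternalUrl
    ExternalUrl     = $farm.ExternalUrl
    AllowHttp       = $farm.AllowHttp        # expected: False
    CertificateName = $farm.CertificateName  # expected: WacFarmCert
    FarmOU          = $farm.FarmOU           # expected: WacServers
    AllowedHosts    = (Get-OfficeWebAppsHost | Out-String).Trim()
    Machines        = (Get-OfficeWebAppsMachine |
                           ForEach-Object { $_.MachineName }) -join ', '
} | Format-List
```

Additional machines are then joined with New-OfficeWebAppsMachine from a computer account inside the FarmOU, with the same certificate installed locally; any machine missing either will fail with one of the error messages listed above, which is the behaviour you want.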

Summary

You’ve seen quite a few ways to protect your WAC farm from information leakage, rogue machines, undesired excessive usage etc. Using HTTPS and certificates together with a dedicated OU in Active Directory will give you the most secure WAC farm. Hopefully you also understand a bit more about how Office Web Apps Server works internally. It’s a magnificent and simple server product, but it should be handled with care.


  • MP said

    Very Good Article. I just finished setting up OfficeWebApps Farm for Sharepoint 2013. I am trying to add new machine to office Farm and i am getting error "Office Web Apps was unable to find the specified certificate”. I have already imported the certificate into Certificate store on the new machine. Any idea how to rectify this ?

    Thanks

  • wei said

    In case of a Lync deployment whereby Office web apps server is also configured for external user to do powerpoint presentation. If I use new-officewebapphost -domain "companyname.com", will it stop external user from using OWA functions?

  • SG said

    Hi Wictor,

    Thanks for the Great Article.

    I have a question about SharePoint extranet publishing.

    We will be publishing SharePoint 2013 to external users using TMG 2010. Do we need to publish Office web app's external URL through TMG so that external user's can view office documents in the browser?

    Thanks

  • Lena Linn said

    Hi Wictor, thanks for a great article. However when I try set-OfficewebappsHost, PowerShell do not recognize the commandlet. Running get-OfficeWebAppsHost is no problem. I cannot find any other references to the commandlet than your article. I have made a single server installation of Office Web Apps, to be used by a single server SharePoint 2013. Any suggestion?
    Kind regards
    Lena

  • Nattis said

    Hi, Wictor
    Great detailed article!
    I just wonder why WAC has to be in top-level OU?
    Microsoft has no documented requirements on this particular topic and our test installation works just fine to run FarmOU parameter on the subOU 5 levels below the top.
    So why are you stating that top-level OU is a requirement for FarmOU parameter to work?
    Regards, Nattis


About Wictor...

Wictor Wilén is a Director and SharePoint Architect working at Connecta AB. Wictor has achieved the Microsoft Certified Architect (MCA) - SharePoint 2010, Microsoft Certified Solutions Master (MCSM) - SharePoint  and Microsoft Certified Master (MCM) - SharePoint 2010 certifications. He has also been awarded Microsoft Most Valuable Professional (MVP) for four consecutive years.
