Secure remote mailbox access

Unauthorized access to users’ Exchange mailboxes is a critical security concern.
With UserLock, administrators can monitor and control IIS-based sessions such as Outlook Web Access (OWA) or ActiveSync connections.

This ensures visibility and protection over all remote mailbox access.

The procedure applies to:

• Exchange 2013

• Exchange 2010

• Exchange 2016 and later (see specific note below)

Before starting, ensure that:

• ✅️ The UserLock IIS Agent is deployed and configured on the Exchange server.

• ✅️ The IIS web applications (OWA, ActiveSync) are enabled on the monitored Exchange server.

1. Once the IIS Agent is installed on the Exchange server, connect to Outlook Web Access (OWA) using any account.

2. In the UserLock console ▸ Active sessions, you’ll see a new IIS session corresponding to the mailbox access.

3. If the user signs out of OWA and you refresh the Active Sessions view, the IIS session disappears, confirming the session tracking is active.
   

If a user’s mailbox is accessed from an unusual workstation or IP address, UserLock immediately makes it visible.

1. In the UserLock console, go to Activity ▸ Active sessions.

2. 👉️ Example: if Jean signs in to Alice’s mailbox through OWA, the session appears under Alice’s name but from Jean’s workstation IP address.

   

3. Identify the suspicious session.

4. Select it, then click Actions ▸ Logoff.

This immediately ends the unauthorized mailbox access.

To prevent future unauthorized access, administrators can restrict IIS sessions by IP address.

1. In the console, open Access Policies from the top menu.

2. Edit an existing policy for your user, or create a new access policy (see Create an access policy for detailed steps).

3. In the policy editor, select the Machine restrictions section.

4. Set Logon from the listed machines are to Denied.

5. Click Add.

6. Select by IP range and enter the values (e.g.: 10.2.2.201 to 10.2.2.201 for the example)

7. Select Session types to IIS.

8. Click Continue then Save.

• Jean is redirected to the OWA logon page.

  

  
  
  

• Any further attempt to log in using Alice’s credentials is denied.

  

The same procedure works on Exchange 2016 and later.
However, there is one specific point to note:

If you follow this procedure to the end, the IIS Agent will be configured only for the “OWA” and “Microsoft-Server-ActiveSync” applications.

With Exchange 2016 or higher, after any update, all HTTP modules (including the IIS Agent) configured only at the application level (not at the IIS root) are automatically disabled.

1. Configure the UserLock IIS Agent HTTP Module at the root level of IIS
   (as documented at the beginning of this article).

2. Specify IIS Application Pools to monitor:

   1. By default, when you configure the IIS agent on an IIS website, all applications from this site are monitored independently of the application pool they run on.

   2. If needed, you can choose to monitor only Web applications running on specific application pools by creating the following registry value (REG_MULTI_SZ type) on the IIS server:
      HKEY_LOCAL_MACHINE\SOFTWARE\ISDecisions\UserLock\IIS\ProtectedApplicationPools

   3. Then enter the list of all application pools you want to supervise (one per line).

   4. On an Exchange server for example, many Web applications are created on the 'IIS Default' website. If you configure the UserLock 'IIS agent' for this site, UserLock will display a lot of IIS sessions.

   5. In most cases, you only want to control sessions from 'Outlook Web Access' and ignore the other Web applications. You can do this by specifying only “MSExchangeOWAAppPool” as application pool to monitor.

   6. If you are interested in Active Sync, add “MSExchangeSyncAppPool”.

   7. Example with both “MSExchangeOWAAppPool” and “MSExchangeSyncAppPool” application pools: