Re: [fw-wiz] Outlook Web Access - Paranoid?

From: Paul Robertson (proberts@patriot.net)
Date: 11/26/02


From: Paul Robertson <proberts@patriot.net>
To: "Mark L. Evans" <MEvans@CO.SLC.UT.US>
Date: Tue Nov 26 16:40:21 2002

On Tue, 26 Nov 2002, Mark L. Evans wrote:

> We're trying to come up with the least dangerous method of allowing our
> users to check their email on MS Exchange. We currently allow them to use
> POP3 only. Our management would like to use Outlook Web Access. I have
> followed the issue on several mailing lists. I know it's a bad idea to use
> Exchange at all but management thinks I am too paranoid on this issue.

(I'm going to stop beating this drum after this one, if people insist on
using compromisable architectures, there's not much else I can do[1].)

Let's take what we know to be true:

IIS has historically been prone to compromise.
SQL Server has been prone to compromise and escalation of priv.
Exchange includes IIS and SQL Server.
OWA has been prone to compromise and is hooked to IIS tightly enough that we
get things like the following (MS01-023):

Disabling Internet Printing via the Internet Services Manager can
interfere with the operation of Outlook Web Access. Specifically, when you
unmap the Internet Printing ISAPI extension via the Internet Services
Manager on an Exchange 2000 server, you're prompted whether or not to
apply the changes to the child folders, including Exchange, Public, and
ExAdmin. If you choose to apply the setting to these child folders,
Outlook Web Access will stop functioning until you restart the Exchange
System Attendant.

Seems to me that you're not going to get a lot of detachment from the
parts of IIS we've historically seen the most brokenness in.

Add in (from the same bulletin):

Two practices in particular that should be followed are:

              Web servers should be isolated within a DMZ. This not only
              separates the servers from the Internet, but also separates
              them from the rest of the network.

              If possible, web servers should be configured as stand-alone
              machines. If it's absolutely necessary to make them part of
              a domain, the domain should only encompass machines
              that reside on the DMZ. Web servers should never be members
              of the larger network's domain.

Now, it seems to me that public-facing OWA servers fly directly in the
face of these two best practices Microsoft themselves recommend.

> It seems the best method is a reverse proxy using squid on a DMZ machine and
> then into the IIS server on the inside over SSL. What are your
> opinions/suggestions on this issue? Do you have any other methods that are
> more secure?

If your management is going to fly in the face of MS' own recommendations
on IIS server placement, I'd document the heck out of the obvious
objections to doing so, and get it signed in ink before going any further.
Seriously. Store copies off-site too.

An HTTP proxy won't help- the attacks here are all in-band against either
IIS or Exchange, or perhaps a combination. You're exposing a service,
probably with user credentials that are good for other things (making
password guessing *really* productive.) You're exposing a machine that
must accept data from random places on the Internet (SMTP is a great way
to get tools onto a box) and you're exposing complex protocols like SSL,
HTTP and SMTP (with MS' content running extensions).

I can't imagine too many scenarios that would be in the category of "worse
ideas."

Maybe I'm just getting cranky, but I'd love to see someone post a
rationale that says that architecturally this isn't a disaster waiting to
happen.

Let's not forget that you're now putting this server in the critical
update path for every IIS, SQL and Exchange patch- can your mail users
afford the downtime that proper maintenance really requires? Can the
machine scale to meet the increased load as well?

Insurance- you should make sure that your management has seen the latest
compromise cost figures, and they're covered specifically by insurance for
this. If they're self-insuring, you should make sure they understand what
those cost figures mean to them when it hits the fan.

If you *have* to do this, VPN it. Make sure you have things covered for
when people leave or become disgruntled.

Paul
[1] I'll happily take the call to come in after an event. It's more
expensive than using products designed for this in the first place though.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation


