RE: [fw-wiz] Outlook Web Access - Paranoid?

From: Paul D. Robertson (proberts@patriot.net)
Date: 11/28/02


From: "Paul D. Robertson" <proberts@patriot.net>
To: Christopher Lee <complexity@bigfoot.com>
Date: Thu Nov 28 19:53:00 2002

On Thu, 28 Nov 2002, Christopher Lee wrote:

> While the number of RPC ports one must open to allow OWA (or any MS DCOM apps)
> to work is insane, that doesn't mean you have to open them manually. Check Point
> firewall (for example) has the smarts to be able to open them dynamically as
> needed. This way, unless the intruder is able to forge the same DCOM/RPC
> communications, the exposure is not all that bad...

While you stop random acts of senseless scanning, the point here is that
there's likely to be an attack vector *through* the OWA box - any in-band
attack against either IIS or OWA gets the firewall happily opening the
ports dynamically - the end result is still a compromised server allowing
access to your domain infrastructure.

This would be a bad thing in most cases - it's a worse thing when you have
historically broken services which don't appear to have been engineered to
live in hostile environments.

"When an attacker can compromise your mail server, then access your domain
controller, that's one degree of separation?"

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
proberts@patriot.net
probertson@trusecure.com
Director of Risk Assessment, TruSecure Corporation
"My statements in this message are personal opinions which may have no basis whatsoever in fact."