RE: [fw-wiz] Outlook Web Access - Paranoid?
From: Stefan Norberg (stefan@orbisec.com)
Date: 12/03/02
- Next message: Simon Graham: "RE: [fw-wiz] OWA and Risk Assesment"
- Previous message: R. DuFresne: "RE: [fw-wiz] intrusion detected"
- In reply to: Paul Robertson: "Re: [fw-wiz] Outlook Web Access - Paranoid?"
- Next in thread: Steve Evans: "RE: [fw-wiz] Outlook Web Access - Paranoid?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Stefan Norberg" <stefan@orbisec.com> To: "'Paul Robertson'" <proberts@patriot.net> Date: Tue Dec 3 15:29:01 2002
> An HTTP proxy won't help- the attacks here are all in-band against either
> IIS or Exchange, or perhaps a combination. You're exposing a service,
> probably with user credentials that are good for other things (making
> password guessing *really* productive.) You're exposing a machine that
> must accept data from random places on the Internet (SMTP is a great way
> to get tools onto a box) and you're exposing complex protocols like SSL,
> HTTP and SMTP (with MS' content running extensions).
Paul and others,
I've always thought/said that setting up an IIS server as an OWA-server
with the Exchange-server on the inside is useless because of all the
ports you need to allow between the IIS and the Exchange boxes.
I tend to recommend the following:
For web access
--------------
1) Run OWA on your Exchange server. Yes, on your Exchange server
2) Set up an Apache server on Unix (if you can secure and maintain it
that is) running a reverse proxy. mod_rewrite does the trick nicely. Use
SecurID (or similar) on the Apache server to eliminate password
guessing and attacks to the Exchange server. The downside is that the
user will be prompted twice for passwords, but most vpn users are used
to that anyway. Often the company does have some form of 'strong-auth'
for the vpn so try to leverage that solution.
For incoming smtp in general
----------------------------
1) Run Postfix or qmail (or possibly another non-bloated mail server) as
a non-privileged user, chrooted on your smtp host (running Unix).
2) Next hop should be a good, easy to use content-scanner (i.e. Mail
Marshal) with a policy that blocks everything that contains
vbscript/java-script/exe-files and virus-scans it too. Generally you
want to send an email to the recipient that you blocked the mail and
he'll have to come with gifts/sacrifices to the b0th-cave if he ever
wants to see it.
3) The Exchange server(s) or whatever other bloated internal mailer.
...and the other way around for outgoing.
Stefan Norberg (stefan@orbisec.com)
NAAPOI
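The reverse-proxy layout from the web-access recommendation above, written out as an Apache httpd configuration. This is an added example, not configuration from the original post or from any of the posters; the host names owa.example.com and exchange.internal, the file paths, and the use of an SSL client certificate as the first authentication factor are all assumptions. The SecurID agent the post mentions is not shown; a client-certificate check at the proxy stands in for it because it lives in the TLS layer and does not collide with the HTTP Authorization header that Exchange itself uses for the second prompt.

```apache
# Added example (not from the original post): Apache httpd as a reverse
# proxy in front of OWA, where OWA runs on the Exchange server itself.
# Assumed names: owa.example.com (public name), exchange.internal (inside).
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module    modules/mod_rewrite.so

Listen 443
<VirtualHost *:443>
    ServerName owa.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/owa.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owa.example.com.key

    # First factor, enforced before any request reaches Exchange.
    # Assumption: a client certificate issued by the company CA stands in
    # for the SecurID agent; the user still gets Exchange's own password
    # prompt afterwards (the "prompted twice" behaviour in the post).
    SSLCACertificateFile /etc/apache2/ssl/company-ca.crt
    SSLVerifyClient      require
    SSLVerifyDepth       1

    # Never act as an open forward proxy; only the explicit rules below
    # are allowed to proxy anything.
    ProxyRequests Off

    RewriteEngine On
    # Send the bare site root to the OWA entry point.
    RewriteRule ^/$ /exchange/ [R,L]
    # Only the OWA virtual directories are forwarded to the inside host.
    RewriteRule ^/(exchange|exchweb|public)(/.*)?$ http://exchange.internal/$1$2 [P,L]
    # Everything else is refused here and never touches IIS.
    RewriteRule .* - [F]

    # Rewrite Location headers in redirects coming back from Exchange so
    # the browser keeps talking to the proxy, not to exchange.internal.
    ProxyPassReverse /exchange/ http://exchange.internal/exchange/
    ProxyPassReverse /exchweb/  http://exchange.internal/exchweb/
    ProxyPassReverse /public/   http://exchange.internal/public/
</VirtualHost>
```

Two things worth checking after loading this: that the firewall between the proxy and the Exchange box allows only the single HTTP connection the [P] rules make (which is the point of running OWA on the Exchange server rather than on a separate IIS box), and that a request for a path outside /exchange, /exchweb and /public gets a 403 from Apache rather than anything from IIS. Putting HTTP Basic authentication at the proxy instead of a client certificate does not work cleanly, because Apache forwards the Authorization header and Exchange would see the proxy's credentials on its own prompt.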