IIS4/5 Directory Security and OWA

From: Evan Mann (emann@questinc.org)
Date: 11/26/01


Message-ID: <3E9FA6A94E9FC34CAC48F081FEB163AC0AF6@EXCHANGE1>
From: Evan Mann <emann@questinc.org>
To: focus-ms@securityfocus.com
Subject: IIS4/5 Directory Security and OWA
Date: Mon, 26 Nov 2001 14:31:57 -0500

Two parts:

1) IIS4 has a directory security option for Windows NT Challenge/Response,
for use when Anonymous access is disabled, which uses NTFS ACLs for
security and requires a username and password. Is this the same as
"Integrated Windows Authentication" in IIS5?

2) My existing Exchange IIS with OWA was not set up by me. I can tell you
the directory where the OWA components lie is set security wise to
Everyone/Full Control. Directory security for the website has allow anon
checked using the IUSR account and the Windows NT Challenge/Response box
checked. Allow executables including scripts is enabled, as are FrontPage
extensions.

I have a 2nd machine in my Exchange Site which I am transitioning to which runs
2000 and IIS5 and I know that there are much better ways to secure OWA with
regards to NTFS ACLs and the IIS security settings. Could someone guide me
as to the best ways to set these IIS5 and NTFS permissions?

BTW - This IIS box is behind a firewall which is accessed via an SMTP proxy
and the .IDA and .IDQ ISAPI filters have been removed. The 2000 server is
patched appropriately, as is my Exchange/OWA install.

I am using Exchange 5.5 SP4


