RE: Securing OWA w/SSL on IIS5.0

From: Evan Mann (emann@questinc.org)
Date: 01/05/02


From: Evan Mann <emann@questinc.org>
To: "'Ogle Ron (Rennes) '" <OgleR@thmulti.com>, Evan Mann <emann@questinc.org>, "''focus-ms@securityfocus.com' '" <focus-ms@securityfocus.com>
Date: Sat, 5 Jan 2002 11:24:26 -0500 

Unfortunately, I am not at the luxury of taking the time or resources to do
things like you suggest. People always come up with some form of idea that
entails using Linux as the cheap route, but this also means one needs to
learn how to do these things in Linux, or go with a route that requires
spending money. In the end, it's just not worth it given the circumstance
and resources available. Some people may call you a bad admin for not doin
everything possible to make your OWA box as secure as possible, but when you
evaluate the use of the system, and the security measures you currently
have, it sometimes cones down the fact that it is simply not worth the
effort.
 

-----Original Message-----
From: Ogle Ron (Rennes)
To: 'Evan Mann'; 'focus-ms@securityfocus.com'
Sent: 1/4/2002 8:07 PM
Subject: RE: Securing OWA w/SSL on IIS5.0

I've looked at this issue myself for my organization. You have some
security issues that you have to solve. First SSL by itself doesn't
solve
completely your issues. With your current setup, you have some big
problems, you have IIS directly connected to the Internet and you can't
trust the client.

<---snipped-->