RE: Securing OWA w/SSL on IIS5.0

From: RandallM (randallm@fidmail.com)
Date: 01/07/02


From: "RandallM" <randallm@fidmail.com>
To: "Evan Mann" <emann@questinc.org>, "'Ogle Ron (Rennes) '" <OgleR@thmulti.com>, <focus-ms@securityfocus.com>
Date: Mon, 7 Jan 2002 11:06:17 -0600

It is common among crackers that this is the type of attitude in admins that
they look for. Crackers have only time to deal with. And when they find such
unsecured servers, it was all worth it. You as the admin are always in the
battle between ease of use, functionality and security, as noted in the book
"Hackers Beware". The former is his enemy but your goal. Which brings me to
a silly question:
Are crackers job security?

-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Saturday, January 05, 2002 10:24 AM
To: 'Ogle Ron (Rennes) '; Evan Mann; ''focus-ms@securityfocus.com' '
Subject: RE: Securing OWA w/SSL on IIS5.0

Unfortunately, I am not at the luxury of taking the time or resources to do
things like you suggest. People always come up with some form of idea that
entails using Linux as the cheap route, but this also means one needs to
learn how to do these things in Linux, or go with a route that requires
spending money. In the end, it's just not worth it given the circumstance
and resources available. Some people may call you a bad admin for not doing
everything possible to make your OWA box as secure as possible, but when you
evaluate the use of the system, and the security measures you currently
have, it sometimes comes down to the fact that it is simply not worth the
effort.

-----Original Message-----
From: Ogle Ron (Rennes)
To: 'Evan Mann'; 'focus-ms@securityfocus.com'
Sent: 1/4/2002 8:07 PM
Subject: RE: Securing OWA w/SSL on IIS5.0

I've looked at this issue myself for my organization. You have some
security issues that you have to solve. First, SSL by itself doesn't solve
completely your issues. With your current setup, you have some big
problems, you have IIS directly connected to the Internet and you can't
trust the client.

<---snipped-->


