RE: Windows/Exchange security auditing tool
From: Sarbjit Singh Gill (ssgill_at_gilltechnologies.com)
Date: 09/11/04
- Previous message: snoofy_at_gmx.net: "RE: How to Recovering files encrypted with Microsoft EFS without the key?"
- In reply to: Bourque Daniel: "RE: Windows/Exchange security auditing tool"
- Next in thread: Scott Harrington: "RE: Windows/Exchange security auditing tool"
To: "'Bourque Daniel'" <Daniel.Bourque@loto-quebec.com>, "'Chad Lorenc '" <CLorenc@entfederal.com>, <focus-ms@securityfocus.com>
Date: Sat, 11 Sep 2004 17:21:02 +0800
I recently did something similar using ISA 2004.
Internet Client ----------ISA 2004 (Form based OWA)---------exchange 2003.
The good thing here is that ISA 2004 generates the form for form-based
authentication OWA with SSL. Hence unauthenticated traffic never goes to
the Exchange server. It is stopped at ISA.
ISA then passes the name/password details to the Exchange backend, on behalf of
the client. ISA does this by creating another SSL channel to the Exchange
server. In other words, ISA does SSL bridging.
Finally, if you have a single public IP, you could create multiple Web Listeners
(these objects listen to traffic from the Internet on specific ports and IPs), and
then chain them up. You could therefore do form-based authentication and
basic authentication on the same public IP and port number (443).
Check out isaserver.org for more details.
Regards
Gill
-----Original Message-----
From: Bourque Daniel [mailto:Daniel.Bourque@loto-quebec.com]
Sent: Monday, September 06, 2004 4:14 AM
To: 'Chad Lorenc '; 'focus-ms@securityfocus.com '
Subject: RE: Windows/Exchange security auditing tool
What about using a reverse proxy in the DMZ to keep OWA inside?
Better, keep the OWA server inside, isolated with an access list so it can only
talk to the DC and the Exchange server?
I think you should look at Microsoft ISA Server for that role or use
a dedicated box like Ciphertrust Ironmail.
-----Original Message-----
From: Chad Lorenc
To: focus-ms@securityfocus.com
Date: 9/2/2004 6:00 PM
Subject: RE: Windows/Exchange security auditing tool
I have a quick question: we are rolling out Exchange 2003 with OWA. Our OWA
server sits in one of our DMZs; because of the Active Directory component, the
engineers state that OWA must be a part of our internal AD domain. We
currently do not have any servers bridging the internal AD domain into the
DMZs.
Is there any way around this requirement?
How significant of a risk does this create, or more importantly, are there
feasible exploits past information probing?
We do have multiple layers of protection such as two-factor authentication
(AD login + random authenticator), host monitoring, firewall rules, VLANs,
etc. I am just curious, on its own, what kind of risk we assume with this
design.
Chad Lorenc