Re: MS Exchange web interface.

From: Stefan Osterlitz (osterlitz@p-p.de)
Date: 09/04/02


From: "Stefan Osterlitz" <osterlitz@p-p.de>
To: "security-basics@securityfocus.com" <security-basics@securityfocus.com>
Date: Wed, 04 Sep 2002 10:44:54 +0200

On Tue, 3 Sep 2002 09:02:04 -0400, Sergey Yefremov wrote:

>Hello everyone,
>I'm new to system administration, and therefore would like to know if there are any security implications in allowing users to read email by using MS Exchange web interface?
>Thank you.
>

Microsoft itself has serious warnings about that topic. You can find much info in the MS knowledge base.

OWA (exchange web access) relies on the underlying services IIS, SMTP, NNTP, POP3, IMAP.
You do not only have to secure Exchange but also IIS AND SMTP at the very least.

MS itself recommends putting the exchange store (the mail database) on one machine and the Web Access with IIS on another.
The Web machine is to be put into the DMZ, as it is external to the network.
You then have to decide where to put the store. If you put it into the dmz, you should not give any internal machine access.
If you put it on the internal net, you have to allow access from the dmz (not good either).

So, these would be my recommendations if you decide to run exchange:
1. get a good firewall setup with dmz
2. get 3 machines (one for OWA, one for the store, one (if possible, linux based) smtp/pop/imap/http proxy)
3. put the store on the dmz (set firewall as gateway)
4. put the owa machine on the dmz (set firewall as gateway)
5. route all external traffic to the owa machine through your proxy, checking for possible attacks.
6. do not allow any direct outside connection to owa, unless through your http proxy
7. set up your firewall to allow imap between the owa machine and the store only.
8. do not allow any external traffic to the store apart from (8).
9. route any traffic within the dmz through your firewall, allowing only specified traffic (ok, this is paranoid)
10. keep on patching..!

Greetings,
Stefan Osterlitz
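
The segmentation in steps 3 to 8 can be written down as an explicit default-deny policy and checked against the flows it is meant to permit and forbid. The following is an added example, not part of the original post: the zone addresses, the HTTPS port for the proxy and OWA hops, and the flow names are constructed, and the rules are read as connection-initiation direction on a stateful firewall.

```python
"""Default-deny model of the OWA / store / proxy DMZ split from the reply.
Added example; addresses and ports below are constructed assumptions."""
from ipaddress import ip_address, ip_network

# Constructed sample addressing: the post names zones, not networks.
ZONES = {
    "external": ip_network("0.0.0.0/0"),      # catch-all, matched last
    "internal": ip_network("10.0.0.0/8"),
    "proxy":    ip_network("192.0.2.10/32"),  # step 2: smtp/pop/imap/http proxy
    "owa":      ip_network("192.0.2.20/32"),  # step 4: OWA machine in the DMZ
    "store":    ip_network("192.0.2.30/32"),  # step 3: Exchange store in the DMZ
}

def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip; 'external' catches the rest."""
    addr = ip_address(ip)
    for name, net in sorted(ZONES.items(), key=lambda kv: -kv[1].prefixlen):
        if addr in net:
            return name
    return "external"

# Steps 5-8 as the only allow rules (src zone, dst zone, proto, dst port).
# Anything not listed is denied, which also covers L26 (no internal -> store).
RULES = [
    ("external", "proxy", "tcp", 443),  # step 5: outside reaches the proxy only
    ("proxy",    "owa",   "tcp", 443),  # step 6: proxy is the sole path to OWA
    ("owa",      "store", "tcp", 143),  # step 7: IMAP from OWA to the store only
]

def permitted(src: str, dst: str, proto: str, port: int) -> bool:
    """First-match allow over RULES; default deny (assumed HTTPS on 443)."""
    key = (zone_of(src), zone_of(dst), proto, port)
    return any(rule == key for rule in RULES)

# Constructed flows exercising the intended and the forbidden paths.
FLOWS = {
    "outside -> proxy https": ("203.0.113.5", "192.0.2.10", "tcp", 443),
    "proxy -> owa https":     ("192.0.2.10",  "192.0.2.20", "tcp", 443),
    "owa -> store imap":      ("192.0.2.20",  "192.0.2.30", "tcp", 143),
    "outside -> owa direct":  ("203.0.113.5", "192.0.2.20", "tcp", 443),  # step 6
    "outside -> store imap":  ("203.0.113.5", "192.0.2.30", "tcp", 143),  # step 8
    "internal -> store smb":  ("10.1.2.3",    "192.0.2.30", "tcp", 445),  # L26
}

def evaluate(flows=FLOWS) -> dict:
    """Map each named flow to whether the policy permits it."""
    return {name: permitted(*flow) for name, flow in flows.items()}
```

Running `evaluate()` against a real rule export instead of FLOWS gives a quick regression check that a later rule change has not reopened a direct path from the outside to OWA or the store.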
