Re: OWA security/hacking

From: Me (reply_in@newsgroup.only)
Date: 08/23/02


From: "Me" <reply_in@newsgroup.only>
Date: Thu, 22 Aug 2002 22:19:49 -0400


Hi Andy,

Give us the URL and we'll tell you. :-)

Seriously, if you have not already done so, you need to run HfNetChk and
apply all missing patches. Actually, if you haven't already done this, it's
probably too late and you need to do a format and total reinstall on the
server. If you need to do this, create a separate partition for IIS to be
installed on so it's not on the OS partition. A year ago when we put OWA up,
the first exploit was attempted against it in four hours and it's gotten
worse. A lot worse.

There are also some Microsoft security patches for OWA itself that need to
be run on the OWA server but not the Exchange server. HfNetChk finds only OS
patches, usually not application security patches.

You need to install IISLockDown from Microsoft and select OWA 5.5 as the
usage (since I assume this server is doing nothing more than running OWA).

You then need to download URLScan v2.5 SRP version and run it on the OWA
server.

You definitely should run 128-bit SSL to protect the communications between
the browsers and OWA. Thawte (www.thawte.com) is probably the cheapest at
about $300 per year. Force 128-bit encryption for all connections, period.
Forget about the whiny home users running 40-bit browsers. They are a threat
to your network.

Go to http://www.leederbyshire.com/LOGONFRM-Mod.htm and make the code
changes you find there. Review the log file it creates each day. A
successful entry in this file means the person got to the server,
authenticated and got to their inbox. It's also great for importing into a
spreadsheet and getting usage statistics. Put a shortcut to its log file on
the desktop and review it daily.

You need to review the folder security of everything on the OWA server and
get rid of the "everyone" "full control" access if appropriate. If you don't
know what you're doing, you can easily render the server inoperable if you
mess this up. Especially make sure no one can write into the
C:\INetPub\WWWRoot folder if you used the default.

Put a shortcut on the desktop to the IIS log files usually found in a folder
somewhere named W3SVC1. Change the default on what is logged to log almost
everything. Review the log files daily.

Put a shortcut on the desktop to the log files created by URLScan and review
them daily.

Internet cafes pose a problem because they can be set to keep SSL files in
the cache. If you're not using SSL... Also, you MUST beat on everyone to
assure they use the Log Off icon AND close every instance of the browser.
Otherwise someone can use the BACK key to get into their email. Many cafes
do not allow you to close the browser.

Anonymous access is OK as long as you load LOGON.ASP into an editor such as
Microsoft FrontPage and remove all of the code that allows anonymous access
to public folders.

Install anti-virus on the server and set it to get new definitions daily.
Have it run a full hard drive scan early every morning.

Make darn sure that there are no unneeded processes running or even
installed! No FTP, no SMTP, no SNMP, no Index Server, no FrontPage
Extensions, etc.

This is pretty much what we did and we just survived an external security
audit. At the peak of their attacks, they were throwing 8 to 10 exploits per
second against it. No denial of service or penetration was achieved. They
tossed over 12,000 attacks and variants against it.

How are you limiting traffic from the OWA server to your internal network?
Is it on a DMZ? If someone is sitting on the OWA server, can they access any
internal resources other than what is needed for OWA (Exchange, DNS, etc.)?
If so, you need to rethink this. Always assume the worst and assume someone
can get into the server and see everything as if they were seated at the
console. This is your last set of defenses.

HTH,

Ray

"Andy" <dad@ad.com> wrote in message
news:d09701c24a1d$32930c80$39ef2ecf@TKMSFTNGXA08...
> Hi, I have just got OWA up and running and have published
> a DNS name for it. We use an Exchange 5.5 server (sp4) and
> have OWA installed on a separate server which is a Win2k
> server with IIS 5.0. We have opened the http port on our
> server which is port 80 and 443 (I think) to point to our
> OWA server, however we are really worried about the
> security of this system. We are using anonymous logons so
> the user will get to logon screens, but how safe is it?
> Should we install the SSL patch? Can hackers get through
> easily, we need to know if someone can gain access, is
> there a way we can hack our own system at all? Also if a
> user logs on in an internet cafe and opens a confidential
> document, does a temp file of it stay on that computer?
>
> Plus can we log who connected at what time & IP in IIS?
>
> Much regards
>
> Andy
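Ray's advice to log almost everything in IIS and read the W3SVC1 logs daily, together with Andy's question about logging who connected at what time and from which IP, is the kind of review a small script makes routine. The following is an added example, not code from this thread or from Microsoft. It assumes the W3C extended log format IIS 5.0 writes (the `#Fields:` header names the columns), assumes OWA is served under `/exchange/`, and runs over constructed log lines. The request shapes it flags are the ones URLScan and IIS Lockdown are meant to reject, so seeing them in the log shows both who is probing the server and whether those filters are actually in place.

```python
"""Daily review helper for IIS 5.0 W3C extended logs on an OWA front end.

Added example, not code from the thread or from Microsoft. Assumes the W3C
extended format IIS writes into W3SVC1 (columns named by '#Fields:') and
that OWA is served under /exchange/; the log text below is constructed.
"""
import re
from collections import Counter

# Constructed sample. Empty fields are '-'; the final line is deliberately
# truncated to show how a damaged line is reported rather than skipped.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-08-22 00:00:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-08-22 08:01:12 203.0.113.5 - 192.0.2.10 443 GET /exchange/logon.asp - 200 Mozilla/4.0
2002-08-22 08:01:20 203.0.113.5 jsmith 192.0.2.10 443 GET /exchange/jsmith/inbox - 200 Mozilla/4.0
2002-08-22 09:14:02 198.51.100.7 - 192.0.2.10 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2002-08-22 09:14:03 198.51.100.7 - 192.0.2.10 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2002-08-22 09:14:04 198.51.100.7 - 192.0.2.10 80 GET /default.ida XXXX 404 -
2002-08-22 10:30:00 203.0.113.9 - 192.0.2.10 443 GET /exchange/logon.asp - 401 Mozilla/4.0
2002-08-22 10:30:05 203.0.113.9 - 192.0.2.10 443 GET /exchange/logon.asp - 401 Mozilla/4.0
2002-08-22 10:30:09 203.0.113.9 - 192.0.2.10 443 GET /exchange/logon.asp - 401 Mozilla/4.0
2002-08-22 10:30:14 203.0.113.9 - 192.0.2.10 443 GET /exchange/logon.asp - 401 Mozilla/4.0
2002-08-22 10:30:18 203.0.113.9 - 192.0.2.10 443 GET /exchange/logon.asp - 401 Mozilla/4.0
2002-08-22 10:30:22 203.0.113.9 - 192.0.2.10 443 GET /exchange/logon.asp - 401 Mozilla/4.0
2002-08-22 11:00:00 203.0.113.5 -
"""

# Request shapes worth a second look on a server that should serve only OWA.
# URLScan / IIS Lockdown are meant to reject these; the log shows whether
# they still arrive and from where. Matched against stem + query.
SUSPICIOUS = [
    ("encoded traversal", re.compile(r"\.\.%|%c0%af|%c1%9c|%255c|%252f", re.I)),
    ("plain traversal", re.compile(r"\.\./|\.\.\\")),
    ("command interpreter in URL", re.compile(r"cmd\.exe|root\.exe", re.I)),
    ("ISAPI extension probe", re.compile(r"\.(ida|idq|htr|printer)\b", re.I)),
]


def parse_w3c(text):
    """Yield one dict per request line, keyed by the current #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            yield {"_malformed": line}  # damaged line: report it, never drop it
            continue
        yield dict(zip(fields, values))


def review(text, owa_prefixes=("/exchange/",), auth_fail_threshold=5):
    """Return findings to read daily plus the logon list and per-IP counts."""
    findings, logons = [], []  # (time, c-ip, reason, request) / (time, user, c-ip)
    per_ip, auth_failures = Counter(), Counter()
    for rec in parse_w3c(text):
        if "_malformed" in rec:
            findings.append(("-", "-", "malformed line", rec["_malformed"]))
            continue
        ip, stem, status = rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"]
        query = rec.get("cs-uri-query", "-")
        request = stem if query == "-" else f"{stem}?{query}"
        per_ip[ip] += 1
        for reason, pattern in SUSPICIOUS:
            if pattern.search(request):
                findings.append((rec["time"], ip, reason, request))
                break
        else:
            # Nothing but OWA should be reachable; anything else is a probe or a leftover.
            if not stem.lower().startswith(owa_prefixes):
                findings.append((rec["time"], ip, "request outside OWA tree", request))
        if status == "401":
            auth_failures[ip] += 1
        if rec.get("cs-username", "-") != "-" and status.startswith("2"):
            logons.append((rec["time"], rec["cs-username"], ip))  # who, when, from where
    # Repeated 401s from one address: a stale password, or someone guessing.
    for ip, n in auth_failures.items():
        if n >= auth_fail_threshold:
            findings.append(("-", ip, f"{n} authentication failures (401)", "-"))
    return {"findings": findings, "logons": logons, "requests_per_ip": per_ip}


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for time, ip, reason, request in report["findings"]:
        print(f"{time:>8} {ip:<15} {reason}: {request}")
    for time, user, ip in report["logons"]:
        print(f"logon {time} {user} from {ip}")
```

On the constructed sample this reports the two encoded-traversal requests and the ISAPI probe from one address, the truncated line, and the six failed logons from a second address, while listing the single successful authenticated session. Pointing `review()` at the real W3SVC1 file for the day (and adding `/exchweb/` to `owa_prefixes` if that tree is in use) is the whole daily routine.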