Re: Outlook Web Access!!

From: Stephen O'Sullivan (stevieo@eircom.net)
Date: 02/27/03


From: "Stephen O'Sullivan" <stevieo@eircom.net>
Date: Thu, 27 Feb 2003 15:13:58 -0000


Skeptical is my middle name.............

The roll out would be on Exchange 2000. The lads at Microsoft are fairly
adamant that this is secure but I have yet to be persuaded.

In the recent Windows & .NET Magazine there was a quarterly publication
called Security Watch. These guys were plugging ISA big time.... They were
saying that in addition to layer 4 protection, you can use ISA server to
protect Exchange server in four different ways. First, you can use ISA's
built-in SMTP filtering. Second, you can implement Exchange RPC filtering.
Third, if you use OWA, you can use ISA Server's HTTP filtering to protect the
IIS server. Fourth, ISA server includes a POP filter that checks POP traffic
for buffer overflow attempts.

That in my opinion is excellent but it doesn't fit my infrastructure. We've
got a tri-homed PIX connected to internet, DMZ and LAN. We've got an SMTP
relay agent on my DMZ talking through port 25 on my PIX to my Exchange
Server on my LAN. One way of securing the whole communications between on
the road sales people and my Exchange through OWA would be setting up our
own CA?? Deploying client certs to verify users are who they say they
are..... ??

I've never been as confused in all my life.

Steve.

"x y, mvp" <levinson_k@despammed.com> wrote in message
news:uLSKRAn3CHA.1516@TK2MSFTNGP12.phx.gbl...
> I too am skeptical about OWA. If nothing else, it adds additional
> components that can break or be broken into and that need to be kept secure
> ongoing... and also you'd unfortunately probably have to configure your
> firewall to permit windows networking between your OWA server and your domain
> controller and/or your Exchange server [if you have a firewall between
> them], which is not ideal. I would only implement OWA if it is considered
> necessary or desirable.
>
> The version of OWA makes a difference. OWA with Exchange 5.5 had some
> issues and errors. I would guess that OWA with Exchange 2000 is better,
> though it does not give you all the same features as using VPN with the
> actual Outlook client.
>
> You probably want to use basic authentication with an SSL certificate to
> encrypt the passwords. www.entrust.net is one place to get cheap certs that
> work, around $120 / year, and www.iisfaq.com and the entrust site both walk
> you through installing a cert.
>
> Microsoft also recommends installing OWA on a server that is NOT your
> Exchange server. More information can be found by searching
> www.microsoft.com/technet, www.microsoft.com/technet/security,
> www.microsoft.com/support, www.google.com, www.exchangeadmin.com, etc.
>
> Other general things you'd want to consider doing to secure IIS and Windows:
>
> http://securityadmin.info/faq.htm#harden
>
> These articles may help you configure firewalls with windows networking:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q179442
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154596
>
>
> "Stephen O'Sullivan" <stevieo@eircom.net> wrote in message
> news:u5c9T6l3CHA.1888@TK2MSFTNGP10.phx.gbl...
> > G/day forum,
> >
> > Just want to ask is Outlook Web Access safe??
> >
> > We plan on deploying same but only after proving its security. Are there any
> > good guidelines I can follow that would aid me in my deployment, bear in
> > mind that I've got a PIX as my firewall and a DMZ structure in place. I also
> > use MIMEsweeper as my SMTP relay and screening server, this is set up
> > on my DMZ.
> >
> > Regards,
> > Steve.
> >
> >
>
>


