Re: Outlook Web Access!!
From: x y, mvp (levinson_k@despammed.com)
Date: 02/27/03
- Next message: lee silk: "Hidden Shares$"
- Previous message: Ricardo M. Urbano - W2K/NT4 MVP: "Re: can't set permission for creator owner"
- In reply to: Stephen O'Sullivan: "Re: Outlook Web Access!!"
- Next in thread: INF: "Re: Outlook Web Access!!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y, mvp" <levinson_k@despammed.com> Date: Thu, 27 Feb 2003 11:46:20 -0500
I don't know how they can be so sure it's secure... AFAIK it's only secure
as long as you carefully configure IIS securely and continuously apply new
relevant IIS and other patches as they come out. Fail to do either of those
[which is very easy to do] and you're compromised. IIS is easy to configure
correctly but also easy to configure incorrectly or miss a patch. Said
differently, OWA is only secure if you secure it correctly yourself.
Also, once you start permitting netbios communications on your DMZ or from
OWA to your DC to do user authentication, intrusion detection becomes
difficult. Windows domain authentication must always use netbios null
sessions by design, and randomly chosen TCP ports for RPC, plus Netbios is a
chatty protocol. Because of these things, telling an SMB attack from the
constant stream of legitimate communications becomes very difficult. I just
skimmed the information you gave below, but I don't see anything there that
ameliorates this.
"Stephen O'Sullivan" <stevieo@eircom.net> wrote in message
news:#4qxXMn3CHA.1900@TK2MSFTNGP10.phx.gbl...
> Skeptical is my middle name.............
>
> The roll out would be on Exchange 2000. The lads at Microsoft are fairly
> adamant that this is secure but i have yet to be persuaded.
>
> In the recent Windows & .NET Magazine there was a quarterly publication
> called Security Watch. These guys were plugging ISA big time.... They were
> saying that in addition to layer 4 protection, you can use ISA server to
> protect Exchange server in four different ways. First, you can use ISA's
> buit-in SMTP filtering. Second, you can implement Exchange RPC filtering.
> Third, if you use OWA, you can use ISA servers http filtering to protect
the
> iis server. Fourth, ISA server includes a POP filter that checks POP
traffic
> for buffer overflow attempts.
>
> That in my opinion is excellent but it doesn't fit my infrastructure.
We've
> got tri-homed PIX connected to internet, DMX and LAN. We've got an SMTP
> relay agent on my DMZ talking through port 25 on my PIX to my Exchange
> Server on my LAN. One way of securing the whole communications between on
> the road sales people and my exchange through OWA would be setting up our
> own CA?? Deploying client certs to verify users are who they say the
> are..... ??
>
> I've never been as confused in all my life.
>
> Steve.
>
> "x y, mvp" <levinson_k@despammed.com> wrote in message
> news:uLSKRAn3CHA.1516@TK2MSFTNGP12.phx.gbl...
> > I too am skeptical about OWA. If nothing else, it adds additional
> > components that can break or be broken into and that need to be kept
> secure
> > ongoing... and also you'd unfortunately probably have to configure your
> > firewall to permit windows networking between your OWA server and your
> doain
> > controller and/or your Exchange server [if you have a firewall between
> > them], which is not ideal. I would only implement OWA if it is
considered
> > necessary or desirable.
> >
> > The version of OWA makes a difference. OWA with Exchange 5.5 had some
> > issues and errors. I would guess that OWA with Exchange 2000 is better,
> > though it does not give you all the same features as using VPN with the
> > actual Outlook client.
> >
> > You probably want to use basic authentication with an SSL certificate to
> > encrypt the passwords. www.entrust.net is one place to get cheap certs
> that
> > work, around $120 / year, and www.iisfaq.com and the entrust site both
> walk
> > you through installing a cert.
> >
> > Microsoft also recommends installing OWA on a server that is NOT your
> > Exchange server. More information can be found by searching
> > www.microsoft.com/technet, www.microsoft.com/technet/security,
> > www.microsoft.com/support, www.google.com, www.exchangeadmin.com, etc.
> >
> > Other general things you'd want to consider doing to secure IIS and
> Windows:
> >
> > http://securityadmin.info/faq.htm#harden
> >
> > These articles may help you configure firewalls with windows networking:
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q179442
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154596
> >
> >
> > "Stephen O'Sullivan" <stevieo@eircom.net> wrote in message
> > news:u5c9T6l3CHA.1888@TK2MSFTNGP10.phx.gbl...
> > > G/day forum,
> > >
> > > Just want to ask is Outlook Web Access safe??
> > >
> > > We plan on deploying same but only after proving its security. IS
there
> > any
> > > good guidelines i can follow that would aid me in my deployment, bear
in
> > > mind that I've got a PIX as my firewall and a DMZ structure in place.
I
> > also
> > > use MIMEsweeper which as my SMTP relay and screening server, this is
set
> > up
> > > on my DMZ.
> > >
> > > Regards,
> > > Steve.
> > >
> > >
> >
> >
>
>
- Next message: lee silk: "Hidden Shares$"
- Previous message: Ricardo M. Urbano - W2K/NT4 MVP: "Re: can't set permission for creator owner"
- In reply to: Stephen O'Sullivan: "Re: Outlook Web Access!!"
- Next in thread: INF: "Re: Outlook Web Access!!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
