Re: Outlook Web Access!!

From: INF (info4u2rd@yahoo.ca)
Date: 02/27/03


From: info4u2rd@yahoo.ca (INF)
Date: 27 Feb 2003 13:25:12 -0800


Here is a link to a 3rd party test document for assisting in locking
down user sessions and timeouts
http://www.messageware.net/audits/owa.html. They also have software
that can assist in conjunction with your firewall and SSL approach.

Regards,
Inf

"Stephen O'Sullivan" <stevieo@eircom.net> wrote in message news:<#4qxXMn3CHA.1900@TK2MSFTNGP10.phx.gbl>...
> Skeptical is my middle name.............
>
> The roll out would be on Exchange 2000. The lads at Microsoft are fairly
> adamant that this is secure but I have yet to be persuaded.
>
> In the recent Windows & .NET Magazine there was a quarterly publication
> called Security Watch. These guys were plugging ISA big time.... They were
> saying that in addition to layer 4 protection, you can use ISA server to
> protect Exchange server in four different ways. First, you can use ISA's
> built-in SMTP filtering. Second, you can implement Exchange RPC filtering.
> Third, if you use OWA, you can use ISA server's HTTP filtering to protect the
> IIS server. Fourth, ISA server includes a POP filter that checks POP traffic
> for buffer overflow attempts.
>
> That in my opinion is excellent but it doesn't fit my infrastructure. We've
> got a tri-homed PIX connected to internet, DMZ and LAN. We've got an SMTP
> relay agent on my DMZ talking through port 25 on my PIX to my Exchange
> Server on my LAN. One way of securing the whole communications between on
> the road sales people and my exchange through OWA would be setting up our
> own CA?? Deploying client certs to verify users are who they say they
> are..... ??
>
> I've never been as confused in all my life.
>
> Steve.
>
> "x y, mvp" <levinson_k@despammed.com> wrote in message
> news:uLSKRAn3CHA.1516@TK2MSFTNGP12.phx.gbl...
> > I too am skeptical about OWA. If nothing else, it adds additional
> > components that can break or be broken into and that need to be kept secure
> > ongoing... and also you'd unfortunately probably have to configure your
> > firewall to permit windows networking between your OWA server and your domain
> > controller and/or your Exchange server [if you have a firewall between
> > them], which is not ideal. I would only implement OWA if it is considered
> > necessary or desirable.
> >
> > The version of OWA makes a difference. OWA with Exchange 5.5 had some
> > issues and errors. I would guess that OWA with Exchange 2000 is better,
> > though it does not give you all the same features as using VPN with the
> > actual Outlook client.
> >
> > You probably want to use basic authentication with an SSL certificate to
> > encrypt the passwords. www.entrust.net is one place to get cheap certs that
> > work, around $120 / year, and www.iisfaq.com and the entrust site both walk
> > you through installing a cert.
> >
> > Microsoft also recommends installing OWA on a server that is NOT your
> > Exchange server. More information can be found by searching
> > www.microsoft.com/technet, www.microsoft.com/technet/security,
> > www.microsoft.com/support, www.google.com, www.exchangeadmin.com, etc.
> >
> > Other general things you'd want to consider doing to secure IIS and Windows:
> >
> > http://securityadmin.info/faq.htm#harden
> >
> > These articles may help you configure firewalls with windows networking:
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q179442
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q154596
> >
> >
> > "Stephen O'Sullivan" <stevieo@eircom.net> wrote in message
> > news:u5c9T6l3CHA.1888@TK2MSFTNGP10.phx.gbl...
> > > G/day forum,
> > >
> > > Just want to ask is Outlook Web Access safe??
> > >
> > > We plan on deploying same but only after proving its security. Are there any
> > > good guidelines I can follow that would aid me in my deployment, bear in
> > > mind that I've got a PIX as my firewall and a DMZ structure in place. I also
> > > use MIMEsweeper, which is my SMTP relay and screening server; this is set up
> > > on my DMZ.
> > >
> > > Regards,
> > > Steve.
> > >
> > >
> >
> >


