December 2nd, 2002, 02:56 PM
Outlook Web Access
Is anyone aware of any security vulnerabilities of Outlook Web Access? All I can ascertain in terms of vulnerability that OWA introduces is the auto-execution of scripts embedded in HTML email when that email is viewed.
Does anyone know of any other "surprises" that might be introduced with this service?
December 2nd, 2002, 07:06 PM
5-minute Security Advisor - Configuring Outlook Web Access
Security Operations Guide for Exchange 2000 Server
Search Google for "outlook web access security" and you will find everything!
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
December 2nd, 2002, 08:08 PM
Besides the post above this for a start, in general do not accept the M$ defaults, have a good firewall, enforce long passwords (warning: if owners are lamers, and they will have their password of GOD and GOD2, they will be hacked and it is your fault). Consider adding 24/7 network monitoring, or at least one new person, because you will spend much of your time nursing lame users and their accounts. I'd ask the simple question: if web access is needed, is it 24/7? Because most employers do not pay 24/7, and if so, is all the access really being used for company business? Limit the number of users, close it down the hours when not in use, or at least login hours. Just some of my general everyday works events of the past.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glenn Seaborg
December 3rd, 2002, 08:59 AM
The bug I hated the worst is with the Service Account. Default allows the sa account access to all! Needless to say I wasn't happy when I could access the CEO's email account. Glad I found it before someone else did...
changing the service account
December 3rd, 2002, 11:55 AM
It would seem then, that there are no known issues with OWA, other than locking down Windows, Exchange and the OWA software in accordance with the usual white papers from Microsoft and other security related sources. Is this the group's general consensus?