OWA Security? Is there any?

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    OWA Security? Is there any?

    Ok..... I've looked all over this morning and can't find anything definitive so I'm asking for people's experience.

    Assuming a properly and regularly patched Exchange 2000 server, properly protected behind a firewall, (ports 25 and 80 allowed, all others blocked), Intrusion Detection Systems in place, centralized logging of System Events on a separate server that are parsed and scrutinized daily and a policy of three authentication attempts and you're locked out for 3 days.........

    The question(s): do you consider remote access from client machines to internal email any more of a risk than a regular web site?

    Is it worth moving it to a less well "travelled" port to avoid detection by worms etc.?

    Any other insights would be helpful. We just converted to Exchange 2000, (finally), and I am considering making people's email public. Yes I could run it through a VPN but I don't really want the grief of dealing with all my non-tech users trying to set up their own PPTP connections.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    IMHO it should be no less secure than running any other webapp. I have used OWA in the past and it is good on the user side of things, but remember it is putting all of their email onto a web-accessible site; weak passwords can be a major headache... definitely move it to a little-used port, and change the default directory and the name of the login page. Also consider running over SSL.
    Who is more trustworthy than all of the gurus or Buddhas?

  3. #3
    Member
    Join Date
    Sep 2001
    Posts
    37
    I've also heard that OWA is reasonably OK provided you lock down Exchange and the OS in the usual way.

    Has anyone any experience in using OWA via SSL to give limited privacy protection when viewing email over the net?

    Regards,

    Alan Mott

  4. #4
    Junior Member
    Join Date
    May 2003
    Posts
    2
    I use OWA with SSL (I would never even consider it without; network passwords in plain text over the net is a bad idea). You don't *have* to buy a certificate: in W2K, set up a CA on your network and make your own.

    We use IISLockdown on the OWA server to secure it further, and firewall it of course. IISLockdown needed some tweaking though to work well.

    Also make sure to use up-to-date AV.

    Hope this helps,

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    bb & Alan: I'm trying to set up SSL right now and trying to be my own Certificate Authority. It works fine except for the fact that the remote clients always get the error that they can't follow the entire trust path. It's a firewall or where-I-have-placed-the-certificate issue, but if the client accepts the certificate as valid despite the warning they do have an SSL connection. I will probably move the SSL port to something less well scanned for though, frankly, having checked my portscan logs there really is not much traffic for 443, but I'll do it anyway when I get the cert issue worked out.

    As for changing the Dir and renaming the base page..... I'll leave that for a while.... We only started the transition on monday and it has gone so smoothly to date I don't want to mess it up at the 11th hour...... Much rather be able to say "see that.... you barely even noticed the change"...... in a week or two I'll consider it..... Then I can pass it off as not being part of the transition.......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Jul 2002
    Posts
    106
    Definitely use SSL with OWA, I wouldn't use it any other way. I've been using it that way for years and have not had any issues with it (knock on wood...). I do recall coming across an issue in which certain users that were using a particular piece of F5 network gear had issues with OWA/SSL. This piece of gear had issues handling OWA/SSL traffic or something like that, but it was localized to the F5 gear? It is not hard to get set up, and you can also configure the server in a way that your users only have to enter http:// and not https://. The server will automatically redirect them to an https:// session. If you need me to I can post a how-to, just say the word.

    Hope this helps
    just making some minor adjustments to your system....
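The http:// to https:// redirect this reply describes, as an added example that is not the poster's IIS how-to: a small Python listener on the plain-HTTP port that answers every request with a permanent redirect to the same path on the HTTPS site. On IIS 5 the same effect is commonly achieved by requiring SSL on the site and pointing the 403.4 custom error page at a short redirect script; this stand-alone script shows the logic that script has to get right. `HTTPS_HOST` and `ALLOWED_HOSTS` are constructed names and are assumptions for the example.

```python
"""Plain-HTTP listener that answers every request with a permanent redirect to
the same path on the HTTPS site, so users can type http://... and still land
on SSL.  Added example; HTTPS_HOST and ALLOWED_HOSTS are constructed names."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

HTTPS_HOST = "owa.example.com"                            # assumption: name on the certificate
ALLOWED_HOSTS = {"owa.example.com", "mail.example.com"}   # assumption: names the site answers to


def https_location(host_header: Optional[str], request_target: str) -> str:
    """Build the Location header for the redirect.

    The client's Host header is honoured only if it is one of the site's own
    names, so a forged Host cannot turn the redirector into a bounce to an
    arbitrary site; anything else falls back to HTTPS_HOST.  Path and query
    survive the hop so /exchange/inbox?view=1 still works afterwards."""
    try:
        hostname = urlsplit("//" + (host_header or "")).hostname  # also strips any :80 suffix
    except ValueError:          # malformed Host header (e.g. a stray "[")
        hostname = None
    host = hostname if hostname in ALLOWED_HOSTS else HTTPS_HOST
    parts = urlsplit(request_target)
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


class RedirectToHttps(BaseHTTPRequestHandler):
    """Every method gets a 301; nothing is ever served over plain HTTP."""

    def _redirect(self) -> None:
        self.send_response(301)  # permanent: browsers cache it and skip port 80 next time
        self.send_header("Location", https_location(self.headers.get("Host"), self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _redirect
    do_HEAD = _redirect

    def do_POST(self) -> None:
        # A body posted to port 80 is already in the clear; do not replay it.
        # A 301 makes the browser re-request the HTTPS URL with GET instead.
        self._redirect()

    def log_message(self, fmt: str, *args) -> None:
        pass  # stay quiet; the logging that matters happens on the HTTPS site


if __name__ == "__main__":
    # Binding port 80 needs administrative privileges on most systems.
    HTTPServer(("0.0.0.0", 80), RedirectToHttps).serve_forever()
```

The point a practitioner checks before trusting any redirector is the last assertion in `https_location`: a request carrying a Host name the site does not own must be sent to the configured name, not to whatever the header says.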

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok..... To revisit this little B#%^^d......

    I have SSL set up with my own Certificate Authority..... It works like a charm with Win98, WINNT, Win2k server and workstation as clients.......

    I have two users with WINXP home who cannot get in though they are doing everything right. The problem is that on the other clients they get a username/password/domain combination but on the XP Home clients they only get the username/password combo and the ensuing login failure......

    Now I have searched the knowledgebase and it says update to SP1 so I had a relatively knowledgeable user do that..... Same error. I have a chap with WINXP Pro testing that tonight. If that works then it has to be something to do with the fact that you can't do domain functions on an XP Home machine.....

    ...... or am I off-base there and there is some kind of fix for this little frustrator......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Priapistic Monk
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by Tiger Shark
    Ok..... To revisit this little B#%^^d......

    I have SSL set up with my own Certificate Authority..... It works like a charm with Win98, WINNT, Win2k server and workstation as clients.......

    I have two users with WINXP home who cannot get in though they are doing everything right. The problem is that on the other clients they get a username/password/domain combination but on the XP Home clients they only get the username/password combo and the ensuing login failure......

    Now I have searched the knowledgebase and it says update to SP1 so I had a relatively knowledgeable user do that..... Same error. I have a chap with WINXP Pro testing that tonight. If that works then it has to be something to do with the fact that you can't do domain functions on an XP Home machine.....

    ...... or am I off-base there and there is some kind of fix for this little frustrator......
    I could be wrong or misinformed, but in the little experience I've had with XP Home, it's riddled with domain limitations. I don't believe XP Home has the ability to interact with domains.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  9. #9
    Junior Member
    Join Date
    May 2003
    Posts
    2
    XP Home doesn't have the ability to be a member of a domain but you can still access resources on a domain, you just have to put domain\username in the username box and then chuck the password in as normal.

    I'm surprised you're getting the 3-entry box anyway, as you only get this if you're using Integrated Windows authentication, which implies a lot of open ports. SSL and Basic authentication is the normal way; set the default domain for authentication in IIS and this should solve your probs.

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Actually the only ports open to this machine are 25 and 443, all the others are blocked and it still works fine. Probably because this machine is not in a demil zone.... I didn't want all those ports open back and forth into the trusted, so I forgo the defense in depth and place stronger policies on the box and better monitoring of the connections. I also get the lockout policies invoked, which are quite draconian (3 tries and out for 3 days), which I believe Basic does not afford me.

    I tried the basic auth with the default set to my domain and it gave me the two boxes but refused to authenticate me...... Go figure..... So in my tinkering I put both Integrated and Basic on it, got the three boxes and everything has been swimming ever since except those durned XP boxes......

    I'll have someone try the mydomain\username tactic and see what happens....

    Thanks
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
