Printable View
Is anyone aware of any security vulnerabilities of Outlook Web Access? All I can ascertain in terms of vulnerability that OWA introduces is the auto-execution of scripts embedded in HTML email when that email is viewed.
Does anyone know of any other "surprises" that might be introduced with this service?
Cheers,
Alan
To start:
http://search.support.microsoft.com/...fxSearch_Query
5-minute Security Advisor - Configuring Outlook Web Access
http://www.microsoft.com/technet/tre...n/5min-301.asp
Security Operations Guide for Exchange 2000 Server
http://www.microsoft.com/technet/tre...de/default.asp
Serach google for "outlook web access security" and you will find everything!
Besides the post above this for a start, in general do not accept the M$ defaults, have a good firewall, enforce long passwords (warning if owners are lammers and They Will have Their password of GOD and GOD2 they will be hacked and it is your fault). Consider adding 24/7 network monitoring, or at least one new person because you will spend much of your time nursing lame users and their accounts. I'd ask the simple question if web access is needed is it 24/7 becuase most employers do not pay 24/7 and if so is all the access really being used for company business. Limit the number of users close it down the hours when not in use or at least login hours. Just some of my general everyday wqorks events of the past. :)
exchange whitepaper
The bug I hated the worst is with the Service Account. Default allows the sa account access to all! Needless to say I wasnt happy when I could access the CEO's email account. Glad I found it before someone else did...
changing the service account
It would seem then, that there are no known issues with OWA, other than locking down Windows, Exchange and the OWA software in accordance with the usual white papers from Microsoft and other security related sources. Is this the groups general consensus?