OWA Security? Is there any?

Printable View

May 14th, 2003, 04:07 PM
Tiger Shark

OWA Security? Is there any?

Ok..... I've looked all over this morning and can't find anything definitive so I'm asking for people's experience.

Assuming a properly and regularly patched Exchange 2000 server, properly protected behind a firewall, (ports 25 and 80 allowed, all others blocked), Intrusion Detection Systems in place, centralized logging of System Events on a separate server that are parsed and scrutinized daily and a policy of three authentication attempts and you're locked out for 3 days.........

The question(s), do you consider remote access from client machines to internal email any more of a risk than a regular web site?

Is it worth moving it to a less well "travelled" port to avoid detection by worms etc.?

Any other insights would be helpful. We just converted to Exchange 2000, (finally), and I am considering making people's email public. Yes I could run it through a VPN but I don't really want the grief of dealing with all my non-tech users trying to set up their own PPTP connections.......
May 14th, 2003, 04:20 PM
bballad

IMHO it should be no less secure then running any other webapp. I have used OWA in the past and it is good on the userside of things but remember it is putting all of their email onto a web accessable site, weak paswords can be a major headace...definatly move it to a littel usedport, and change the default directory, and the name of the login page. Also consider running over SSL.
May 15th, 2003, 11:10 AM
alanmott

I've also heard that OWA is reasonably OK provided you lock down Exchange and the OS in the usual way.

Has anyone any experience in using OWA via SSL to give limited privacy protection when viewing email over the net?

Regards,

Alan Mott
May 15th, 2003, 12:53 PM
shmooster

I use OWA with SSL (would never even consider it without, network passwords in plain text over the net is a bad idea) you don't *have* to buy a certificate, in W2K set up a CA on your network and make your own.

We use IISLockdown on the OWA server to secure it further, and firewall it of course. IISLockdown needed some tweaking though to work well.

Also make sure to use up to date AV,

Hope this helps,
May 15th, 2003, 12:57 PM
Tiger Shark

bb & Alan: I'm trying to set up SSL right now and trying to be my own Certificate Authority. It works fine except for the fact that the remote clients always get the error that they can't follow the entire trust path. It's a firewall or where I have placed the certificate issue but if the client accepts the certificate as valid despite the warning they do have an SSL connection. I will probably move the SSL port to something less well scanned for though, frankly, having checked my portscan logs there really is not much traffic for 443 but i'll do it anyway when I get the cert issue worked out.

As for changing the Dir and renaming the base page..... I'll leave that for a while.... We only started the transition on monday and it has gone so smoothly to date I don't want to mess it up at the 11th hour...... Much rather be able to say "see that.... you barely even noticed the change"...... in a week or two I'll consider it..... Then I can pass it off as not being part of the transition.......;)
May 15th, 2003, 01:02 PM
ol jeb

Definitely use SSL with OWA, I wouldn't use it any other way. I've been using it that way for years and have not had any issues with it(knock on wood...). I do recall coming across an issue in which certain users that were using a particular piece of F5 network gear had issues with OWA/SSL. This piece of gear had issues handling OWA/SSL traffic or something like that, but it was localized to the F5 gear? It is not hard to get setup, and you can also configure the server in a way that your users only have to enter http:// and not https://. The server will automatically redirect them to an https:// session. If you need me to I can post a how-to, just say the word.

Hope this helps
May 21st, 2003, 08:11 PM
Tiger Shark

Ok..... To revisit this little B#%^^d...... :mad:

I have SSL set up with my own Certificate Authority..... It works like a charm with Win98, WINNT, Win2k server and workstation as clients.......

I have two users with WINXP home who cannot get in though they are doing everything right. The problem is that on the other clients they get a username/password/domain combination but on the XP Home clients they only get the username/password combo and the ensuing login failure......

Now I have searched the knowledgebase and it says update to SP1 so I had a relatively knowledgable user do that..... Same error. I have a chap with WINXP Pro testing that tonight. If that works then it has to be something to do with the fact that you can't do domain functions on an XP Home machine.....

...... or am I off-base there and there is some kind of fix for this little frustrator......
May 21st, 2003, 08:22 PM
KorpDeath

Quote:

Originally posted here by Tiger Shark
Ok..... To revisit this little B#%^^d...... :mad:

I have SSL set up with my own Certificate Authority..... It works like a charm with Win98, WINNT, Win2k server and workstation as clients.......

I have two users with WINXP home who cannot get in though they are doing everything right. The problem is that on the other clients they get a username/password/domain combination but on the XP Home clients they only get the username/password combo and the ensuing login failure......

Now I have searched the knowledgebase and it says update to SP1 so I had a relatively knowledgable user do that..... Same error. I have a chap with WINXP Pro testing that tonight. If that works then it has to be something to do with the fact that you can't do domain functions on an XP Home machine.....

...... or am I off-base there and there is some kind of fix for this little frustrator......

I could be wrong or misinformed but the little experience I've had with XP home, it riddled with domain limitations. I don't believe XP home has the ability to interact with domains.
May 21st, 2003, 08:42 PM
shmooster

XP Home doesn't have the ability to be a member of a domain but you can still access resources on a domain, you just have to put domain\username in the username box and then chuck the password in as normal.

I'm surprised you're getting the 3 entry box anyway as you only get this if you're using integrated windows authentication which implies a lot of open ports. SSL and basic authent is the normal way, set the default domain for authentication in IIS and this should solve your probs.
May 21st, 2003, 09:03 PM
Tiger Shark

Actually the only ports open to this machine are 25 and 443, all the others are blocked and it still works fine. Probably because this machine is not in a demil zone.... I didn't want all those ports open back and forth into the trusted so I forego the defense in depth and place stronger policies on the box and better monitoring of the connections. I also get the lockout policies invoked which are quite draconian, (3 tries and out for 3 days), which I believe the Basic does not afford me.

I tried the basic auth with the default set to my domain and it gave me the two boxes but refused to authenticate me...... Go figure..... So in my tinkering I put both Integrated and Basic on it, got the three boxes and everything has been swimming ever since except those durned XP boxes......

I'll have someone try the mydomain\username tactic and see what happens....

Thanks
May 22nd, 2003, 03:13 PM
Tiger Shark

Hah..... One of my employees was playing with it last night and discovered the putting your email address in works too. So in the username box you can put [email protected] and coupled with the right password access is granted.