Security Basics mailing list archives

RE: RPC over HTTPS security risks


From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Wed, 08 Dec 2004 07:02:09 -0500

Tim,

IMHO the largest problem with RPC is its lack of authentication.  With
RPC over HTTPS, the user must authenticate through HTTPS before the RPC
connection is created.  Let's look at the worst case scenario, one where
a hacker has physical access to a home machine that has been set up to
access Exchange via RPC over HTTPS.  Hopefully your users are not using
the same userID and password at home as they are using at work.  Given
this scenario, a user with access to the home machine would attempt to
launch Outlook and would be prompted for his credentials.  They could
attempt a brute force attack but this should be detectable in the web
logs.  This could possibly be detected via IDS.  Normal traffic should
have a much larger amount of information coming from the Exchange server
than a denial of authentication request.  

Another worst case scenario is a company computer such as a laptop that
is stolen or has somehow found its way into a hacker's hands.  In this
scenario the user would have to guess the user's ID and password to gain
access to your Exchange server.  With physical access to the box, this
can be done.  However, with a local account, the user will have to
authenticate with the Exchange server prior to being able to access
mail.  If the user is using a domain account discovering the password
will be more difficult.

If you are already allowing home users to use VPN to access Exchange I
see no new problems added by using RPC over HTTPS.  If VPN is not used
on home machines, RPC over HTTPS adds some additional risk.  IMHO this
risk is offset by the increase in staff productivity by having wider
access to their Exchange data.

Dennis
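Dennis's point that a brute-force attempt against RPC over HTTPS "should be detectable in the web logs", and that a denied authentication sends far less data back from Exchange than a normal session, can be turned into a simple check over the IIS log. The following Python is an added example, not code from this thread or from Microsoft; it assumes IIS W3C extended logging with the fields listed in the `#Fields:` line, that the RPC proxy sits at the default `/rpc/rpcproxy.dll` virtual directory, and that the client uses the `RPC_IN_DATA`/`RPC_OUT_DATA` methods. The log lines are constructed sample data, not real traffic.

```python
"""Spot repeated authentication failures against the RPC proxy in IIS logs.

Added example, not from the original thread.  Assumptions: W3C extended log
format with the fields named in the #Fields: directive, and the RPC proxy
at the default /rpc/rpcproxy.dll.  SAMPLE_LOG is constructed test data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Default field order if the log has no #Fields: line (assumption).
FIELDS = ["date", "time", "c-ip", "cs-username", "cs-method", "cs-uri-stem",
          "sc-status", "sc-bytes", "cs-bytes"]

RPC_PROXY_PATH = "/rpc/rpcproxy.dll"   # assumed default RPC proxy location

# Constructed sample: 203.0.113.7 fails repeatedly, 198.51.100.4 fails once
# then logs on and pulls a normal amount of mail data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-bytes cs-bytes
2004-12-07 14:40:01 203.0.113.7 - RPC_IN_DATA /rpc/rpcproxy.dll 401 1656 312
2004-12-07 14:40:03 203.0.113.7 - RPC_IN_DATA /rpc/rpcproxy.dll 401 1656 312
2004-12-07 14:40:04 203.0.113.7 - RPC_IN_DATA /rpc/rpcproxy.dll 401 1656 312
2004-12-07 14:40:06 203.0.113.7 - RPC_IN_DATA /rpc/rpcproxy.dll 401 1656 312
2004-12-07 14:40:09 203.0.113.7 - RPC_IN_DATA /rpc/rpcproxy.dll 401 1656 312
2004-12-07 14:40:12 203.0.113.7 - RPC_IN_DATA /rpc/rpcproxy.dll 401 1656 312
2004-12-07 14:40:15 198.51.100.4 - RPC_IN_DATA /rpc/rpcproxy.dll 401 1656 312
2004-12-07 14:40:16 198.51.100.4 CORP\\jdoe RPC_IN_DATA /rpc/rpcproxy.dll 200 0 48620
2004-12-07 14:40:16 198.51.100.4 CORP\\jdoe RPC_OUT_DATA /rpc/rpcproxy.dll 200 524288 0
2004-12-07 14:41:30 203.0.113.7 - GET /exchange/ 401 1656 280
"""


def parse_iis_log(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields = FIELDS
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields: changes how data lines are read.
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than abort the whole scan
        rec = dict(zip(fields, parts))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def detect_auth_failures(records, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: max 401s seen within any `window`} for clients that
    reached `threshold` failed authentications against the RPC proxy."""
    failures = defaultdict(list)
    for rec in records:
        if rec["cs-uri-stem"].lower() == RPC_PROXY_PATH and rec["sc-status"] == "401":
            failures[rec["c-ip"]].append(rec["timestamp"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def bytes_served_by_client(records):
    """Sum sc-bytes sent back per client on the RPC proxy path.  A client that
    only ever receives small 401 responses stands out against a real session."""
    served = defaultdict(int)
    for rec in records:
        if rec["cs-uri-stem"].lower() == RPC_PROXY_PATH:
            served[rec["c-ip"]] += int(rec["sc-bytes"])
    return dict(served)


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print("flagged:", detect_auth_failures(recs))
    print("bytes served:", bytes_served_by_client(recs))
```

The two functions cover both halves of Dennis's observation: the first counts denied authentications per source within a short window, the second shows how little data a failing client receives compared with a user who actually opens a mailbox. Thresholds are deliberately conservative; tune them against your own baseline before wiring the output into an IDS or alerting.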

-----Original Message-----
From: Tim Hanekamp [mailto:thanekamp () gmail com] 
Sent: Tuesday, December 07, 2004 2:44 PM
To: security-basics () securityfocus com
Subject: RPC over HTTPS security risks

We have begun to implement RPC over HTTPS for Exchange 2003 at our
corporate office.  Before rolling this service out to our users, who
then could possibly start using it on their home computers, which
could easily be insecure, we are trying to evaluate the possible
security threats that this poses.

It would seem that if someone were able to own a machine that had this
configured on it, it would be fairly easy for them to use the Exchange
server as a relay for mail and/or completely flood the system with
viruses, especially if the computer were infected with a virus.

Do you think this would be the case, and, if so, what measures do you
think could be taken in order to mitigate this risk?  The only thing
we could come up with so far was requiring these clients to use
digital certificates and only install these certificates on machines
that have been inspected and will be used in the proper setting (not
that we could ever really be certain of the latter idea).

Thoughts?
