Security Basics mailing list archives
RE: RPC over HTTPS security risks
From: "Depp, Dennis M." <deppdm () ornl gov>
Date: Wed, 08 Dec 2004 07:02:09 -0500
Tim,

IMHO the largest problem with RPC is its lack of authentication. With RPC over HTTPS, the user must authenticate through HTTPS before the RPC connection is created.

Let's look at the worst-case scenario, one where a hacker has physical access to a home machine that has been set up to access Exchange via RPC over HTTPS. Hopefully your users are not using the same userID and password at home as they are using at work. Given this scenario, a user with access to the home machine would attempt to launch Outlook and would be prompted for his credentials. They could attempt a brute force attack but this should be detectable in the web logs. This could possibly be detected via IDS. Normal traffic should have a much larger amount of information coming from the Exchange server than a denial of authentication request.

Another worst-case scenario is a company computer such as a laptop that is stolen or has somehow found its way into a hacker's hands. In this scenario the user would have to guess the user's ID and password to gain access to your Exchange server. With physical access to the box, this can be done. However, with a local account, the user will have to authenticate with the Exchange server prior to being able to access mail. If the user is using a domain account, discovering the password will be more difficult.

If you are already allowing home users to use VPN to access Exchange, I see no new problems added by using RPC over HTTPS. If VPN is not used on home machines, RPC over HTTPS adds some additional risk. IMHO this risk is offset by the increase in staff productivity by having wider access to their Exchange data.

Dennis

-----Original Message-----
From: Tim Hanekamp [mailto:thanekamp () gmail com]
Sent: Tuesday, December 07, 2004 2:44 PM
To: security-basics () securityfocus com
Subject: RPC over HTTPS security risks

We have begun to implement RPC over HTTPS for Exchange 2003 at our corporate office. Before rolling this service out to our users, who then could possibly start using it on their home computers, which could easily be insecure, we are trying to evaluate the possible security threats that this poses. It would seem that if someone were able to own a machine that had this configured on it, it would be fairly easy for them to use the Exchange server as a relay for mail and/or completely flood the system with viruses, especially if the computer were infected with a virus. Do you think this would be the case, and, if so, what measures do you think could be taken in order to mitigate this risk? The only thing we could come up with so far was requiring these clients to use digital certificates and only install these certificates on machines that have been inspected and will be used in the proper setting (not that we could ever really be certain of the latter idea). Thoughts?
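The reply above says a brute force attempt should be detectable in the web logs. The following is an added example, not part of the original thread, of one way to look for it: it counts 401 responses per client IP in a sliding window on the RPC proxy endpoint. It assumes IIS W3C extended logging with the fields shown and the proxy path /rpc/rpcproxy.dll; the threshold, window and sample log lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the thread): one normal client that gets a
# single 401 challenge and then authenticates, and one client that only fails.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
     "2004-12-08 07:00:00 198.51.100.20 - RPC_IN_DATA /rpc/rpcproxy.dll 401",
     "2004-12-08 07:00:01 198.51.100.20 CORP\\alice RPC_IN_DATA /rpc/rpcproxy.dll 200",
     "2004-12-08 07:00:01 198.51.100.20 CORP\\alice RPC_OUT_DATA /rpc/rpcproxy.dll 200"]
    + [f"2004-12-08 07:05:{s:02d} 203.0.113.9 - RPC_IN_DATA /rpc/rpcproxy.dll 401"
       for s in range(0, 60, 10)])

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def flag_bruteforce(text, threshold=5, window=timedelta(minutes=1),
                    path="/rpc/rpcproxy.dll"):
    """Return {client_ip: peak number of 401s inside one window} for every
    client that reaches the threshold. A lone 401 is a normal part of HTTP
    authentication, so only sustained runs of failures are reported."""
    recent = defaultdict(deque)   # per-IP timestamps of recent 401s
    peaks = {}
    for row in parse_w3c(text):
        if row["cs-uri-stem"].lower() != path or row["sc-status"] != "401":
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"],
                               "%Y-%m-%d %H:%M:%S")
        q = recent[row["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[row["c-ip"]] = max(peaks.get(row["c-ip"], 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, count in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed authentications within one minute")
```
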