Re: Outlook Web Access

["David Glosser" <david_glosser () yahoo com>]

We placed a linux box running apache in reverse-proxy mode. That box is
accessible from the outside world (port 80/443), not the webmail box  (we
run domino web access but the same principle would apply).  Most of the
code-red and nimda ca-ca is filtered on tat box.  A clientless SSL VPN
should achieve the same thing with better security if you can afford it.
Other comments, such as running a web application firewall, should be
implemented as well if you can afford it.


----- Original Message ----- 
From: "steve" <securityfocus () delahunty com>
To: <security-basics () securityfocus com>
Sent: Wednesday, June 02, 2004 9:35 AM
Subject: Outlook Web Access


> We are still running Exchange 5.5 and until we start our Exchange 2003
> migration we want to improve the way we are running Outlook Web Access
(OWA)
> in terms of security.  We use SSL.  We prohibit traffic to the box other
> than port 80 and 443.  Other than the obvious recommendations of using the
> recommended OWA install and hardening the OS where OWA is running does the
> list have any other recommendations on protecting the OWA box?  For
> instance, can OWA be configured to run on Linux/Apache instead of Windows
> 2000/IIS5?
>
> Thanks
>
>
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or
less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------------------
--


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------