Firewall Wizards mailing list archives
RE: Outlook Web Access - Paranoid?
From: "Stefan Norberg" <stefan () orbisec com>
Date: Tue, 3 Dec 2002 21:45:36 +0100
An HTTP proxy won't help - the attacks here are all in-band against either IIS or Exchange, or perhaps a combination. You're exposing a service, probably with user credentials that are good for other things (making password guessing *really* productive.) You're exposing a machine that must accept data from random places on the Internet (SMTP is a great way to get tools onto a box) and you're exposing complex protocols like SSL, HTTP and SMTP (with MS' content running extensions).
Paul and others, I've always thought/said that setting up an IIS server as an OWA-server with the Exchange-server on the inside is useless because of all the ports you need to allow between the IIS and the Exchange boxes. I tend to recommend the following:

For web access
--------------
1) Run OWA on your Exchange server. Yes, on your Exchange server.
2) Set up an Apache server on Unix (if you can secure and maintain it, that is) running a reverse proxy. mod_rewrite does the trick nicely. Use Secure/ID (or similar) on the Apache server to eliminate password guessing and attacks to the Exchange server. The downside is that the user will be prompted twice for passwords, but most vpn users are used to that anyway. Often the company does have some form of 'strong-auth' for the vpn, so try to leverage that solution.

For incoming smtp in general
----------------------------
1) Run Postfix or qmail (or possibly another non-bloated mail server) as a non-privileged user, chrooted on your smtp host (running Unix).
2) Next hop should be a good, easy to use content-scanner (i.e. Mail Marshal) with a policy that blocks everything that contains vbscript/java-script/exe-files and virus-scans it too. Generally you want to send an email to the recipient that you blocked the mail and he'll have to come with gifts/sacrifices to the b0th-cave if he ever wants to see it.
3) The Exchange server(s) or whatever other bloated internal mailer.

...and the other way around for outgoing.

Stefan Norberg (stefan () orbisec com)
NAAPOI
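The reverse-proxy setup Stefan describes in step 2 of the web access section, written out as an added Apache configuration example. This is not from the original post; the hostnames, the OWA path and the listening address are assumptions, and the point of the shape is that only the OWA URL space is forwarded to the Exchange box while everything else is refused at the proxy, so the Exchange server never sees the rest of the Internet's HTTP traffic directly.

```apache
# Added example: Apache reverse proxy in front of OWA running on the Exchange server.
# Requires mod_ssl, mod_rewrite, mod_proxy and mod_proxy_http to be loaded.
# All hostnames and paths below are placeholders, not values from the original post.

Listen 443
<VirtualHost *:443>
    ServerName owa.example.com            # assumed external name

    SSLEngine on
    SSLCertificateFile    /etc/ssl/owa.example.com.crt   # assumed paths
    SSLCertificateKeyFile /etc/ssl/owa.example.com.key

    # Never act as a forward proxy; only the explicit rules below may proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Strong authentication at the proxy so password guessing never reaches
    # Exchange. The auth provider is site-specific (SecurID, PAM, ...) and is
    # assumed here; mod_authn_* modules must be configured accordingly.
    <Location />
        AuthType Basic
        AuthName "OWA (token code)"
        Require valid-user
    </Location>

    RewriteEngine On
    # Only the OWA application paths are forwarded to the internal Exchange host
    # (assumed name exchange.internal). [P] hands the request to mod_proxy.
    RewriteRule ^/exchange(/.*)?$  http://exchange.internal/exchange$1  [P,L]
    RewriteRule ^/exchweb(/.*)?$   http://exchange.internal/exchweb$1   [P,L]
    RewriteRule ^/public(/.*)?$    http://exchange.internal/public$1    [P,L]

    # Everything else is refused at the proxy and never reaches IIS/Exchange.
    RewriteRule .* - [F,L]

    # Rewrite Location/Content-Location headers in redirects coming back from
    # Exchange so clients keep talking to the proxy, not the internal name.
    ProxyPassReverse /exchange http://exchange.internal/exchange
    ProxyPassReverse /exchweb  http://exchange.internal/exchweb
    ProxyPassReverse /public   http://exchange.internal/public

    LogLevel warn
    ErrorLog  /var/log/apache/owa-error.log    # assumed paths
    CustomLog /var/log/apache/owa-access.log combined
</VirtualHost>
```

The firewall between the proxy and the Exchange server then only needs to allow the proxy host to the Exchange host on the proxied port, which is the whole point of the design compared with an IIS front end that needs the full set of Exchange RPC ports open. Whether the hop from proxy to Exchange is plain HTTP (as above) or HTTPS depends on how much the inside network is trusted; with HTTPS the RewriteRule and ProxyPassReverse targets simply change scheme.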