Security Basics mailing list archives
RE: RPC over HTTP security
From: "LordInfidel" <LordInfidel () directionweb com>
Date: Fri, 28 Jan 2005 21:18:14 -0500
You don't need ISA server to do that though, issue certs that is. Any NT4, 2K or 2K3 server can be configured as a stand-alone root CA and issue client certs. (I prefer using OpenSSL and Linux to create my own root CAs and issue client certs from it, but that is me.)

If this is a corporate network that is using Exchange 2K3, then I would really dissuade against using IMAPs or POP3s for remote users. The reasoning is because you start to lose control over the users' mailboxes when you start allowing them to download and remove e-mail from the server. Yes, IMAP allows it to be stored on both, but you lose the GroupWise features that are one of the prevalent reasons of moving to Exchange. You don't want to have the conversation with your boss about not being able to retrieve a disgruntled employee's e-mail.

SMTPs? Why run an open relay? Unless you're forcing the SMTP VS to reject any connections that do not have a client cert mapped (which I have not seen available to a 2k/2k3 SMTP VS). All because the connection is encrypted does not mean a hill of beans when anyone in the world can connect to it with a valid u/p. Not to mention you will need to create another VS and either bind it to a second IP or to a port other than 25 if using the same IP.

One thing that should not be overlooked here is the new OWA interface on 2K3. It is pretty powerful and can be used in lieu of Outlook while still retaining a lot of the Outlook perks, as long as you run it under IE on a PC. (Heck, I even find myself forgoing connecting to my desktop remotely to check e-mail and opt for OWA.)

Also, if you deploy front end and back end servers <ex2k3 does not have the hefty price tag anymore to run a FE server>, you get gains in performance and security. Basically, remote mail systems connect to the FE server, to include your remote OWA and RPC over HTTPS clients, leaving your back end servers to just serve up requests to your users. (And you can have multiple FE servers that can connect to multiple BE servers; it's very sexy when you're in an enterprise scenario, but I digress.)

JMO and everyone has one.

-----Original Message-----
From: Price, Robert H [mailto:rhpric () sandia gov]
Sent: Friday, January 28, 2005 11:06 AM
To: LordInfidel; sf_mail_sbm () yahoo com; security-basics () securityfocus com
Subject: RE: RPC over HTTP security

Using the ISA Server, set up a Secure mail.domain.com and an SMTPS.domain.com and issue certificates; if configured correctly, the users can even set up an IMAP client not on your network and use the SMTPS for relaying messages.

-----Original Message-----
From: LordInfidel () directionweb com [mailto:LordInfidel () directionweb com]
Sent: Thursday, January 27, 2005 9:33 AM
To: sf_mail_sbm () yahoo com; security-basics () securityfocus com
Subject: RE: RPC over HTTP security

http://office.microsoft.com/en-us/assistance/HA011402731033.aspx

~tips~
Make sure you use it over https and not http. (Use self-signed CA certs.)
The client side needs to be Outlook 2003; previous versions will not work.

-----Original Message-----
From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com]
Sent: Wednesday, January 26, 2005 8:03 AM
To: security-basics () securityfocus com
Subject: RPC over HTTP security

Hi List,

We are thinking about deploying RPC over HTTP to access email from the Internet. Wanted to get some information on the technology and the security implications of same. Not much info from Microsoft's site. Any help would be greatly appreciated.

Thanks,
Ronish
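
Added example, not part of the original post: one way to do what the reply describes with OpenSSL on Linux, creating a private root CA that issues a client certificate, followed by the check a server makes when it is set to require client certificates. The names `Example Root CA` and `remote.user`, the function names and all file names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; all names (Example Root CA, remote.user, file names) are constructed.

# make_ca DIR: create a private root CA key and self-signed certificate in DIR.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client DIR CN: create a key and CSR for CN, then sign it with the CA
# as an end-entity certificate limited to TLS client authentication.
issue_client() {
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature' \
        'extendedKeyUsage = clientAuth' > "$1/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/client.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# is_trusted_client DIR CERT: succeed only if CERT chains to the CA in DIR
# and is valid for TLS client authentication.
is_trusted_client() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" >/dev/null 2>&1
}

# Demo: the CA-issued cert verifies; a self-signed cert with the same CN does not.
d=$(mktemp -d)
make_ca "$d" && issue_client "$d" remote.user
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
    -subj "/CN=remote.user" -keyout "$d/fake.key" -out "$d/fake.crt" 2>/dev/null
is_trusted_client "$d" "$d/remote.user.crt" && echo "issued cert: accepted"
is_trusted_client "$d" "$d/fake.crt" || echo "self-signed cert: rejected"
rm -rf "$d"
```

The CA private key (`ca.key`) is written unencrypted here only to keep the example non-interactive; a CA used in production would keep it passphrase-protected and offline.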