Re: Outlook Anywhere

[Danny Puckett <dpuckett () comresource com>]

If you just need to allow browser based email access then OWA is the quick and 
easy way to do this. If users need full Outlook functionality (usually for 
calendering) then you can setup an RPC over HTTPS proxy. Properly configured 
they are both about the same from a security standpoint. You can never truly 
trust the remote endpoint as they are out of your control but this is usually 
a risk most business are willing to accept with proper policies in place 
requiring end users use anti-virus and such.

On Thursday 07 December 2006 10:38 pm, Ahsan Khan wrote:
> Do you mean RPC over HTTPS for outlook 2003, if so there is not RPC port
> open from outside, you only need to open HTTPS and HTTP ports for your OWA
> servers and you are all set, talk to you Exchange Admins and have them
> configured OWA access for RPC over HTTP.
>
> Regards
> Ahsan Khan
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of clwsecurity () mistral co uk
> Sent: Thursday, December 07, 2006 9:36 AM
> To: security-basics () securityfocus com
> Subject: Outlook Anywhere
>
> Hi
>
> My company is thinking of implementing Outlook Anywhere but my boss & I
> don't think it's totally secure.
>
> 1> ATM, we don't allow RPC but from the blurb, we'll need to start
> allowing. How risky is this?
>
> 2> AFAIK, we'll be reliant on the users' AV rather than on the server.  AV
> is on the server but scans nightly and "on read".  Please could we have
> opinions on this.
>
> Has anybody else looked into this and decided it's either ok or too risky?
>
> All comments gladly received.
>
> ---------------------------------------------------------------------------
> This list is sponsored by: ByteCrusher
>
> Detect Malicious Web Content and Exploits in Real-Time.
> Anti-Virus engines can't detect unknown or new threats.
> LinkScanner can. Web surfing just became a whole lot safer.
>
> http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
> ---------------------------------------------------------------------------
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by: ByteCrusher
>
> Detect Malicious Web Content and Exploits in Real-Time.
> Anti-Virus engines can't detect unknown or new threats.
> LinkScanner can. Web surfing just became a whole lot safer.
>
> http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
> ---------------------------------------------------------------------------

-- 
Danny Puckett
CISSP, MCSE:Security, Security+, 
CCNA, CCDA, CCA, CNA
Senior Systems Engineer
Technical Resource Manager
ComResource Inc.
614-221-6348 ext 23 

---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------