Firewall Wizards mailing list archives
Re: Outlook Web Access - Paranoid?
From: Paul Robertson <proberts () patriot net>
Date: Tue, 26 Nov 2002 16:57:35 -0500 (EST)
On Tue, 26 Nov 2002, Mark L. Evans wrote:
> We're trying to come up with the least dangerous method of allowing our users to check their email on MS Exchange. We currently allow them to use POP3 only. Our management would like to use Outlook Web Access. I have followed the issue on several mailing lists. I know it's a bad idea to use Exchange at all but management thinks I am too paranoid on this issue.
(I'm going to stop beating this drum after this one; if people insist on using compromisable architectures, there's not much else I can do[1].)

Let's take what we know to be true: IIS has historically been prone to compromise. SQL Server has been prone to compromise and escalation of priv. Exchange includes IIS and SQL Server. OWA has been prone to compromise and is hooked tightly enough into IIS that we get things like the following (MS01-023):

    Disabling Internet Printing via the Internet Services Manager can interfere with the operation of Outlook Web Access. Specifically, when you unmap the Internet Printing ISAPI extension via the Internet Services Manager on an Exchange 2000 server, you're prompted whether or not to apply the changes to the child folders, including Exchange, Public, and ExAdmin. If you choose to apply the setting to these child folders, Outlook Web Access will stop functioning until you restart the Exchange System Attendant.

Seems to me that you're not going to get a lot of detachment from the parts of IIS we've historically seen the most brokenness in. Add in (from the same bulletin):

    Two practices in particular that should be followed are: Web servers should be isolated within a DMZ. This not only separates the servers from the Internet, but also separates them from the rest of the network. If possible, web servers should be configured as stand-alone machines. If it's absolutely necessary to make them part of a domain, the domain should only encompass machines that reside on the DMZ. Web servers should never be members of the larger network's domain.

Now, it seems to me that public-facing OWA servers fly directly in the face of these two best practices Microsoft themselves recommend.
> It seems the best method is a reverse proxy using squid on a DMZ machine and then into the IIS server on the inside over SSL. What are your opinions/suggestions on this issue? Do you have any other methods that are more secure?
If your management is going to fly in the face of MS' own recommendations on IIS server placement, I'd document the heck out of the obvious objections to doing so, and get it signed in ink before going any further. Seriously. Store copies off-site too.

An HTTP proxy won't help - the attacks here are all in-band against either IIS or Exchange, or perhaps a combination. You're exposing a service, probably with user credentials that are good for other things (making password guessing *really* productive). You're exposing a machine that must accept data from random places on the Internet (SMTP is a great way to get tools onto a box), and you're exposing complex protocols like SSL, HTTP and SMTP (with MS' content running extensions). I can't imagine too many scenarios that would be in the category of "worse ideas."

Maybe I'm just getting cranky, but I'd love to see someone post a rationale that says that architecturally this isn't a disaster waiting to happen.

Let's not forget that you're now putting this server in the critical update path for every IIS, SQL and Exchange patch - can your mail users afford the downtime that proper maintenance really requires? Can the machine scale to meet the increased load as well?

Insurance - you should make sure that your management has seen the latest compromise cost figures, and they're covered specifically by insurance for this. If they're self-insuring, you should make sure they understand what those cost figures mean to them when it hits the fan.

If you *have* to do this, VPN it. Make sure you have things covered for when people leave or become disgruntled.

Paul

[1] I'll happily take the call to come in after an event. It's more expensive than using products designed for this in the first place though.

-----------------------------------------------------------------------------
Paul D. Robertson         "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
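Paul's point that an Internet-facing OWA front end makes password guessing against domain credentials "really productive" is one thing a defender can at least watch for on the IIS side. The following is an added example, not code from this thread or from Microsoft: a small Python script that reads IIS W3C Extended log lines and flags client addresses whose rejected credentials look like guessing. The log lines are constructed sample data, the field layout (date, time, c-ip, cs-username, cs-method, cs-uri-stem, sc-status) is an assumption to be matched against your own #Fields directive, and the thresholds are placeholders to tune for your user base.

```python
"""Flag password guessing against an Internet-facing OWA front end from IIS W3C logs.

Added example for the firewall-wizards thread on OWA exposure; not code from the
thread or from Microsoft. Assumes IIS W3C Extended logging with the fields named
in the #Fields directive below. The log lines are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (IIS W3C Extended format). Not real traffic.
# 203.0.113.7 walks through six usernames in six seconds, then gets in as alice;
# 198.51.100.9 is a normal Basic/NTLM challenge followed by a successful login.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-11-26 16:00:01 203.0.113.7 - GET /exchange/ 401
2002-11-26 16:00:02 203.0.113.7 alice GET /exchange/ 401
2002-11-26 16:00:03 203.0.113.7 bob GET /exchange/ 401
2002-11-26 16:00:04 203.0.113.7 carol GET /exchange/ 401
2002-11-26 16:00:05 203.0.113.7 dave GET /exchange/ 401
2002-11-26 16:00:06 203.0.113.7 erin GET /exchange/ 401
2002-11-26 16:00:07 203.0.113.7 frank GET /exchange/ 401
2002-11-26 16:00:30 198.51.100.9 - GET /exchange/ 401
2002-11-26 16:00:31 198.51.100.9 alice GET /exchange/ 200
2002-11-26 16:05:00 203.0.113.7 alice GET /exchange/ 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields directive before data lines")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the whole run
        yield dict(zip(fields, values))


def find_guessing(text, window=timedelta(seconds=60), max_failures=5, max_users=3):
    """Return {c-ip: report} for sources whose rejected credentials look like guessing.

    Thresholds are placeholders: max_failures rejected logins inside `window`, or
    max_users distinct usernames tried from one address, triggers a finding.
    """
    events = defaultdict(list)  # c-ip -> [(timestamp, username, status)]
    for e in parse_w3c(text):
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        events[e["c-ip"]].append((ts, e["cs-username"], e["sc-status"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        # Only a 401 that carries a username is a rejected credential; a 401 with
        # "-" is the normal first leg of the Basic/NTLM challenge and is no guess.
        fails = [(t, u) for t, u, s in evs if s == "401" and u != "-"]
        if not fails:
            continue
        # Densest burst of failures inside any sliding window.
        worst = 0
        for i, (t0, _) in enumerate(fails):
            worst = max(worst, sum(1 for t, _ in fails[i:] if t - t0 <= window))
        users = {u for _, u in fails}
        # A success from the same address after the burst is the case to escalate:
        # the guessed credential is probably also good elsewhere on the network.
        later_success = any(s == "200" and u != "-" and t > fails[0][0]
                            for t, u, s in evs)
        if worst >= max_failures or len(users) >= max_users:
            findings[ip] = {
                "failures_in_window": worst,
                "distinct_users": sorted(users),
                "success_after_failures": later_success,
            }
    return findings


if __name__ == "__main__":
    for ip, report in find_guessing(SAMPLE_LOG).items():
        print(ip, report)
```

Run against a real log, the "success_after_failures" cases are the ones to act on first, since on the architecture Paul describes the credential that just worked against OWA is very likely a domain credential that works against everything else too.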