Firewall Wizards mailing list archives

Re: Outlook Web Access - Paranoid?


From: Paul Robertson <proberts () patriot net>
Date: Tue, 26 Nov 2002 16:57:35 -0500 (EST)

On Tue, 26 Nov 2002, Mark L. Evans wrote:

> We're trying to come up with the least dangerous method of allowing our
> users to check their email on MS Exchange. We currently allow them to use
> POP3 only. Our management would like to use Outlook Web Access. I have
> followed the issue on several mailing lists. I know it's a bad idea to use
> Exchange at all but management thinks I am too paranoid on this issue.

(I'm going to stop beating this drum after this one, if people insist on 
using compromisable architectures, there's not much else I can do[1].)

Let's take what we know to be true:

IIS has historically been prone to compromise.
SQL Server has been prone to compromise and escalation of priv.
Exchange includes IIS and SQL Server.
OWA has been prone to compromise and is hooked tightly enough into IIS that we 
get things like the following (MS01-023):

Disabling Internet Printing via the Internet Services Manager can 
interfere with the operation of Outlook Web Access. Specifically, when you 
unmap the Internet Printing ISAPI extension via the Internet Services 
Manager on an Exchange 2000 server, you're prompted whether or not to 
apply the changes to the child folders, including Exchange, Public, and
ExAdmin. If you choose to apply the setting to these child folders, 
Outlook Web Access will stop functioning until you restart the Exchange 
System Attendant.

Seems to me that you're not going to get a lot of detachment from the 
parts of IIS we've historically seen the most brokenness in.

Add in (from the same bulletin):

Two practices in particular that should be followed are: 

              Web servers should be isolated within a DMZ. This not only 
              separates the servers from the Internet, but also separates
              them from the rest of the network. 

              If possible, web servers should be configured as stand-alone 
              machines. If it's absolutely necessary to make them part of 
              a domain, the domain should only encompass machines
              that reside on the DMZ. Web servers should never be members 
              of the larger network's domain. 

Now, it seems to me that public-facing OWA servers fly directly in the 
face of these two best practices Microsoft themselves recommend.  

> It seems the best method is a reverse proxy using squid on a DMZ machine and
> then into the IIS server on the inside over SSL. What are your
> opinions/suggestions on this issue? Do you have any other methods that are
> more secure?

If your management is going to fly in the face of MS' own recommendations 
on IIS server placement, I'd document the heck out of the obvious 
objections to doing so, and get it signed in ink before going any further.  
Seriously.  Store copies off-site too.

An HTTP proxy won't help- the attacks here are all in-band against either 
IIS or Exchange, or perhaps a combination.  You're exposing a service, 
probably with user credentials that are good for other things (making 
password guessing *really* productive.)  You're exposing a machine that 
must accept data from random places on the Internet (SMTP is a great way 
to get tools onto a box) and you're exposing complex protocols like SSL, 
HTTP and SMTP (with MS' content running extensions).  

I can't imagine too many scenarios that would be in the category of "worse 
ideas."

Maybe I'm just getting cranky, but I'd love to see someone post a 
rationale that says that architecturally this isn't a disaster waiting to 
happen.

Let's not forget that you're now putting this server in the critical 
update path for every IIS, SQL and Exchange patch- can your mail users 
afford the downtime that proper maintenance really requires?  Can the 
machine scale to meet the increased load as well?  

Insurance- you should make sure that your management has seen the latest 
compromise cost figures, and they're covered specifically by insurance for 
this.  If they're self-insuring, you should make sure they understand what 
those cost figures mean to them when it hits the fan.

If you *have* to do this, VPN it.  Make sure you have things covered for 
when people leave or become disgruntled.  

Paul
[1] I'll happily take the call to come in after an event.  It's more 
expensive than using products designed for this in the first place though.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards