Full Disclosure mailing list archives

Re: Secure OWA


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 26 Aug 2006 14:30:22 -0400

On 8/26/06, Adriel Desautels <simon () snosoft com> wrote:

> Dude, which is more secure in your opinion. A base install of sendmail
> or a base install of OWA/exchange?


Sorry, that was a bad comparison/joke. They are two different
products. One is a mailserver, the other a webpage. To answer your
question, leaving any SMTP server open to the web with only its base
install is asking for trouble. A secure messaging infrastructure has
layers just like any secure system. Firewall, SMTP Gateway, front end,
then back end server is my preference, in that order, with the SMTP
gateway being a different OS than your back end servers.

OWA is pretty nifty though, with almost every feature of the MAPI
client. The only real fault I know about is the fact that you can
guess passwords eternally without locking out user accounts. Also, as
with any web front end, you can access it from anywhere. This means
two things:

1: You can't control the security of the client machines. Whether it is
a home PC, internet kiosk, or wifi connection at Starbucks, the
connection is going to be made from an infected machine sooner or
later.

2: Using two factor authentication has to be done with SecurID, as
most kiosks and public use PCs don't have card readers.

If two factor authentication is not a possibility (due to cost or some
such) then make sure to watch your logs for massive amounts of
authentication attempts or even an unusual amount of attempts for the
same account.

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
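The log-watching advice at the end of the post, as an added worked example that is not part of the original message or of any Exchange tooling. It runs over a constructed IIS W3C log excerpt in front of an OWA virtual directory and flags three things: one source IP failing logons at a high rate, one account failing from several sources, and one IP cycling through many distinct account names. The field layout in the `#Fields:` line, the use of IIS status 401 with substatus 1 as "logon failed", the ten-minute window and the thresholds are all assumptions for the example; tune them to your own logs.

```python
"""Detect password guessing against a web mail front end in IIS W3C logs.

Added example (not from the mailing-list post).  Assumptions: logs use the
W3C extended format with the #Fields line shown below, and a failed
Basic/forms logon is recorded as sc-status 401 with sc-substatus 1.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IIS 401.1 = "logon failed" (assumed mapping for this example).
FAILED_LOGON = ("401", "1")

# Constructed sample: 203.0.113.7 sprays many accounts, "alice" is hit from
# several clients, 192.0.2.10 is a normal challenge-then-success login.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2006-08-26 18:00:01 203.0.113.7 alice GET /exchange/ 401 1
2006-08-26 18:00:02 203.0.113.7 bob GET /exchange/ 401 1
2006-08-26 18:00:03 203.0.113.7 carol GET /exchange/ 401 1
2006-08-26 18:00:04 203.0.113.7 dave GET /exchange/ 401 1
2006-08-26 18:00:05 203.0.113.7 erin GET /exchange/ 401 1
2006-08-26 18:00:06 203.0.113.7 frank GET /exchange/ 401 1
2006-08-26 18:00:07 198.51.100.4 alice GET /exchange/ 401 1
2006-08-26 18:00:08 198.51.100.5 alice GET /exchange/ 401 1
2006-08-26 18:00:09 198.51.100.6 alice GET /exchange/ 401 1
2006-08-26 18:00:10 198.51.100.4 alice GET /exchange/ 401 1
2006-08-26 18:00:11 192.0.2.10 - GET /exchange/ 401 2
2006-08-26 18:00:12 192.0.2.10 dave GET /exchange/ 200 0
2006-08-26 18:30:00 203.0.113.7 grace GET /exchange/ 401 1
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip, don't crash
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def failed_logons(records):
    """Keep only real logon failures: 401.1 with a username supplied.
    A bare 401 challenge (substatus 2, username '-') is not an attempt."""
    return [r for r in records
            if (r["sc-status"], r["sc-substatus"]) == FAILED_LOGON
            and r["cs-username"] != "-"]


def peak_rate(events, key, window):
    """Per value of `key`, the most events inside any sliding `window`."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e["ts"])
    peaks = {}
    for k, times in by_key.items():
        times.sort()
        recent, best = deque(), 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            best = max(best, len(recent))
        peaks[k] = best
    return peaks


def find_guessing(records, window=timedelta(minutes=10),
                  per_ip=5, per_account=3):
    """Return the IPs, accounts and spraying sources that cross thresholds."""
    fails = failed_logons(records)
    ips = peak_rate(fails, "c-ip", window)
    accounts = peak_rate(fails, "cs-username", window)
    names_per_ip = defaultdict(set)
    for f in fails:
        names_per_ip[f["c-ip"]].add(f["cs-username"])
    return {
        "ips": {ip: n for ip, n in ips.items() if n >= per_ip},
        "accounts": {u: n for u, n in accounts.items() if n >= per_account},
        "spraying": {ip: sorted(u) for ip, u in names_per_ip.items()
                     if len(u) >= per_ip},
    }


if __name__ == "__main__":
    for kind, hits in find_guessing(parse_w3c(SAMPLE_LOG)).items():
        print(kind, hits)
```

The per-account check is the one that catches a low-and-slow attacker who rotates source addresses, which a per-IP threshold alone misses; the "spraying" check catches the opposite pattern of one source trying one password against many names. Whatever thresholds you pick, alert on the count rather than on a single event, since a few failures per user per day is normal.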