Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations biv343 on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Does SSL with OWA protect you?

Status
Not open for further replies.
ashleym

ashleym

MIS
Mar 30, 2001
375
I am curious, I have OWA and IIS installed (on my exchange 5.5 SP4 server) and configured for SSL, so only 56 or 128 bit encrypted browsers can access OWA. Am I protected from external attacks more because I am using SSL? I am referring to the attacks that hackers run when they type very long strings into a browsers address window trying to exploit IIS. I am using basic authentication for OWA with SSL. I am just curious if it is necessary to apply all of the relevant patches to IIS 4 after a new install if OWA is configured with SSL. I know I am still vulnerable to internal attacks such as Code Red and nimda.

Thanks
 
Sort by date Sort by votes
HI!

You are better protected agains "bulk attacks" like Code Red does, since these attacks normally scan for port 80 only.
However, you are NOT better protected from attacking the same exploits using HTTPS, since the same IIS handles the requests.
So you should apply latest Service Pack (for NT and Exchange) and SRP from MS.
A better solution is to install OWA on a different machine.
You may also wish to change the HTTP and/or HTTPS port used.
Virusses and worms normaly scans for default ports. Changing them will give you better protection, however malicious users scanning your server will still find the new port easily.

Bye
Yizhar Hurwitz
 
Upvote 0 Downvote
Thank you for your reply. I do not want to install IIS on a different machine as that would give me another point of failure. My Exchange server is very robust with mulitple levels of fault tolerance, so they chances of it going down are remote. If I were to install OWA on another IIS server I would have to invest in fault tolerance on that machine to ensure it would not go down and take my OWA with it.

I am mainly concerned about the common vulnerabilites that plague IIS.

Thank you.
Ashley
 
Upvote 0 Downvote
fault tolerant machines are great - hard disks, psu's and so on. do you have fault tolerant software? if you are breached, that is it...

a separate iis means only that server goes down in a breach.
 
Upvote 0 Downvote
I am not sure what you mean by "breached" If you mean "hacked" by a virus or an exploit, then the fact that I have a network would mean all of my servers would be vulnerable, unless I had my OWA machine on a DMZ. Sure, software is the next logical level of FT, but I don't honestly think I need to go there.

Thanks

Ashley
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

microsGuy16
  • Locked
  • Question
Global Address List Names not showing in Outlook OWA 365
Replies
0
Views
3K
microsGuy16
microsGuy16
ponoodle
  • Locked
  • Question
Disabling OWA for on prem Exchange while in a hybrid envirenment.
Replies
0
Views
2K
ponoodle
ponoodle
stanlyn
  • Locked
  • Question
How to do Certificates on MultiDomain Exchange with Least Cost
Replies
1
Views
2K
Wesaf
Wesaf
BroBias
  • Locked
  • Question
mailbox databases dismounting frequently without followable reason
Replies
1
Views
2K
BroBias
BroBias
Rupinder Kaur
  • Locked
  • Question
How do you delete time from activity in QuickBooks?
Replies
3
Views
345
strongm
strongm

Part and Inventory Search

Sponsor

Back
Top