OWA and 525 1

Status
Not open for further replies.

DV37201

MIS
Dec 21, 2001
19
US
In an earlier post Yizhar wrote the following:
"My suggestion is not to solve that problem, but to avoid future worse adventures by not allowing OWA to your internal Exchange server, or at least only allowing it via VPN."
I am assuming this is due to the security risk? I am curious if putting the Exchange box in the DMZ would be preferred if requiring VPN is not always possible? Or would security still be an issue since the Exchange box would need to have paths to a DC on the inside of the PIX?

Thanks,
Brian
 
HI.

There are 2 risks that you take if you allow OWA:

1) Since it relies on IIS - an attacker or virus like Code Red might take over and/or damage the system using IIS faults.
Most known problems are blocked using latest security patches and proper configuration, but the risk is still there.

2) An attacker might get access to a user mailbox, and using it might mess things up more easily.

Placing an Exchange server in the DMZ isn't simple, and as you wrote, if the attacker hacks the Exchange system it can access other servers from there using open ports unless the server in the DMZ is really isolated.


Using VPN is also not a perfect solution and poses many security risks, but is currently a safer cost-effective compromise if properly configured.

Bye
Yizhar Hurwitz
 
Thanks for the reply Yizhar.
You are absolutely right. Without being patched up, an IIS server exposed to the web will get hit by Code Red fast. In our case we monitor external PCs infected with Nimda (which can spread just like Code Red) trying to hit our IIS servers 1-2 times a day.
I wish we could require our users to VPN to use OWA. But this is not possible since they travel a lot and use several PCs.
It appears my best solution is to put the Exchange box in the DMZ and lock it down as tightly as possible.
Thanks again for the help Yizhar. BTW the tools and utilities you wrote are quite impressive.

Brian
 
HI.

OK, here are some more tips for your scenario:

* If possible, implement a separate Exchange server for traveling users in the DMZ, that will only communicate with the internal one using SMTP. This can minimize the risks.

* Change the OWA http port to a random higher one, like 22334.
This will reduce visibility of your server since it won't be hit by Code Red and such scans, but of course a specific port scan on your server IP will reveal it.

* Make sure that all traveling users have strong passwords and that other users are not enabled for HTTP (in the Exchange Administrator).

Bye
Yizhar Hurwitz
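
An added example, not part of the thread: a check of the first tip above (the DMZ server talks to the internal Exchange server over SMTP only), run over a constructed, vendor-neutral rule list. All addresses, the rule tuple format and the function name `audit_dmz_rules` are assumptions for illustration; rule ordering and shadowing are not evaluated.

```python
import ipaddress

# Constructed addresses for illustration; none of them come from the thread.
DMZ_OWA = ipaddress.ip_network("192.168.50.10/32")     # DMZ Exchange/OWA server
INSIDE = ipaddress.ip_network("10.0.0.0/8")            # internal network
INTERNAL_MAIL = ipaddress.ip_network("10.1.1.25/32")   # internal Exchange server
SMTP = 25

# Constructed rule list: (action, proto, src, dst, port_lo, port_hi)
RULES = [
    ("permit", "tcp", "192.168.50.10/32", "10.1.1.25/32", 25, 25),   # intended flow
    ("permit", "tcp", "192.168.50.10/32", "10.1.1.5/32", 389, 389),  # path to a DC
    ("permit", "tcp", "192.168.50.0/24", "10.0.0.0/8", 135, 139),    # RPC/NetBIOS
    ("permit", "tcp", "192.168.50.10/32", "10.1.1.0/24", 25, 25),    # SMTP, too wide
    ("permit", "udp", "192.168.50.20/32", "10.1.1.5/32", 53, 53),    # other DMZ host
    ("deny", "ip", "0.0.0.0/0", "0.0.0.0/0", 0, 65535),
]

def audit_dmz_rules(rules):
    """Return permit rules that let the DMZ server reach the inside network
    on anything other than TCP/25 to the internal mail server."""
    findings = []
    for rule in rules:
        action, proto, src, dst, lo, hi = rule
        if action != "permit":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Relevant only if the rule covers the DMZ server and touches the inside.
        if not (src_net.overlaps(DMZ_OWA) and dst_net.overlaps(INSIDE)):
            continue
        smtp_only = proto == "tcp" and lo == hi == SMTP
        dst_exact = dst_net == INTERNAL_MAIL  # exactly the mail host, not a subnet
        if not (smtp_only and dst_exact):
            findings.append(rule)
    return findings

if __name__ == "__main__":
    for finding in audit_dmz_rules(RULES):
        print("too permissive:", finding)
```

Every rule it reports is a path an attacker who takes over the DMZ server could use to reach other internal servers.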
 