Security Basics mailing list archives

RE: RPC over HTTP security


From: "LordInfidel" <LordInfidel () directionweb com>
Date: Fri, 28 Jan 2005 21:18:14 -0500

You don't need ISA server to do that though, issue certs that is.  Any
NT4, 2K or 2K3 server can be configured as a stand-alone root CA and
issue client certs. (I prefer using OpenSSL and linux to create my own
root CAs and issue client certs from it, but that is me)

If this is a corporate network that is using exchange2k3, then I would
really dissuade you from using IMAPs or POP3s for remote users.

The reasoning is because you start to lose control over the users'
mailboxes when you start allowing them to download and remove e-mail
from the server.  Yes, IMAP allows it to be stored on both, but you lose
the GroupWise features that are one of the prevalent reasons for moving to
exchange.  You don't want to have the conversation with your boss about
not being able to retrieve a disgruntled employee's e-mail.

SMTPs? Why run an open relay?  Unless you're forcing the smtp VS to reject
any connections that do not have a client cert mapped (which I have not
seen available to a 2k/2k3 smtp vs).  Just because the connection is
encrypted does not mean a hill of beans when anyone in the world can
connect to it with a valid u/p.  Not to mention you will need to create
another VS and either bind it to a second IP or to a port other than 25
if using the same IP.

One thing that should not be overlooked here is the new OWA interface on
2K3.  It is pretty powerful and can be used in lieu of Outlook while
still retaining a lot of the Outlook perks.  As long as you run it under
IE on a pc. (Heck, I even find myself forgoing connecting to my desktop
remotely to check e-mail and opt for OWA)

Also, if you deploy front end and back end servers <ex2k3 does not have
the hefty price tag anymore to run a FE server>, you get gains in
performance and security.  Basically remote mail systems connect to the
FE server to include your remote OWA and RPC over HTTPS clients, leaving
your back end servers to just serve up requests to your users. (and you
can have multiple FE servers that can connect to multiple BE servers,
it's very sexy when you're in an enterprise scenario, but I digress.)

JMO and everyone has one.

-----Original Message-----
From: Price, Robert H [mailto:rhpric () sandia gov] 
Sent: Friday, January 28, 2005 11:06 AM
To: LordInfidel; sf_mail_sbm () yahoo com;
security-basics () securityfocus com
Subject: RE: RPC over HTTP security

Using the ISA Server set up a Secure mail.domain.com and a
SMTPS.domain.com and issue certificates; if configured correctly the
users can even set up an IMAP client not on your network and use the SMTPS
for relaying messages.

-----Original Message-----
From: LordInfidel () directionweb com [mailto:LordInfidel () directionweb com]
Sent: Thursday, January 27, 2005 9:33 AM
To: sf_mail_sbm () yahoo com; security-basics () securityfocus com
Subject: RE: RPC over HTTP security

http://office.microsoft.com/en-us/assistance/HA011402731033.aspx

~tips~
Make sure you use it over https and not http. (use self signed CA certs)
The client side needs to be outlook 2003, previous versions will not
work.

-----Original Message-----
From: sf_mail_sbm () yahoo com [mailto:sf_mail_sbm () yahoo com]
Sent: Wednesday, January 26, 2005 8:03 AM
To: security-basics () securityfocus com
Subject: RPC over HTTP security
Hi List,
We are thinking about deploying RPC over HTTP to access email from the
Internet.

Wanted to get some information on the technology and the security
implications of same.

Not much info from Microsoft's site.

Any help would be greatly appreciated.

Thanks,
Ronish
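The stand-alone root CA and client certificates that LordInfidel describes building with OpenSSL, shown here as an added example (not code from anyone in the thread): the CA issues a client-auth-only certificate, and the final check is what a front-end gateway applies to each connecting client, so that a valid username and password alone is not enough to reach the mail server. The names corp_ca and alice, and the scratch directory, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal stand-alone root CA in
# OpenSSL that issues client-auth certificates, plus the acceptance check
# a front-end gateway applies to each connecting client. Assumed names:
# corp_ca, alice; files live in a scratch directory.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA. In production the CA key is generated and kept
# offline; only the certificate is installed on the gateway.
make_root_ca() {
    ca="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$ca.key" -out "$WORK/$ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$ca.ext"
    openssl x509 -req -days 3650 -in "$WORK/$ca.csr" -signkey "$WORK/$ca.key" \
        -extfile "$WORK/$ca.ext" -out "$WORK/$ca.crt" 2>/dev/null
}

# Issue a user cert restricted to client authentication, so a leaked
# user cert cannot be repurposed as a server or CA certificate.
issue_client_cert() {
    ca="$1"; user="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$WORK/$user.ext"
    openssl x509 -req -days 365 -in "$WORK/$user.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -extfile "$WORK/$user.ext" -out "$WORK/$user.crt" 2>/dev/null
}

# Gateway-side check: the presented cert must chain to OUR root and be
# valid for TLS client auth. Prints "accept" or "reject"; a password
# alone never gets past this step.
client_status() {
    ca="$1"; user="$2"
    if openssl verify -purpose sslclient -CAfile "$WORK/$ca.crt" \
            "$WORK/$user.crt" 2>/dev/null | grep -q ': OK$'; then
        echo accept
    else
        echo reject
    fi
}

# Demo run: build the corporate CA and enrol one remote user.
make_root_ca corp_ca "Example Corp Mail CA"
issue_client_cert corp_ca alice
client_status corp_ca alice   # accept
```

A certificate issued by any other CA, even one with a perfectly valid chain of its own, is rejected by the same check because its root is not the one installed on the gateway.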
