Security Basics mailing list archives
OWA, basic authentication, and Windows NT Challenge and Response NTLM
From: bret.lugo () gmail com
Date: 16 Mar 2006 01:22:18 -0000
If a user uses Outlook Web Access over https on an untrusted network such as a wifi hotspot or an airport and does not check the certificate to make sure it's valid, would it be possible for someone to use a program proxy such as Paros to see their user name and password if basic authentication is used on the OWA server? Would using Windows NT Challenge and Response NTLM not allow this to happen? Also, what would be the best defense against this sort of attack if your users do not check for valid certificates when using untrusted networks? Maybe make them IPsec VPN in before they can access OWA?

Thanks for the help