Full Disclosure mailing list archives
Re: Secure OWA
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 26 Aug 2006 14:30:22 -0400
On 8/26/06, Adriel Desautels <simon () snosoft com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dude, which is more secure in your opinion. A base install of sendmail or a
> base install of OWA/exchange?
Sorry, that was a bad comparison/joke. They are two different products. One is a mailserver, the other a webpage.

To answer your question, leaving any SMTP server open to the web with only its base install is asking for trouble. A secure messaging infrastructure has layers just like any secure system. Firewall, SMTP Gateway, front end, then back end server is my preference, in that order, with the SMTP gateway being a different OS than your back end servers.

OWA is pretty nifty though, with almost every feature of the MAPI client. The only real fault I know about is the fact that you can guess passwords eternally without locking out user accounts.

Also, as with any web front end, you can access it from anywhere. This means two things:

1: You can't control the security of the client machines. Whether it is a home PC, internet kiosk, or Wi-Fi connection at Starbucks, the connection is going to be made from an infected machine sooner or later.

2: Using two factor authentication has to be done with SecurID, as most kiosks and public use PCs don't have card readers.

If two factor authentication is not a possibility (due to cost or some such) then make sure to watch your logs for massive amounts of authentication attempts or even an unusual amount of attempts for the same account.

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
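The log-watching advice in the message above, sketched as an added example that is not part of the original post: it flags accounts and source addresses whose failed OWA logins peak inside a ten-minute window. The W3C field layout, the `/exchange` path, the thresholds, and the assumption that the web server records the attempted user name on 401 responses are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines (not real data) covering both patterns in the message."""
    rows = ["#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status"]
    # One account guessed from six different sources.
    rows += [f"2006-08-26 14:00:{i * 5:02d} 203.0.113.{i + 1} CORP\\bob POST /exchange/ 401" for i in range(6)]
    # One source trying 25 different accounts.
    rows += [f"2006-08-26 14:05:{i:02d} 192.0.2.50 CORP\\user{i} POST /exchange/ 401" for i in range(25)]
    # An ordinary mistyped password followed by a successful login.
    rows += [f"2006-08-26 14:06:0{s} 198.51.100.4 CORP\\alice GET /exchange/ {code}"
             for s, code in ((0, 401), (9, 200))]
    return "\n".join(rows)

def failed_logins(text, prefix="/exchange"):
    """Keep 401s under the OWA path. Assumption: the attempted name is logged on 401."""
    fields, events = [], []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#Fields:"):
            fields = parts[1:]  # column names come from the log's own directive
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        failed = row["sc-status"] == "401" and row["cs-username"] != "-"
        if failed and row["cs-uri-stem"].lower().startswith(prefix):
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            row["cs-username"] = row["cs-username"].lower()  # count CORP\Bob with corp\bob
            events.append(row)
    return events

def bursts(events, key, threshold, window=timedelta(minutes=10)):
    """Map each key value to its peak failure count in any window, if >= threshold."""
    stamps_by_key, flagged = defaultdict(list), {}
    for e in events:
        stamps_by_key[e[key]].append(e["ts"])
    for value, stamps in stamps_by_key.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[value] = peak
    return flagged

def report(text, per_account=5, per_source=20):
    events = failed_logins(text)
    return {"accounts": bursts(events, "cs-username", per_account),
            "sources": bursts(events, "c-ip", per_source)}
```

Counting per account as well as per source matters here because guesses against one mailbox spread over many addresses never trip a per-source threshold.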