Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Secure OWA
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 26 Aug 2006 14:30:22 -0400

On 8/26/06, Adriel Desautels <simon () snosoft com> wrote:
Hash: SHA1

Dude, which is more secure in your opinion. A base install of sendmail
or a base install of OWA/exchange?

sorry, that was a bad comparison/joke. They are two different
products. One is a mailserver, the other a webpage. To answer your
question, leaving any SMTP server open to the web with only its base
install is asking for trouble. A secure messaging infrastructure has
layers just like any secure system. Firewall, SMTP Gateway, front end,
then back end server is my preference, in that order, with the SMTP
gateway being a different OS than your back end servers.

OWA is pretty nifty though, with almost every feature of the MAPI
client. The only real fault I know about is the fact that you can
guess passwords eternally without locking out user accounts. Also, as
with any web front end, you can access it from anywhere. This means
two things:

1: You cant control the security of the client machines. Whether it is
a home PC, internet kiosk, or wifi connection at starbucks, the
connection is going to be made from an infected machine sooner or

2: Using two factor authentication has to be done with SecureID, as
most Kiosks and public use PC's dont have card readers.

If two factor authentication is not a possibility (due to cost or some
such) then make sure to watch your logs for massive amounts of
authentication attempts or even an unsusal amount of attempts for the
same account.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]