
Security Basics mailing list archives
RE: RPC over HTTPS security risks
From: "James McGee" <james () infosec co im>
Date: Wed, 8 Dec 2004 15:01:40 -0000
Enable them OWA, that way the only access they need is via HTTP(s).

Opening up RPC to the Internet is iffy in my opinion, unless you can get them all static IPs, and then filter your front end firewall to only allow them in.

Outlook Web Access would enable them to access the data from anywhere. If they use their own machines you are opening up a big can of worms!

Hope this helps!

JM

-----Original Message-----
From: Tim Hanekamp [mailto:thanekamp () gmail com]
Sent: 07 December 2004 19:44
To: security-basics () securityfocus com
Subject: RPC over HTTPS security risks

We have begun to implement RPC over HTTPS for Exchange 2003 at our corporate office. Before rolling this service out to our users, who then could possibly start using it on their home computers, which could easily be insecure, we are trying to evaluate the possible security threats that this poses.

It would seem that if someone were able to own a machine that had this configured on it, it would be fairly easy for them to use the Exchange server as a relay for mail and/or completely flood the system with viruses, especially if the computer were infected with a virus. Do you think this would be the case, and, if so, what measures do you think could be taken in order to mitigate this risk?

The only thing we could come up with so far was requiring these clients to use digital certificates and only install these certificates on machines that have been inspected and will be used in the proper setting (not that we could ever really be certain of the latter idea).

Thoughts?