Security Basics mailing list archives

Re: Securing webmail - changing a port necessary to ensure security?


From: Miles Stevenson <miles () mstevenson org>
Date: Thu, 12 Feb 2004 13:35:56 -0500

When configuring webmail
(such as OWA) that is using https, is it better to change the default
port (443) to an uncommon port (20000) for security reasons?

Hi Jennifer. Generally, running services on non-default ports (changing
the port from 443 default to 20000 non-default) does nothing to improve
your security. This kind of tactic is called "Security through
Obscurity" and it is usually considered a bad idea within the security
community.

The reason that this doesn't add any security is that modern portscan
tools such as nmap are smart enough to detect services running on
non-standard ports. They don't just look at the port number to identify
services, but they actually connect to the port and evaluate what kind
of response they get back. Generally, this kind of strategy will not
even fool amateur hackers/script kiddies. 

The reason that similar security strategies (security through obscurity)
are considered a bad idea is that they create a false sense of
security. Administrators start to think that because they are "hiding"
the weaknesses in their systems that they are safe. This is not only
taking a huge risk, but it's almost guaranteed to fail. In this way,
security is a lot like dieting. While we would all love to believe that
we can take a magic pill and overnight we will lose weight and look
great, it's nothing but wishful thinking. The only way to lose weight is
proper diet and exercise, which is hard work and takes time. Security is
the same way. The only way to keep the bad guys out is to secure your
systems properly, and to maintain that security on a daily basis.


-- 
Miles Stevenson
miles () mstevenson org
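As an added illustration of the point made above (example code, not from the original post or the list): a service is identified by how it answers, never by the port it listens on. `classify_response` looks only at the first bytes of a reply, and `probe` is a small check an administrator can run against their own webmail host on whatever port it uses; the sample replies are constructed, not captured from any real host.

```python
import socket
import ssl

# Constructed sample replies (not captured from any real host) in the shape
# a first-contact probe would see on the wire.
SAMPLE_TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + bytes(32)
SAMPLE_TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"
SAMPLE_HTTP_REPLY = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"


def classify_response(data: bytes) -> str:
    """Name the protocol from the first bytes of a reply; the port is never consulted."""
    # TLS record header: content type 0x15 (alert) or 0x16 (handshake),
    # followed by a record version 0x03 0x00 .. 0x03 0x04.
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "http"
    if data.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port, try a TLS handshake first, then a plaintext request.

    Meant for auditing your own host: an HTTPS listener moved from 443 to
    20000 still answers as TLS, so the move hides nothing.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we are identifying a service, not trusting it
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"            # handshake completed: the listener speaks TLS
    except ssl.SSLError as exc:
        if "ALERT" in (exc.reason or ""):
            return "tls"                # the peer answered with a TLS alert: still TLS
    except OSError:
        pass                            # no answer or not TLS; fall through to plaintext
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"GET / HTTP/1.0\r\n\r\n")
            return classify_response(raw.recv(64))
    except OSError:
        return "unreachable"
```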

