Security Basics mailing list archives

RE: OWA security

From: "UK Bajan" <ukbajan () hotmail com>
Date: Fri, 16 Jan 2004 13:36:46 +0000

Securing your OWA server requires a number of steps over and above where itis placed on the Network.

1. You need to harden the service OS and IIS services so that only theessential services for OWA are running. This is somewhat easier if usingWindows 2003, more work if using Windows 2000 IIS5.0.

2. As Martin has Pointed out your connection of your PIX diectly to yourInternal Network is Puzzling seeing that you have a second firewall ISAserver. The standard practice is



        Internet
        !
        !
        !
        Border Firewall (PiX or other dedicated firwall appliance)
        1
        1
        1
        DMZ  (web applications, FTP, OWA, SMTP proxy, IDS)
        2
        2
        2
        Internal Firewal (ISA Server for Example,)
        3
        3
        3
        Internal Network

Give the state of attacks at the moment I do not find this entirelysatifactory.

Anti-Virus measures, anti-worm, etc checks have to be done. Statefullypacket inspection alone does not cut it anymore. You need a level ofapplication layer inspection.

This with others measures is where ISA server, and SMTP proxying comes intotheir own. With inspection at the application level a lot of todays and(some of tomorrows nasties are stripped out before they get into yournetwork.

For this reason I place the OWA server behind the ISA server. I Use the ISAServer and other proxies to cleaned the application layer. It also makesauthentication less awkward and prone to misconfiguration of your firewall.

3. Again as Martin pointed out, this is all for nothing if you allow usersto connect via http to your OWA server. Plain text credentials an easy hackmake. Settings up https is essential. Http to the OWA server should beblocked at the firewall.


Good Luck.

UKB

_________________________________________________________________

Express yourself with cool emoticons - download MSN Messenger today!http://www.msn.co.uk/messenger



---------------------------------------------------------------------------

Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off anycourse! All of our class sizes are guaranteed to be 10 students or less.We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,and many other technical hands on courses.Visit us at http://www.infosecinstitute.com/securityfocus to get $720 offany course!----------------------------------------------------------------------------

Current thread:

RE: OWA security Martin K. Lee - XML Consulting (Jan 13)
- <Possible follow-ups>
- RE: OWA security Kollman, Christopher (Jan 13)
  - Re: OWA security Michael Gale (Jan 14)
- RE: OWA security DeGennaro, Gregory (Jan 14)
- RE: OWA security Nicholas Diotte (Jan 15)
- RE: OWA security UK Bajan (Jan 16)