Hello all –
I’m wondering if anyone knows of a more secure OWA construction than just enhancing it with SSL. My current plan for our small company is to have one Exchange server on the inside LAN to which I will allow OWA over the Internet using SSL. I’ve tested this and it works fine. But it has occurred to me that Internet hackers might conceivably go to town trying to get into the machine, and our LAN. Of course these attempts will be logged, but I’d like to anticipate a situation where there might be so many hack attempts that I'd want to take security a step further. So my question is twofold:
a) SSL obviously is meant to provide server authentication for the client. But is there any mechanism for requiring the client PCs to also have a certificate? In other words, two-way authentication using certificates? I’m concerned – maybe unjustifiably – that a focused hacker might succeed in providing the correct User ID and password to get to the inside server. Since we have only a handful of prospective OWA users, an extra certificate would be easy to administer.
b) An alternative to the above would be to ask if there is a way to limit the number of allowed logon attempts to OWA, similar to how Windows locks out a user after several unsuccessful tries. I know that many on-line billing sites have the ability to lock out a User in this way. But I didn’t see any setting for this in IIS.
Any thoughts on this would be appreciated.
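The post notes that failed attempts against OWA will be logged and asks how to react when there are many of them. The following is an added example, not code from the poster or from Microsoft, showing how a defender could review the IIS W3C log for repeated 401 (authentication failure) responses against the OWA virtual directory and surface source addresses that exceed a threshold inside a time window. It assumes the W3C extended log format with a `#Fields:` header (the column order is read from that header), that OWA lives under the default `/exchange` path, and a hypothetical threshold of five 401s within five minutes; the log lines are constructed sample data, not real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IIS W3C log excerpt (not real traffic). The #Fields line
# drives the column mapping, so real logs with a different field order work too.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-03-01 10:00:01 203.0.113.5 - GET /exchange/ 401
2004-03-01 10:00:03 203.0.113.5 - GET /exchange/ 401
2004-03-01 10:00:04 203.0.113.5 - GET /exchange/ 401
2004-03-01 10:00:06 203.0.113.5 - GET /exchange/ 401
2004-03-01 10:00:08 203.0.113.5 - GET /exchange/ 401
2004-03-01 10:00:09 203.0.113.5 - GET /exchange/ 401
2004-03-01 10:01:00 198.51.100.7 - GET /exchange/ 401
2004-03-01 10:01:05 198.51.100.7 CORP\\alice GET /exchange/ 200
2004-03-01 10:02:00 198.51.100.9 - GET /exchange/ 401
2004-03-01 12:02:00 198.51.100.9 - GET /exchange/ 401
"""


def parse_w3c(text):
    """Yield one dict per data line of a W3C extended log, keyed by the
    names in the most recent #Fields header. Malformed lines are skipped."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # column count mismatch: skip rather than mis-assign fields
        yield dict(zip(fields, values))


def find_auth_bursts(text, path_prefix="/exchange", threshold=5,
                     window=timedelta(minutes=5)):
    """Return {client_ip: max_401s_in_window} for every client IP that produced
    at least `threshold` 401 responses to `path_prefix` inside any `window`.
    Threshold and window are hypothetical tuning values, not IIS settings."""
    per_ip = defaultdict(list)
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "401":
            continue
        if not rec.get("cs-uri-stem", "").lower().startswith(path_prefix):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        per_ip[rec["c-ip"]].append(ts)

    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        best = 0
        # Sliding window: count the densest run of 401s no wider than `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, count in find_auth_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed OWA logons within the window")
```

One 401 per client is expected noise: with Basic authentication the browser's first request carries no credentials and is answered with a 401 challenge before the user is even prompted, which is why the example keys on bursts rather than on single failures. Running it over the sample prints only `203.0.113.5`, the address with six failures in eight seconds; the address that failed once and then logged on, and the one with two failures two hours apart, are not reported.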