Outlook Web Access

Status
Not open for further replies.

ElijahBaley

IS-IT--Management
May 4, 2001
1,598
GB

Hi

I am just considering what would be required to set up Outlook Web Access, and would like to clarify some points

Is Network Address Translation through a router "good enough" security to protect my LAN?

To enable OWA I will have to translate HTTP on port 80 to the internal server?

I have to set up IIS to make the Exchange server act also as a Web server?

I would like to get a grasp of the concept before I start looking at the details - any comments would be welcome.

Thanks

Graham


"r tape loading error"
 
Hi.

I recommend not opening OWA from the Internet because it is a potential source of many security-related problems.

But if you insist on doing it, there are some important things that can minimize risks:
* Use strong passwords for user accounts.
* Install SP6a and SRP on the IIS server.
* Use a firewall with VPN to limit and protect access from the Internet.
* If not using VPN, use a different port (not 80) if you can.

And Again -
I recommend not opening OWA from the Internet because it is a potential source of many security-related problems.

Bye
Yizhar Hurwitz
 

Thanks Yizhar

I am still unclear as to whether Network address translation is adequate security - is this considered a firewall of sorts?

Graham
"r tape loading error"
 
I run OWA straight to the Internet. Been up and running for 2.5 years with no troubles except the Chinese hackers changed my IIS home page.

Patch your IIS THOROUGHLY, Exchange SP3 at least. Make sure you know NT really well, don't share anything to the everyone group unless you mean to. Set your shares and groups up properly to avoid easy hacks.

Once your network is fully sorted, add a hardware firewall. Set it to close every port possible inbound and then choose to open up relevant ports only (usually 25 and 80 only). Have the firewall installed by an expert.

This should cover you. NAT is a fair solution if you are really hot on it and understand how to lock everything down, but it is nowhere near as good as a Cisco firewall :)
 

Thanks once again for your help Zelandakh, seems that we really should get a firewall.

I note your comments about NT - makes sense to really get on top of users/groups, but if a hacker can access the Everyone group, then surely they can access the Administrators group?

Graham
"r tape loading error"
 
What Zelandakh means is that with NT, when you create a share on a server, it is by default shared out to the Everyone group with full control. That means that if a hacker were to get into your system by brute forcing a username/password, even if the account they broke was very low level, they would still be able to access the majority of shares on your network, because every user belongs to the Everyone group.

Block access to the Everyone group unless there is some weird legacy program that needs it for some reason. Use groups and permissions wisely on sensitive documents and shares so even if you are compromised they won't be able to do much.

I would also recommend changing the name of your admin account. 90% of hackers try that account and another 50% of Admins leave their username as administrator, that means hackers already have 1/2 of the puzzle.

All Complaints Will Be Routed To /dev/null
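A present-day way to check for the share default described above (Everyone granted Full control at the share level), as an added example that is not from this thread; it assumes the built-in SmbShare cmdlets of Windows Server 2012 or later, and the replacement group name is a placeholder.

```powershell
# Added example (not from the thread): list non-administrative SMB shares whose
# share-level ACL grants the built-in Everyone group Full control, and optionally
# replace that entry with Change access for a named group. Requires the SmbShare
# module (Windows Server 2012 / Windows 8 or later).
function Find-EveryoneFullControlShare {
    [CmdletBinding()]
    param(
        # Set -Fix to remediate; omit it to report only.
        [switch]$Fix,
        # Placeholder: the group that should hold Change access instead of Everyone.
        [string]$ReplacementGroup = 'CONTOSO\FileShareUsers'
    )

    # Skip the administrative shares (C$, ADMIN$, IPC$), which are flagged Special.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $everyoneFull = Get-SmbShareAccess -Name $share.Name |
            Where-Object {
                $_.AccountName -like '*Everyone' -and
                $_.AccessControlType -eq 'Allow' -and
                $_.AccessRight -eq 'Full'
            }
        if (-not $everyoneFull) { continue }

        # Emit one finding per offending share.
        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            Finding = 'Everyone has Full control at share level'
        }

        if ($Fix) {
            # Drop the Everyone entry and grant Change to the intended group.
            Revoke-SmbShareAccess -Name $share.Name -AccountName 'Everyone' -Force
            Grant-SmbShareAccess  -Name $share.Name -AccountName $ReplacementGroup `
                                  -AccessRight Change -Force
        }
    }
}

# Report only; add -Fix after reviewing the list.
Find-EveryoneFullControlShare | Format-Table -AutoSize
```

Share-level permissions are only one layer; the NTFS ACL on the folder still needs the same review.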
 

Understood - I suppose that I have always given hackers too much respect, in that I have always felt that if they get in, then they can pretty much do what they want, but as you suggest - the more barriers we put in their way the more difficult it will be for them to do any damage.

Thanks

Graham
"r tape loading error"
 
I wanted to jump in on the NAT and/or Firewall question. Everybody I talk to tells me that you need a firewall regardless, or a firewall is better, etc. etc. But nobody can tell me *why*.

Security folks like to point out that when you have a NAT router providing internet access that it's not secure because users can download trojans or zombies or whatever that then have free rein because NAT won't stop them. Fair enough I guess.

I think it's highly likely the security aspect of NAT is downplayed by those in the know, because these same people are trying to flog their very expensive firewall products.

ElijahBaley - I've studied NAT very closely and cannot see how it's possible it could be compromised so long as a few things are noted:

1. You *must* disable the telnet port of your router if it has one. I have a Zyxel router here and I had to route all traffic on Port 23 to 255.255.255.255 to do this. Actually I routed every port to 255.255.255.255 except for port 25.

2. NAT port routing makes it seem as if the server is the machine connected to the internet. So you need to be sure of the vulnerabilities it has on those ports and have them blocked.

3. A firewall provides extensive logging, which your NAT router probably doesn't. If your server is compromised due to a software bug, you may never know if you have NAT. The firewall log will tell you everything.

Hope that helps.
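The default-deny inbound policy Zelandakh describes earlier (everything closed, then only 25 and 80 opened) together with the logging point 3 above, shown on the Windows host firewall as an added example that is not from this thread. A hardware firewall in front of the server is still what the posts recommend; the log file path is a placeholder and the commands assume the NetSecurity cmdlets of Windows Server 2012 or later, run elevated.

```powershell
# Added example (not from the thread): host-firewall equivalent of "close every
# inbound port, then open only SMTP (25) and HTTP (80)", with blocked and allowed
# connections logged so a compromise leaves a trail (the gap noted for plain NAT).
# Placeholder: log file location.
$LogPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

# 1. Default-deny inbound on every profile; outbound is left open.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Open only the two services the thread exposes to the Internet.
New-NetFirewallRule -DisplayName 'Allow SMTP inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 25 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Allow HTTP inbound (OWA)' -Direction Inbound `
    -Protocol TCP -LocalPort 80 -Action Allow -Profile Any

# 3. Log dropped and accepted connections; this record is what NAT alone lacks.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogFileName $LogPath -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 32767

# Verify: every enabled inbound allow rule's ports, to review what else is open
# (Windows ships with further inbound rules, e.g. core networking, that will appear here).
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort |
    Sort-Object Protocol, LocalPort -Unique
```

Logging allowed connections on a busy mail or web server grows the file quickly; the size cap above rotates it, so ship the log off-box if it has to survive a compromise.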
 