OWA - Best Practice

Status: Not open for further replies.

siddyp (Technical User; joined Oct 5, 2005; 11 messages; location GB)
I have just set up OWA on our Exchange 2000 server. I have some worries that it is not as secure as it could be, as we are just using basic authentication. I've looked into setting up SSL but the cost of purchasing a certificate is quite high (unless anyone knows of any freebies). Being a small company, the cost is too much compared to the benefits received.

So my question: Is there any other way of making OWA more secure than the current way we are doing it?

Thanks

siddyp
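The worry in the question is well founded: with Basic authentication over plain HTTP, the browser sends the domain account name and password in every request, only base64-encoded, so anyone who can see the traffic between the client and the server can read them. The following is an added example (not from the thread) that shows what a packet sniffer on that path recovers. The capture below is constructed for the demo; the account, domain and password in it are made up.

```python
import base64
import binascii

# Constructed sample: two requests as a sniffer would see them when a user
# opens OWA over plain HTTP. The first is the unauthenticated hit that gets
# the 401; the second carries the Basic credentials the browser then sends
# on every request. Account/domain/password here are made up for the demo.
CAPTURED_REQUESTS = [
    b"GET /exchange/ HTTP/1.1\r\n"
    b"Host: webmail.yourdomain.com\r\n"
    b"\r\n",
    b"GET /exchange/ HTTP/1.1\r\n"
    b"Host: webmail.yourdomain.com\r\n"
    b"Authorization: Basic WU9VUkRPTUFJTlxqc21pdGg6cEBzczp3b3Jk\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    b"\r\n",
]


def parse_headers(raw_request: bytes) -> dict:
    """Split a raw HTTP/1.x request into a dict of headers (names lower-cased)."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def extract_basic_credentials(raw_request: bytes):
    """Return {'domain', 'user', 'password'} if the request carries Basic auth, else None.

    Handles the DOMAIN\\user form OWA accepts and passwords that themselves
    contain ':' (only the first colon separates user from password).
    """
    auth = parse_headers(raw_request).get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None                                # malformed token, not Basic
    userpart, sep, password = decoded.partition(":")
    if not sep:
        return None
    domain, _, user = userpart.rpartition("\\")    # domain is '' if not given
    return {"domain": domain, "user": user, "password": password}


def credentials_on_the_wire(requests):
    """Every credential a passive observer of these requests can read off."""
    return [c for c in (extract_basic_credentials(r) for r in requests) if c]


if __name__ == "__main__":
    for cred in credentials_on_the_wire(CAPTURED_REQUESTS):
        print(cred)
```

The point of the exercise: nothing here needs a key or a crack; base64 is an encoding, not encryption, which is why the replies below all push towards SSL rather than a different authentication setting.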
 
You can set up your own certificate for your domain (you need to install the certification authority in the Windows set-up).

Anyone from the Internet will be warned that you are an unrecognised certification authority, but if they know it's you then they can ignore this and continue with a secure connection. Access over a domain would not cause any warnings, as your issuing server should be listed in the authorised certificate authorities.

Another thing: if you access this server over the Internet, say for example using the address 'webmail.yourdomain.com', then make sure your certificate is issued as '*.yourdomain.com'. Then this certificate can also be used for other services (e.g. secure SMTP or POP3 if you use 'pop3.yourdomain.com' etc.).

Or you could use reversible encryption on your passwords, but this is more complicated.
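The wildcard suggestion above works, but only within the rules browsers apply to wildcard names, and it is worth checking which of your hostnames a '*.yourdomain.com' certificate actually covers before issuing it. The block below is an added example (not from the thread) implementing the matching rules from RFC 6125 section 6.4.3, which is what current browsers follow: the wildcard must be the whole left-most label, it matches exactly one label, and it never matches the bare parent domain. The hostnames in the list are assumed for the demo.

```python
def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Does a name on the certificate (possibly '*.example.com') cover hostname?

    Wildcard rules as browsers apply them (RFC 6125 section 6.4.3):
    - '*' must be the entire left-most label ('web*.example.com' is refused)
    - it matches exactly one label, so '*.example.com' does not cover
      'a.b.example.com', and never the bare domain 'example.com'
    - '*.com' style names are refused
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def coverage_report(cert_names, service_hostnames):
    """Map each service hostname to whether any name on the certificate covers it."""
    return {h: any(hostname_matches(n, h) for n in cert_names) for h in service_hostnames}


# Assumed hostnames for the demo: the OWA name from the thread plus the kind
# of extra services the reply mentions, a bare domain and a deeper name.
SERVICE_HOSTNAMES = [
    "webmail.yourdomain.com",
    "pop3.yourdomain.com",
    "smtp.yourdomain.com",
    "yourdomain.com",
    "owa.branch.yourdomain.com",
]

if __name__ == "__main__":
    for host, covered in coverage_report(["*.yourdomain.com"], SERVICE_HOSTNAMES).items():
        print(f"{host:30s} {'covered' if covered else 'NOT covered'}")
```

Two practical caveats: a wildcard certificate means one private key shared by every service that presents it, so a compromise of the POP3 box exposes the OWA key as well; and if you also want 'yourdomain.com' itself covered, it has to be added as a separate name, because the wildcard does not reach it.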
 
Store password using reversible encryption for all users in the domain.

(Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy)

This policy determines whether Windows 2000 Server, Windows 2000 Professional, and Windows XP Professional store passwords using reversible encryption.

This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

This policy is required when using CHAP authentication through remote access or IAS services. It is also required when using Digest Authentication in Internet Information Services (IIS).

By default, this policy is disabled.
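Because enabling that policy is, as the text says, essentially storing plaintext passwords, the useful check is the opposite one: confirm it is still off, both at the domain policy level and per account (the same setting can be enabled on a single user, which sets the ENCRYPTED_TEXT_PWD_ALLOWED bit, 0x80, in that account's userAccountControl). The block below is an added example, not from the thread. It parses the security template that `secedit /export /cfg <file>` writes on a Windows box, where the policy appears as `ClearTextPassword` under `[System Access]`, and checks a set of userAccountControl values; the template text and the account values are constructed for the demo.

```python
# Constructed sample of a `secedit /export /cfg policy.inf` template, already
# decoded from the UTF-16 the real file uses. ClearTextPassword = 1 is the
# "Store password using reversible encryption" policy switched ON.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# userAccountControl bit set on an individual account when the per-user
# "Store password using reversible encryption" box is ticked.
ENCRYPTED_TEXT_PWD_ALLOWED = 0x80
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000

# Constructed sample: account name -> userAccountControl, as you would pull
# them from the directory. Only svc-ias has the reversible-encryption bit.
SAMPLE_ACCOUNTS = {
    "jsmith": NORMAL_ACCOUNT,
    "svc-ias": NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED,
    "admin": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
}


def load_secedit_export(path):
    """Read the file written by `secedit /export /cfg <path>` (UTF-16 with BOM)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_inf(text):
    """Minimal INI-style parser for the secedit template: {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def reversible_encryption_enabled(inf_text):
    """True if the domain/local policy stores passwords with reversible encryption."""
    system_access = parse_inf(inf_text).get("System Access", {})
    return system_access.get("ClearTextPassword", "0") == "1"


def accounts_with_reversible_pwd(accounts):
    """Accounts whose userAccountControl has the per-user reversible-encryption bit."""
    return [name for name, uac in accounts.items() if uac & ENCRYPTED_TEXT_PWD_ALLOWED]


if __name__ == "__main__":
    print("policy enabled:", reversible_encryption_enabled(SAMPLE_INF))
    print("per-account:   ", accounts_with_reversible_pwd(SAMPLE_ACCOUNTS))
```

Anything this reports as enabled means the password in the directory can be recovered in clear by anyone who can read the account's stored data, so the finding should be treated the same way as a plaintext password file.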
 
Many thanks for your time and help. I will have a go at setting up my own certificate.


Cheers.
 
Does anyone know where I can find a step-by-step guide for setting up my own CA for OWA on Windows and Exchange Server 2000? Everywhere I seem to look has info for either setting up third-party CAs or it's for Windows 2003.

Many Thanks
 
Have you looked at Windows help?

This gives a full guide on how to set up CA and how to use it with IIS.
 
Sorry to open this discussion again, but I've only just had time to progress any further with this, and require some help.

I managed to create my own certificate on our server using KB837354. I then went to Internet Information Services, Default Website, Directory Security, Secure Communication, Edit, and ticked "Requires secure channel" for both Exchange and Public.

Next I put in the address and got back a page saying "The page must be viewed over a secure channel", which I thought was great, it seemed to be working. But when I tried the address it came back telling me "The page cannot be displayed".

Have I missed something obvious here, or is the general feeling that I'm playing with fire and should just leave it well alone? I'm no idiot when it comes to IT, but I will admit this has got the better of me so far.
 
I do know this one, as I came across it myself, but I'm struggling to remember.

Are you using some sort of web filtering (e.g. ISA Server)?

I'm sure this has something to do with secure pages using port 443 and not port 80, and because I use ISA I had to terminate the secure connection at the gateway and create a bridge between ISA and IIS, but I just can't remember.
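The symptom in the thread ("must be viewed over a secure channel" on the plain address, "page cannot be displayed" on the secure one) is what you get when the site now refuses HTTP but nothing usable answers on port 443 at the address the browser is using: no SSL binding on the web site, or a firewall/ISA in front that is not passing 443 through. Before blaming ISA, it is worth finding out which. The block below is an added example, not from the thread, that probes a host the way a browser would and classifies the outcome; it also includes a small plain-HTTP stand-in listener so the check can be exercised locally. The hostname `webmail.yourdomain.com` in the comment is the one assumed earlier in the thread.

```python
import socket
import socketserver
import ssl
import threading


def probe_https(host: str, port: int = 443, timeout: float = 3.0) -> str:
    """Classify what a browser would run into at https://host:port/.

    'refused'        nothing answers (or the connection times out): no SSL
                     binding on the site, or 443 not forwarded by the firewall/ISA
    'not-tls'        something answers but it does not speak TLS
    'tls-untrusted'  TLS works, but the chain is not trusted on this machine
                     (expected with a home-grown CA until its root is installed)
    'tls-ok'         handshake completed against the local trust store
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "refused"
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls-ok"
    except ssl.SSLCertVerificationError:
        return "tls-untrusted"
    except (ssl.SSLError, OSError):
        return "not-tls"
    finally:
        raw.close()


class _PlainHttpHandler(socketserver.BaseRequestHandler):
    """Stand-in for a server that is not speaking TLS on the probed port:
    whatever arrives (here a TLS ClientHello) is answered as a bad HTTP request."""

    def handle(self):
        self.request.recv(4096)
        self.request.sendall(b"HTTP/1.0 400 Bad Request\r\nConnection: close\r\n\r\n")


def start_plain_http_listener():
    """Start the stand-in on a loopback port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _PlainHttpHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port() -> int:
    """A loopback port with nothing listening (stand-in for 'no SSL binding')."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("nothing listening ->", probe_https("127.0.0.1", unused_port(), timeout=2))
    server, port = start_plain_http_listener()
    print("plain HTTP there  ->", probe_https("127.0.0.1", port, timeout=2))
    server.shutdown()
    server.server_close()
    # Against the real box (assumed name from the thread):
    # print(probe_https("webmail.yourdomain.com"))
```

Run it once from inside the LAN against the server's own name and once from outside against the public name: 'refused' inside points at the IIS SSL binding, 'refused' only from outside points at the firewall or ISA, and 'tls-untrusted' is the expected result for the self-issued certificate until the CA root is installed on the client.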

 