Subject: Re: Outlook Web access Question.
From: Mitch James (mitchj AVANADE.COM)
Date: Thu Aug 24 2000 - 12:59:45 CDT
- Next message: Terrence Scahill: "Re: OS Fingerprinting"
- Previous message: Paul Suggitt: "Re: Outlook Web access Question."
- Maybe in reply to: Mitch James: "Outlook Web access Question."
- Next in thread: Woods,Stan: "Re: Outlook Web access Question."
- Maybe reply: Mitch James: "Re: Outlook Web access Question."
The situation is that we pretty much have to allow it to happen, and we will
encrypt everywhere we can. To help prevent people from going to a cyber café
and being exposed to whatever is on those things, we are looking at using
a JavaScript or ActiveX control that is on the person's company laptop.
When they connect to the OWA it will look for a unique signature provided by
that control. If it's not present it won't bring up the login page for OWA
but a generic error page. The applet will be deep enough so that they can't
carry it around on a floppy disk and restrict them to only logging on from
their laptop.
-----Original Message-----
From: Gene R. Gomez [mailto:ggomez VERANCE.COM]
Sent: Tuesday, August 22, 2000 12:46 PM
To: FOCUS-MS SECURITYFOCUS.COM
Subject: Re: Outlook Web access Question.
This is a question my company has been playing with for a while now. I'd
recommend you take a look at pop3s (port 993) and imaps (port 995). Both of
these are SSL-encrypted.
Another alternative is OWA. I'd also recommend you use SSL for this on
https (port 443).
You can't do much about the keystroke-loggers but warn your users about the
dangers of being on a public terminal. WHATEVER you do, ENCRYPT, ENCRYPT,
ENCRYPT. If you don't, you're just ASKING for trouble. ;)
-Gene
-----Original Message-----
From: Mitch James [mailto:mitchj AVANADE.COM]
Sent: Tuesday, August 22, 2000 8:58 AM
To: FOCUS-MS SECURITYFOCUS.COM
Subject: Outlook Web access Question.
Once again the question has come up in my organization to look at
what it will take to let users access their email thru the internet.
In the security group we dread the thought of letting this happen. We can
only imagine someone sitting at a cyber cafe pulling up their email, while a
keystroke logger is capturing every letter. The possibility of one-time
passwords is on the horizon but not soon enough to address the need we have
now.
The question I'm posing to the group is: The need exists for staff to access
their email thru the internet, what options do we have to accomplish this?
I understand that it will probably involve a hole in the firewall but how
can we minimize the risk involved?
Mitchell James
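
The device-signature gate described in the top message of this thread, sketched as an added example that is not part of the original posts. It assumes an HMAC challenge-response design (so a captured signature cannot be reused) with a per-laptop secret provisioned alongside the control; `LoginGate`, `sign_challenge`, the device ID and the key are hypothetical, constructed names and values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: per-laptop secrets provisioned with the control.
DEVICE_KEYS = {"laptop-0042": bytes.fromhex("00112233445566778899aabbccddeeff")}
NONCE_TTL = 60  # seconds a challenge stays valid (assumed value)

LOGIN_PAGE = "owa-login"
GENERIC_ERROR = "generic-error"


def sign_challenge(key, device_id, nonce):
    """Client side: what the control on the laptop would compute."""
    msg = f"{device_id}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class LoginGate:
    """Server side: serve the login page only to provisioned devices."""

    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.pending = {}  # nonce -> time it was issued

    def issue_challenge(self, now):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = now
        return nonce

    def check(self, device_id, nonce, signature, now):
        # pop() makes every challenge single use, so a replayed answer fails.
        issued = self.pending.pop(nonce, None)
        key = self.device_keys.get(device_id)
        if issued is None or key is None or now - issued > NONCE_TTL:
            return GENERIC_ERROR
        expected = sign_challenge(key, device_id, nonce)
        # Constant-time comparison; every failure returns the same page,
        # so the response does not reveal which check failed.
        if not hmac.compare_digest(expected, signature):
            return GENERIC_ERROR
        return LOGIN_PAGE
```

A secret held in software on the laptop can be copied by anyone with sufficient access to that machine, so a gate like this narrows where logins originate and does not replace user authentication.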