From: Skinner, Kit (KSkinnersandstream.com)
Date: Fri Jan 04 2002 - 09:37:51 CST

    The setup you have will encrypt any traffic going TO the web server using
    the public certificate. The IIS Server will then use its local private key
    to decrypt it. This would include any passwords sent in plain text.

    However, as Mr. Bennett points out, you can install client certificates to
    encrypt the data coming FROM the server to the client. This would include
    any e-mails they view. Since this is not stated as a goal of your setup, I
    would classify this as a requirement but possibly a consideration. Setting
    up and managing a PKI can be a truly cumbersome task (the managing of lost
    certificates being the bulk of it); this may be greater than the scope of
    this project.

    What you are doing does meet your requirements, and that's all there is to it.
    As for having the clients install it into their local trust, this will
    alleviate the constant announcement they receive about an untrusted
    certificate; however, if your root certificate is compromised someone could
    then generate falsified certificates and your clients would automatically
    trust them.

    While for a web browser that just means they could set up encrypted channels
    without them acknowledging they are doing it, it could provide for a
    man-in-the-middle attack if they were able to place some form of proxy in
    the way. Beyond that, nothing really new is introduced to my knowledge, but
    if someone has another scenario, I'd like to hear it. You're not really
    introducing any additional distribution of the certificate, because anyone
    who connects to the site would receive that public certificate.

    -K

    -----Original Message-----
    From: Evan Mann [mailto:emannquestinc.org]
    Sent: Thursday, January 03, 2002 10:10 AM
    To: 'focus-mssecurityfocus.com'
    Subject: Securing OWA w/SSL on IIS5.0

    I would like someone to tell me if what I did is the appropriate way to
    secure my OWA connections. The main goal was to secure the password
    exchange as my OWA server is for external use and I have to allow
    anon/basic text auth for it. The OWA server itself sits behind my firewall
    and is accessed via an HTTP proxy from external to internal. SSL on port 443
    also NATs the same way.

    In any event, I found all the appropriate MS KB articles on setting up a CA
    and securing an IIS5.0 website with SSL. It was pretty basic. Installed
    the CA. Set up my OWA website with a certificate. Not much else needed to
    be done according to the KB articles. Now whenever I hit the site the
    typical IE popup about accepting a certificate pops up and I accept it and
    IE shows the page as being secured, and all further OWA pages.

    On my test computer, I also installed the certificate for the CA into my
    trusted certificates list. I do not plan to have all my users of OWA do
    this at this time, is this a good or bad idea?

    I am "ignoring client certificates" on my particular website, mainly
    because I am clueless as to how to configure these, and when I use "accept
    client certificates", I get an additional certificate box where I am to
    select a certificate, but none are in a list to select.

    Am I at the point where I'm actually encrypting the password exchange and
    all other data sent over OWA, or do I have a false sense of security?

    Evan Mann
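The risk Kit Skinner raises above, that a root certificate imported into the clients' trusted store makes every certificate signed with that root's key trusted regardless of hostname, can be reproduced with the openssl CLI. The script below is an added example, not part of the original thread: it builds a private root like Evan's, issues a legitimate OWA certificate and a forged one for an unrelated site, and shows a client trusting the root accepts both; it then repeats the exercise with an X.509 Name Constraints extension on the root, which is not something the thread discusses and whose client support varies. All hostnames are constructed and it assumes a standard openssl install with its default configuration.

```shell
#!/bin/sh
# Added example, not from the thread: a private root CA like the poster's,
# used to show that a client which trusts the root accepts every certificate
# the root key signs, for any hostname, and how an X.509 Name Constraints
# extension on the root narrows that blast radius. Hostnames are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA. The default openssl.cnf marks "req -x509" output CA:TRUE;
# $2, if given, is an extra extension passed through -addext.
new_root() {  # $1=name  $2=extension (optional)
  if [ -n "$2" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
      -addext "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# Issue a server certificate for hostname $2 under root $1. Whoever holds the
# root key can do this for any name; that is the compromise scenario above.
issue() {  # $1=root  $2=hostname
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1-$2.key" -out "$WORK/$1-$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$1-$2.ext"
  openssl x509 -req -in "$WORK/$1-$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1-$2.ext" -out "$WORK/$1-$2.pem" 2>/dev/null
}

# Would a client with root $1 in its trusted store accept the cert for $2?
# Prints yes or no; the chain check is what a browser does once the user has
# imported the root instead of clicking through the warning each time.
trusts() {  # $1=root  $2=hostname
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$1-$2.pem" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

new_root generic                      # unconstrained, as in the thread
new_root scoped "nameConstraints=critical,permitted;DNS:.example.test"
for root in generic scoped; do
  issue "$root" owa.example.test      # the legitimate OWA host
  issue "$root" login.other.test      # a forged cert for an unrelated site
done

echo "generic root, owa cert:    $(trusts generic owa.example.test)"  # yes
echo "generic root, forged cert: $(trusts generic login.other.test)"  # yes
echo "scoped root, owa cert:     $(trusts scoped owa.example.test)"   # yes
echo "scoped root, forged cert:  $(trusts scoped login.other.test)"   # no
```

The unconstrained root accepts the forged certificate, which is exactly the exposure of distributing a private root to every client; the constrained root rejects it because the leaf's name falls outside the permitted subtree.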