There's one significant issue which doesn't get touched on very often
during these OWA security debates. Most people seem to be worried about
securing the email and the user's credentials. What about a new IIS buffer
overflow attack which would allow someone to gain system level access on a
domain member server behind your firewall through an encrypted protocol?
  Your IDS system is useless because you are using SSL. It doesn't matter
that you are up to date on the patches because it's a newly discovered
vulnerability. How long does it take for the rest of your network to fall
victim through the compromised IIS server?
 Unfortunately, I don't have any good OWA recommendations - maybe someone
else does. What we're currently looking at is using a web<->imap gateway
program which would be on a server outside the firewall and allowing only
IMAP traffic from that server through the firewall. The clients would
access the IMAP<->web gateway server using SSL and you can enable IMAP over
SSL as well (for the hop between the gateway and the firewall/IMAP server).

Keith

-----Original Message-----
From: Evan Mann [mailto:emannquestinc.org]
Sent: Thursday, January 03, 2002 11:10 AM
To: 'focus-mssecurityfocus.com'
Subject: Securing OWA w/SSL on IIS5.0

I would like someone to tell me if what I did is the appropriate way to
secure my OWA connections. The main goal was to secure the password
exchange as my OWA server is firm external use and I have to allow
anon/basic text auth for it. The OWA server itself sits behind my firewall
and is accessed via an HTTP proxy from external to internal. SSL on port 443
also NATs the same way.

In any event, I found all the appropriate MS KB articles on setting up a CA
and securing an IIS5.0 website with SSL. It was pretty basic. Installed
the CA. Setup my OWA website with a certificate. Not much else needed to
be done according to the KB articles. Now whenever I hit the site the
typical IE popup about accepting a certificate pops up and I accept it and
IE shows the page as being secured, and all further OWA pages.

On my test computer, I also installed the certificated for the CA into my
trusted certificates list. I do not plan to have all my users of OWA do
this at this time, is this a good or bad idea?

I am "ignorning client certificates" on my particular website, mainly
because I am clueless as to how to configure these, and when I use "accept
client certificates", I get an additional certificate box where I am to
select a certificate, but none are in a list to select.

Am I at the point where I'm actually encrypting the password exchange and
all other data sent over OWA, or do I have a false sene of security?

Evan Mann

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]