| 1 |
On Monday 06 December 2004 22:46, Andrew Cowie wrote: |
| 2 |
> You can't secure Exchange's "Outlook Web Access" by sticking it behind |
| 3 |
> an Apache reverse proxy for a few reasons: |
| 4 |
> |
| 5 |
> 1) OWA will still be running in Internet Information Server, which is |
| 6 |
> buggy and ridden with security holes. |
| 7 |
> |
| 8 |
> 2) OWA, like every other web application, is liable to attacks that |
| 9 |
> target some weakness in its design at the application level, as opposed |
| 10 |
> to targetting vulnerabilities in the host web server. SQL injection type |
| 11 |
> attacks are the poster-children here, but there are many others. A proxy |
| 12 |
> (or firewall, for that matter) will not help you because such things are |
| 13 |
> conveyed as legitimate web requests. |
| 14 |
> |
| 15 |
|
| 16 |
I'm not aware of any unpatched exploits in either IIS or OWA, but I do take |
| 17 |
on board that new vulnerabilities will be found in both products sooner or |
| 18 |
later. |
| 19 |
|
| 20 |
Remote access is always a weak spot in network security, but I still maintain |
| 21 |
you can use OWA in this kind of setup that will be secure enough for most |
| 22 |
people. Here are things you can do: |
| 23 |
|
| 24 |
1. Use client certificates |
| 25 |
2. Run the service on a non-default port |
| 26 |
3. Use account lockouts for multiple password attempts |
| 27 |
4. Filter URL requests for obvious application attacks |
| 28 |
|
| 29 |
In addition, you're only giving potential attackers a fairly small window to |
| 30 |
aim at -- http requests on OWA. Compare this with other remote access |
| 31 |
technologies like VPN which will typically give you a much wider range of |
| 32 |
targets, even if you are restricting their access internally. |
| 33 |
|
| 34 |
|
| 35 |
Casper. |
Archives