On Monday 06 December 2004 22:46, Andrew Cowie wrote:
> You can't secure Exchange's "Outlook Web Access" by sticking it behind
> an Apache reverse proxy for a few reasons:
>
> 1) OWA will still be running in Internet Information Server, which is
> buggy and ridden with security holes.
>
> 2) OWA, like every other web application, is liable to attacks that
> target some weakness in its design at the application level, as opposed
> to targeting vulnerabilities in the host web server. SQL injection type
> attacks are the poster-children here, but there are many others. A proxy
> (or firewall, for that matter) will not help you because such things are
> conveyed as legitimate web requests.
>

I'm not aware of any unpatched exploits in either IIS or OWA, but I do take
on board that new vulnerabilities will be found in both products sooner or
later.

Remote access is always a weak spot in network security, but I still maintain
you can use OWA in this kind of setup that will be secure enough for most
people. Here are things you can do:

1. Use client certificates
2. Run the service on a non-default port
3. Use account lockouts for multiple password attempts
4. Filter URL requests for obvious application attacks

In addition, you're only giving potential attackers a fairly small window to
aim at -- http requests on OWA. Compare this with other remote access
technologies like VPN which will typically give you a much wider range of
targets, even if you are restricting their access internally.


Casper.
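Casper's measures 1, 2 and 4 on the proxy side, as an added example that is not part of this thread: an Apache 2.x reverse proxy configuration that listens on a non-default port, requires a client certificate issued by the organisation's own CA, forwards only the OWA paths to the internal Exchange front end, and refuses requests carrying obvious traversal or SQL injection patterns before IIS sees them. The host name, certificate paths, internal server address and the /exchange and /exchweb paths are assumptions; measure 3 (account lockout) is a Windows domain policy and is not configured in Apache.

```apache
# Added example (not from the thread): Apache 2.x reverse proxy in front of OWA.
# All host names, addresses and file paths below are assumed values.

# Measure 2: serve on a non-default port instead of 443.
Listen 8443

<VirtualHost *:8443>
    ServerName owa.example.org

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/owa-proxy.crt
    SSLCertificateKeyFile /etc/apache2/ssl/owa-proxy.key

    # Measure 1: the browser must present a certificate signed by our internal CA;
    # anyone without one is refused during the TLS handshake, before any HTTP request.
    SSLCACertificateFile /etc/apache2/ssl/internal-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Use TLS towards the Exchange front end too, and never act as a forward proxy.
    SSLProxyEngine on
    ProxyRequests Off
    ProxyPreserveHost On

    # Forward only the OWA paths (assumed internal server 10.0.0.5, OWA 2003 paths);
    # every other URL on the IIS box stays unreachable from outside.
    ProxyPass        /exchange https://10.0.0.5/exchange
    ProxyPassReverse /exchange https://10.0.0.5/exchange
    ProxyPass        /exchweb  https://10.0.0.5/exchweb
    ProxyPassReverse /exchweb  https://10.0.0.5/exchweb

    # Measure 4: reject requests with obvious application-level attack patterns.
    # Path traversal or encoded NUL in the path, or SQL keyword pairs in the
    # query string, get a 403 from the proxy and are logged here, not on IIS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI}  (\.\./|%2e%2e|%00) [NC,OR]
    RewriteCond %{QUERY_STRING} (union.+select|insert.+into|exec\s*\() [NC]
    RewriteRule .* - [F]

    # Keep the proxy's own logs so blocked requests can be reviewed.
    ErrorLog  /var/log/apache2/owa-error.log
    CustomLog /var/log/apache2/owa-access.log combined
</VirtualHost>
```

The rewrite patterns only illustrate the "obvious" attacks Casper refers to and are not a complete filter; OWA's WebDAV traffic must be tested against any additional rules before they go live.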