Re: SP2 and OWA



"Ben Winzenz [Exchange MVP]" <ben_winzenz@nospamdotmessageonedotcom>
wrote:

> That's fair, but in Lanwench's defense,

Oh, she's a big girl. She doesn't need defending. :-) And I just used
her post as a jumping off point (hijacking the thread, if you will),
not as a reproach to her.

> communication from a FE to a BE
> isn't really the same as communication from the Internet to a FE (or BE in a
> single server environment), is it?

How would HTTPS vs. HTTP prevent the compromise of the F-E server? I
guess that's the point I'm really after. Keep in mind the current "no
F-E in the DMZ" mind-set (not that it's wrong, just keep it in mind).

> I mean, the same vulnerabilities don't
> exist once the traffic is inside your network.

Really? I'd like to go on record as saying that there are a lot more
risks inside the network than outside. Or maybe it's just that there are
usually a lot fewer protections once inside the network. There's
usually a crunchy outside and a soft, chewy inside to the "perimeter
defense" espoused today (or was that yesterday?).

The last few problems we've had came from inside. They were brought in
on mobile devices (laptops, USB drives, etc.), or they were launched
(inadvertently, one hopes) by "security" people (Hmmmm . . . I wonder
how many weak passwords there are in the AD? The result of that test
was close to 10,000 locked out accounts). How about deleted OUs? (How
many admins use a privileged account for everyday chores?) How long
do you think it would take to break into a web site? (It's been tried,
again locking out accounts).

So, using HTTPS to attack a web site (which is what OWA is) would make
it more difficult how? How does not using HTTPS make the web site more
resistant to attack (besides not exposing passwords)?

> Also to be fair, as you
> originally mention, it would be better to do IPSec between the FE and BE.
> The other questions are really for the Exchange Product team, as you know

I do.


--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx