Re: SP2 and OWA



In news:g8spe2pbtvt0k7tl7itmtpeubsjq7pkubp@xxxxxxx,
Rich Matheisen [MVP] <richnews@xxxxxxxxxxxxxxxxxxxxx> typed:
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

[ snip ]

Okay . . . I'll bite. Why is allowing HTTP into your network less
secure than allowing HTTPS (ignoring the "sniffing passwords" bit)?

Well, I can see I inadvertently started something here,

Nope. You didn't . . . I did. I just hijacked your thread to do it.

I'll allow it this time, Matheisen. <stern look>


but my first
reaction is that what you ask me to ignore is one of the main
reasons I want SSL!

That's okay, but you said allowing HTTP into your network was a risk,
not that exposing passwords was a risk (which is a given). I'm
interested in knowing how HTTP is more of a risk than HTTPS and I want
to exclude the obvious from the discussion.

Ah, yes. I fear I am out of my depth here (I'm not much of a web server
person), so it's entirely possible I've been living in a fool's paradise,
but doesn't forcing SSL encrypt more than just the authentication process to
help protect against eavesdropping?


I can use an IPS to examine HTTP. I can't look at the contents of
the data if it's encrypted.

Traffic between a F-E and B-E server is HTTP, not HTTPS.

In a switched network, those data aren't broadcast to everyone.

If security is a concern, why not use IPSec and limit the IP
addresses from which you'll accept HTTP/HTTPS? Or another firewall?

Because OWA is a necessary evil and I can't know from where my
clients might be connecting.....and most of my clients are teeny
offices where a FE/BE config isn't an option.

Do they also have a web site?

Not internally hosted, no...unless it's in a DMZ, and it probably wouldn't
even be running IIS then :)


Do they insist that the https scheme be
used instead of http? Let's move away from just Exchange and OWA and
get back to the HTTP vs. HTTPS part. :)

OWA's pretty much the only website I myself ever run & to which I allow access
from the Internet, and I always force SSL. And yes, I know it's not a magic
bullet.


