Re: Outlook security

From: Sherman H. (shung_at_charter.net)
Date: 11/11/04


Date: Thu, 11 Nov 2004 10:02:17 -0800

Thanks. In response to #1, would it be correct if I say it depends on the
remote user's IE settings? The company cannot do anything to ensure that
encryption or digital signatures are on?

I heard that Outlook 2003 has enhancements that provide encryption through
VPN or other encryption methods. Is that correct?

"neo [mvp outlook]" <neo@online.mvps.org> wrote in message
news:e5SXNKByEHA.2040@tk2msftngp13.phx.gbl...
> Comments inline...
>
> "Sherman H." <shung@charter.net> wrote in message
> news:10p722ummgnvgca@corp.supernews.com...
> >I have the following Outlook 2000 security questions:
> >
> > 1. How can I verify if the OWA (Outlook 2000) has encryption or digital
> > signature? Is that true that Outlook 2000 does not have strong features
> > for
> > encryption through Internet?
>
> Little confused here since you mention OWA and then put Outlook 2000 in
> parens, so I'll cover both.
>
> Outlook Web Access (OWA) is something that you access via a web browser.
> For sake of clarity, I will assume that you are using Internet Explorer 6
> SP1 on Windows 2000 or Windows XP (SP1). When you access OWA and complete
> your logon, you should see a lock in the lower right hand corner of the IE
> window. If you double click on that lock, you will see the details of the
> digital certificate that is securing the connection between you and the
> internet information server.
>
> Outlook 2000 can support digital certificates for encryption and/or signed
> mail. If you are not certain if you have a personal certificate for such
> activities, the easiest way to check is to open Internet Explorer and select
> Tools | Internet Options | Content tab | Certificates button. Under the
> Personal tab are certificates that are assigned to the individual for use.
> To see if the certificate can be used for encryption/digital signatures you
> can highlight one and then look below in the certificate intended purposes.
> If you see secure e-mail, then that certificate could be used to digitally
> sign and/or encrypt e-mail.
>
> When Outlook 2000 was released, export laws prohibited MS from distributing
> a client that could support 128-bit security. This support could be added
> by downloading a patch from Microsoft providing that you lived in the
> "right" area. Laws have changed in regards to this since its release and
> the patch can be downloaded. See
> http://www.microsoft.com/downloads/details.aspx?FamilyID=FCD97EAE-8B51-443B-9170-B0CA8482DC89&displaylang=en.
>
>
> > 2. What would be the best way to verify if administrator accounts have
> > email
> > accounts? Would this be considered a security exposure?
>
> The best way in an Exchange 5.5 world is to open Exchange System
> Administrator and review the mailboxes of accounts of person(s) you know
> that are designated the role of "administrators". For Exchange 2000/2003,
> you would use Active Directory Users and Computers to retrieve this
> information.
>
> Is it a security risk for a domain administrator to have an e-mail account?
> I would say that depends on the policies and regulations for your site,
> since you could easily put two security-minded individuals together and have
> each argue the pros and cons until blue in the face. For example, I manage
> two sites. In both I have network god rights and each site practices
> different behaviors. In one, I log on with domain administrator privileges
> but have reconfigured my workstation to where I only have user rights (e.g.
> removed Domain Administrators from the workstation's local Administrators
> group). This helps secure my workstation because I've taken away some of
> the things that exploits want to do when taking over a machine (e.g. no
> writing to specific areas in the registry or swapping out key files in
> Program Files or system32). While I'm anal about this, the next person may
> not be and say hell no, I need local administrator rights to do these tasks
> and not even consider thinking outside the box, so to speak.
>
> In the other I'm issued two accounts. One is a domain administrator account
> that is to be used for administering the domain via a remote
> desktop/terminal server session to a designated management server. The
> other is my domain user account that is used for everyday activities.
>
> As you can see, the two examples above are just two possibilities and leave
> a world of gray in between. One site might decide that I can be a domain
> user and delegate the necessary tasks I need to do (e.g. say I only need the
> right to manage user and computer accounts. This can be delegated in Active
> Directory without having to grant domain administrator rights.) So as you
> can see, it really does boil down to what the site deems correct behavior
> from its staff.
>
>
> > 3. I saw Microsoft has provided a free download scanner for Outlook. Is
> > this a good tool to verify Outlook security settings?
>
> Any tool that lets you quickly gather settings so you can make an informed
> decision on what changes can be made without affecting usability is a good
> thing. Just keep in mind that security vendors don't know your site and/or
> how the system is used. This is where you step in and have to make informed
> decisions about the data provided and what changes are appropriate for your
> environment.
>
> Just my $.02
>
> /neo
>
>
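The certificate check neo describes for question #1 (Internet Options | Content | Certificates, then the "intended purposes" pane) can be done against the same store from PowerShell. The following is an added example, not code from the original thread or from Microsoft; it assumes the Cert: drive provider (Windows PowerShell 3 or later) and that the user's S/MIME certificate sits in the Personal store, Cert:\CurrentUser\My. The function name Get-SecureEmailCertificate and the -IncludeAnyPurpose switch are my own.

```powershell
# Added example, not code from the original thread: the certificate check
# neo describes (Internet Options | Content | Certificates | intended
# purposes) done from PowerShell against the same store, Cert:\CurrentUser\My.
# "Secure Email" is the enhanced key usage (EKU) with OID 1.3.6.1.5.5.7.3.4.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'

function Get-SecureEmailCertificate {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',   # the "Personal" tab in the IE dialog
        [switch]$IncludeAnyPurpose                     # also list certs with no EKU extension at all
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # The Cert: provider adds EnhancedKeyUsageList (FriendlyName/ObjectId pairs).
        $ekus = @($cert.EnhancedKeyUsageList.ObjectId | Where-Object { $_ })
        # Windows treats a certificate with no EKU extension as valid for every
        # purpose, so such a certificate may still work for S/MIME; it is listed
        # only when -IncludeAnyPurpose is given so you can review it separately.
        $secureEmail = $ekus -contains $SecureEmailOid
        $anyPurpose  = ($ekus.Count -eq 0)
        if (-not ($secureEmail -or ($IncludeAnyPurpose -and $anyPurpose))) { return }

        # KeyUsage bits show what the key may do: DigitalSignature for signing,
        # KeyEncipherment for receiving encrypted mail. Some CAs issue separate
        # signing and encryption certificates, so both may be needed.
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            ForEach-Object { $_.KeyUsages }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey   # required to sign or to decrypt received mail
            SecureEmail   = $secureEmail
            AnyPurpose    = $anyPurpose
            KeyUsage      = $ku
        }
    }
}

Get-SecureEmailCertificate | Format-Table -AutoSize
```

A row with SecureEmail true but HasPrivateKey false is a certificate that was imported without its key (it can verify others' signatures and encrypt to that recipient, but Outlook cannot sign or decrypt with it); a row with Expired true is one Outlook will refuse to sign with. This covers only the client-side S/MIME certificate; the OWA padlock check neo describes concerns the server's TLS certificate, which is a different certificate.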
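For question #2, the by-hand review in Active Directory Users and Computers that neo describes can be scripted. This is an added example, not code from the original thread; it uses the ActiveDirectory PowerShell module (RSAT), which post-dates the Exchange 5.5/2000/2003 era of the thread, and it assumes an AD-integrated Exchange where a mailbox-enabled user carries the msExchHomeServerName attribute. The function name Get-AdminMailboxReport and the default group list are mine.

```powershell
# Added example, not code from the original thread: list the members of the
# built-in high-privilege groups and show whether each account is mail-enabled,
# the audit neo describes doing by hand in Active Directory Users and Computers.
# Assumes the ActiveDirectory module (RSAT) and an AD-integrated Exchange.
Import-Module ActiveDirectory

function Get-AdminMailboxReport {
    param(
        # Groups whose members hold broad rights; add your own delegated admin groups.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
    )
    foreach ($group in $Groups) {
        try {
            # -Recursive expands nested groups so indirectly privileged accounts are not missed.
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            # e.g. forest-root groups queried from a child domain, or a group that does not exist here
            Write-Warning "Could not enumerate '$group': $_"
            continue
        }
        $members |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties mail, msExchHomeServerName |
            ForEach-Object {
                [pscustomobject]@{
                    Group          = $group
                    SamAccountName = $_.SamAccountName
                    Enabled        = $_.Enabled
                    MailAddress    = $_.mail
                    # msExchHomeServerName is set on mailbox-enabled users
                    HasMailbox     = [bool]$_.msExchHomeServerName
                }
            }
    }
}

# Only the privileged accounts that can receive mail are of interest here; the
# two-account model neo describes (admin account without mail, ordinary user
# account with mail) is the configuration in which this list comes back empty.
Get-AdminMailboxReport |
    Where-Object { $_.HasMailbox -or $_.MailAddress } |
    Sort-Object Group, SamAccountName |
    Format-Table -AutoSize
```

Whether a non-empty list is a finding is, as neo says, a site policy question; the script only makes the decision an informed one. Run it with an account that can read the groups, and compare the output against the list of people who are supposed to hold those rights, since an unexpected mail-enabled member is a more interesting result than an expected one.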

