RE: OWA Security
- From: v-natliu@xxxxxxxxxxxxxxxxxxxx (Nathan Liu [MSFT])
- Date: Thu, 02 Jun 2005 06:37:25 GMT
Hello Matt,
Thank you for posting in the SBS newsgroup.
According to your description, I understand that you would like to find a
way of securing the OWA for the Exchange 2003 server. If I have
misunderstood your concern, please don't hesitate to let me know.
Based on my research, when you run the CEICW and enable "Allow access OWA
Service from Internet" option, the OWA requires SSL for encrypted
communications by default, this forces OWA to only accept https:// requests.
For Outlook Web Access, the IIS SSL Configuration Component will modify the
virtual roots require SSL:
/Exchange
/Exadmin
/exchweb
/Public
In addition, the IIS SSL Configuration component will configure the Default
Web Site to be configured for Forms Based Authentication (FBA, also called
cookie
authentication). Due to this, OWA will be required to require SSL. The OWA
virtual roots /exchange and /exchweb will be configured to use cookie
authentication. The
wizard will configure /public to also still allow Windows Integrated
Authentication. This needs to be done after the Exchange FBA configuration
has been set.
In reference to your previous question, the OWA requires SSL for encrypted
communications by default, you don't need to do more security for OWA.
Forms Based Authentication
Forms-based authentication (Cookie-auth) lets you enable a new logon page
for Outlook Web Access that stores the user's name and password in a cookie
instead of in the browser. When a user closes the browser, the cookie is
cleared. Additionally, after a period of inactivity, the cookie is cleared
automatically. To access e-mail, the new logon page requires the user to
enter a domain, a user name, and a password, or a full user principal name
(UPN) e-mail address and password. This will prevent unsolicited access to
the user's mailbox when the user leaves his computer but forget to log off.
To get more additional information, you may refer to the following link:
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/technet/security/secnews/articles/sec_sbs2003_netwo
rk.mspx#ELAA
I hope this helps. If you have any questions or concerns, please do not
hesitate to let me know. I am always happy to be of further assistance.
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Matt" <Matthew@xxxxxxxxx>
>Subject: OWA Security
>Date: Wed, 1 Jun 2005 14:01:52 -0600
>Lines: 8
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
>X-RFC2646: Format=Flowed; Original
>Message-ID: <OEDKrVuZFHA.1424@xxxxxxxxxxxxxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: 64.207.45.37
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP1
5.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:123377
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Hi,
>
>How secure is OWA for exchange 2003? I was wondering if I should add some
>security by adding an authentication page before you get to the OWA page?
>
>Thanks
>
>
>
.
- References:
- OWA Security
- From: Matt
- OWA Security
- Prev by Date: RE: SBS used as Windows Server ?
- Next by Date: SBS2000 Slow Printing...
- Previous by thread: Re: OWA Security
- Next by thread: I dont want a copy of messages sent to a distribution list
- Index(es):
Relevant Pages
|
