Security 101: if a port is open to all == security risk
https provides encryption, that is all. From a hacking perspective whether it is http, https or RPC over https is irrelevant, they are all as insecure as the other, in principle. They all use IIS, so any exploit for IIS means the server you are running IIS on is open to unknown exploits and known ones if you don't keep up to date with your security patches :-)

One good use of using a FE Exchange server is that you can take this down and apply a patch without taking down the mailstore people are using.

One advantage of ISA2k4 (as I understand it, I don't use it) is that you can publish the URLs that you will allow to the Exchange server, and control the type of "queries" hackers could use. This reduces your risk profile. Should you want to reduce it even further, then some form of two factor authentication (RSA, Aladdin, secureword token) integrated with ISA would provide you with the "maximum".

Additionally, if you want to provide security for any and all conversations between a remote client and your network, then some form of VPN would be advisable.

In my case I use a firewall with RSA tokens. Any client that wants access must install a VPN client on their machine and currently the only access is via terminal services and activesync. I also don't have to worry about certificates. Rather than just limiting them to OWA, we give them their whole environment. It just means they have to be connected to use it.
The advantage of Ed's "https over RPC" is that the sales people can compose and reply to messages offline, thus improving convenience and internet access costs (if paying by the hour). Also, if the sales people have low bandwidth then using terminal services or OWA can be painful (really need broadband).

HTH
Dean

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Henry
Sent: Wednesday, 6 September 2006 04:52
To: Exchange Discussions
Subject: OWA Pros & Cons

Up until now, I have simply co-delivered mail for temporary "On the Road" access. I have looked over OWA; to me it seems it's not worth the effort.

Well, I have a salesman who has believed the sales pitch they have received concerning a PDA that can work with OWA. Beyond that, most of these people have laptops with VPN into our domain. So it's a huge waste for such little benefits being duplicated. But I am falling prey to convenience of web access to solve "lack of planning" issues.

But my problem is it's getting into the realm of: what are my risks (security or otherwise) for such benefits? What are my setup options to make this as secure as possible? Has anyone been hacked through their OWA? Is there a definitive web page on all the reasons not to use OWA? (My viewpoint is being questioned. No one will remember I told them not to do this, if/when we fall prey to Microsoft's Security Competency.)

We run E2K3 on W2K3 server, with an ISA2K4 on another W2K3 server for access setup.

Regards,
Michael
