1. What about using the IIS Lockdown tool and URLScan?  Check TechNet for
how to get this to work nicely w/ OWA.

2. Yeah, but you'll still need to allow an RPC/MAPI session between OWA and
the mailbox server(s), so you'll need to have the DMZ configured for the
necessary ports.  So the idea here is that now a hack will have to
compromise the web with HTTP/S (because that's all that's open on the public
side of the firewall), gain root, then discover and compromise the mailbox
servers using the limited number of ports available between them and the
then-compromised OWA host (DMZ).  Or, alternatively, you could leave it on
the internal LAN, whereby a hack would need to compromise the web with
HTTP/S, gain root, then easily discover everything and have full socket
access to your other systems (subject to your application layer security
model).  I guess there are many ways to look at it.  I've done it either way
w/ 5.5.

Good luck-byron
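The two placements Byron compares above (OWA host in a DMZ with only the required ports through to the mailbox servers, versus OWA on the internal LAN with full socket access) can be modelled as a small firewall-policy audit. This is an added example, not code from either poster; the segment names, the rule sets and the mailbox-side port list are constructed assumptions, and the real RPC/MAPI ports your Exchange build needs must come from your own documentation.

```python
from dataclasses import dataclass

ANY = 0  # shorthand for "any port", i.e. unfiltered socket access


@dataclass(frozen=True)
class Rule:
    """One permit rule: TCP traffic from segment `src` to segment `dst` on `port`."""
    src: str
    dst: str
    port: int


def audit(rules, policy):
    """Return permit rules that exceed `policy`, a map of (src, dst) -> allowed
    port set. Pairs with no policy entry and any-port rules are always flagged."""
    flagged = []
    for r in rules:
        allowed = policy.get((r.src, r.dst))
        if allowed is None or r.port == ANY or r.port not in allowed:
            flagged.append(r)
    return flagged


def lateral_surface(rules, foothold):
    """Destinations directly reachable from a compromised segment `foothold`,
    as {dst: set_of_ports}; {ANY} means every port on that segment."""
    surface = {}
    for r in rules:
        if r.src == foothold:
            surface.setdefault(r.dst, set()).add(r.port)
    return surface


# Assumption: ports the OWA host needs towards the mailbox servers. 135 is the
# RPC endpoint mapper; anything further must come from your own documentation.
MAILBOX_PORTS = {135}

# Constructed rule sets for the two placements discussed in the thread.
DMZ_RULES = [Rule("internet", "owa-dmz", 80), Rule("internet", "owa-dmz", 443),
             Rule("owa-dmz", "mailbox", 135)]
LAN_RULES = [Rule("internet", "owa-lan", 80), Rule("internet", "owa-lan", 443),
             Rule("owa-lan", "lan", ANY)]  # same LAN, nothing filters host-to-host
POLICY = {("internet", "owa-dmz"): {80, 443}, ("owa-dmz", "mailbox"): MAILBOX_PORTS,
          ("internet", "owa-lan"): {80, 443}}

if __name__ == "__main__":
    for name, rules, host in (("DMZ", DMZ_RULES, "owa-dmz"), ("LAN", LAN_RULES, "owa-lan")):
        print(name, "policy violations:", audit(rules, POLICY))
        print(name, "reachable from a compromised OWA host:", lateral_surface(rules, host))
```

Running it shows the DMZ layout passing the audit with a lateral surface of one host and one port, while the LAN layout is flagged for the any-port rule and exposes every internal port.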

-----Original Message-----
From: Tony McCarthy [mailto:[EMAIL PROTECTED]] 
Sent: Monday, July 08, 2002 1:30 PM
To: Exchange Discussions
Subject: OWA and IIS Security


Hi Everyone,

Lately I've been noticing a number of attempts to hack one of our Exchange
Servers. Our network is behind a PIX firewall and I've closed all
unnecessary ports and have it fairly tightly locked down.  However I have
Port 80, 25 and 110 open for Exchange. My main concern is IIS. I am
considering the possibility of disabling IIS and OWA on the Exchange server
to minimize attacks. I have all the latest NT4 security patches (that I know
of) but the hackers are still attempting to do mischief. There are two
things I'd like to know:

1. Is there a means of making IIS bullet proof with a patch or 3rd party
tool?

2. Is it possible to install the OWA component on a server that is running
IIS but not Exchange? The reason I ask this is because we have a web server
that's running IIS. I thought it may reduce the risk of attack if I remove
IIS from the Exchange server and use our web server for OWA. I know this is
probably a dumb question but I thought I'd ask it anyway. I've checked out
the FAQ but couldn't find anything on this particular scenario. The Exchange
server in question is running Exchange 5.5 and NT4 (SP6). The web server is
running W2K (SP2).

I'd greatly appreciate feedback re this.

Regards
Tony

Tony McCarthy
Systems Engineer
OSI Software Ltd
Auckland
New Zealand
Ph:64 09 522 5909 
Fax:64 09 522 5901 
Mob: 021 703035 



_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Archives:               http://www.swynk.com/sitesearch/search.asp
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
