Hi Ed

I think you'll find that I followed my initial post with an immediate follow up that stated:

"Sorry, I should have said that it eliminates any key-logging concerns related to authentication - it obviously can't stop the actual recording of keystrokes by key-logging software. It will however, basically eliminate the possibility of someone gaining access to your email system using credentials "left behind" by one of your users which is where we happen to draw the line in terms of functionality/security.

Greg"

-----Original Message-----
From: Ed Crowley [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 September 2003 7:02 AM
To: Exchange Discussions
Subject: RE: OWA front end server - licensing and security

Perhaps, but that's not what he said.

Ed

--- Steve Evans <[EMAIL PROTECTED]> wrote:
> It doesn't, but it keeps people from reusing credentials. At least I believe that's the poster's point.
>
> Steve Evans
> SDSU Foundation
>
> -----Original Message-----
> From: Ed Crowley [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 18, 2003 1:40 PM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
>
> I don't see how that would stop key-logging.
>
> Ed
>
> --- Greg Marr <[EMAIL PROTECTED]> wrote:
> > We have set up our OWA to require two-factor authentication (SecurID) which eliminates any key-logging concerns but this system is not cheap at approx $300 AU ($160 US) per user.
> >
> > The upside is that you can use the same system to authenticate all of your remote access users (dial-up, VPN, etc) and this is the function that really allows me to sleep well at night.
> >
> > I guess that it all depends on how many people are going to require this functionality and of course, your budget.....
> >
> > Greg
> >
> > -----Original Message-----
> > From: Erick Thompson [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, 18 September 2003 10:07 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> >
> > We talked about this exact scenario.
> > We decided that given how easy it is to install a key logger, and other malware, on public systems we decided it was too risky. We are planning on using public folders quite heavily with data that we can't risk getting out. Same with the address books.
> >
> > We are trying to figure out a way to give people access to email only from a public terminal. No public folders or address books. If you have any suggestions, that would be great.
> >
> > Erick
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > > Sent: Wednesday, September 17, 2003 4:40 PM
> > > To: Exchange Discussions
> > > Subject: RE: OWA front end server - licensing and security
> > >
> > > ISA is a better solution in a DMZ because it doesn't require the plethora of holes in the internal firewall.
> > >
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/deploy/isaexch.asp
> > >
> > > Requiring VPN (your other message) is a good idea, however, you may be coming back to ISA or some other idea when your users demand to be able to get e-mail from a coffeehouse kiosk terminal.
> > >
> > > Ed
> > >
> > > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > > I have to admit to being a little confused, how would ISA help, aside from being a proxy? Which isn't nothing, but I'm wondering if I'm missing something else.
> > > >
> > > > Thanks,
> > > > Erick
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] Behalf Of Webb, Andy
> > > > > Sent: Wednesday, September 17, 2003 7:04 AM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: OWA front end server - licensing and security
> > > > >
> > > > > Don't forget you also have to fully protect the front end server from all the other servers on the DMZ from which it is not isolated.
> > > > >
> > > > > Those other systems may have been placed on the DMZ in an insecure state with the thought that if anyone broke them, they would be isolated from the internal LAN. What happens when you put the FE in the DMZ is you break that theory. The DMZ is no longer isolated from the LAN.
> > > > >
> > > > > You definitely have to secure the FE, but once you have, why not put it inside where it is not at risk from questionable systems on the DMZ?
> > > > >
> > > > > Better to put an ISA server in the DMZ as was suggested earlier.
> > > > >
> > > > > Regarding IPSEC, Exchange 2003 explicitly states that IPSEC is now supported between front end and back end. So if you upgrade, that's perhaps an option. Though a lesser one than using ISA imho.
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Leeann McCallum
> > > > > Sent: Tuesday, September 16, 2003 6:32 PM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: OWA front end server - licensing and security
> > > > >
> > > > > You could throw an OWA front end server in the DMZ, put certificate on as Ed suggests, and then wrap everything up in an IPSEC packet that goes between the front end and backend. Between the client on the net and the front end, you would use SSL, so just open 443.
> > > > >
> > > > > -----Original Message-----
> > > > > From: Erick Thompson

=== message truncated ===

