Finally, someone mentioned IDS in this thread.
Implementing Outlook Web Access will affect the integrity of the current
security policy. By adding layers of security, you are buying yourself/IS
Dept./Company time to react to any possible form of intrusion.
Here are a few rough notes a colleague of mine and I discussed to help him
implement OWA:
-Tokens authenticate the client end
-Adding SSL helps protect the pathway
-A (application) firewall provides perimeter security, allow only SSL
-NT ACL to restrict OWA access
-Network IDS to monitor activity to and from OWA server, which could be
between OWA, Internet users, Exchange, and your PDC
-Host IDS on your PDC and/or Exchange, to detect tampering
-Educate the user on proper use of OWA
-Analyze Firewall/OWA/NT logs and audits
-Find out how to work with your ISP in the event someone has compromised the
security in place
-Consistent password change policy/if needed.
-A disaster plan(nothing is 100% secure)
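
A sketch of the "allow only SSL" and "Analyze Firewall/OWA/NT logs" items above, as an added example that is not part of the original post: it reads IIS W3C extended log lines and reports OWA requests that arrived on a port other than 443, plus client IPs with repeated 401 responses. The `/exchange` path prefix, the logged field set, the threshold and the sample lines are assumptions made for the illustration.

```python
from collections import Counter

# Constructed IIS W3C extended log sample (documentation IP ranges, not real data).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2001-03-05 09:14:02 203.0.113.20 - 443 GET /exchange/ 401
2001-03-05 09:14:03 203.0.113.20 alice 443 GET /exchange/ 200
2001-03-05 09:20:11 192.0.2.44 - 80 GET /exchange/ 401
2001-03-05 09:21:00 192.0.2.44 - 80 GET /default.htm 200
2001-03-05 09:30:01 198.51.100.7 - 443 GET /exchange/ 401
2001-03-05 09:30:02 198.51.100.7 - 443 GET /exchange/ 401
2001-03-05 09:30:03 198.51.100.7 - 443 GET /exchange/ 401
2001-03-05 09:30:04 198.51.100.7 - 443 GET /exchange/ 401
2001-03-05 09:30:05 198.51.100.7 - 443 GET /exchange/ 401
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))

def review_owa_log(text, owa_prefix="/exchange", max_failures=5):
    """Report non-SSL OWA requests and client IPs with many 401 responses."""
    failures = Counter()
    non_ssl = []
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(owa_prefix):
            continue  # not an OWA request
        if rec["s-port"] != "443":
            # The firewall should have allowed only SSL through to OWA.
            non_ssl.append((rec["c-ip"], rec["cs-uri-stem"]))
        if rec["sc-status"] == "401":
            # A normal logon also starts with a 401 challenge, so only
            # totals at or above the threshold are reported.
            failures[rec["c-ip"]] += 1
    noisy = {ip: n for ip, n in failures.items() if n >= max_failures}
    return {"non_ssl": non_ssl, "auth_failures": noisy}

if __name__ == "__main__":
    print(review_owa_log(SAMPLE_LOG))
```

The failure count is a total over the whole file, so run it per log file (IIS rotates daily by default) or add a time window before using the numbers for alerting.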