And there seems to be a potentially unfounded assumption that no one has previously guessed these passwords...

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Friday, 14 November 2014 10:34 AM
To: ntsysadm
Subject: Re: [NTSysADM] RE: OWA and Exchange 2007

>> That employee (assuming he didn't do anything nasty with the guessed passwds) did you a big favor

No, the former employee didn't.

Just because the result was comparatively *better* than having external malicious parties do it, doesn't make it *good*.

Weak company security policies (or lack thereof) = bad.
Employee exploiting said weak company security policies = bad.
External entity exploiting said weak company security policies = much worse (but doesn't turn #2 into "good").

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...

On Thu, Nov 13, 2014 at 6:06 PM, Edward A. Berry <[email protected]> wrote:

> <another lurker>
> Are you kidding? That employee (assuming he didn't do anything nasty with the guessed passwds) did you a big favor by exposing the weak passwords before the really bad boys got them.
>
> On 11/13/2014 02:24 PM, Gordon Pegue wrote:
>
>> <lurker response>
>> Wouldn't a more effective solution be to:
>> 1. Terminate the employee who "guessed" the pwds
>> 2. Institute a password change for all OWA users immediately requiring a strong pwd
>> Seems to me that turning off OWA is a business-line decision in this case, not an IT decision
>>
>> Gordon
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Stefan Jafs
>> Sent: Thursday, November 13, 2014 12:14 PM
>> To: [email protected]
>> Subject: [NTSysADM] OWA and Exchange 2007
>>
>> We had a security breach where an employee has guessed about 20 people's passwords and been able to access their e-mail with OWA.
>> Since most people use company laptops and/or Surfaces to access their e-mail while on the road using RPC/HTTP with Outlook, we are thinking about disabling OWA for all but a few users; will that break anything else? Did some Googling and it looks like it may be a problem in Exchange 2013, but we are still on 2007.
>>
>> Stefan Jafs
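The two concrete actions the thread converges on, a forced password change for the OWA population and disabling OWA for everyone except a short allow-list, can both be done from the Exchange 2007 Management Shell. The script below is an added example written for this page; it is not code from any participant in the thread. It assumes an EMS session with rights to modify CAS mailbox settings and AD user objects; the allow-list addresses and the `$preview` switch are placeholders invented for the example.

```powershell
# Added example, not code from the thread: an Exchange 2007 Management Shell
# script that (1) forces a password change at next logon for every mailbox
# user (Gordon's point 2) and (2) disables OWA for all mailboxes except an
# allow-list (Stefan's plan). Assumptions: run in an EMS session with rights
# to change CAS mailbox settings and AD user objects; the allow-list addresses
# and the $preview switch are placeholders invented for this example.

# Mailboxes that keep OWA (constructed placeholder list; replace with your own).
$keepOwa = @('ceo@example.com', 'helpdesk@example.com')

# With $preview = $true nothing is changed: Set-CASMailbox runs with -WhatIf
# and the password-change step is only reported.
$preview = $true

foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    $addr = $mbx.PrimarySmtpAddress.ToString()

    # (1) Require a new password at next logon by clearing pwdLastSet via ADSI,
    # which works without the ActiveDirectory module on an older EMS host.
    # Note: accounts flagged "password never expires" or "user cannot change
    # password" will not be prompted; review those separately.
    if ($preview) {
        Write-Host ("would force password change for " + $addr)
    } else {
        $user = [ADSI]("LDAP://" + $mbx.DistinguishedName)
        $user.Put('pwdLastSet', 0)
        $user.SetInfo()
    }

    # (2) Disable OWA unless the mailbox is on the allow-list.
    if ($keepOwa -contains $addr) {
        Write-Host ("keeping OWA for " + $addr)
        continue
    }
    if ($preview) {
        Set-CASMailbox -Identity $mbx.Identity -OWAEnabled $false -WhatIf
    } else {
        Set-CASMailbox -Identity $mbx.Identity -OWAEnabled $false
    }
}

# Verify the result: who still has OWA, and confirm MAPI (the protocol
# Outlook Anywhere / RPC over HTTP uses) is untouched for everyone else.
Get-CASMailbox -ResultSize Unlimited |
    Select-Object Name, OWAEnabled, MAPIEnabled, ActiveSyncEnabled |
    Sort-Object OWAEnabled -Descending
```

Run it once with `$preview = $true` and read the `-WhatIf` output before flipping the switch. The final report answers Stefan's "will that break anything else?" for the protocols Exchange 2007 controls per mailbox: `OWAEnabled` governs only Outlook Web Access, while Outlook over RPC/HTTP depends on `MAPIEnabled`, which this script never touches.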

