On Fri, Jul 17, 2009 at 2:04 AM, David Lum <[email protected]> wrote:
> Further comments from my SE's: "The main difference is that if you
> go to: http://<hostname>.<domain> (which is all that script kiddies
> would find), there is no login prompt. No login prompt = no brute
> force attacks. Having the IP does nothing for you in this case."

If someone's doing untargeted IP scanning for OWA servers and running brute force attacks against any they find, then they're almost certainly going to be trying <http://host/exchange> as well as <http://host/>, since the former is the default. <http://host/obscure> would stop such blind attacks (but not anything more sophisticated).

Again, this is more of a "reduce the amount of log noise" measure than a real security measure. As such, I would only implement it if there actually is a significant amount of log noise problem.

If there are any links to your OWA URL anywhere on the Internet, web crawlers will find them. Some untargeted scanners use crawlers. So your obscure URL will not stay secret for long. Someone will eventually put it in an email or something that ends up harvested by a spam robot or something.

The hallmark of "security through obscurity" is a feature which is expected to remain secret but is not intended to be easily/frequently changed to counter disclosure. So unless you plan on changing your <http://host/obscure> URL on a regular basis, it is security through obscurity.

So, again, maybe worth it to reduce log noise (or maybe not), but otherwise not worth the user support burden.

-- Ben
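One way to check whether there is a log noise problem worth acting on, as an added example that is not part of the original message: it tallies 401 responses per top-level path from IIS W3C extended logs. The sample log lines, the threshold and the function names are constructed for illustration; `/exchange` and `/obscure` are the paths named in the thread.

```python
from collections import Counter, defaultdict

# Constructed sample in IIS W3C extended format (not real traffic;
# client addresses are from the documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-07-17 02:00:01 203.0.113.5 GET / 200
2009-07-17 02:00:02 203.0.113.5 GET /exchange 401
2009-07-17 02:00:03 203.0.113.5 GET /exchange 401
2009-07-17 02:00:04 203.0.113.5 GET /exchange 401
2009-07-17 02:00:09 198.51.100.7 GET /exchange/ 401
2009-07-17 02:00:10 198.51.100.7 GET /exchange/ 200
2009-07-17 02:01:00 192.0.2.44 GET /obscure 401
2009-07-17 02:01:05 192.0.2.44 GET /obscure/jdoe/Inbox 200
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def auth_failure_noise(text, threshold=3):
    """Return (401 count per top-level path, clients at/over threshold per path).

    A single 401 is the normal authentication challenge, so only clients
    that reach the (assumed) threshold are reported as noisy.
    """
    per_path = Counter()
    per_client = defaultdict(Counter)
    for req in parse_w3c(text):
        if req.get("sc-status") != "401":
            continue
        stem = req.get("cs-uri-stem", "/").lower().strip("/")
        top = "/" + stem.split("/")[0]  # /exchange/ and /exchange group together
        per_path[top] += 1
        per_client[top][req.get("c-ip", "-")] += 1
    noisy = {path: sorted(ip for ip, n in hits.items() if n >= threshold)
             for path, hits in per_client.items()}
    return per_path, noisy
```

Run over real logs, a large `/exchange` count spread across many unrelated clients is the noise the message describes; a handful of 401s from known users is not.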
