RE: OWA and IIS Security
1. The lockdown tool can't lock down the *.htr files, which keep the most important thing (username and password). The lockdown tool can lock down all of IIS's loopholes (if I do this, users can't log in). If I use the lockdown tool but unblock the *.htr files, I've tried URLScan, and there are loopholes that give a hacker the chance to hack in. Any suggestion?

Thanks
Rgds
Fioon

-----Original Message-----
From: Byron Kennedy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 09, 2002 5:10 AM
To: Exchange Discussions
Subject: RE: OWA and IIS Security

1. What about using the IIS Lockdown tool and URLScan? Check TechNet for how to get this to work nicely w/ OWA.

2. Yeah, but you'll still need to allow an RPC/MAPI session between OWA and the mailbox server(s), so you'll need to have the DMZ configured for the necessary ports. So the idea here is that now a hack will have to compromise the web with HTTP/S (because that's all that's open on the public side of the firewall), gain root, then discover and compromise the mailbox servers using the limited number of ports available between them and the then-compromised OWA host (DMZ). Or, alternatively, you could leave it on the internal LAN, whereby a hack would need to compromise the web with HTTP/S, gain root, then easily discover everything and have full socket access to your other systems (subject to your application-layer security model). I guess there are many ways to look at it. I've done it either way w/ 5.5.

Good luck
-byron

-----Original Message-----
From: Tony McCarthy [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 08, 2002 1:30 PM
To: Exchange Discussions
Subject: OWA and IIS Security

Hi Everyone,

Lately I've been noticing a number of attempts to hack one of our Exchange Servers. Our network is behind a PIX firewall and I've closed all unnecessary ports and have it fairly tightly locked down. However, I have ports 80, 25 and 110 open for Exchange. My main concern is IIS. I am considering the possibility of disabling IIS and OWA on the Exchange server to minimize attacks. I have all the latest NT4 security patches (that I know of) but the hackers are still attempting to do mischief.

There are two things I'd like to know:
1. Is there a means of making IIS bulletproof with a patch or 3rd-party tool?
2. Is it possible to install the OWA component on a server that is running IIS but not Exchange? The reason I ask this is because we have a web server that's running IIS. I thought it may reduce the risk of attack if I remove IIS from the Exchange server and use our web server for OWA?

I know this is probably a dumb question but I thought I'd ask it anyway. I've checked out the FAQ but couldn't find anything on this particular scenario. The Exchange server in question is running Exchange 5.5 and NT4 (SP6). The web server is running W2K (SP2). I'd greatly appreciate feedback re this.

Regards
Tony

Tony McCarthy
Systems Engineer
OSI Software Ltd
Auckland, New Zealand
Ph: 64 09 522 5909
Fax: 64 09 522 5901
Mob: 021 703035

_
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
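The trade-off Fioon and Byron are arguing over above (a lockdown policy that denies *.htr also denies the requests Fioon reports OWA logins need, while re-allowing *.htr lets more through to IIS) can be made concrete with a small model of how URLScan-style filtering decides. This is an added example, not URLScan itself and not code from anyone in the thread; the policy text borrows the URLScan.ini section names (Options, AllowVerbs, DenyExtensions, DenyUrlSequences) but is a simplified model of their semantics, and the sample requests, including the OWA paths, are constructed for the demo rather than taken from a real OWA install.

```python
"""Toy URLScan-style request filter: an added example, not URLScan and not
code from this thread.  The policy text borrows URLScan.ini section names but
is a simplified model; sample paths are constructed, not the real OWA layout."""
from urllib.parse import unquote


def parse_policy(text):
    """[Options] holds key=value pairs; every other section is a bare list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    options = dict(e.partition("=")[::2] for e in sections.pop("Options", []))
    return options, sections


def check_request(policy, verb, url):
    """Return (allowed, reason), applying checks in URLScan's order:
    verb, normalization, denied sequences, extension."""
    options, sections = policy
    on = lambda key: options.get(key, "0") == "1"
    entries = lambda name: {e.lower() for e in sections.get(name, [])}

    # 1. Verb allow-list (UseAllowVerbs=1) or deny-list.
    if on("UseAllowVerbs") and verb.lower() not in entries("AllowVerbs"):
        return False, f"verb {verb} not in AllowVerbs"
    if not on("UseAllowVerbs") and verb.lower() in entries("DenyVerbs"):
        return False, f"verb {verb} in DenyVerbs"

    # 2. Decode once before scanning; with VerifyNormalization=1 a URL that
    #    decodes again (double encoding hiding '..' or '\') is rejected outright.
    path = url.split("?", 1)[0]
    if on("NormalizeUrlBeforeScan"):
        decoded = unquote(path)
        if on("VerifyNormalization") and unquote(decoded) != decoded:
            return False, "double-encoded URL fails VerifyNormalization"
        path = decoded

    # 3. Denied character sequences, matched against the decoded path.
    for seq in sections.get("DenyUrlSequences", []):
        if seq in path:
            return False, f"DenyUrlSequences hit {seq!r}"

    # 4. Extension allow-list or deny-list; URLScan spells "no extension" as '.'.
    name = path.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else "."
    if on("UseAllowExtensions") and ext not in entries("AllowExtensions"):
        return False, f"extension {ext} not in AllowExtensions"
    if not on("UseAllowExtensions") and ext in entries("DenyExtensions"):
        return False, f"extension {ext} in DenyExtensions"
    return True, "passed"


# A strict lockdown-style policy (URLScan.ini section names, simplified content).
LOCKDOWN_POLICY = """
[Options]
UseAllowVerbs=1
UseAllowExtensions=0
NormalizeUrlBeforeScan=1
VerifyNormalization=1
[AllowVerbs]
GET
HEAD
POST
[DenyExtensions]
.htr
.ida
.exe
[DenyUrlSequences]
..
./
\\
"""

# The adjustment Fioon describes: the same policy with .htr no longer denied.
OWA_POLICY = LOCKDOWN_POLICY.replace("\n.htr\n", "\n")

# Constructed traffic: OWA-style requests plus the kind of probes a scanner sends.
SAMPLE_REQUESTS = [
    ("GET", "/exchange/logon.asp"),
    ("GET", "/exchange/LOGON.ASP"),
    ("POST", "/exchange/changepwd.htr"),
    ("PUT", "/exchange/upload.asp"),
    ("GET", "/default.ida?probe"),
    ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
]


def evaluate(policy_text, requests=SAMPLE_REQUESTS):
    """Map "VERB url" to whether the policy lets the request reach IIS."""
    policy = parse_policy(policy_text)
    return {f"{v} {u}": check_request(policy, v, u)[0] for v, u in requests}


def compare(requests=SAMPLE_REQUESTS):
    """Requests whose verdict changes between the strict and the OWA policy."""
    strict, relaxed = evaluate(LOCKDOWN_POLICY, requests), evaluate(OWA_POLICY, requests)
    return {k: (strict[k], relaxed[k]) for k in strict if strict[k] != relaxed[k]}


if __name__ == "__main__":
    for key, (before, after) in compare().items():
        print(f"{key}: lockdown={'allow' if before else 'deny'}, owa={'allow' if after else 'deny'}")
```

Run it and the only request whose fate changes between the two policies is the .htr one; the verb filter, the double-encoding check and the ".." sequence rule still block the probes under both. That is the practical point behind Byron's suggestion: relaxing one extension for OWA does not mean giving up URLScan, so the remaining exposure is whatever the .htr handler itself does, which is the question the thread leaves open.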
RE: OWA and IIS Security
1) I think you can't really make anything bulletproof, but Microsoft has a security tool that sets perms for an IIS server running OWA to minimize risk. Search for the IIS security tool or something like that.

2) Yes, you can run OWA on a different server. I do that. I have a cheapo ex-desktop that runs IIS and OWA and that is it. But I don't have very many users on it either. Be aware that if you have the IIS server in a DMZ then you may have to open more holes in your firewall than you would like. Some folks recommend keeping the OWA server inside the firewall so you don't have to open more than 2 ports to it. This has been discussed on the list in the past. People can get somewhat passionate about their view on the subject. You might want to check the archives, although I don't know how well the search feature is working right now.
RE: OWA and IIS Security
Thanks for the info. I'll have a go at installing OWA on the web server, I think. I see IIS as a necessary evil. We're basically a Microsoft environment here, so since I have to use IIS for the web server I may as well install OWA on it as well. Do I just install the OWA component from SP4? Any other Exchange components required?

Regards
Tony
RE: OWA and IIS Security
You need to start with the Exchange install CD and then apply SP4, as far as I know (I had to do that, but we were only on SP3 at that point). I thought there was something in the FAQ about this too? In one of the appendices, maybe? Yup, here it is: http://www.swinc.com/resource/exch_faq_appxg.htm

Ronni