RE: Outlook session sharing disable

2002-01-17 Thread Chris Scharff

How is this a critical hole from a security point of view exactly?

 -Original Message-
 From: Rogerio Silva [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, January 17, 2002 10:07 AM
 To: Exchange Discussions
 Subject: Outlook session sharing disable
 
 
 An Outlook session to the Exchange Server is normally 
 shareable, so any other program can use it, having an open 
 access to the user's mailbox. Since this is a critical hole 
 from a security point of view, is there any way to disable 
 this feature?

_
List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
Archives:   http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin:[EMAIL PROTECTED]



RE: Outlook session sharing disable

2002-01-17 Thread Andy David

Cuz you can share holes silly!


-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 2:56 PM
To: Exchange Discussions
Subject: RE: Outlook session sharing disable


How is this a critical hole from a security point of view exactly?

 -Original Message-
 From: Rogerio Silva [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, January 17, 2002 10:07 AM
 To: Exchange Discussions
 Subject: Outlook session sharing disable
 
 
 An Outlook session to the Exchange Server is normally 
 shareable, so any other program can use it, having an open 
 access to the user's mailbox. Since this is a critical hole 
 from a security point of view, is there any way to disable 
 this feature?





RE: Outlook session sharing disable

2002-01-17 Thread Rogerio Silva

It is easy to develop some sort of trojan, that once installed 
and running at a particular machine, can use an active connection
from the user's Outlook to the Exchange Server, to have free access
to the user's mailbox. So, any form of strong authentication that
could be used to enforce the security of access to the Exchange Server
is useless, because an authenticated Outlook-Exchange session can be
largely used by whatever process running on that machine.




RE: Outlook session sharing disable

2002-01-17 Thread Robert Moir

 -Original Message-
 From: Rogerio Silva [mailto:[EMAIL PROTECTED]] 
 Sent: 17 January 2002 20:22
 To: Exchange Discussions
 Subject: RE: Outlook session sharing disable
 
 
 It is easy to develop some sort of trojan, that once installed 
 and running at a particular machine, can use an active 
 connection from the user's Outlook to the Exchange Server, to 
 have free access to the user's mailbox. So, any form of 
 strong authentication that could be used to enforce the 
 security of access to the Exchange Server is useless, because 
 an authenticated Outlook-Exchange session can be largely used 
 by whatever process running on that machine.

Ok. I'm logged on at my machine and I'm stupid enough to run "click here to
see Britney Spears naked, really, not a virus
honest.exe.jpg.pif.htm.bat.com".

It uses your elite security hole to send lots of emails via notepad.
It sends email via the VBA scripting interface.
It installs its own SMTP engine (like Happy99/SKA did) and sends its damn
email its damn self.

What's the difference? What's the point?




RE: Outlook session sharing disable

2002-01-17 Thread Chris Scharff

In your scenario there is certainly a security issue, but I don't see that
issue as Outlook. Not that there aren't a number of security issues with
Outlook, the scenario as described simply does not seem to be one of them.

A trojan has access to the contents of my inbox. So what? It could also have
access to the contents of my hard drive and any file shares to which I might
have permissions. What is the Outlook specific security issue?


 -Original Message-
 From: Rogerio Silva [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, January 17, 2002 2:22 PM
 To: Exchange Discussions
 Subject: RE: Outlook session sharing disable
 
 
 It is easy to develop some sort of trojan, that once installed 
 and running at a particular machine, can use an active 
 connection from the user's Outlook to the Exchange Server, to 
 have free access to the user's mailbox. So, any form of 
 strong authentication that could be used to enforce the 
 security of access to the Exchange Server is useless, because 
 an authenticated Outlook-Exchange session can be largely used 
 by whatever process running on that machine.




RE: Outlook session sharing disable

2002-01-17 Thread Rogerio Silva

The obvious difference is that I'm talking about the access to
my own mail stuff, not the spreading of new messages from my
place. But, as I understood, the answer is to be smart enough
to avoid Britney Spears pictures ...




RE: Outlook session sharing disable

2002-01-17 Thread Rogerio Silva

Having in mind that my terminal has a reasonable degree of vulnerability,
I could think of leaving my restricted mail and stuff at the Exchange
Server, considering the use of a robust authentication policy to access
it.




RE: Outlook session sharing disable

2002-01-17 Thread Blunt, James H (Jim)

Rogerio,

If you've got users that are able to open e-mails containing trojans,
transported by various attachment types, then you have a bigger problem.
You either have:

1.  No firewall/AV software or
2.  Bad firewall/AV software or
3.  Poorly configured firewall/AV software.

Plug your security holes from this end first, and you won't have to worry
about the multiple connections issue.

Jim Blunt

-Original Message-
From: Chris Scharff [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 17, 2002 12:23 PM
To: Exchange Discussions
Subject: RE: Outlook session sharing disable


In your scenario there is certainly a security issue, but I don't see that
issue as Outlook. Not that there aren't a number of security issues with
Outlook, the scenario as described simply does not seem to be one of them.

A trojan has access to the contents of my inbox. So what? It could also have
access to the contents of my hard drive and any file shares to which I might
have permissions. What is the Outlook specific security issue?


 -Original Message-
 From: Rogerio Silva [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, January 17, 2002 2:22 PM
 To: Exchange Discussions
 Subject: RE: Outlook session sharing disable
 
 
 It is easy to develop some sort of trojan, that once installed
 and running at a particular machine, can use an active 
 connection from the user's Outlook to the Exchange Server, to 
 have free access to the user's mailbox. So, any form of 
 strong authentication that could be used to enforce the 
 security of access to the Exchange Server is useless, because 
 an authenticated Outlook-Exchange session can be largely used 
 by whatever process running on that machine.




RE: Outlook session sharing disable

2002-01-17 Thread Chris Scharff

What robust authentication policy would that be? Exchange and Outlook use
NTLM authentication, I'm not aware of an optional authentication policy
available for Outlook which is more robust than that. Unless there's a
3rd party product out there I don't know about. 

I can write a trojan which accesses your inbox without you even having
Outlook installed on the machine, all you need to do is be logged in as you.
I guess if you want to be really secure, you could VNC into one box and then
inside of that session open a terminal services session to another box and
then from within that window open Outlook.

Chris
-- 
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage! 


 -Original Message-
 From: Rogerio Silva [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, January 17, 2002 2:51 PM
 To: Exchange Discussions
 Subject: RE: Outlook session sharing disable
 
 
 Having in mind that my terminal has a reasonable degree of 
 vulnerability, I could think of leaving my restricted mail 
 and stuff at the Exchange Server, considering the use of a 
 robust authentication policy to access it.




RE: Outlook session sharing disable

2002-01-17 Thread Chris Scharff

To be clear, by "I can write", I mean I could design the spec on a napkin
and pass it off to one of a dozen friends who could whip up the code in
under a day. I personally couldn't write the code, even if I wanted to.

Chris
-- 
Chris Scharff
Senior Sales Engineer
MessageOne
If you can't measure, you can't manage! 


 -Original Message-
 From: Chris Scharff 
 Sent: Thursday, January 17, 2002 3:26 PM
 To: Exchange Discussions
 Subject: RE: Outlook session sharing disable
 
 
 What robust authentication policy would that be? Exchange and 
 Outlook use NTLM authentication, I'm not aware of an optional 
 authentication policy available for Outlook which is more 
 robust than that. Unless there's a 3rd party product out 
 there I don't know about. 
 
 I can write a trojan which accesses your inbox without you 
 even having Outlook installed on the machine, all you need to 
 do is be logged in as you. I guess if you want to be really 
 secure, you could VNC into one box and then inside of that 
 session open a terminal services session to another box and 
 then from within that window open Outlook.
 
 Chris
 -- 
 Chris Scharff
 Senior Sales Engineer
 MessageOne
 If you can't measure, you can't manage! 
 
 
  -Original Message-
  From: Rogerio Silva [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 17, 2002 2:51 PM
  To: Exchange Discussions
  Subject: RE: Outlook session sharing disable
  
  
  Having in mind that my terminal has a reasonable degree of
  vulnerability, I could think of leaving my restricted mail 
  and stuff at the Exchange Server, considering the use of a 
  robust authentication policy to access it.
 