
IIS and OWA (Outlook Web Access)


Nicholas Biron

Mar 25, 2003, 3:32:16 PM
What is the best way to secure a server running IIS for
OWA use?

Thank You

Keith W. McCammon

Mar 25, 2003, 3:53:12 PM
> What is the best way to secure a server running IIS for
> OWA use?

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/ChkList/wsrvSec.asp

x y, mvp

Mar 25, 2003, 3:57:08 PM
The usual ways:

http://securityadmin.info/faq.htm#harden
http://securityadmin.info

Be sure to harden Windows, IIS and everything else installed on that server.

Also, use an HTTPS / SSL certificate to encrypt everything starting with the
password:

www.iisfaq.com/ssl

... assuming you probably want to use Basic Authentication here.

Install OWA onto a dedicated server not running anything else, if you can
afford it. Definitely use a firewall [or better yet, a DMZ] to isolate your
OWA server from both the internet and your internal network. You could even
require VPN instead of making OWA visible from the internet.

If your exchange server is visible from the internet, disable unused email
protocols within Exchange. Be sure Exchange is configured to block
relaying.

There are some articles on securing OWA at:

www.microsoft.com/technet/security
www.microsoft.com/technet/exchange

Personally, I would say that not running OWA is more secure than running it.
This might be even more true if you're running Exchange 5.5 instead of 2000.


"Nicholas Biron" <nbi...@entegra-solutions.com> wrote in message
news:384701c2f30d$a04499d0$a601...@phx.gbl...
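
The point in the post above about pairing Basic Authentication with HTTPS, as an added example that is not part of the original thread: Basic credentials are only base64-encoded, so this sketch decodes one and flags any probed URL that offers Basic over plain HTTP. The host names, the `/exchange/` path, the account and the responses are constructed sample data.

```python
import base64

def decode_basic(header_value):
    """Return (user, password) from an 'Authorization: Basic ...' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password

def offered_schemes(raw_response):
    """List auth schemes named in WWW-Authenticate headers of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    schemes = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.strip().split()[0].lower())
    return schemes

def audit(probes):
    """probes: list of (url, raw_response). Return URLs offering Basic without TLS."""
    return [url for url, raw in probes
            if url.lower().startswith("http://") and "basic" in offered_schemes(raw)]

# Constructed sample data (hypothetical hosts and account, not from the thread).
SAMPLE_PROBES = [
    ("http://owa.example.test/exchange/",
     "HTTP/1.1 401 Unauthorized\r\n"
     "WWW-Authenticate: Basic realm=\"owa.example.test\"\r\n\r\n"),
    ("https://owa.example.test/exchange/",
     "HTTP/1.1 401 Unauthorized\r\n"
     "WWW-Authenticate: Basic realm=\"owa.example.test\"\r\n\r\n"),
    # A site that refuses plain HTTP outright never asks for credentials there.
    ("http://owa2.example.test/exchange/",
     "HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"),
]
SAMPLE_AUTH = "Basic " + base64.b64encode(b"jdoe:Spring2003!").decode("ascii")

if __name__ == "__main__":
    print("Basic offered without TLS:", audit(SAMPLE_PROBES))
    print("Recovered from a plaintext header:", decode_basic(SAMPLE_AUTH))
```
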

Fred Baumhardt [MSFT]

Mar 26, 2003, 4:11:39 AM
If you can, use ISA Server with the feature pack. It was pretty much built
around securing OWA and layer 7 HTTP.


--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Nicholas Biron" <nbi...@entegra-solutions.com> wrote in message
news:384701c2f30d$a04499d0$a601...@phx.gbl...

Jeff

Mar 27, 2003, 4:30:56 AM
>-----Original Message-----
>
>Install OWA onto a dedicated server not running anything else, if you can
>afford it. Definitely use a firewall [or better yet, a DMZ] to isolate your
>OWA server from both the internet and your internal network. You could even
>require VPN instead of making OWA visible from the internet.
>
Could you please tell me where to get the info to do what
you mentioned above?
Thanks

x y, mvp

Mar 27, 2003, 8:34:19 AM

"Jeff" <je...@softwhere-it.com> wrote in message
news:421b01c2f443$91b04630$a201...@phx.gbl...

> Could you please tell me where to get the info to do what
> you mentioned above.
> Thanks

> >-----Original Message-----
> >
> >Install OWA onto a dedicated server not running anything
> >else, if you can

Should be self explanatory. Don't install OWA onto a server running
Exchange or anything else, if you have the resources.

> >afford it. Definitely use a firewall [or better yet, a DMZ] to isolate your
> >OWA server from both the internet and your internal

Firewalls you might use [including some respectable free ones!] are listed
here:

http://securityadmin.info/faq.htm#firewall

If you've never set up a firewall before, hiring a consultant or otherwise
getting help is highly advised or else you may leave a hole on your firewall
that would let someone get through. For best security, you should probably
be prepared to 1) monitor the firewall logs, 2) update patches and
configuration settings on the firewall and 3) become confident at
understanding TCP/IP and how to recognize acceptable and abnormal behavior.

A typical DMZ might include a firewall with three network interfaces with
the DMZ network off of one of the interfaces, or two firewalls with the DMZ
network in between the two firewalls, or a combination of both. There are
other options, but this is a start. Getting any further into details would
probably involve hiring a consultant or reading a book such as Building
Internet Firewalls by Zwicky et al. There are numerous web sites with some
introductory information for free, try searching www.google.com for
something like "firewall faq dmz" or go to
http://securityadmin.info/resource.asp?category=Firewalls


> >network. You could even require VPN instead of making OWA visible from the
> >internet.

One typical way to do this is by using a firewall that includes VPN
functionality and then install VPN client software for anyone needing to
connect from home. I believe even some of the free *nix firewalls may let
you do VPN, though this might take some learning. www.netscreen.com 5XP
starts around $550 US and is a pretty affordable and respected VPN solution.
Cisco and possibly even Netgear might be other low-end solutions. If you
choose to have two firewalls to create a DMZ, I might recommend using the
internal firewall as the VPN endpoint and/or get a security consultant to
assist.

