Jamie
Fri Aug 01 04:39:45 CDT 2003
Thank you all for your excellent help and info. I have closed all unnecessary ports and am proceeding with OWA over SSL (as staff require access from our clients' PCs whilst working on remote projects). I will also use VPN, but only for trusted PCs: staff laptops and home PCs.
Thanks again for potentially averting a security disaster.
Jamie Gilmour
>-----Original Message-----
>Thanks for the info Les... excellent as usual.
>
>-Javier.
>
>"Les Connor [SBS MVP]" <les.connor@cfiveDEL.ca> wrote in message
>news:OXSY4h4VDHA.3220@tk2msftngp13.phx.gbl...
>> Javier,
>>
>> That discussion is the one that caught my attention.
>>
>> VPN from trusted client computers is fine. The problems are:
>>
>> a) how do we *know* we can trust the client computer? A mistake here could spell disaster. Client computers on the LAN are not difficult to keep an eye on, but once they're remote then our level of trust obviously has to go down. Sure, the owner *says* he's got A/V software, and it's up to date, yada yada yada. But how does one know? And conditions could change at any time.
>>
>> b) one of the most desirable features is the ability to access your Exchange from any computer, trusted or not. A kiosk, for example. Your sister's computer (while you visit her in another city/country etc.) is another example.
>>
>> You may not have permission to create a VPN connection, and even if you did, you may not want to. The way OWA/SSL is implemented in SBS2k3 looks like a really good solution. So easy to configure and use. Public vs. Trusted modes. Access to *only* OWA.
>>
>> If you travel with your laptop, it's yours to keep secure. I don't see a problem with VPN here - hey, we know where the blame lies if there ever is a problem.
>>
>> With SBS2k3 there is just so much more that can be done, easily - and securely. <A lot of this can be done in SBS2k as well, but requires substantial manual configuration.>
>>
>> VPN is an option for trusted computers, and a good one. But it's not a requirement, and isn't really an option for public or untrusted computers - and so far I think OWA/SSL is.
>>
>> I'm also putting a good measure of faith in recent MS initiatives, and more importantly the SBS development team. Their initiatives are not small in this area.
>>
>> --
>> Les Connor
>> ------------------
>> [SBS MVP]
>>
>>
>>
>> "Javier Gomez" <javier_gomez@REMOVE.THIS.engineer.com> wrote in message
>> news:#cQlGG4VDHA.612@TK2MSFTNGP10.phx.gbl...
>> > Les,
>> >
>> > Was that discussion on the SBS2003 NG? I'm asking because if there's another one (apart from that)... I would like to see it. Do you have a link for other similar discussions?
>> >
>> > My concern is something like a worm attacking IIS on port 80/443... where you can have a vulnerability that allows elevation of privileges vs. the same thing happening on a VPN port. What are your thoughts on this?
>> >
>> > I mean... one usually uses a VPN link between a "trusted/safe" computer (such as a home computer) and the server.
>> >
>> > Thanks,
>> >
>> > Javier
>> >
>> >
>> > "Les Connor [SBS MVP]" <les.connor@cfiveDEL.ca> wrote in message
>> > news:uVURa33VDHA.2272@TK2MSFTNGP11.phx.gbl...
>> > > Actually, a good case has been made for OWA over SSL, versus <everything> over VPN.
>> > >
>> > > When you expose OWA over SSL, then only OWA is exposed. When you allow VPN connections, by default you put the client on the LAN, and if the client box is infected then that could spell disaster.
>> > >
>> > > --
>> > > Les Connor
>> > > ------------------
>> > > [SBS MVP]
>> > >
>> > >
>> > >
>> > > "Javier Gomez" <javier_gomez@REMOVE.THIS.engineer.com> wrote in message
>> > > news:exC$tf3VDHA.1280@tk2msftngp13.phx.gbl...
>> > > > I agree with Keith...
>> > > >
>> > > > You can run OWA using VPN (best way) or using SSL (not as secure... but better than IIS on port 80).
>> > > >
>> > > > For OWA through SSL read Chad's excellent tutorial at:
>> > > >
>> > > > http://www.smallbizserver.net/sbs2000/How_do_I_configure_OWA_with_SSL.aspx
>> > > >
>> > > > For VPN access you can read:
>> > > >
>> > > > http://www.smallbizserver.net/sbs2000/How_do_I_connect_clients_to_the_server_using_VPN.aspx
>> > > >
>> > > > By the way... you should close all those packet filters that you left (unless you are really using them). And remember that since you have another firewall in front of ISA... you need to configure this one as well when you are opening/closing ports.
>> > > >
>> > > > My $0.02,
>> > > >
>> > > > Javier
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > "Jamie" <mail@jamiegilmour.com> wrote in message
>> > > > news:5bfb01c35774$9a249f20$a001280a@phx.gbl...
>> > > > > Thanks for the advice. I have re-run ICW and closed FTP, but I would like to retain Outlook Web Access over the internet. So I was wondering what I need to leave open to allow this and whether this can be done securely.
>> > > > >
>> > > > > Thank you very much for your assistance.
>> > > > >
>> > > > > Jamie
>> > > > >
>> > > > >
>> > > > > >-----Original Message-----
>> > > > > >I'm pretty sure others will jump in quickly here, but you have some serious security issues here, because:
>> > > > > >1. You are running a web server, e.g. you have port 80 wide open; hope you are fully patched etc.
>> > > > > >2. You are also running an FTP server; this has some very serious implications. I would think it won't be too long before you see some idiot dumping files (probably porn) onto your server.
>> > > > > >
>> > > > > >I STRONGLY suggest you re-run the ICW and close the web server, FTP, and web based mail server down, unless you really need them.
>> > > > > >
>> > > > > >IMHO I would think most people on this newsgroup would say don't host a web server on an SBS box, even though you can.
>> > > > > >
>> > > > > >Keith
>> > > > > >
>> > > > > >
>> > > > > >>-----Original Message-----
>> > > > > >>Currently I have the following setup in place:
>> > > > > >>
>> > > > > >>SBS server with 1 internal NIC and 1 external NIC.
>> > > > > >>
>> > > > > >>Netgear DG814 ADSL router connected to server only via external NIC.
>> > > > > >>
>> > > > > >>internal IP range: 192.168.16.xx
>> > > > > >>server: 192.168.16.2
>> > > > > >>external NIC: static internet IP xxx.xxx.xxx.70 (assigned by ISP)
>> > > > > >>router: static internet IP xxx.xxx.xxx.69 (assigned by ISP)
>> > > > > >>
>> > > > > >>Under the internet connection wizard I have allowed ISA packet filtering allowing access to:
>> > > > > >>mail server
>> > > > > >>web server
>> > > > > >>web based mail server
>> > > > > >>POP3
>> > > > > >>FTP
>> > > > > >>
>> > > > > >>The SBS server box is the only server in the office and is the file and mail server, and therefore contains all critical information for the business.
>> > > > > >>
>> > > > > >>Everything is working well, including internet sharing via proxy server and Outlook Web Access, but I am concerned that the server is open to internet security threats. I have only the standard ISA filters in place that the internet connection wizard sets up by default. Any advice as to the security of this setup would be greatly appreciated.
>> > > > > >>
>> > > > > >>Thank you
>> > > > > >>
>> > > > > >>
>> > > > > >
>> > > >
>> > > >
>> > >
>> > >
>> >
>> >
>>
>>
>
>
>
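The thread's practical point is that exposure is decided by two filters in series (the ADSL router in front of ISA, and ISA's own packet filters) and by what the server actually listens on, so closing a service in the ICW alone leaves stale rules upstream. The script below is an added example, not code from anyone in this thread: it models that check offline. The ICW service-name to port mapping, the PPTP port for the VPN, the `netstat -an` style listing and the 203.0.113.70 address standing in for the masked xxx.xxx.xxx.70 are all constructed assumptions for illustration. It only considers TCP; the GRE protocol that PPTP also needs is not modelled.

```python
"""Audit effective internet exposure when two filters sit in series
(upstream router, then ISA packet filters) in front of an SBS box.
Service/port table, netstat sample and addresses are constructed
assumptions for this example, not anything posted in the thread."""
import re

# ICW-style service names mapped to inbound TCP ports. Assumption: the
# "web based mail server" entry is OWA published over SSL only (443).
SERVICE_PORTS = {
    "mail server": {25},
    "web server": {80},
    "web based mail server": {443},
    "pop3": {110},
    "ftp": {21},
    "vpn (pptp)": {1723},   # TCP control channel only; GRE is not modelled
}


def ports_for(services):
    """Expand a list of allowed ICW services into the set of TCP ports."""
    ports = set()
    for s in services:
        key = s.strip().lower()
        if key not in SERVICE_PORTS:
            raise ValueError(f"unknown service: {s!r}")
        ports |= SERVICE_PORTS[key]
    return ports


# Constructed "netstat -an" output. 203.0.113.70 stands in for the masked
# external NIC address; 192.168.16.2 is the internal NIC from the post.
NETSTAT_SAMPLE = """\
  TCP    203.0.113.70:21        0.0.0.0:0              LISTENING
  TCP    203.0.113.70:25        0.0.0.0:0              LISTENING
  TCP    203.0.113.70:80        0.0.0.0:0              LISTENING
  TCP    203.0.113.70:110       0.0.0.0:0              LISTENING
  TCP    203.0.113.70:443       0.0.0.0:0              LISTENING
  TCP    203.0.113.70:1723      0.0.0.0:0              LISTENING
  TCP    192.168.16.2:445       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def listening_ports(netstat_text, external_ip):
    """TCP ports listening on the external NIC. A socket bound to 0.0.0.0
    listens on every interface, so it is reachable externally as well."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1) in (external_ip, "0.0.0.0"):
            found.add(int(m.group(2)))
    return found


def audit(intended, isa_services, router_ports, netstat_text, external_ip):
    """Compare intended exposure with what each layer actually allows.
    A port is reachable from the internet only if the router forwards it,
    ISA permits it, and the server is listening on it."""
    isa = ports_for(isa_services)
    listening = listening_ports(netstat_text, external_ip)
    effective = isa & router_ports & listening
    return {
        "effective": effective,
        # reachable end to end but not wanted: close it on ISA *and* the router
        "unintended_exposure": effective - intended,
        # wanted but blocked somewhere: the service will not work remotely
        "blocked_on_isa": intended - isa,
        "blocked_on_router": intended - router_ports,
        "not_listening": intended - listening,
        # allowed on one filter but not the other: stale rules to clean up
        "stale_isa_filters": isa - router_ports,
        "stale_router_rules": router_ports - isa,
        # listening on the external NIC, protected only by the filters
        "listening_but_filtered": listening - effective,
    }


if __name__ == "__main__":
    # Jamie's decision: OWA over SSL, inbound mail, VPN for trusted PCs only.
    intended = {25, 443, 1723}
    router = {21, 25, 80, 110, 443, 1723}   # assumed router rules
    before = audit(intended, ["mail server", "web server", "web based mail server",
                              "pop3", "ftp", "vpn (pptp)"],
                   router, NETSTAT_SAMPLE, "203.0.113.70")
    print("unintended exposure:", sorted(before["unintended_exposure"]))
    # After re-running the ICW without touching the router: the extra
    # services no longer reach the server, but the router still forwards them.
    after = audit(intended, ["mail server", "web based mail server", "vpn (pptp)"],
                  router, NETSTAT_SAMPLE, "203.0.113.70")
    print("stale router rules:", sorted(after["stale_router_rules"]))
```

The `listening_but_filtered` finding is the one to watch after the clean-up: services such as RDP on 3389 in the sample are still bound on the external NIC and are protected by nothing but the two filters, which is exactly why both must be kept in step.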