Securing Outlook Web Access

Is enabling Outlook Web Access a security risk on Exchange 2000?

The simple answer to this is yes. From a network security standpoint, enabling port 80 (HTTP/OWA) on any device is a security vulnerability. Of course, the bad news from a security standpoint is that every installation of Exchange 2000 and Exchange 2003 has Outlook Web Access installed and enabled by default.

When you get down to brass tacks, Internet Information Services (IIS) -- which includes the HTTP, NNTP, SMTP, IMAP4, POP3 and a number of other Internet protocols -- is the source of vulnerability. However, you cannot install Exchange 2000/2003 without it running.

The real risk is not planning for it. Here is a short list of things you can do to secure Outlook Web Access.

  • Implement Secure Sockets Layer (SSL) for secure HTTPS communications between the client (browser) and the server.

  • Use front-end servers for Internet clients to connect to. No data is stored on the front-end server and therefore it is a lower risk if compromised.

  • Implement IPsec between front-end and back-end servers. SSL can't be used between front-end and back-end servers, but IPsec can.

SSL is really the key to securing Outlook Web Access. You should not allow clients to connect to Outlook Web Access without using SSL.
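
To check that no client is reaching Outlook Web Access without SSL, the IIS logs can be audited for OWA requests answered on port 80. The script below is an added example, not part of the original answer. It assumes W3C extended logging with the fields shown, the default OWA virtual directories (/exchange, /public, /exchweb), and that a 2xx or 401 response on port 80 means content or a credential prompt went out over plain HTTP; the log lines are constructed.

```python
# Added example: audit IIS W3C extended logs for OWA requests served without SSL.
OWA_PREFIXES = ("/exchange", "/public", "/exchweb")  # assumed default OWA virtual directories

# Constructed sample log (not real traffic); client IPs are from a documentation range.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status
2005-07-01 08:00:01 198.51.100.7 - 80 GET /exchange/ 401
2005-07-01 08:00:02 198.51.100.7 CORP\\alice 80 GET /exchange/alice/Inbox/ 200
2005-07-01 08:00:05 198.51.100.9 - 80 GET /exchange/ 403
2005-07-01 08:00:09 198.51.100.9 CORP\\bob 443 GET /exchange/bob/Inbox/ 200
2005-07-01 08:00:12 198.51.100.3 - 80 GET /default.htm 200
2005-07-01 08:00:15 198.51.100.4 - 80 GET /Exchweb/img/logo.gif 200
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))

def cleartext_owa_hits(text):
    """Return OWA entries answered on port 80 with content (2xx) or a credential prompt (401)."""
    hits = []
    for entry in parse_w3c(text):
        stem = entry.get("cs-uri-stem", "").lower()
        status = entry.get("sc-status", "")
        if (entry.get("s-port") == "80" and stem.startswith(OWA_PREFIXES)
                and (status.startswith("2") or status == "401")):
            hits.append(entry)
    return hits

def summarize(hits):
    """Count flagged requests per client IP, busiest cleartext clients first."""
    counts = {}
    for entry in hits:
        counts[entry["c-ip"]] = counts.get(entry["c-ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for ip, n in summarize(cleartext_owa_hits(SAMPLE_LOG)):
        print(f"{ip}: {n} OWA request(s) over plain HTTP")
```

A 403 on port 80 is not flagged because that is what IIS returns when the virtual directory requires SSL; any flagged entry means the requirement is not in force on that directory.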



This was first published in July 2005