Ask The Exchange Expert: Questions & Answers

Securing Outlook Web Access

EXPERT RESPONSE FROM: Richard Luckett

QUESTION POSED ON: 18 July 2005
Is enabling Outlook Web Access a security risk on Exchange 2000?

The simple answer to this is yes. From a network security standpoint, enabling port 80 (HTTP/OWA) on any device is a security vulnerability. Of course, the bad news from a security standpoint is that every installation of Exchange 2000 and Exchange 2003 has Outlook Web Access installed and enabled by default.

When you get down to brass tacks, it is the fact that Internet Information Services (IIS) -- which includes the HTTP, NNTP, SMTP, IMAP4, POP3 and a number of other Internet protocols -- is the source of vulnerability. However, you cannot install Exchange 2000/2003 without it running.

The real risk is not planning for it. Here is a short list of things you can do to secure Outlook Web Access.

  • Implement Secure Socket Layer (SSL) for secure HTTPS communications between the client (browser) and the server.

  • Use front-end servers for Internet clients to connect to. No data is stored on the front-end server and therefore it is a lower risk if compromised.

  • Implement IPsec between front-end and back-end servers. SSL can't be used between front-end and back-end servers, but IPsec can.

SSL is really the key to securing Outlook Web Access. You should not allow clients to connect to Outlook Web Access without using SSL.
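
A way to check the last point from the client side, added here as an example and not part of Richard Luckett's answer: classify what the OWA path returns to a request sent over plain HTTP, so a server that still accepts logons on port 80 stands out. The `/exchange/` path, the 403.4 error-page text and the sample responses are assumptions made for the example.

```python
import http.client
from urllib.parse import urlsplit

OWA_PATH = "/exchange/"  # assumed: default OWA virtual directory


def classify_plain_http(status, headers, body=""):
    """Classify what an OWA path answered to a request sent over plain HTTP."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        # Only an absolute https:// target moves the client onto SSL; a
        # relative or http:// Location keeps the session in cleartext.
        if urlsplit(headers.get("location", "")).scheme.lower() == "https":
            return "redirects-to-https"
        return "plaintext-allowed"
    if status == 403:
        # IIS reports "SSL required" as sub-status 403.4 in its error page.
        # Any other 403 (IP restriction, ACL) says nothing about SSL.
        return "ssl-required" if "403.4" in body else "inconclusive"
    if status == 401 or 200 <= status < 300:
        # A login challenge or content over HTTP: credentials and mail
        # would cross the network unencrypted.
        return "plaintext-allowed"
    return "inconclusive"


def probe(host, path=OWA_PATH, timeout=5):
    """Send one GET over port 80 to a server you administer and classify it."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1")
        return classify_plain_http(resp.status, dict(resp.getheaders()), body)
    except (OSError, http.client.HTTPException):
        return "no-http-listener"
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
SAMPLES = [
    (403, {}, "HTTP Error 403.4 - Forbidden: SSL is required"),
    (302, {"Location": "https://mail.example.com/exchange/"}, ""),
    (302, {"Location": "/exchweb/bin/auth/owalogon.asp"}, ""),
    (401, {"WWW-Authenticate": "Basic realm=\"mail.example.com\""}, ""),
]

if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        print(status, classify_plain_http(status, headers, body))
```

Any `plaintext-allowed` result from `probe()` means the virtual directory still answers without SSL and the "require SSL" setting has not taken effect for that path.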


All Rights Reserved, Copyright 2004 - 2009, TechTarget