[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <000501c652ae$4463b4d0$0200a8c0@kpllaptop>
Date: Tue Mar 28 22:26:42 2006
From: lyal.collins at key2it.com.au (Lyal Collins)
Subject: S/Mime Exchange 2003 how secure how to secure
it?
Do you want data recovery?
Just forget the password to a certificate/private key, and the company has
lost access to any comany records 'protected' by S/MIME, generally in
conventional S/MIME setups. And forget virus/spam scanning too.
Lyal
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Daniel
Sichel
Sent: Wednesday, 29 March 2006 3:54 AM
To: full-disclosure@...ts.grok.org.uk
Subject: [Full-disclosure] S/Mime Exchange 2003 how secure how to secure it?
Directive has just come down from on high, we WILL use email on our Cell
Phones/PDAs and non VPN'd laptops. I am not a messaging guy but at a small
telco you wear lots of hats so I could use some real help here. We are
upgrading shortly to Exchange 2003 on Windows Server 2003 and want secure
email to and from our cell phones etc. So here are my questions
How secure is the built in S/Mime in Exchange 2003 assuming we are using a
certificate for session encryption ? Don't laugh and hoot, I am looking for
real data not speculation. Are there exploits, and if so what is needed to
carry them out, physical access, just need the phone number, or what? Can
this be brute forced?
I would like two factor authentication using the users password and
something inherently in the cell phone like a burned in serial number or the
DN or something. Is there any support for such a thing that will work on
cell phones and/or PDAs ?
I know OWA sucks on Exchange 5.5 and 2000, how about 2003? Same questions as
above, is it exploitable, and if so how? Can we require a machine accessing
the OWA site to flush its cache when done? Hopefully this can be forced
without requiring an OK click, I just want to do it, no user intervention
required (or allowed).
Any help would be welcomed, any Microsoft bashing would be a waste of time
since the higher powers have spoken and you know how that goes, So it is
written, so shall it be done.
Thanks
Daniel Sichel, MCSE, CCNP
Network Engineer
Ponderosa Telephone
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060329/44da6246/attachment.html
Powered by blists - more mailing lists