Date: Sat, 26 Aug 2006 14:30:22 -0400
From: "Dude VanWinkle" <dudevanwinkle@...il.com>
To: "Adriel Desautels" <simon@...soft.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Secure OWA

On 8/26/06, Adriel Desautels <simon@...soft.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dude, which is more secure in your opinion. A base install of sendmail
> or a base install of OWA/exchange?

Sorry, that was a bad comparison/joke. They are two different
products. One is a mailserver, the other a webpage. To answer your
question, leaving any SMTP server open to the web with only its base
install is asking for trouble. A secure messaging infrastructure has
layers just like any secure system. Firewall, SMTP Gateway, front end,
then back end server is my preference, in that order, with the SMTP
gateway being a different OS than your back end servers.

OWA is pretty nifty though, with almost every feature of the MAPI
client. The only real fault I know about is the fact that you can
guess passwords eternally without locking out user accounts. Also, as
with any web front end, you can access it from anywhere. This means
two things:

1: You can't control the security of the client machines. Whether it is
a home PC, internet kiosk, or wifi connection at Starbucks, the
connection is going to be made from an infected machine sooner or
later.

2: Using two factor authentication has to be done with SecureID, as
most Kiosks and public use PCs don't have card readers.

If two factor authentication is not a possibility (due to cost or some
such) then make sure to watch your logs for massive amounts of
authentication attempts or even an unusual amount of attempts for the
same account.

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
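The log-watching advice at the end of the message (many attempts overall, or an unusual number against one account, on a front end that never locks accounts out) as an added example; this is not code from the poster or from any OWA/Exchange component. It assumes a simplified "timestamp user source result" line format and constructed sample lines, not the real IIS W3C log layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed "date time user source result" layout.
# Source 203.0.113.10 tries seven accounts once each (a spray); 198.51.100.7
# hammers one account repeatedly. Neither pattern trips a lockout on its own.
SAMPLE_LOG = """\
2006-08-26 14:00:01 alice 203.0.113.10 FAIL
2006-08-26 14:00:02 bob 203.0.113.10 FAIL
2006-08-26 14:00:03 carol 203.0.113.10 FAIL
2006-08-26 14:00:04 dave 203.0.113.10 FAIL
2006-08-26 14:00:05 erin 203.0.113.10 FAIL
2006-08-26 14:00:06 frank 203.0.113.10 FAIL
2006-08-26 14:00:07 grace 203.0.113.10 FAIL
2006-08-26 14:05:00 carol 198.51.100.7 FAIL
2006-08-26 14:05:30 carol 198.51.100.7 FAIL
2006-08-26 14:06:00 carol 198.51.100.7 FAIL
2006-08-26 14:06:30 carol 198.51.100.7 OK
2006-08-26 14:10:00 alice 192.0.2.5 OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log):
    """Return (timestamp, user, source, result) tuples; skip unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def find_bruteforce(log, per_account=3, per_source=6):
    """Flag accounts with >= per_account failures (one account being hammered)
    and sources with >= per_source failures, reporting how many distinct
    accounts each noisy source touched so a spray stands out from a single
    mistyped password."""
    fails_by_account = Counter()
    fails_by_source = Counter()
    targets_by_source = defaultdict(set)
    for _ts, user, src, result in parse(log):
        if result != "FAIL":
            continue
        fails_by_account[user] += 1
        fails_by_source[src] += 1
        targets_by_source[src].add(user)
    hammered = {u: n for u, n in fails_by_account.items() if n >= per_account}
    noisy = {s: (n, len(targets_by_source[s]))
             for s, n in fails_by_source.items() if n >= per_source}
    return hammered, noisy
```

With the sample above, carol is reported as hammered (4 failures across both sources) and 203.0.113.10 as a noisy source that failed against 7 distinct accounts.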
