Help me avoid Exchange
Ben Scott
dragonhawk at gmail.com
Fri Dec 23 12:56:00 EST 2005

On 12/23/05, Dan Jenkins <dan at rastech.com> wrote:
>> Security: I've never seen a properly administered Exchange server
>> get "owned" or anything like that. The security issues are all on the
>> client side.
>
> Actually I've had to repair several; however, it is unclear to me that
> they were "properly administered" since we were brought in to deal with
> the problem that the in-house administrator for each couldn't.

Yah. "Windows can be administered by an idiot -- and usually is" is
a big problem (for everybody, as the various big worms have
demonstrated). I *have* met several Windows servers that were full of
viruses. Some were running Exchange. They usually had no firewall,
no patches, were running every service ever, and generally were just a
big target on the 'net. I even encountered one place that used their
server as a "shared" terminal for all the grunts without computers --
"that computer's just sitting in the corner not doing anything
anyway".

>> Exception: OWA (Outlook Web Access) is a big exposure
>
> Definitely isolate it from the rest.

If you *could*, that would be nice. But OWA is a full-blown MAPI
client, just like Outlook proper. It needs to be able to speak the
MAPI wire protocol to the Exchange back-end server, just like Outlook
on a desktop PC. In order to enable that, you have to open up all the
Microsoft RPC that MAPI-wire uses. At that point, you've pretty much
defeated the purpose of any kind of interior firewall or DMZ.

This may have changed in Exchange 2003, but I don't think it has.

-- Ben

More information about the gnhlug-discuss mailing list