Ask the Expert

What can we do to minimize our risk implementing Outlook Web Access?

We are currently implementing Outlook Web Access with great trepidation. We currently use a PIX Firewall and are planning on putting the IIS server on the DMZ, multi-homing it, and allowing outside traffic on one NIC and LAN traffic on the other. We are locking the firewall down at the port level, with logging enabled. Can you think of anything else that we could do to minimize our risk?


Yes.

First, consider using an already configured VPN tunnel to provide email access for your users instead of going through the OWA/IIS server. If you don't have VPN set up and must use a front-end IIS server, then make sure that IIS is configured with a digital certificate and requires 128-bit High Encryption. Enable TCP/IP filtering on the IIS server and configure the server to listen on port 443 (https) only. Check out my security series, "Protecting your Web servers," for more tips on locking down IIS, and remember to apply the latest service patches and security hotfixes.

Second, configure an Access Control List (ACL) on your border router(s) and restrict inbound access to your OWA server to port 443 only, blocking all other ports to IIS. While you're at it, make sure that your router is running the latest critical updates. This is a good time to also check your router configuration and make sure that built-in anti-Denial of Service (DoS) and anti-Spoofing settings are properly set.

Third, set embryonic limits (equivalent to the number of OWA users) in your static routes on the PIX firewall for your OWA server. Again, use this time as an opportunity to make sure that your firewall is also running the latest critical updates from CCO and to closely examine your security policy to identify any potential issues or "weak security links" with existing rules.
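The second and third points above (a border-router ACL that admits only port 443 to the OWA server, and an embryonic limit on the PIX static entry) look like this in configuration form. This is an added example, not part of the original answer: the addresses 203.0.113.10 (public) and 10.0.0.10 (DMZ) are constructed placeholders from the RFC 5737 documentation range, the interface names are assumptions, and the syntax is Cisco IOS for the router and PIX 6.x for the firewall.

```text
! ---- Border router (Cisco IOS) ----
! Named extended ACL applied inbound on the Internet uplink.
ip access-list extended OWA_INBOUND
 remark Only HTTPS may reach the OWA/IIS server (public address is a constructed placeholder)
 permit tcp any host 203.0.113.10 eq 443
 remark Log and drop everything else aimed at the OWA server
 deny ip any host 203.0.113.10 log
 remark Entries for the rest of the site's policy follow here; every IOS ACL ends with an implicit deny
!
interface Serial0/0
 description Internet uplink (interface name is an assumption)
 ip access-group OWA_INBOUND in
 ! Anti-spoofing: discard packets whose source address would not be routed back out this interface (uRPF)
 ip verify unicast reverse-path
!
! ---- PIX firewall (PIX 6.x syntax) ----
! Static translation for the DMZ server. The last two values are max_conns and emb_limit:
! 0 = unlimited established connections, 50 = embryonic (half-open) limit,
! which the answer says to set equal to the expected number of OWA users (50 is a constructed value).
static (dmz,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 50
!
! Inbound policy on the outside interface: only TCP/443 to the OWA server; implicit deny for the rest.
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
!
! Anti-spoofing on the PIX: drop packets arriving on outside with a source address routed via another interface.
ip verify reverse-path interface outside
```

Because both the router and the PIX enforce the same "443 only" rule, a misconfiguration on one device still leaves the other blocking the traffic, which is the layering the answer's final point asks you to test. Deny entries with `log` on the router give you the per-port logging the question already plans for at the firewall.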

Fourth, avoid using unlimited values in OWA/IIS and Exchange. Make sure that you set expirations and limits to prevent browsers from being opened up again and automatically connecting to your mail server with cached information.

Finally, test your "layered" security, from browser to router to firewall to OWA/IIS to Exchange.

This was first published in May 2003
