First, consider using an already configured VPN tunnel to provide email access for your users instead of through OWA/IIS server. If you don't have VPN set up and must use a front-end IIS server, then make sure that IIS is configured with a digital certificate and requires 128-bit High Encryption. Enable TCP/IP filtering on IIS server and configure the server to listen on port 443 (https) only. Check out my security series, "Protecting your Web servers" for more tips on locking down IIS and remember to apply the latest service patches and security hotfixes.
Second, configure an Access Control List (ACL) on your border router(s) and restrict inbound access to your OWA server to port 443 only, blocking all other ports to IIS. While you're at it, make sure that your router is running the latest critical updates. This is a good time to also check your router configuration and make sure that built-in anti-Denial of Service (DoS) and anti-Spoofing settings are properly set.
Third, set embryonic limits (equivalent to the number of OWA users) in your static routes on the PIX firewall for your OWA server. Again, use this time as an opportunity to make sure that your firewall is also running the latest critical updates from CCO and to closely examine your security policy to identify any potential issues or "weak security links" with existing rules.
Fourth, avoid using unlimited values in OWA/IIS and Exchange. Make sure that you set expirations and limits to prevent browsers from being opened up again and automatically connecting to your mail server with cached information.
Finally, test your "layered" security, from browser to router to firewall to OWA/IIS to Exchange.
This was first published in May 2003