
List:       focus-ms
Subject:    RE: IIS4/5 Directory Security and OWA
From:       dumbwabbit <dumbwabbit () yahoo ! com>
Date:       2001-11-28 15:57:44

I have OWA running on an IIS4/Exchange 5.5 box, using
URLScan. Let me know if you want my urlscan.ini file.

One addition to isapi mappings - you will want to
remove ALL mappings except for the following:
.asa
.asp
.cer
.crt

I also strongly recommend completely removing the
"change password" functionality; you can do this by:
a) Removing .htr and .htx script mappings from isapi
b) Deleting the .htr and .htx files (default
installation in c:\winnt\system32\inetsrv\iisadmpwd)
Then, edit the set.asp page which contains the "Change
Password" button/function and disable/remove the code
in question.

If you require additional security, you can create and
assign certificates which are mapped to individual NT
User accounts. This way, everyone gets their own
separate certificate, and you can manage this with a
bit more granularity. However, the overhead involved
in maintaining the different certificates can be a
pain...

I would also recommend COMPLETELY removing ALL
Front-Page components - they are NOT needed for OWA.
What you might want to do is install Front Page Server
Extensions on a FRESH server, using an Installation
Monitoring tool (PC Magazine has a great free one
called In Control 5, Microsoft has a free one too,
forget what it's called though) to see exactly which
files Front-Page installs on a machine. Then, after
you remove Front-Page from the OWA server, you can use
the report generated by the Installation Monitor
application to manually remove any leftover files
(never trust an uninstall feature to completely remove
all traces of an app/component...). At the very least,
make sure you remove all instances of imagemap.exe and
htimage.exe

I would also recommend disabling Parent Paths calls,
but you will need to edit some of the default OWA
pages to get OWA to work properly should you do this.
I, in fact, have gone this far.

--- "Morrow, Jason" <jmorrow@aegonusa.com> wrote:
> 1) Yes, but it isn't recommended to use straight NT
> Challenge/Response. That
> would require opening up netbios to the internet and
> would also bring
> sniffable usernames/hashes over the internet to your
> owa box. Use anonymous
> access and make sure the entire web runs through SSL
> encryption so your
> basic clear text authentication is protected.
> 
> 2) The web root of OWA for a default install is
> C:\exchsrvr\webdata. A
> couple of knowledgebase articles will be useful in
> pointing out the required
> permissions etc:
>
http://support.microsoft.com/support/kb/articles/Q246/2/03.ASP
>
http://support.microsoft.com/support/kb/articles/Q236/8/11.ASP
> Uncheck NT Challenge/Response and get rid of the
> Frontpage extensions.
> 
> 3) Running OWA on a box that isn't an exchange
> server is a great idea. Go a
> couple steps more for greater security.. Put the owa
> box within a nt domain
> by itself which only has a 'one-way' trust to your
> user domains. If your owa
> box is compromised, it would be harder to attack the
> user domains. Once
> you've gotten the trust taken care of, consider only
> allowing access to the
> OWA server through a reverse proxy.  You can use
> Proxy 2.0, ISA Server,
> Apache, and Squid to name a few. This way you can
> completely block direct
> access to your OWA server and only allow port 80 and
> 443 between the proxy
> and OWA box.
> 
> IIS Lockdown and URLScan can cause some problems
> with OWA so check on this
> article:
>
http://support.microsoft.com/support/kb/articles/Q309/5/08.ASP
> You may remove all isapi mappings except for .asp
> maybe .asa and if you
> allow the change password functionality .htr. Remove
> all default web virtual
> directories you do not use etc.
> There is a ton of IIS lockdown info out there.
> 
> Stay up with patches/fixes
> 
> 
>  
> -----Original Message-----
> From: Evan Mann [mailto:emann@questinc.org]
> Sent: Monday, November 26, 2001 2:32 PM
> To: focus-ms@securityfocus.com
> Subject: IIS4/5 Directory Security and OWA
> 
> 
> Two parts:
> 
> 1) IIS4 has a directory security option for Windows
> NT Challenge/Response
> option for use when Anonymous access is disabled
> which uses NTFS ACLs for
> security and requires a username and password.  Is
> this the same as
> "Integrated Windows Authentication" in IIS5?
> 
> 2) My existing Exchange IIS with OWA was not setup
> by me.  I can tell you
> the directory where the OWA components lies is set
> security wise to
> Everyone/Full Control.  Directory security for the
> website has allow anon
> checked using the IUSR account and the Windows NT
> Challenge/Response box
> checked.  Allow executables including scripts is
> enabled as are FrontPage
> extensions.
> 
> I have a 2nd machine in my Exchange Site which I am
> transitioning to, which runs
> 2000 and IIS5 and I know that there are much better
> ways to secure OWA with
> regards to NTFS ACLs and the IIS security settings.
> Could someone guide me
> as to the best ways to set these IIS5 and NTFS
> permissions?
> 
> BTW - This IIS box is behind a firewall which is
> accessed via an SMTP proxy
> and the .IDA and .IDQ ISAPI filters have been
> removed.  The 2000 server is
> patched appropriately, as is my exchange/owa
> install.
> 
> I am using Exchange 5.5 SP4 



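The ISAPI-mapping clean-up recommended in the thread above, as an added example that is not part of any of the posts: a Python script that takes ScriptMaps entries in the form `cscript adsutil.vbs GET w3svc/1/root/ScriptMaps` prints them (`ext,dll,flags[,verb,...]`), compares them with the allow-list of .asa, .asp, .cer and .crt (with .htr optional if the change-password page is kept), and builds the adsutil.vbs SET line that would rewrite the mapping with only the kept entries. The sample entries are constructed to resemble an IIS 5 default site; the DLL paths, flag values and the SET syntax are assumptions to check against your own server before running anything.

```python
"""Added example: audit IIS 4/5 ScriptMaps against the OWA allow-list from the
thread (.asa .asp .cer .crt, plus .htr only if change-password stays).
Not code from the posters; tooling and sample data are assumed/constructed."""
from typing import Dict, List, Tuple

OWA_ALLOWED = {".asa", ".asp", ".cer", ".crt"}   # allow-list given in the post

# Constructed sample resembling what `cscript adsutil.vbs GET w3svc/1/root/ScriptMaps`
# prints for a default IIS 5 site. DLL paths and flag values are assumptions.
SAMPLE_SCRIPTMAPS = [
    '".asa,C:\\WINNT\\System32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE"',
    '".asp,C:\\WINNT\\System32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE"',
    '".cdx,C:\\WINNT\\System32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE"',
    '".cer,C:\\WINNT\\System32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE"',
    '".crt,C:\\WINNT\\System32\\inetsrv\\asp.dll,5,GET,HEAD,POST,TRACE"',
    '".htr,C:\\WINNT\\System32\\inetsrv\\ism.dll,5,GET,POST"',
    '".htw,C:\\WINNT\\System32\\webhits.dll,3,GET,POST"',
    '".ida,C:\\WINNT\\System32\\idq.dll,7,GET,HEAD,POST"',
    '".idc,C:\\WINNT\\System32\\inetsrv\\httpodbc.dll,5,GET,POST"',
    '".idq,C:\\WINNT\\System32\\idq.dll,7,GET,HEAD,POST"',
    '".printer,C:\\WINNT\\System32\\msw3prt.dll,1,GET,POST"',
    '".shtm,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,5,GET,POST"',
    '".shtml,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,5,GET,POST"',
    '".stm,C:\\WINNT\\System32\\inetsrv\\ssinc.dll,5,GET,POST"',
]

ScriptMap = Tuple[str, int, List[str]]   # (dll path, flags, verb list)


def parse_scriptmaps(lines: List[str]) -> Dict[str, ScriptMap]:
    """Parse entries of the form ext,dll,flags[,verb,...], keyed by extension.
    The trailing verb list means different things on IIS 4 (exclusions) and
    IIS 5 (allowed set), so the audit keys on the extension only."""
    maps: Dict[str, ScriptMap] = {}
    for raw in lines:
        line = raw.strip().strip('"')
        if not line:
            continue
        parts = line.split(",")
        if len(parts) < 3 or not parts[0].startswith("."):
            raise ValueError(f"malformed ScriptMaps entry: {raw!r}")
        ext = parts[0].lower()
        dll = parts[1]
        flags = int(parts[2])
        verbs = [v.strip().upper() for v in parts[3:] if v.strip()]
        maps[ext] = (dll, flags, verbs)
    return maps


def audit(maps: Dict[str, ScriptMap], keep_change_password: bool = False):
    """Split the mapped extensions into (keep, remove) per the allow-list."""
    allowed = set(OWA_ALLOWED)
    if keep_change_password:
        allowed.add(".htr")   # only if the IISADMPWD change-password page stays
    keep = sorted(e for e in maps if e in allowed)
    remove = sorted(e for e in maps if e not in allowed)
    return keep, remove


def adsutil_set_command(maps: Dict[str, ScriptMap], keep: List[str],
                        site_path: str = "w3svc/1/root") -> str:
    """Build an adsutil.vbs SET line carrying only the kept entries.
    Assumed syntax (SET <metabase path> <value> [<value> ...]); verify it
    against the adsutil.vbs that ships with your IIS version first."""
    values = []
    for ext in keep:
        dll, flags, verbs = maps[ext]
        values.append('"' + ",".join([ext, dll, str(flags)] + verbs) + '"')
    return f"cscript adsutil.vbs SET {site_path}/ScriptMaps " + " ".join(values)


if __name__ == "__main__":
    m = parse_scriptmaps(SAMPLE_SCRIPTMAPS)
    keep, remove = audit(m)
    print("keep:  ", " ".join(keep))
    print("remove:", " ".join(remove))
    print(adsutil_set_command(m, keep))
```

Run it against the real output of `adsutil.vbs GET ... ScriptMaps` rather than the constructed sample, and run it per site and per virtual directory, since OWA's /exchange tree can carry its own ScriptMaps. Removing the mapping only stops IIS from handing requests to the DLL; the files the post says to delete (the .htr pages under iisadmpwd, imagemap.exe, htimage.exe) still have to be removed from disk separately.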