Let me ask you this - are they accessing OWA over an SSL connection? Not that it matters - since you're encapsulating the username and password as part of the URL, its not secure. IIRC, the URL is NEVER encrypted via SSL. So, you're passing username and password in clear text.
-------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 11, 2004 4:38 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] MS04-004 > > > Until we can do it another way it is a huge deal here at my > company with > over hundreds of people accessing Outlook Web Access this way > from home or > remote locations. > > -----Original Message----- > From: Roger Seielstad [mailto:[EMAIL PROTECTED] > Sent: Wednesday, February 11, 2004 4:15 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] MS04-004 > > I concur. And frankly, those aren't all that secure to begin > with, so I > don't see it as a huge deal. > > -------------------------------------------------------------- > Roger D. Seielstad - MTS MCSE MS-MVP > Sr. Systems Administrator > Inovis Inc. > > > > -----Original Message----- > > From: Coleman, Hunter [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, February 11, 2004 4:04 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] MS04-004 > > > > > > It should only affect URLs that embed user names and > > passwords. Otherwise, I > > don't see anything that would bugger up basic authentication. > > But let us > > know what you find on your test bench... > > > > -----Original Message----- > > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, February 11, 2004 1:49 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] MS04-004 > > > > Is there anyway to permit the basic authentication after it > > is installed? > > > > -----Original Message----- > > From: Coleman, Hunter [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, February 11, 2004 3:47 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] MS04-004 > > > > According to KB834489 > > (http://support.microsoft.com/default.aspx?scid=kb;en-us;83448 > > 9), it only > > applies to HTTP/HTTPS > > > > Hunter > > > > ________________________________ > > > > From: Celone, Mike [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, February 11, 2004 1:36 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] MS04-004 > > > > > > > > Anyone know if this also applies to ftp connections too. On > > the SMS list > > one guy says it does and others say it doesn't? I haven't > > deployed the > > patch yet but plan on doing it soon. > > > > Mike > > > > -----Original Message----- > > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] > > Sent: Wednesday, February 11, 2004 3:24 PM > > To: Exchange2000 (E-mail); ActiveDir (E-mail) > > Subject: [ActiveDir] MS04-004 > > > > If any of you use Basic Authentication over HTTP or HTTPS you > > need to read > > this. > > > http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/ Bulletin/MS04-004.asp <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security /Bulletin/MS04-004.asp> The cumulative patch for IE no longer supports http://username:[EMAIL PROTECTED]/resource Justin A. Salandra, MCSE Senior Network Engineer Catholic Healthcare System 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
