Just because I'm paranoid doesn't mean they're not out to get me. RPC is about the least secure thing on the planet, and you want to tunnel it, encrypted, directly into my network...

You ever play with SSH? I mean *really* play with ssh? This is about 1/2 step below that on the scary capability level....

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Anthony Sollars [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 28, 2004 11:54 AM
> To: Exchange Discussions
> Subject: RE: Exchange 2003 SP1 is out
>
> Come on Roger, btw WAASSSUUUUPPP!, don't be so paranoid. RPC over HTTPS is not so bad. It's like anything else, it must be configured correctly so it enforces the SSL authentication. You should also publish it through an ISA server with two factor authentication like RSA. I foresee ISA coming out with a publishing rule that will allow ISA to inspect the https traffic the same way it does with OWA traffic now.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, May 28, 2004 5:08 AM
> To: Exchange Discussions
> Subject: RE: Exchange 2003 SP1 is out
>
> That's probably not far off, although the issue there is theoretically, you're running it over an SSL tunnel, so all the firewalls have to go by is IP and port on both ends.
>
> I think the concept of tunneling one protocol over another is fairly scary to begin with. Add to that the fact the tunnelled protocol is RPC, and it's frankly insane to allow.
>
> For RPC to work in any context, there has to be a connection to the RPC end point mapper - which advertises EVERY RPC aware service running on the box. Funny enough, that includes most services in Windows. So, you're willingly exposing an insecure and very dangerous protocol (RPC) over a well known and generally trusted port/protocol.
>
> Tunnel that over an SSL connection and you can pretty much kiss away any benefit from firewalls and intrusion detection systems. Even then, relatively few people look at HTTP for suspicious traffic.
>
> Roger
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: Ed Crowley [MVP] [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, May 27, 2004 6:48 PM
> > To: Exchange Discussions
> > Subject: RE: Exchange 2003 SP1 is out
> >
> > I'm wondering how long RPC over HTTP will be useful before firewall vendors and administrators pinch it off.
> >
> > Ed Crowley MCSE+Internet MVP
> > Freelance E-Mail Philosopher
> > Protecting the world from PSTs and Bricked Backups!™
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > Sent: Thursday, May 27, 2004 8:12 AM
> > To: Exchange Discussions
> > Subject: RE: Exchange 2003 SP1 is out
> >
> > Single, well known port, funneling a single, really, really insecure protocol (RPC) directly into your network....
> >
> > Scares me silly.. Not quite as scary as what you can do with ssh, but darn close.
> >
> > --------------------------------------------------------------
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -----Original Message-----
> > > From: Kevinm [CA] [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, May 27, 2004 10:32 AM
> > > To: Exchange Discussions
> > > Subject: RE: Exchange 2003 SP1 is out
> > >
> > > Smaller attack surfaces.. you only have the universal fire hole bypass port 80 open. And you are requiring mutual authentication on all connections. I believe this will be the connection method for all things in the future. No more firewalls at the edge, unless you consider the edge the air and the Ethernet cable.
> > >
> > > --Kevinm WLKMMAS Exchange MVP
> > > Http://www.wlkmmas.org
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > > Sent: Thursday, May 27, 2004 5:04 AM
> > > To: Exchange Discussions
> > > Subject: RE: Exchange 2003 SP1 is out
> > >
> > > And provide infinitely larger attack surfaces for hackers and viruses.
> > >
> > > --------------------------------------------------------------
> > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > Sr. Systems Administrator
> > > Inovis Inc.
> > >
> > > > -----Original Message-----
> > > > From: Jason Clishe [mailto:[EMAIL PROTECTED]
> > > > Sent: Wednesday, May 26, 2004 8:01 PM
> > > > To: Exchange Discussions
> > > > Cc: Jason Clishe
> > > > Subject: RE: Exchange 2003 SP1 is out
> > > >
> > > > Don't discount the new RPC over HTTP publisher tool in ESM. This will make RPC over HTTP configurations infinitely simpler.
> > > >
> > > > Jason
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Butler
> > > > Sent: Wednesday, May 26, 2004 11:44 AM
> > > > To: Exchange Discussions
> > > > Subject: RE: Exchange 2003 SP1 is out
> > > >
> > > > The only extra thing I can see in System Manager is an extra column in the server list to tell you if RPC over HTTP is enabled.
> > > > Otherwise I totally agree with Roger's initial thoughts below.
> > > >
> > > > Simon.
> > > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> > > > Sent: 26 May 2004 14:39
> > > > To: Exchange Discussions
> > > > Subject: RE: Exchange 2003 SP1 is out
> > > >
> > > > My initial impressions:
> > > >
> > > > Documentation
> > > > -Very light on the included fixes
> > > > -Doesn't mention the OS hotfix requirement anywhere
> > > >
> > > > Install
> > > > -Inconsistent reboot pattern (2 boxes installed, one required a reboot, the other didn't)
> > > > -Doesn't want to install an ESM only upgrade on an XP SP2RC1 box
> > > >
> > > > Functionality
> > > > -No noticeable issues with normal test loads at this point
> > > >
> > > > I'm planning on moving it into my pilot deployment in the next few days to see what happens.
> > > >
> > > > --------------------------------------------------------------
> > > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > > Sr. Systems Administrator
> > > > Inovis Inc.
> > > >
> > > > > -----Original Message-----
> > > > > From: Atkinson, Miles [mailto:[EMAIL PROTECTED]
> > > > > Sent: Wednesday, May 26, 2004 6:23 AM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: Exchange 2003 SP1 is out
> > > > >
> > > > > I found the MS information on included bug fixes and the like was a little on the light side.
> > > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Simon Butler
> > > > > Sent: 26 May 2004 11:12
> > > > > To: Exchange Discussions
> > > > > Subject: RE: Exchange 2003 SP1 is out
> > > > >
> > > > > I have now done it twice - once on my office test system and once on the home test system.
> > > > > The office test system didn't ask for a reboot. The home system did.
> > > > >
> > > > > While I appreciate that it is an OS hotfix and not an application hot fix, there wasn't a single mention of the requirement for it, or a link to the download in the release notes. I had to look up the KB article from the error, find the download, install it and then attempt the install again.
> > > > >
> > > > > Simon.
> > > > >
> > > > > _________________________________________________________________
> > > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > > > Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> > > > > To unsubscribe send a blank email to %%email.unsub%%
> > > > > Exchange List admin: [EMAIL PROTECTED]
> > > > > To unsubscribe via postal mail, please contact us at:
> > > > > Jupitermedia Corp.
> > > > > Attn: Discussion List Management
> > > > > 475 Park Avenue South
> > > > > New York, NY 10016
> > > > >
> > > > > Please include the email address which you have been contacted with.
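
The conditions argued over in this thread (SSL enforced, authentication required, only the intended back-end ports reachable through the tunnel) can be checked in the front-end's IIS W3C logs, where RPC over HTTP appears as RPC_IN_DATA / RPC_OUT_DATA requests to /rpc/rpcproxy.dll with the target server:port in the query string. This is an added example, not part of the original messages; the log lines are constructed, and the host names, users and allowed port set (6001, 6002, 6004) are assumptions.

```python
# Added example: audit IIS W3C log lines for RPC-over-HTTP proxy requests.
# Log lines below are constructed; hosts, users and IPs are placeholders.
RPC_VERBS = {"RPC_IN_DATA", "RPC_OUT_DATA"}
# Assumption: back-end ports the proxy is meant to reach (Exchange 2003
# convention: 6001 store, 6002 DS referral, 6004 DS proxy).
ALLOWED_PORTS = {6001, 6002, 6004}

SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status
2004-05-28 15:01:02 192.0.2.10 EXAMPLE\\alice 443 RPC_IN_DATA /rpc/rpcproxy.dll mail01.example.test:6001 200
2004-05-28 15:01:02 192.0.2.10 - 443 RPC_OUT_DATA /rpc/rpcproxy.dll mail01.example.test:6001 401
2004-05-28 15:03:40 198.51.100.7 EXAMPLE\\bob 443 RPC_IN_DATA /rpc/rpcproxy.dll mail01.example.test:135 200
2004-05-28 15:04:11 198.51.100.7 EXAMPLE\\bob 80 RPC_IN_DATA /rpc/rpcproxy.dll mail01.example.test:6004 200
2004-05-28 15:05:30 203.0.113.5 - 443 RPC_OUT_DATA /rpc/rpcproxy.dll mail01.example.test:6002 200
2004-05-28 15:06:00 192.0.2.10 EXAMPLE\\alice 443 GET /exchange/ - 200
"""


def audit(log_text):
    """Return (line_number, [reasons]) for each suspicious RPC proxy request."""
    fields, findings = [], []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order comes from the log
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") not in RPC_VERBS:
            continue                           # ordinary HTTP, not tunnelled RPC
        reasons = []
        if row.get("s-port") != "443":
            reasons.append("not over SSL")
        # A 401 with no user is the normal auth challenge; a success is not.
        if row.get("cs-username") == "-" and row.get("sc-status", "").startswith("2"):
            reasons.append("served without authentication")
        port = row.get("cs-uri-query", "").rpartition(":")[2]
        if not port.isdigit() or int(port) not in ALLOWED_PORTS:
            reasons.append("target port %s not allowed" % (port or "?"))
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == "__main__":
    for n, reasons in audit(SAMPLE_LOG):
        print(n, "; ".join(reasons))
```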
