Thanks for the info. I'll have a go at installing OWA on the web server I think. I see IIS as a necessary evil. We're basically a Microsoft environment here so since I have to use IIS for the web server I may as well install OWA on it as well. Do I just install the OWA component from SP4? Any other Exchange components required?
Regards
Tony

-----Original Message-----
From: Smith, Ronni [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 9 July 2002 8:49 a.m.
To: Exchange Discussions
Subject: RE: OWA and IIS Security

1) I think you can't really make anything bulletproof but Microsoft has a security tool that sets perms for an IIS server running OWA to minimize risk. Search for the "IIS security tool" or something like that.

2) Yes you can run OWA on a different server. I do that. I have a cheapo ex-desktop that runs IIS and OWA and that is it. But I don't have very many users on it either. Be aware that if you have the IIS server in a DMZ then you may have to open more holes in your firewall than you would like. Some folks recommend keeping the OWA server inside the firewall so you don't have to open more than 2 ports to it. This has been discussed on the list in the past. People can get somewhat passionate about their view on the subject. You might want to check the archives although I don't know how well the search feature is working right now.

> -----Original Message-----
> From: Tony McCarthy [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 08, 2002 1:30 PM
> To: Exchange Discussions
> Subject: OWA and IIS Security
>
> Hi Everyone,
>
> Lately I've been noticing a number of attempts to hack one of our Exchange Servers. Our network is behind a Pix firewall and I've closed all unnecessary ports and have it fairly tightly locked down. However I have Port 80, 25 and 110 open for Exchange. My main concern is IIS. I am considering the possibility of disabling IIS and OWA on the Exchange server to minimize attacks. I have all the latest NT4 security patches (that I know of) but the hackers are still attempting to do mischief. There are two things I'd like to know: -
>
> 1. Is there a means of making IIS bullet proof with a patch or 3rd party tool?
>
> 2. Is it possible to install the OWA component on a server that is running IIS but not Exchange? The reason I ask this is because we have a web server that's running IIS. I thought it may reduce the risk of attack if I remove IIS from the Exchange server and use our web server for OWA? I know this is probably a dumb question but I thought I'd ask it anyway. I've checked out the FAQ but couldn't find anything on this particular scenario. The Exchange server in question is running Exchange 5.5 and NT4 (SP6). The web server is running W2K (SP2).
>
> I'd greatly appreciate feedback re this.
>
> Regards
> Tony
>
> Tony McCarthy
> Systems Engineer
> OSI Software Ltd
> Auckland
> New Zealand
> Ph:64 09 522 5909
> Fax:64 09 522 5901
> Mob: 021 703035
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]