It doesn't stop key logging per se, but it renders it ineffective.

The SecurID tokens use a three factor[1] authentication system, in which the
third piece is a 6 digit, one time use code. That code is good for exactly 3
minutes, and once used cannot be used again.

Therefore, logging the authentication process is useless, as you'll only get
2 of the 3 factors, and for the third factor, you have a 1 in 1,000,000
chance, reset every three minutes, to guess that last part.

Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] They call it 2 factor, but you need a username, a PIN, and the SecurID
token number to log in - that's either 3 or 11, depending on how much of a
geek you are.
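As an added example (not part of Roger's post or any vendor's code), here is the server-side logic the post relies on: a six-digit code bound to a three-minute slot and accepted at most once, so a PIN and code captured by a key logger are refused when replayed. The HMAC-based `token_code` is a constructed stand-in for the token algorithm, not RSA SecurID's real one, and the seed, PIN and timestamps are constructed values.

```python
import hashlib
import hmac
import struct

CODE_DIGITS = 6      # six-digit code, as in the post
STEP_SECONDS = 180   # each code is good for exactly three minutes


def token_code(seed: bytes, now: int) -> str:
    """Code displayed by the token at unix time `now`.

    Constructed stand-in: HMAC over the current 3-minute slot, truncated to
    six decimal digits. It has the properties the post relies on (time-bound,
    1-in-10^6 guess) but is NOT the vendor's algorithm.
    """
    slot = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", slot), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


class Verifier:
    """Server side: checks PIN + token code and never accepts a code twice."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin = pin
        self.used_slots = set()  # replay cache keyed by time slot

    def verify(self, pin: str, code: str, now: int) -> bool:
        slot = now // STEP_SECONDS
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        code_ok = hmac.compare_digest(code.encode(), token_code(self.seed, now).encode())
        if not (pin_ok and code_ok):
            return False          # wrong PIN, wrong code, or code already expired
        if slot in self.used_slots:
            return False          # one-time use: a logged code replayed later fails
        self.used_slots.add(slot)
        return True


def replay_outcomes(seed: bytes, pin: str, t_login: int) -> dict:
    """Legitimate login at t_login, then the captured PIN + code replayed
    inside the same window and again after it. Returns the verifier's decisions."""
    v = Verifier(seed, pin)
    captured = token_code(seed, t_login)  # exactly what a key logger would record
    return {
        "legit": v.verify(pin, captured, t_login),
        "replay_same_window": v.verify(pin, captured, t_login + 30),
        "replay_after_window": v.verify(pin, captured, t_login + 2 * STEP_SECONDS),
    }
```

Within the window the replay is stopped by the used-slot cache; after the window it is stopped by the time binding, so both halves of the post's claim are enforced.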


> -----Original Message-----
> From: Ed Crowley [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, September 18, 2003 4:40 PM
> To: Exchange Discussions
> Subject: RE: OWA front end server - licensing and security
> 
> 
> I don't see how that would stop key-logging.
> 
> Ed
> 
> --- Greg Marr <[EMAIL PROTECTED]> wrote:
> > We have set up our OWA to require two-factor authentication (SecurID)
> > which eliminates any key-logging concerns but this system is not cheap
> > at approx $300 AU ($160 US) per user.
> > 
> > The upside is that you can use the same system to authenticate all of
> > your remote access users (dial-up, VPN, etc) and this is the function
> > that really allows me to sleep well at night.
> > 
> > I guess that it all depends on how many people are going to require this
> > functionality and of course, your budget.....
> > 
> > Greg
> > 
> > -----Original Message-----
> > From: Erick Thompson [mailto:[EMAIL PROTECTED] 
> > Sent: Thursday, 18 September 2003 10:07 AM
> > To: Exchange Discussions
> > Subject: RE: OWA front end server - licensing and security
> > 
> > We talked about this exact scenario. We decided that given how easy it
> > is to install a key logger, and other malware, on public systems we
> > decided it was too risky. We are planning on using public folders quite
> > heavily with data that we can't risk getting out. Same with the address
> > books.
> > 
> > We are trying to figure out a way to give people access to email only
> > from a public terminal. No public folders or address books. If you have
> > any suggestions, that would be great.
> > 
> > Erick
> > 
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> > > Sent: Wednesday, September 17, 2003 4:40 PM
> > > To: Exchange Discussions
> > > Subject: RE: OWA front end server - licensing and security
> > > 
> > > 
> > > ISA is a better solution in a DMZ because it doesn't
> > > require the plethora of holes in the internal
> > > firewall.
> > > 
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/isa/deploy/isaexch.asp
> > > 
> > > Requiring VPN (your other message) is a good idea,
> > > however, you may be coming back to ISA or some other
> > > idea when your users demand to be able to get e-mail
> > > from a coffeehouse kiosk terminal.
> > > 
> > > Ed
> > > 
> > > --- Erick Thompson <[EMAIL PROTECTED]> wrote:
> > > > I have to admit to being a little confused, how
> > > > would ISA help, aside from being a proxy? Which
> > > > isn't nothing, but I'm wondering if I'm missing
> > > > something else. 
> > > > 
> > > > Thanks,
> > > > Erick
> > > > 
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] Behalf Of Webb, Andy
> > > > > Sent: Wednesday, September 17, 2003 7:04 AM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: OWA front end server - licensing and security
> > > > > 
> > > > > 
> > > > > Don't forget you also have to fully protect the front end server from
> > > > > all the other servers on the DMZ from which it is not isolated.
> > > > > 
> > > > > Those other systems may have been placed on the DMZ in an insecure state
> > > > > with the thought that if anyone broke them, they would be isolated from
> > > > > the internal LAN.  What happens when you put the FE in the DMZ is you
> > > > > break that theory.  The DMZ is no longer isolated from the LAN.
> > > > > 
> > > > > You definitely have to secure the FE, but once you have, why not put it
> > > > > inside where it is not at risk from questionable systems on the DMZ?
> > > > > 
> > > > > Better to put an ISA server in the DMZ as was suggested earlier.
> > > > > 
> > > > > Regarding IPSEC, Exchange 2003 explicitly states that IPSEC is now
> > > > > supported between front end and back end.  So if you upgrade, that's
> > > > > perhaps an option.  Though a lesser one than using ISA imho.
> > > > > 
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Leeann McCallum
> > > > > Sent: Tuesday, September 16, 2003 6:32 PM
> > > > > To: Exchange Discussions
> > > > > Subject: RE: OWA front end server - licensing and security
> > > > > 
> > > > > You could throw an OWA front end server in the DMZ, put certificate on
> > > > > as Ed suggests, and then wrap everything up in an IPSEC packet that goes
> > > > > between the front end and backend.  Between the client on the net and
> > > > > the front end, you would use SSL, so just open 443.
> > > > > 
> > > > > 
> > > > > 
> > > > > -----Original Message-----
> > > > > From: Erick Thompson [mailto:[EMAIL PROTECTED]
> > > > > Sent: Wednesday, 17 September 2003 11:29 a.m.
> > > > > To: Exchange Discussions
> > > > > Subject: RE: OWA front end server - licensing and security
> > > > > 
> > > > > 
> > > > > Ed,
> > > > > 
> > > > > I'm a little confused. You're recommending that I put in a front end
> > > > > server, but not in the DMZ? It seems to me that I might have to open a
> > > > > bunch of ports, but if the front end server is in the LAN, all ports are
> > > > > by default open.
> > > > > 
> > > > > Just to clarify, I have one Exchange server which lives on my LAN, and
> > > > > there is an SMTP server in my DMZ that relays messages to the Exchange
> > > > > server. At the moment, I don't have any other Exchange servers running.
> > > > > 
> > > > > Thanks,
> > > > > Erick
> > > > > 
> > > > > > -----Original Message-----
> > > > > > From: [EMAIL PROTECTED]
> > > > > > [mailto:[EMAIL PROTECTED] Behalf Of Ed Crowley
> 
> === message truncated ===
> 
> 
> _________________________________________________________________
> List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
> Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
> To unsubscribe:         mailto:[EMAIL PROTECTED]
> Exchange List admin:    [EMAIL PROTECTED]

