On 12/23/05, Dan Jenkins <[EMAIL PROTECTED]> wrote:
>> Security: I've never seen a properly administered Exchange server
>> get "owned" or anything like that.  The security issues are all on the
>> client side.
>
> Actually, I've had to repair several; however, it is unclear to me that
> they were "properly administered" since we were brought in to deal with
> the problem that the in-house administrator for each couldn't.

  Yah.  "Windows can be administered by an idiot -- and usually is" is
a big problem (for everybody, as the various big worms have
demonstrated).  I *have* met several Windows servers that were full of
viruses.  Some were running Exchange.  They usually had no firewall,
no patches, were running every service ever, and generally were just a
big target on the 'net.  I even encountered one place that used their
server as a "shared" terminal for all the grunts without computers --
"that computer's just sitting in the corner not doing anything
anyway".

>>  Exception: OWA (Outlook Web Access) is a big exposure
>
> Definitely isolate it from the rest.

  If you *could*, that would be nice.  But OWA is a full-blown MAPI
client, just like Outlook proper.  It needs to be able to speak the
MAPI wire protocol to the Exchange back-end server, just like Outlook
on a desktop PC.  In order to enable that, you have to open up all the
Microsoft RPC that MAPI-wire uses.  At that point, you've pretty much
defeated the purpose of any kind of interior firewall or DMZ.

  This may have changed in Exchange 2003, but I don't think it has.

-- Ben
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss