Monday, August 18, 2008

OWA Security in SBS 2003

Happy Monday to u!

I am Harry Brelsford, the author Windows Small Business Server 2003 Best Practices and I am posting up a few pages per day to the Web (my blog) for your reading pleasure. This will continue until SBS 2008 ships!

So please enjoy a few pages today concerning OWA security in SBS 2003!

cheers…harrybbbb

Harry Brelsford

CEO at SMB Nation, www.smbnation.com, Microsoft Small Business Specialist (SBSC)

PS - I host a fantastic fall confernece in Seattle surrounding all this and more - everything SBS and Eseential Busienss Server (EBS)

###

OWA Security


There are a couple of security matters relating to OWA.


• Public vs. private computer. In Figure 8-18, you can see the OWA logon screen. A public or shared computer has a shorter time-out period (akin to the same setting in RWW). A private computer informs the Exchange server to tolerate a longer period of inactivity before enforcing a log off.

• HTTPS. I mentioned earlier but I need to mention again. When you configured SBS properly (that is, run the EICW and create the self-sign­ing certificate that is discussed in both Chapter 4 and 5), you’ll always




operate OWA under HTTPS. The translation for the BDM is that this is more secure and the data (in addition to the logon activity) is encrypted via PPTP. The port session related to this is shown in Figure 8-20.


Figure 8-20


Observe Port 443 making the OWA session operate under HTTPS.





Visit www.microsoft.com/technet for the latest updates for any Microsoft product.


• Challenging. When you log on the old fashioned way or the local host way, you must complete the OWA logon. In SBS 2000, a local host OWA session did not issue this logon challenge. When you access OWA via RWW, you are not challenged for an OWA-specific logon because RWW passes logon authentication to OWA.


BEST PRACTICE: Always have your SBS users properly log off OWA when they leave an OWA session. The logoff button is found on the far right of the upper OWA toolbar. Not logging off lays the foundation for sinister behavior, such as someone clicking Back several times in Internet Explorer to get to your mailbox! LOG OFF!

No comments: