Re: Non-secure Exchange Page

PiSquared (Limp Gawd; joined Oct 15, 2002; 269 messages)
Hi all,

My company has recently changed IT providers (we do not rely on internal expertise, much to my frustration), and I noticed that our Microsoft Exchange web site is no longer secure. I brought this up with one of the owners of the new IT company and he said, "Microsoft wouldn't let people sign in if it wasn't secure. If it's good enough for Microsoft, it's good enough for us."

I was hoping some people could chime in to either verify or refute the accuracy of his statement. After having a secure login for so long, I am puzzled as to why we suddenly no longer need one.

To clarify, I mean that we sign in at a regular http:// web site, with no indication of any security at all (e.g. https://).

Thank you very much for reading, and for your input!

Tim

EDIT: spelling
 
What version of Exchange? As far as I know 2003 and 2k7 should have no problem. Can not comment on 2k since I have no experience with it.
 
What version of Exchange? As far as I know 2003 and 2k7 should have no problem. Can not comment on 2k since I have no experience with it.

Given that I see (c)2007 on there, I'm gonna go with 2007.

For more clarification, the page is the Outlook Web Access page.
 
You'll want it secured using ssl. You are passing credentials over the internet in plain text if it is not set to https. If anyone were sniffing the network they would be able to capture these logins.
 
Maybe not, take a screenshot of the login page.

Here is a link:


supermen, that's why I was asking about this on here. I am concerned that there could be a security issue now that it appears SSL may not be used. I'm trying to get the facts before approaching management, though.

Thanks. :)
 
that is 2K7 and by default when you install 2k7 a self cert is installed and set up for SSL by default. It would be a very good idea to get it back up and running
 
that is 2K7 and by default when you install 2k7 a self cert is installed and set up for SSL by default. It would be a very good idea to get it back up and running

Do you mean that when it was initially set up, it should have defaulted to using SSL, but that the setting was turned off at some point?
 
Do you mean that when it was initially set up, it should have defaulted to using SSL, but that the setting was turned off at some point?

correct, or it was set not to require SSL. So you can try https://<servername>/owa
 
Then more than likely SSL was turned off completely

Please note I edited the above a few times for inaccuracy because I was distracted at the moment. Is there any possible reason SSL should be off? We have multiple sites with multiple people at each site checking email.
 

Hmmm, the link you included seems to corroborate your statement that SSL was most likely turned off. As I asked above, is there any practical reason to turn off SSL? I ask in case I'm missing part of a larger picture that the IT company would know about.

Also, thanks very much for being patient enough to keep replying. It is very much appreciated.
:)
 
There's no good reason to turn off SSL.
The only thing I can think of is if they were using a 3rd party certificate it may have expired and they don't know or don't want to renew it.

Someone else indicated it was a self-signed cert so that should be free.
 
There's no good reason to turn off SSL.
The only thing I can think of is if they were using a 3rd party certificate it may have expired and they don't know or don't want to renew it.

Someone else indicated it was a self-signed cert so that should be free.

Would it be reasonable, then, to demand that SSL be turned back on? We deal with a huge volume of information that identity thieves would die happy if they got ahold of, and from what people say, this is what I'm leaning towards.

Thanks again. :)
 
Yes, absolutely.

If they complain about the cost - you don't need a public SSL cert from one of the trusted roots. You can generate self-signed certs with any 2003 CA. It's a free component with 2003 Server (assuming your domain doesn't have any existing PKI).
 
Would it be reasonable, then, to demand that SSL be turned back on? We deal with a huge volume of information that identity thieves would die happy if they got ahold of, and from what people say, this is what I'm leaning towards.

Thanks again. :)
I would demand it be turned back on. If that company refuses or gives ANY fuss about it, I'd drop them like a bad habit...there's plenty of other IT Consulting firms out there that would love to have your business.
 
Yes, absolutely.

If they complain about the cost - you don't need a public SSL cert from one of the trusted roots. You can generate self-signed certs with any 2003 CA. It's a free component with 2003 Server (assuming your domain doesn't have any existing PKI).
Cost??? They can get a turbo cert from GoDaddy for $20 a year. I can't imagine anyone complaining about $20...especially when they've already obviously purchased Exchange.
 
I would demand it be turned back on. If that company refuses or gives ANY fuss about it, I'd drop them like a bad habit...there's plenty of other IT Consulting firms out there that would love to have your business.
I'd honestly already be considering that. Do you really want to trust critical information with a company that is cutting corners with security? There is no legitimate reason for them to have disabled SSL in this fashion; either they are incompetent or cheap. Neither is something I'd be happy with.
 
Cost??? They can get a turbo cert from GoDaddy for $20 a year. I can't imagine anyone complaining about $20...especially when they've already obviously purchased Exchange.

You can't use $20 SSL certs with Exchange 2007. In fact, if you do this, your local clients will no longer be able to access Exchange with Outlook - which is probably why your IT folks decided to turn off SSL. This is a very bad idea - anyone can run a packet sniffer + ARP poisoning (or just throw a Hub in your server room in place of a switch) and get everyone's username/password.

It's even worse if your Exchange server is co-located!

You need an SSLv3 cert with subject alternative name support (i.e., multiple domains on the same certificate).
Best practices dictate that the URLs you should include for your Client Access Server cert:
Local or NetBIOS name of the server, for example, owa1
All the accepted domain names for the organization, for example, contoso.com
The fully qualified domain name for the server, for example, owa1.contoso.com
The Autodiscover domain name for the domain, for example, Autodiscover.contoso.com
(The load-balance identity of the server if you are using one, for example, owa.contoso.com)

There are (afaik) only 3 companies that sell them: Entrust ($600), Comodo ($200), and godaddy recently started selling them for $80.

A "quick and dirty" way to set this up is to use a wildcard certificate - *.yourdomain.com - this will be a nightmare to support for mobile access - especially if you want to support iPhones, WM5 devices, Blackberries, Newer PalmOS phones - each has its own unique set of problems with wildcard certs.

A cheaper alternative is to set up your own Server 2003/2008 certificate authority. This is pretty quick - then you can issue your own SSLv3 certs. IE/Firefox will warn you that the mailserver's cert's root cert is not known - so you'll need to hand out the root.cer from your new Cert Authority Server if you do this.

It's hard to believe how naive the owners of that company are! Scary!
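Added example, not code from any poster in this thread: a small Python check of whether a certificate's Subject Alternative Names cover the five names the post above lists for a Client Access Server certificate. The SAN tuples are constructed to look like what Python's `ssl.getpeercert()['subjectAltName']` returns; `contoso.com` and the hostnames are the post's own examples, and `fetch_san_entries` is a hypothetical helper for reading the list off a live server. The check applies the usual one-label wildcard rule, which is why a `*.contoso.com` certificate still leaves the bare domain and the NetBIOS name uncovered, separately from the mobile-client problems the post mentions.

```python
"""Check whether a certificate's SAN entries cover every name an
Exchange 2007 Client Access Server is reached by.

Added example; the SAN lists below are constructed test data, not
certificates from the thread.
"""
import socket
import ssl

# The names the post lists as best practice for the CAS certificate.
REQUIRED_NAMES = [
    "owa1",                      # local / NetBIOS name of the server
    "contoso.com",               # accepted domain for the organisation
    "owa1.contoso.com",          # fully qualified name of the server
    "autodiscover.contoso.com",  # Autodiscover name for the domain
    "owa.contoso.com",           # load-balanced identity, if used
]


def _matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive hostname match with the common wildcard rule:
    '*' is only allowed as the whole leftmost label and matches exactly
    one label, so '*.contoso.com' covers 'owa.contoso.com' but neither
    'contoso.com' nor 'a.b.contoso.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".contoso.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def missing_names(san_entries, required=REQUIRED_NAMES):
    """Return the required hostnames not covered by any DNS SAN entry,
    in the order they appear in `required`.

    `san_entries` uses the (kind, value) tuple form that
    ssl.SSLSocket.getpeercert() returns under 'subjectAltName'.
    """
    dns_names = [value for kind, value in san_entries if kind == "DNS"]
    return [name for name in required
            if not any(_matches(p, name) for p in dns_names)]


def fetch_san_entries(host, port=443):
    """Hypothetical helper: read the SAN list from a live HTTPS endpoint.
    Verification is left on, so a self-signed or unknown-CA certificate
    raises ssl.SSLCertVerificationError instead of being inspected."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())


# Constructed SAN lists for three kinds of certificate discussed above.
SINGLE_NAME_CERT = (("DNS", "owa1.contoso.com"),)          # cheap single-name cert
WILDCARD_CERT = (("DNS", "*.contoso.com"),)                 # wildcard cert
UCC_CERT = tuple(("DNS", name) for name in REQUIRED_NAMES)  # multi-name SAN/UCC cert

if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME_CERT),
                        ("wildcard", WILDCARD_CERT),
                        ("SAN/UCC", UCC_CERT)):
        gaps = missing_names(cert)
        print(f"{label:12s} missing: {gaps or 'none'}")
```

Running it prints which names each certificate type leaves uncovered; only the multi-name certificate covers all five, which is the point the post makes about single-name certificates and Exchange 2007.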
 
You can't use $20 SSL certs with Exchange 2007. In fact, if you do this, your local clients will no longer be able to access Exchange with Outlook - which is probably why your IT folks decided to turn off SSL. This is a very bad idea - anyone can run a packet sniffer + ARP poisoning (or just throw a Hub in your server room in place of a switch) and get everyone's username/password.

It's even worse if your Exchange server is co-located!

You need an SSLv3 cert with subject alternative name support (i.e., multiple domains on the same certificate).
Best practices dictate that the URLs you should include for your Client Access Server cert:
Local or NetBIOS name of the server, for example, owa1
All the accepted domain names for the organization, for example, contoso.com
The fully qualified domain name for the server, for example, owa1.contoso.com
The Autodiscover domain name for the domain, for example, Autodiscover.contoso.com
(The load-balance identity of the server if you are using one, for example, owa.contoso.com)

There are (afaik) only 3 companies that sell them: Entrust ($600), Comodo ($200), and godaddy recently started selling them for $80.

A "quick and dirty" way to set this up is to use a wildcard certificate - *.yourdomain.com - this will be a nightmare to support for mobile access - especially if you want to support iPhones, WM5 devices, Blackberries, Newer PalmOS phones - each has its own unique set of problems with wildcard certs.

A cheaper alternative is to set up your own Server 2003/2008 certificate authority. This is pretty quick - then you can issue your own SSLv3 certs. IE/Firefox will warn you that the mailserver's cert's root cert is not known - so you'll need to hand out the root.cer from your new Cert Authority Server if you do this.

It's hard to believe how naive the owners of that company are! Scary!
ah, didn't know the turbo certs wouldn't work. I've never setup Exchange (that'll be changing tonight :D) That's good info to have.
 
I'd like to thank everyone very, very much for taking the time to reply. I will be bringing this up to our management's attention tomorrow morning, and will probably quote some replies.

Sorry, but no royalties.
:)

If there is anything else that you think it would be helpful for me to know, please feel free to reply - it is very much appreciated!

Tim
 
If there is anything else that you think it would be helpful for me to know, please feel free to reply - it is very much appreciated!

One other thing (as you've already found out) : In my experience, competent Exchange 2007 admins are either relatively expensive or relatively incompetent.
 
You can use GoDaddy for your cert. You need a UCC Multiple Domain certificate that runs around $90 annually.

This is what I used for my OWA and ActiveSync on our smartphones.
 