However, with the introduction of OWA in
Exchange 5.5, OWA has been an appealing option. It is fairly simple to deploy, and
for organizations already opening port 80 for other Web services, it does not require
exposing new protocols to the public. Many organizations began using OWA as an
easy way to fix the functionality issue, allowing users to access their e-mail over a
service they already allow and monitor.
The Security Problem
As many of you know, Microsoft's OWA has some serious security issues that
hackers love to exploit. Exchange administrators worry daily over these possible
security breaches. One of the security issues dealt with the fact that an OWA user's
cached credentials can easily be used to gain unauthorized access to an Exchange
mailbox from the local Internet browser. Another problem was that because an OWA
session does not time out if the user forgets to log out and close the browser window,
an intruder can gain access to the Exchange mail system simply by browsing to
the open OWA session. Finally, OWA user IDs and passwords are stored in the
browser cache for subsequent use, and remain in the cache as long as a browser
session is active.
Most organizations know to use SSL to encrypt data transferred to and from the OWA
client and the Exchange server, thus making it impossible to "sniff" the contents of a
user's e-mail. But what some organizations do not understand is that SSL will not
prevent an intruder from gaining access to the Exchange server via an OWA session.
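The two weaknesses described above, a session that never expires and authenticated pages that the browser keeps in its cache, are server-side session-handling problems that SSL does nothing to address. The following is an added example, not code from the book and not Microsoft's OWA implementation: a small in-memory session store that enforces an idle timeout and an absolute lifetime, together with the response headers that tell the browser not to cache authenticated pages. The timeout values, the `SessionStore` and `no_cache_headers` names, and the walk-away timeline in `simulate_unattended_browser` are all assumptions constructed for illustration.

```python
"""Added example (not from the book or from OWA itself): a minimal
server-side session store with an idle timeout and an absolute lifetime,
plus the headers that stop the browser caching authenticated responses.
Policy values, names and the sample timeline are constructed."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT = 15 * 60        # assumed policy: 15 minutes without a request
ABSOLUTE_LIFETIME = 8 * 3600  # assumed policy: 8 hours regardless of activity


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """In-memory store keyed by an unguessable random token."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for deterministic tests
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)    # 256 bits of entropy from the OS CSPRNG
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session; return None and destroy the
        session when it is unknown, idle too long, or past its lifetime."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > ABSOLUTE_LIFETIME:
            self.logout(token)               # an unattended window stops working
            return None
        sess.last_seen = now                 # activity extends the idle window only
        return sess.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def no_cache_headers() -> Dict[str, str]:
    """Headers to send with every authenticated response so that mailbox pages
    are not retained in the browser cache after the user walks away."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def simulate_unattended_browser() -> List[Optional[str]]:
    """Constructed timeline: a user logs in, reads mail five minutes later,
    then walks away; a visit to the still-open window twenty minutes after
    that is rejected because the idle limit has passed."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    token = store.create("alice")
    results: List[Optional[str]] = []
    clock[0] += 5 * 60
    results.append(store.validate(token))    # 5 min later: "alice"
    clock[0] += 20 * 60
    results.append(store.validate(token))    # 25 min idle: None, session destroyed
    results.append(store.validate(token))    # token no longer exists: None
    return results


if __name__ == "__main__":
    print(simulate_unattended_browser())
    print(no_cache_headers())
```

The idle timeout is what closes the window described in the text; the absolute lifetime is the second check that bounds how long any session can live even when it is kept active. The headers are returned as a plain dictionary so they can be merged into whatever response object the web framework in use provides.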