RE: OWA - Change Password Security Risk?

  • From: "John Tolmachoff (Lists)" <johnlist@xxxxxxxxxxxxxxxxxxx>
  • To: "'[ExchangeList]'" <exchangelist@xxxxxxxxxxxxx>
  • Date: Fri, 4 Apr 2003 06:26:52 -0800

The password change process is sent in clear text across the Internet.

 

John Tolmachoff

MCSE, CSSA

Owner, Network Engineer/Consultant

eServices For You

City of Industry, CA

www.eservicesforyou.com

 

-----Original Message-----
From: Hemmings, Rob [mailto:Rob.Hemmings@xxxxxxxxxxxxx] 
Sent: Friday, April 04, 2003 6:10 AM
To: [ExchangeList]
Subject: [exchangelist] OWA - Change Password Security Risk?

 

http://www.MSExchange.org/

Hi,

 

I have an E2K Front-end Server in my DMZ. When running the IIS Lockdown and
various other security bits and bobs, the ability for OWA users to change
passwords was taken out (this was recommended to me by an E2K Guru).

 

I am now being asked by my client as to why the password change feature was
removed. The best reply I was able to give (from my initial chat with the
E2K guy) was "It's a security risk".

 

Now I can't get hold of the guy to ask him specifically "why" it was taken
out. And I can't find any tech bulletins to back this argument up.....

 

Does anyone know of any "sound" technical reasons as to why the password
change feature should be taken out of an internet-visible OWA box? And why
it should stay out????

 

TIA.

 

Regards 

Rob Hemmings

Bexley Mail Administrator / Postmaster



rob.hemmings@xxxxxxxxxxxxx

 



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=changelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?typeúQ
------------------------------------------------------
ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
johnlist@xxxxxxxxxxxxxxxxxxx