The password change process is sent in clear text across the Internet.

John Tolmachoff MCSE, CSSA
Owner, Network Engineer/Consultant
eServices For You
City of Industry, CA
www.eservicesforyou.com

-----Original Message-----
From: Hemmings, Rob [mailto:Rob.Hemmings@xxxxxxxxxxxxx]
Sent: Friday, April 04, 2003 6:10 AM
To: [ExchangeList]
Subject: [exchangelist] OWA - Change Password Security Risk?

http://www.MSExchange.org/

Hi,

I have an E2K Front-end Server in my DMZ. When running the IIS Lockdown and various other security bits and bobs, the ability for OWA users to change passwords was taken out (this was recommended to me by an E2K Guru).

I am now being asked by my client as to why the password change feature was removed. The best reply I was able to give (from my initial chat with the E2K guy) was "It's a security risk". Now I can't get hold of the guy to ask him specifically "why" it was taken out. And I can't find any tech bulletins to back this argument up...

Does anyone know of any "sound" technical reasons as to why the password change feature should be taken out of an internet-visible OWA box? And why it should stay out????

TIA.

Regards

Rob Hemmings
Bexley Mail Administrator / Postmaster
rob.hemmings@xxxxxxxxxxxxx

-----------------------------------------------------------------------------------------
This email is confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this email in error please notify Bexley Council by telephone on +44 (0) 20 8303 7777.
Web Site: http://www.bexley.gov.uk

Free Anti-Spam Download: Try Multi-layered, Accurate Spam Filtering with SurfControl E-mail Filter
http://www.surfcontrol.com/go/zmsexdl1
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=changelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?typeúQ
------------------------------------------------------
ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as: johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')