Re: OWA - Change Password Security Risk?

  • From: "Abner Carvalho" <astronobaldo@xxxxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Fri, 04 Apr 2003 14:20:17 +0000

Hi Rob,

   Take a look at the following site:


It is for IIS 4.0, but I think it can help you.


Abner Carvalho

From: "Hemmings, Rob" <Rob.Hemmings@xxxxxxxxxxxxx>
Reply-To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
Subject: [exchangelist] OWA - Change Password Security Risk?
Date: Fri, 4 Apr 2003 15:09:34 +0100


I have an E2K Front-end Server in my DMZ. When running the IIS Lockdown
and various other security bits and bobs, the ability for OWA users to
change passwords was taken out (this was recommended to me by an E2K

I am now being asked by my client as to why the password change feature
was removed. The best reply I was able to give (from my initial chat
with the E2K guy) was "It's a security risk".

Now I can't get hold of the guy to ask him specifically 'why' it was
taken out. And I can't find any tech bulletins to back this argument

Does anyone know of any 'sound' technical reasons as to why the password
change feature should be taken out of an internet-visible OWA box? And
why it should stay out????


Rob Hemmings
Bexley Mail Administrator / Postmaster

rob.hemmings@xxxxxxxxxxxxx <mailto:rob.hemmings@xxxxxxxxxxxxx>

