Question

  Asked: Jun 29 2005   11:45 AM GMT
  Asked by: TheVyrys


Certificates


Security management, Information risk management, Security, Intrusion management, Security Program Management, Compliance, Risk management, CRM, Policies, Disaster Recovery, VPN, Vulnerability Assessment & Audit, DataCenter

I am pretty new to the 2003 Microsoft world, but I am NT 4 MCSE.
My setup:
2 W2K3 DC's
1 Exchange 2K3 member server
1 W2K3 member server--web server
about 60 users--single domain

Some of my users want to use Outlook Web Access to get their mail from home (approx. 10-15).

Everything is set up and running fine.
My question is, do I need certificates to be secure? With this small amount of users it hardly seems necessary, but being new to the 2003 world, I just don't know.
If I do need certificates, can I do them myself without ANY other vendors involved?

Thanks to all of you for helping us and each other out...this is a great website.


Answer Wiki



Yes, you need certificates if you are going to secure your password across the wire. However, you don't need to use a certificate through a well-known CA, such as Verisign, for your purposes.

You can create and approve your own certificates locally using Certificate Services installed on Windows Server 2003. Inform the users that the certificate will issue a warning because it's not from one of the public CAs. Once they get the error and allow the certificate, they would log on encrypted over HTTPS.

You can also restrict the logon process only to use HTTPS or the entire site, if you desire.

Enjoy,
SF


Discuss This Answer



Whitecap  |   Jun 30 2005  5:23AM GMT

Giving direct access to OWA over the Internet is not a good security practice. While a certificate on the web server will provide you with transport security it does nothing to protect the web server itself and a standard firewall will pass all packets over expected ports. To solve this problem Microsoft has a recommended design which uses an ISA server in the DMZ acting as a bastion host in secure reverse proxy mode. The following link explains how it all hangs together:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx.
MS ISA is a good product, in particular on a W2K2 platform. My deployment passed security pen tests with flying colours.

 

Howard2nd  |   Jul 5 2005  9:59AM GMT

Yes - certificates are highly recommended (and easy).
Yes - you can self-certify.

A - Go through the AD entries and check that every user has their correct e-mail information.
B - Install certificate services on the webserver for AD authentication and either auto-issue or admin review and issue.
C - Show your users how to log in to the webserver and obtain a certificate, install to IE and Outlook. Enjoy.

Most important is to read the documentation; MS actually did a good job.

Good luck.