 Certificates
I am pretty new to the 2003 Microsoft world, but I am NT 4 MCSE.

My setup:
2 W2K3 DCs
1 Exchange 2K3 member server
1 W2K3 member server--web server
about 60 users--single domain

Some of my users want to use Outlook Web Access to get their mail from home (approx. 10-15). Everything is set up and running fine. My question is, do I need certificates to be secure? With this small amount of users it hardly seems necessary, but being new to the 2003 world, I just don't know. If I do need certificates, can I do them myself without ANY other vendors involved?

Thanks to all of you for helping us and each other out...this is a great website.

ASKED: June 29, 2005  11:45 AM
UPDATED: July 5, 2005  9:59 AM

Answer Wiki:
Yes, you need certificates if you are going to secure your password across the wire. However, you don't need to use a certificate through a well-known CA, such as Verisign, for your purposes. You can create and approve your own certificates locally using Certificate Services installed on Windows Server 2003. Inform the users that the certificate will issue a warning because it's not from one of the public CAs. Once they get the error and allow the certificate, they would log on encrypted over HTTPS. You can also restrict the logon process only to use HTTPS or the entire site, if you desire.

Enjoy,
SF
Last Wiki Answer Submitted:  June 29, 2005  8:37 pm  by  Sonyfreek   0 pts.
All Answer Wiki Contributors:  Sonyfreek   0 pts.
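To check whether anyone is still logging on to OWA without HTTPS after the certificate is installed, the IIS logs can be scanned for authenticated requests that arrived on port 80. This is an added example, not part of the original answer or of any Microsoft tool. It assumes the IIS 6 W3C extended log format with the s-port and cs-username fields enabled, HTTP on port 80, and the Exchange 2003 virtual directories /exchange, /exchweb and /public; the log lines are constructed sample data.

```python
# Flag OWA requests that carried a logged-on user over plain HTTP (port 80).
# Assumptions: IIS 6 W3C extended logging with s-port and cs-username enabled;
# OWA published under the virtual directories listed in OWA_PREFIXES.

OWA_PREFIXES = ("/exchange", "/exchweb", "/public")

# Constructed sample log (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2005-06-29 18:02:11 192.0.2.10 GET /exchange/ - 80 - 198.51.100.7 Mozilla/4.0 401
2005-06-29 18:02:15 192.0.2.10 GET /exchange/jdoe/Inbox - 80 EXAMPLE\\jdoe 198.51.100.7 Mozilla/4.0 200
2005-06-29 18:05:40 192.0.2.10 GET /exchange/asmith/Inbox - 443 EXAMPLE\\asmith 203.0.113.9 Mozilla/4.0 200
2005-06-29 18:06:02 192.0.2.10 GET /iisstart.htm - 80 - 203.0.113.9 Mozilla/4.0 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS writes spaces inside a field as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def cleartext_owa_logons(text):
    """Return (username, client IP, URI) for authenticated OWA hits on port 80."""
    findings = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        user = rec.get("cs-username", "-")
        on_http = rec.get("s-port") == "80"
        if on_http and user != "-" and uri.lower().startswith(OWA_PREFIXES):
            findings.append((user, rec.get("c-ip"), uri))
    return findings


if __name__ == "__main__":
    for user, client, uri in cleartext_owa_logons(SAMPLE_LOG):
        print(f"logon without HTTPS: {user} from {client} -> {uri}")
```

Once the site is restricted to HTTPS as described above, this check should return nothing for new log files.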


Discuss This Question:

Giving direct access to OWA over the Internet is not a good security practice. While a certificate on the web server will provide you with transport security, it does nothing to protect the web server itself, and a standard firewall will pass all packets over expected ports. To solve this problem, Microsoft has a recommended design which uses an ISA server in the DMZ acting as a bastion host in secure reverse proxy mode. The following link explains how it all hangs together:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx.
MS ISA is a good product, in particular on a W2K2 platform. My deployment passed security pen tests with flying colours.

 0 pts.

 

Yes – certificates are highly recommended (and easy).
Yes – you can self-certify.

A – Go through the AD entries and check that every user has their correct e-mail information.
B – Install certificate services on the webserver for AD authentication and either auto-issue or admin review and issue.
C – Show your users how to log in to the webserver and obtain a certificate, and install it to IE and Outlook. Enjoy.

Most important is to read the documentation; MS actually did a good job.

Good luck.

 30 pts.