I felt naked….

On November 30, 2009, in Security, by

And now I’m not …..

Now protecting the Remote Web Workplace (RWW) access (especially for the administrator account)…

And the cool thing is that I can now use iPhones and Windows Mobile phones as portable soft tokens.

I’ve also added the protection to the RDP access to the server so that it’s not open. Mind you, I had already limited the RDP access to certain IP addresses, but this tightens up security that much more.

And you can extend the password policy and let people change them LESS often to then ensure that they choose better passwords.
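The post mentions limiting RDP access to certain IP addresses before layering two-factor authentication on top. The following is an added example of one way to do that with the built-in Windows Firewall; it is not the blog author's own procedure and not Scorpion Software code. It assumes a Windows Server 2008-era host where `netsh advfirewall` is available, an elevated prompt, and a constructed list of trusted source addresses (the RFC 5737 documentation ranges below are placeholders to be replaced with the real management addresses).

```powershell
# Added example (not from the original post): scope inbound RDP (TCP 3389)
# to a fixed list of trusted source addresses using the Windows Firewall.
# Assumes Windows Server 2008-era netsh advfirewall; run from an elevated prompt.
# The address list is a constructed placeholder (RFC 5737 documentation ranges).
$RuleName       = "RDP - trusted sources only"
$AllowedSources = "203.0.113.10,198.51.100.0/24"

# 1. Remove any earlier copy of the rule so the script can be re-run safely.
netsh advfirewall firewall delete rule name="$RuleName"

# 2. Allow TCP 3389 inbound only when the remote address is in the trusted list.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$AllowedSources profile=any

# 3. Disable the default, unscoped Remote Desktop allow rule if it is present,
#    otherwise it would still admit 3389 from anywhere and defeat the scoping.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no

# 4. Verify: the scoped rule should list the trusted RemoteIP range, and no
#    other enabled allow rule for local port 3389 should remain.
netsh advfirewall firewall show rule name="$RuleName" verbose
netsh advfirewall firewall show rule name=all | findstr /C:"Rule Name" /C:"LocalPort" /C:"Enabled" | findstr /C:"3389"
```

Keep the firewall scoping in place even after the two-factor agent is installed: the credential prompt only protects what reaches the logon screen, whereas the address filter stops unsolicited connections before they consume a session or generate logon noise. Re-check the rule set after any server wizard or update that rewrites firewall rules, since a re-enabled default rule silently widens exposure again.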


5 Responses to I felt naked….

  1. Peter says:

    Could you please post about how to limit the RDP access to certain IP addresses. Thank you!

  2. Pauly says:

    Looks great on the surface but what stops a blackhat from just browsing directly to:
    https://remote.domainname.com/owa/
    https://remote.domainname.com:987/

    or attempting to RDP using the gateway
    remote.domainname.com

    Then you have Outlook Anywhere / OMA … how are any of the above protected by AuthAnvil?

    Does AA really add protection from someone trying to break in, or does it just appear to?

  3. William says:

    OWA you can hide behind RWW; the bigger concern would be OMA.

    AA integrates into windows by replacing the GINA so you get a modified logon prompt. It’s still vulnerable to physical access attacks, but it’s been designed for remote protection. This shows up in RDP connections so that’s not an issue.

    AA would be a lot nicer if it worked like SecurID, being appended to the existing password, as opposed to being a separate password and PIN.

    I’ve used AA before, to protect and manage multiple sites; it works quite well. OMA is still an issue, however.

  4. bradley says:

    There’s no OMA in Exchange 2007 remember.

  5. Dana Epp says:

    Hey Pauly,

    The choice is yours as to how detailed an AuthAnvil protection scope you want to do. For things like OWA, you can use the RWWGuard Sentry module (http://www.scorpionsoft.com/support/rwwguardsentry/) to redirect direct OWA THROUGH RWWGuard, forcing two-factor authentication (2FA) at the Remote Web Workplace login as Susan screenshotted there. Alternatively, you can use the AuthAnvil Web Logon agent and force 2FA directly when going to /owa. In either case, it allows you to enforce a check before they can get to the underlying service on SBS or EBS.

    As for RDPing through TS Gateway, you can deploy the AuthAnvil Credential Provider on the server, preventing someone from getting in until they have proven their identity with an AuthAnvil credential. If you have ISA or the Forefront TMG in play, you can also use the built-in RADIUS authentication policies to provide 2FA at the TS Gateway itself. We are currently working to make that work natively on SBS WITHOUT needing ISA/TMG.

    If you have any questions about any of this, feel free to talk to someone at Scorpion Software. You can open a dialog at http://www.scorpionsoft.com/lets-talk/.