Solved

Is it desirable (and unproblematic) to make Internet access to the OWA and RWW sites more 'cryptic' than "/exchange" and "/remote" ?

Posted on 2008-06-11
6
249 Views
Last Modified: 2010-04-21
Hello experts.  Acknowledging that SBS has been well designed in the area of security, given the fact that public DNS info is so...public and the standard format of the URLs for web access to Exchange and the RWW is generally well known, I was curious if substituting something more cryptic for the familiar "/exchange" and "/remote" has any value in adding another bit of security by making it harder for the would-be hacker to find the respective web pages?  Or does anybody out there make changes just to simplify the addresses?  If so, does it simply come down to changing the site settings in IIS and/or adding pointers in the internal DNS?  Are there any negative ramifications to the overall configuration of SBS, as I DO appreciate such a change would be a non-wizard based alteration?  Thanks for educating me on this.
0
Comment
Question by:mrpierce2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 27

Assisted Solution

by:Jason Watkins
Jason Watkins earned 50 total points
ID: 21765078
Hello,

I would use secure https for these sites, and not mess with the virtual directory names.  ADSIEdit may need to be involved in the process of doing so, and that is a tricky environment.

/F
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 450 total points
ID: 21765520
Customizing SBS is never a good idea. You may find an update or a seemingly unrelated change may 'break' the configuration at a latter date. It is always best to try to stick with the defaults and wizards with SBS.
To give you a bit of comfort though, understand basic hacking. If a user wanted to guess your full DNS name (granted there are ways to locate it), they have to know server name (difficult to get) and domain name, as well as have the assumption you have SBS. The next option would be to use the IP address. Assuming you have a registered domain name the SSL certificate will not validate for the IP address. Finally most hackers do port scans. When they find an open port such as 3389 for remote desktop they try to hack using the related service, in this case remote desktop. SBS uses RWW which not only uses port 4125 which is less common, but it does not reply to a port scan, telnet or any other utility. The port is only opened to a user who first establishes a secure SSL connection on port 443.

It's pretty secure.
0
 

Author Comment

by:mrpierce2
ID: 21779907
Ok.  I've rarely seen any talk about this so I figured the general recommendation would be not to mess with it, but I needed to ask.  I came to appreciate the sanctity of the wizards a while back (thanks to TechSoEasy)  and not "breaking" the SBS so their importance is understood.

Firebar:
Thanks .  I did have the opportunity to use ADSIEdit for cleaning up when I did a swing migration from SBS 2K to 2K3 and understand its capability to address special situations or do serious damage if misused, but as per above, I'll leave things as they are.  I AM curious to know a bit more about S-HTTP.  Just did a quick look up on it.  Guess I've been aware of it but have kind of taken its application for granted.  I've been more focused on SSL in regards to certificates etc. in relation to SBS, but I do understand they're not the same.  If for no other reason than my edification, any recommendations on a site(s)/source for the best primer?

RobWill:

Thanks for the explanation of the security underpinnings of RWW.  You know, I did my due diligence in ensuring the necessary ports opened by the CEICW were opened on the firewall as well, aware of what needed which port, but not really appreciating HOW the ports were being used.  So, thanks for clarifying that.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 27

Expert Comment

by:Jason Watkins
ID: 21780103
Hi,

The SBS Security Site might be a good place to start:  http://tinyurl.com/2v7scq
0
 

Author Closing Comment

by:mrpierce2
ID: 31466349
Thanks!
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21869855
Thanks mrpierce2.
Cheers !
--Rob
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

The SBS 2011 release date (RTM) is supposed to be around Christmas, 2011.  This article is a compilation of my notes -- things I have learned first hand.  The items are in a rather random order, but I think this list covers most of what is new and d…
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Small Business Server 2011. NOTE: This guide has been written using the preview version of SBS2011 therefore some of the screens may …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

761 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question