SBS 2003 IIS security issue?

Posted on 2010-08-26
Medium Priority
Last Modified: 2013-11-05
I have an SBS 2003 server accessed, mostly, for RWW, from outside our office.  One of my partners has a Droid that used to sync to Exchange using a self-signed certificate.  The Droid 2.2 self-signed certificate problem is keeping him from accessing Exchange.  I can allow the connection by checking "Ignore Client Certificates" in IIS, but am not really comfortable with the possible security risks.  All outside users have a certificate installed from my Certification Authority that gets them to RWW, OWA, and Exchange, and IIS has a web server certificate.  My network firewall is configured to allow only incoming HTTPS to pass to the server and IIS is configured to require 128-bit SSL.  Is that sufficient to protect my server, and will "Ignore Client Certificates" cause any significant risk exposure?
Question by:rmjq2s
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33531518
If your default website has an SSL certificate configured on it then Activesync will also use the same certificate and you should not need to ignore the certificate for Activesync to work.
Visit https://testexchangeconnectivity.com, run the Exchange Activesync test - specify manual server settings and DO NOT tick the Ignore Trust for SSL check box. Run the test and if all comes back okay - then just tick the Ignore Box on the Droid as your server is configured properly.
In case it is useful - please have a read of my article:

Author Comment

ID: 33532659
My IIS preference would be to NOT "Ignore client certificates" since I have always used "Require Client Certificates". I can't run testexchangeconnectivity because the only access to my server is via IP address and testexchangeconnectivity won't take an IP address.  The server has always worked perfectly in the original configuration. The problem is the Droid and version 2.2, which won't use a self-signed certificate.  The only way I can find to allow the Droid to work is to set IIS to Ignore client certificates and that worries me.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33532778
Are you saying you don't have any URL (FQDN) that you can point to your server?
If you do - you can rename the certificate to work or buy a 3rd party SSL certificate.
With iPhones, they can work with the self-signed certificate quite happily, but Windows Mobiles and possibly Droids too (I don't own one) have to have the SSL certificate installed onto the device for the trust to be achieved.
Do you know if you can export the SSL cert from SBS and Import it onto the Droid?
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33532798
There is a suggestion in the following forum that suggests that you have to just select Accept All Certificates for it to work:

Author Comment

ID: 33532932
Yes, the server has an internal FQDN, but no .com/.net/.anything FQDN.

I have a certificate issued to the IP address, and Android 2.1 worked nicely with it, but the latest Android software, 2.2, doesn't support self-signed certificates. So, really what I am asking is: How secure is my IIS interface if I Ignore Client Certificates and simply use Digest authentication for Windows domain servers and SSL?
LVL 76

Accepted Solution

Alan Hardisty earned 2000 total points
ID: 33533183
Okay - if you ignore the certificate and you only have SSL opened, then if the phone does not work, then you are not at risk.  If it does work, then it has to be using SSL, so you should be fine.
If you ignore the certificate and have port 80 opened, then the username / password will be sent in plain text and could be easily intercepted.
Check if port 80 is open.  If not, Ignore the certificate and see if the Droid syncs.  If it does, you should be fine.  If not - you need to setup a domain name that you can point to your server and buy a 3rd party SSL cert for this domain from somewhere like GoDaddy that cost about $30 for a year.
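
The accepted answer rests on two things being true as seen from the Internet: port 80 is closed, and nothing offers Basic authentication off TLS. Below is an added example (not code from this thread, the asker, or the expert) in Python that verifies both from an outside vantage point, reads the WWW-Authenticate challenges on the ActiveSync virtual directory, and reports the negotiated cipher strength against the 128-bit requirement mentioned in the question. The address 203.0.113.10 is a placeholder, and the header values used to exercise the parser are constructed, not captured from the server in the thread.

```python
"""Offline-testable check of the reasoning in the accepted answer: with port 80
closed and no Basic authentication offered off TLS, ActiveSync credentials can
only travel inside HTTPS.  Added example, not code from the original thread.
The host below is a placeholder."""
import http.client
import re
import socket
import ssl
import sys
from typing import Iterable, List, Optional

EAS_PATH = "/Microsoft-Server-ActiveSync"   # standard ActiveSync virtual directory
SCHEME_TOKEN = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def parse_auth_schemes(header_values: Iterable[str]) -> List[str]:
    """Return the scheme names (Basic, Digest, NTLM, Negotiate, ...) offered in
    one or more WWW-Authenticate header values, in order, without duplicates."""
    schemes: List[str] = []
    for value in header_values:
        # One value may carry several challenges ('Negotiate, NTLM'), and a
        # Digest challenge carries comma-separated parameters.  The scheme is
        # the first bare token of a piece, so 'nonce="abc"' is skipped.
        for piece in value.split(","):
            token = piece.strip().split(None, 1)[0] if piece.strip() else ""
            if SCHEME_TOKEN.fullmatch(token) and token.lower() not in (s.lower() for s in schemes):
                schemes.append(token)
    return schemes


def assess_exposure(port80_open: bool, http_schemes: List[str],
                    https_schemes: List[str], tls_cipher_bits: Optional[int]) -> List[str]:
    """Findings about where credentials could be intercepted; an empty list
    means the configuration matches the thread's assumptions."""
    findings: List[str] = []
    lower_http = [s.lower() for s in http_schemes]
    if port80_open:
        findings.append("port 80 reachable: cleartext HTTP is exposed")
        if "basic" in lower_http:
            findings.append("Basic auth offered over cleartext HTTP: credentials interceptable")
        if any(s in lower_http for s in ("digest", "ntlm", "negotiate")):
            findings.append("challenge-response auth over HTTP: password not sent in clear, mailbox data is")
    if tls_cipher_bits is not None and tls_cipher_bits < 128:
        findings.append(f"negotiated cipher is only {tls_cipher_bits}-bit")
    if not https_schemes:
        findings.append("no WWW-Authenticate challenge on HTTPS: path is anonymous or blocked before auth")
    return findings


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test, as seen from wherever this script runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_auth(host: str, port: int, use_tls: bool, timeout: float = 5.0):
    """Request the ActiveSync path with no credentials and return
    (status, WWW-Authenticate values, negotiated cipher bits or None)."""
    if use_tls:
        ctx = ssl.create_default_context()
        # The thread's server uses a private-CA certificate and an SBS 2003 box
        # speaks at most TLS 1.0, so verification is off and the floor lowered;
        # we only want the challenge headers and the cipher strength.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            pass  # OpenSSL build without legacy support; proceed with defaults
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", EAS_PATH)
        resp = conn.getresponse()
        values = [v for k, v in resp.getheaders() if k.lower() == "www-authenticate"]
        bits = conn.sock.cipher()[2] if use_tls else None
        return resp.status, values, bits
    finally:
        conn.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder address
    p80 = port_open(host, 80)
    http_schemes: List[str] = []
    if p80:
        _, vals, _ = probe_auth(host, 80, use_tls=False)
        http_schemes = parse_auth_schemes(vals)
    status, vals, bits = probe_auth(host, 443, use_tls=True)
    https_schemes = parse_auth_schemes(vals)
    print(f"HTTPS {status}; schemes={https_schemes}; cipher bits={bits}")
    for line in assess_exposure(p80, http_schemes, https_schemes, bits) or ["no findings"]:
        print(" -", line)
```

Run it from a machine outside the firewall (`python3 eas_check.py <public-ip>`); a result of "no findings" with only Negotiate/NTLM or Digest on HTTPS is the state the closing comment describes. Note what the check cannot tell you: with "Ignore Client Certificates" set, IIS no longer asks for the CA-issued user certificate at all, so the remaining gate on the ActiveSync path is the domain password inside TLS, which is what the accepted answer is weighing.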

Author Closing Comment

ID: 33533334
I had already verified that the Droid does sync with Ignore Client Certificates checked in IIS.  Port 80 is not open on my firewall and I don't allow Basic authentication, so plain text should not be an issue.  I guess, maybe, I worry too much about security.  Thanks for the input, time, and suggestions.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33533366
You are welcome.  It is better to err on the side of caution than to assume all is well and find you are wrong : )
Thanks for the points.
