Solved

SBS 2003 IIS security issue?

Posted on 2010-08-26
Last Modified: 2013-11-05
I have an SBS 2003 server accessed, mostly, for RWW, from outside our office. One of my partners has a Droid that used to sync to Exchange using a self-signed certificate. The Droid 2.2 self-signed certificate problem is keeping him from accessing Exchange. I can allow the connection by checking "Ignore Client Certificates" in IIS, but am not really comfortable with the possible security risks. All outside users have a certificate installed from my Certification Authority that gets them to RWW, OWA, and Exchange, and IIS has a web server certificate. My network firewall is configured to allow only incoming HTTPS to pass to the server and IIS is configured to require 128-bit SSL. Is that sufficient to protect my server, and will "Ignore Client Certificates" cause any significant risk exposure?
Question by:rmjq2s
Expert Comment

by:Alan Hardisty
ID: 33531518
If your default website has an SSL certificate configured on it then Activesync will also use the same certificate and you should not need to ignore the certificate for Activesync to work.
Visit https://testexchangeconnectivity.com, run the Exchange Activesync test - specify manual server settings and DO NOT tick the Ignore Trust for SSL check box. Run the test and if all comes back okay - then just tick the Ignore Box on the Droid as your server is configured properly.
In case it is useful - please have a read of my article:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html

Author Comment

by:rmjq2s
ID: 33532659
My IIS preference would be to NOT "Ignore client certificates" since I have always used "Require Client Certificates". I can't run testexchangeconnectivity because the only access to my server is via IP address and testexchangeconnectivity won't take an IP address. The server has always worked perfectly in the original configuration. The problem is the Droid and version 2.2, which won't use a self-signed certificate. The only way I can find to allow the Droid to work is to set IIS to Ignore client certificates and that worries me.

Expert Comment

by:Alan Hardisty
ID: 33532778
Are you saying you don't have any URL (FQDN) that you can point to your server?
If you do - you can rename the certificate to work or buy a 3rd party SSL certificate.
With iPhones, they can work with the Self-Signed certificate quite happily, but Windows Mobiles and possibly Droids too (I don't own one) have to have the SSL certificate installed onto the device for the trust to be achieved.
Do you know if you can export the SSL cert from SBS and Import it onto the Droid?

Expert Comment

by:Alan Hardisty
ID: 33532798
There is a suggestion in the following forum that suggests that you have to just select Accept All Certificates for it to work:
https://supportforums.motorola.com/message/68541

Author Comment

by:rmjq2s
ID: 33532932
Yes, the server has an internal FQDN, but no .com/.net/.anything FQDN.

I have a certificate issued to the IP address, and Android 2.1 worked nicely with it, but the latest Android software, 2.2, doesn't support self-signed certificates. So, really what I am asking is: How secure is my IIS interface if I Ignore Client Certificates and simply use Digest authentication for Windows domain servers and SSL?

Accepted Solution

by:Alan Hardisty (earned 500 total points)
ID: 33533183
Okay - if you ignore the certificate and you only have SSL opened, then if the phone does not work, then you are not at risk.  If it does work, then it has to be using SSL, so you should be fine.
If you ignore the certificate and have port 80 opened, then the username / password will be sent in plain text and could be easily intercepted.
Check if port 80 is open. If not, Ignore the certificate and see if the Droid syncs. If it does, you should be fine. If not - you need to set up a domain name that you can point to your server and buy a 3rd party SSL cert for this domain from somewhere like GoDaddy that costs about $30 for a year.
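A check that follows the accepted answer's advice (is port 80 reachable from outside, and does the HTTPS endpoint advertise Basic authentication?), added here as an example and not part of the thread. It assumes HTTPS on 443, HTTP on 80, the default IIS virtual directory /Microsoft-Server-ActiveSync, and a placeholder host IP; the pure `assess_exposure` function holds the decision logic so it can be checked without a network.

```python
"""Exposure check after switching IIS from "Require Client Certificates" to "Ignore
Client Certificates". Added example; assumes HTTPS on 443, HTTP on 80 and the
default IIS virtual directory /Microsoft-Server-ActiveSync."""
import socket
import ssl
import urllib.error
import urllib.request

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"

def tcp_port_open(host, port, timeout=3.0):
    """True if host:port accepts a TCP connection (confirms whether 80 is closed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def parse_auth_schemes(www_authenticate_values):
    """Scheme names from WWW-Authenticate values: ['Basic realm="x"', 'NTLM'] -> {'Basic', 'NTLM'}."""
    return {v.split()[0] for v in www_authenticate_values if v.strip()}

def auth_schemes_offered(host, path=ACTIVESYNC_PATH, verify_tls=True, timeout=5.0):
    """Anonymous HTTPS request; returns the schemes IIS challenges with.
    verify_tls=False is for a self-signed server certificate, as in this thread."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        urllib.request.urlopen("https://%s%s" % (host, path), timeout=timeout, context=ctx)
        return set()  # served without any challenge: anonymous access is allowed
    except urllib.error.HTTPError as err:
        return parse_auth_schemes(err.headers.get_all("WWW-Authenticate") or [])

def assess_exposure(port80_open, schemes):
    """Decision logic from the accepted answer: with client certificates ignored, the
    remaining risk is credentials being readable on the wire, which needs a cleartext
    listener (port 80) or Basic auth; Digest, NTLM and Negotiate over TLS are fine."""
    findings = []
    if port80_open:
        findings.append("port 80 reachable: credentials could be sent in plain text")
    if "Basic" in schemes:
        findings.append("Basic authentication advertised: only acceptable over TLS")
    return findings

if __name__ == "__main__":
    host = "192.0.2.10"  # placeholder documentation IP, replace with your server's address
    report = assess_exposure(tcp_port_open(host, 80), auth_schemes_offered(host, verify_tls=False))
    print("\n".join(report) or "no cleartext credential exposure found")
```

Run it from outside the firewall so the port 80 result reflects what the Droid and everyone else on the Internet actually sees.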

Author Closing Comment

by:rmjq2s
ID: 33533334
I had already verified that the Droid does sync with Ignore Client Certificates checked in IIS.  Port 80 is not open on my firewall and I don't allow Basic authentication, so plain text should not be an issue.  I guess, maybe, I worry too much about security.  Thanks for the input, time, and suggestions.

Expert Comment

by:Alan Hardisty
ID: 33533366
You are welcome.  It is better to err on the side of caution than to assume all is well and find you are wrong : )
Thanks for the points.