  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 410

SBS 2003 IIS security issue?

I have an SBS 2003 server accessed, mostly, for RWW, from outside our office.  One of my partners has a Droid that used to sync to Exchange using a self-signed certificate.  The Droid 2.2 self-signed certificate problem is keeping him from accessing Exchange.  I can allow the connection by checking "Ignore Client Certificates" in IIS, but am not really comfortable with the possible security risks.  All outside users have a certificate installed from my Certification Authority that gets them to RWW, OWA, and Exchange, and IIS has a web server certificate.  My network firewall is configured to allow only incoming HTTPS to pass to the server and IIS is configured to require 128-bit SSL.  Is that sufficient to protect my server, and will "Ignore Client Certificates" cause any significant risk exposure?
1 Solution
 
Alan Hardisty (Co-Owner) commented:
If your default website has an SSL certificate configured on it then Activesync will also use the same certificate and you should not need to ignore the certificate for Activesync to work.
Visit https://testexchangeconnectivity.com, run the Exchange Activesync test - specify manual server settings and DO NOT tick the Ignore Trust for SSL check box. Run the test and if all comes back okay - then just tick the Ignore Box on the Droid as your server is configured properly.
In case it is useful - please have a read of my article:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html 
rmjq2s (Author) commented:
My IIS preference would be to NOT "Ignore client certificates" since I have always used "Require Client Certificates". I can't run testexchangeconnectivity because the only access to my server is via IP address and testexchangeconnectivity won't take an IP address.  The server has always worked perfectly in the original configuration. The problem is the Droid and version 2.2, which won't use a self-signed certificate.  The only way I can find to allow the Droid to work is to set IIS to Ignore client certificates and that worries me.
Alan Hardisty (Co-Owner) commented:
Are you saying you don't have any URL (FQDN) that you can point to your server?
If you do - you can rename the certificate to work or buy a 3rd party SSL certificate.
With iPhones, they can work with the self-signed certificate quite happily, but Windows Mobiles and possibly Droids too (I don't own one) have to have the SSL certificate installed onto the device for the trust to be achieved.
Do you know if you can export the SSL cert from SBS and Import it onto the Droid?
Alan Hardisty (Co-Owner) commented:
There is a suggestion in the following forum that you have to just select Accept All Certificates for it to work:
https://supportforums.motorola.com/message/68541
rmjq2s (Author) commented:
Yes, the server has an internal FQDN, but no .com/.net/.anything FQDN.

I have a certificate issued to the IP address, and Android 2.1 worked nicely with it, but the latest Android software, 2.2, doesn't support self-signed certificates. So, really what I am asking is: How secure is my IIS interface if I Ignore Client Certificates and simply use Digest authentication for Windows domain servers and SSL?
Alan Hardisty (Co-Owner) commented:
Okay - if you ignore the certificate and you only have SSL opened, then if the phone does not work, then you are not at risk.  If it does work, then it has to be using SSL, so you should be fine.
If you ignore the certificate and have port 80 opened, then the username / password will be sent in plain text and could be easily intercepted.
Check if port 80 is open.  If not, ignore the certificate and see if the Droid syncs.  If it does, you should be fine.  If not, you need to set up a domain name that you can point to your server and buy a 3rd party SSL cert for this domain from somewhere like GoDaddy, which costs about $30 for a year.
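The two things this exchange turns on, whether plain HTTP is reachable from outside and what the HTTPS ActiveSync endpoint demands of a client that has no client certificate, can both be checked from outside the firewall, and the IIS-side setting the asker is toggling can be read back as a number. The script below is an added example, not code from this thread, from Microsoft or from Motorola: the host name is a placeholder, the HTTP responses used to exercise the classifier are constructed, and the AccessSSLFlags bit values are the IIS 6 metabase constants, which is the integer adsutil.vbs prints for the virtual directory (on a default SBS website: `cscript adsutil.vbs GET W3SVC/1/ROOT/Microsoft-Server-ActiveSync/AccessSSLFlags`).

```python
"""Outside-in checks for an IIS 6 / Exchange 2003 ActiveSync endpoint.

Added example for this thread; host name is hypothetical and the sample
responses in the tests are constructed, not captured from a real server.
"""
import socket
import ssl

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"

# IIS 6 metabase AccessSSLFlags bits; adsutil.vbs prints their sum.
ACCESS_SSL_FLAGS = {
    "AccessSSL": 8,                # "Require secure channel (SSL)"
    "AccessSSLNegotiateCert": 32,  # "Accept client certificates"
    "AccessSSLRequireCert": 64,    # "Require client certificates" (IIS sets 32 as well)
    "AccessSSLMapCert": 128,       # client-certificate mapping enabled
    "AccessSSL128": 256,           # "Require 128-bit encryption"
}


def decode_access_ssl_flags(value):
    """Summarise the integer from `adsutil.vbs GET .../AccessSSLFlags`."""
    bits = {name: bool(value & bit) for name, bit in ACCESS_SSL_FLAGS.items()}
    if bits["AccessSSLRequireCert"]:
        client_cert = "require"
    elif bits["AccessSSLNegotiateCert"]:
        client_cert = "accept"
    else:
        client_cert = "ignore"          # the setting the asker switched to
    return {
        "ssl_required": bits["AccessSSL"],
        "ssl_128_required": bits["AccessSSL128"],
        "client_cert": client_cert,
    }


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (port 80 through the firewall)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify_response(raw):
    """Classify an HTTP response from the ActiveSync virtual directory.

    IIS 6 reports its sub-status (403.4 SSL required, 403.5 128-bit required,
    403.7 client certificate required) in the error page body, not the status line.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1", "replace").split("\r\n")
    parts = lines[0].split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if code == 403:
        for marker, label in ((b"403.7", "client-cert-required"),
                              (b"403.4", "ssl-required"),
                              (b"403.5", "ssl-128-required")):
            if marker in body:
                return label
        return "forbidden"
    if code == 401:
        schemes = {v.split(" ", 1)[0].lower() for v in headers.get("www-authenticate", [])}
        # Basic is only a plaintext problem when it is offered on port 80.
        return "auth-challenge-basic" if "basic" in schemes else "auth-challenge"
    return f"http-{code}"


def probe(host, timeout=5.0):
    """Is 80 open, does 443 negotiate >= 128-bit, and what does the endpoint demand?"""
    report = {"port80_open": port_open(host, 80, timeout),
              "port443_open": port_open(host, 443, timeout)}
    if not report["port443_open"]:
        return report
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # inspecting the server, not trusting its self-signed cert
    # SBS 2003 only speaks TLS 1.0 with old ciphers; a modern OpenSSL may need its
    # minimum version and security level relaxed before it will connect at all.
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            report["cipher_bits"] = tls.cipher()[2]
            tls.sendall(f"GET {ACTIVESYNC_PATH} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            raw = b""
            while chunk := tls.recv(4096):
                raw += chunk
            report["activesync"] = classify_response(raw)
    except ssl.SSLError as exc:
        # a directory set to require client certificates may abort the handshake
        report["activesync"] = f"tls-handshake-failed: {exc}"
    return report


if __name__ == "__main__":
    print(probe("sbs.example.internal"))   # hypothetical host name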
rmjq2s (Author) commented:
I had already verified that the Droid does sync with Ignore Client Certificates checked in IIS.  Port 80 is not open on my firewall and I don't allow Basic authentication, so plain text should not be an issue.  I guess, maybe, I worry too much about security.  Thanks for the input, time, and suggestions.
Alan Hardisty (Co-Owner) commented:
You are welcome.  It is better to err on the side of caution than to assume all is well and find you are wrong : )
Thanks for the points.