Comments inline...
Sherman H. said:
I have the following Outlook 2000 security questions:
1. How can I verify if the OWA (Outlook 2000) has encryption or digital
signature? Is it true that Outlook 2000 does not have strong features for
encryption through the Internet?
Little confused here since you mention OWA and then put Outlook 2000 in
parens, so I'll cover both.
Outlook Web Access (OWA) is something that you access via a web browser.
For sake of clarity, I will assume that you are using Internet Explorer 6
SP1 on Windows 2000 or Windows XP (SP1). When you access OWA and complete
your logon, you should see a lock in the lower right hand corner of the IE
window. If you double click on that lock, you will see the details of the
digital certificate that is securing the connection between you and the
internet information server.
Outlook 2000 can support digital certificates for encryption and/or signed
mail. If you are not certain if you have a personal certificate for such
activities, the easiest way to check is to open Internet Explorer and select
Tools | Internet Options | Content tab | Certificates button. Under the
personal tab are certificates that are assigned to the individual for use.
To see if the certificate can be used for encryption/digital signatures you
can highlight one and then look below in the certificate intended purposes.
If you see secure e-mail, then that certificate could be used to digitally
sign and/or encrypt e-mail.
When Outlook 2000 was released, export laws prohibited MS from distributing
a client that could support 128-bit security. This support could be added
by downloading a patch from Microsoft providing that you lived in the
"right" area. Laws have changed in regards to this since its release and the
patch can now be downloaded. See
http://www.microsoft.com/downloads/...AE-8B51-443B-9170-B0CA8482DC89&displaylang=en.
2. What would be the best way to verify if administrator accounts have email
accounts? Would this be considered a security exposure?
The best way in an Exchange 5.5 world is to open Exchange system administrator
and review the mailboxes of accounts of person(s) you know that are
designated the role of "administrators". For Exchange 2000/2003, you would
use Active Directory Users and Computers to retrieve this information.
Is it a security risk for a domain administrator to have an e-mail account?
I would say that depends on the policies and regulations for your site since
you could easily put two security minded individuals and have each argue the
pros and cons until blue in the face. For example, I manage two sites. In
both I have network god rights and each site practices different behaviors.
In one, I logon with domain administrator privileges but have reconfigured
my workstation to where I only have user rights (e.g. removed domain
administrators from the workstations local administrators group). This
helps secure my workstation because I have taken away some of the things that
exploits want to do when taking over a machine (e.g. no writing to specific
areas in the registry or swapping out key files in program files or
system32). While I'm anal about this, the next person may not be and say
hell no, I need local administrator rights to do these tasks and not even
consider thinking outside the box so to speak.
In the other I'm issued two accounts. One is a domain administrator account
that is to be used for administering the domain via a remote
desktop/terminal server session to a designated management server. The
other is my domain user account that is used for everyday activities.
As you can see, the two examples above are just two possibilities and leave
a world of gray in-between. One site might decide that I can be a domain
user and delegate the necessary tasks I need to do (e.g. say I only need the
right to manage user and computer accounts. This can be delegated in Active
Directory w/out having to grant domain administrator rights.) So as you can
see, it really does boil down to what the site deems correct behavior from
its staff.
3. I saw Microsoft has provided a free download scanner for Outlook. Is
this a good tool to verify Outlook security settings?
Any tool that lets you quickly gather settings so you can make an informed
decision on what changes can be made w/out affecting usability is a good
thing. Just keep in mind that security vendors don't know your site and/or
how the system is used. This is where you step in and have to make informed
decisions about the data provided and what changes are appropriate for your
environment.
Just my $.02
/neo
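The checks neo describes by clicking through the GUI (the personal certificate check under question 1, and the "which admins have mailboxes" and "Domain Admins out of my workstation's local Administrators group" points under question 2) can be scripted. The following is an added example, not code from the original post or from Microsoft; it assumes a current Active Directory domain with the RSAT ActiveDirectory module and PowerShell 5.1 or later, and it uses the Exchange attributes (msExchMailboxGuid, homeMDB) that Exchange 2000/2003 and later stamp on mailbox-enabled users, so it does not apply to an Exchange 5.5 directory, where the Exchange admin tool remains the place to look. Function names are the example's own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, PowerShell 5.1+, and a domain-joined machine. Attribute names used
# for the mailbox check are the Exchange 2000/2003+ ones.
#Requires -Modules ActiveDirectory

# Question 1: personal certificates whose enhanced key usage includes
# "Secure Email" (OID 1.3.6.1.5.5.7.3.4), i.e. usable for S/MIME signing
# and/or encryption, with a private key present so Outlook can actually use them.
function Get-SecureEmailCertificate {
    $smimeOid = '1.3.6.1.5.5.7.3.4'
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $smimeOid) -and
            ($_.NotAfter -gt (Get-Date))
        } |
        Select-Object Subject, NotAfter, Thumbprint
}

# Question 2: resolve the Domain Admins group recursively (so members of
# nested groups count too) and report which user accounts are mailbox-enabled.
function Get-DomainAdminMailboxReport {
    param([string]$GroupName = 'Domain Admins')

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                            -Properties mail, msExchMailboxGuid, homeMDB, Enabled
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Enabled        = $u.Enabled
                # msExchMailboxGuid is only set on mailbox-enabled users.
                HasMailbox     = [bool]$u.msExchMailboxGuid
                MailAddress    = $u.mail
                MailboxStore   = $u.homeMDB
            }
        }
}

# Question 2 (workstation hardening): is Domain Admins still a member of this
# machine's local Administrators group? Returns $true if it is; with -Remove
# it removes the membership and returns $false, matching the "user rights on
# my own workstation" practice described in the reply.
function Test-LocalAdminContainsDomainAdmins {
    param([switch]$Remove)

    $netbios = (Get-ADDomain).NetBIOSName
    $target  = "$netbios\Domain Admins"
    $present = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -eq $target }

    if ($present -and $Remove) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $target
        return $false
    }
    return [bool]$present
}

# Usage: run as an account that can read the directory and, for -Remove,
# that is a local administrator on the workstation.
Get-SecureEmailCertificate | Format-Table -AutoSize
Get-DomainAdminMailboxReport | Where-Object HasMailbox | Format-Table -AutoSize
Test-LocalAdminContainsDomainAdmins
```

Two caveats a practitioner will hit: if a Group Policy Restricted Groups or Local Users and Groups setting manages the local Administrators group, a manual removal is reverted at the next policy refresh, so the change has to be made in the policy instead; and the mailbox report only tells you who is mailbox-enabled, not whether that is a risk, which, as the reply says, is a site policy decision.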