AW: Exchange/MAPI/RPC

Hi,

the password and the data can be encrypted, so this is not the issue. But to ensure communications, you have to open the RPC-Endpoint-Mapper and two or three additional high ports to the Exchange Server and it could be possible to DoS or hack the Exchange Server using these ports. For one of the high ports is used to connect to the Information Store even corrupting/deleting data could be accomplished. So the reason for using a VPN is to protect the Exchange server from a direct connection to the internet. For you can often implement an IPSec or PPTP VPN without any additional licensing costs this should be done and I do not even see the need to have arguments on this.

Gruß,

Jens Mickerts  

-----Ursprüngliche Nachricht-----
Von: Joseph Burton [mailto:joseph_burton1970@hotmail.com] Gesendet: Samstag, 8. März 2003 17:08
An: focus-ms@securityfocus.com
Betreff: Exchange/MAPI/RPC

Hello all,

I have a client that will soon start using Microsoft Exchange, and I have a question regarding the Outlook client. The Exchange client in Outlook uses the MAPI protocol which uses RPC to communicate with the Exchange server. I know it's not recommended to connect from the Internet using MAPI, without using any form av encryption like IPSec.

My question is simply, why? Why is it dangerous to use MAPI/RPC over Internet? Is the password sent in clear text or something? I need some good arguments to convince my client to use VPN for the roaming users.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Thanks in advance,

//Joe