RE: Exchange/MAPI/RPC

Regardless of the security implications of opening MAPI/RPC to a public network, you should not do this. You will never know all the exploits available.

The most convincing argument in my mind is simply: if you don't need the general public accessing a particular service, don't make a connection to that service available to the general public. Use a VPN to control who can connect to the service in the first place.

-----Original Message-----
From: Joseph Burton [mailto:joseph_burton1970@hotmail.com] Sent: March 8, 2003 11:08 AM
To: focus-ms@securityfocus.com
Subject: Exchange/MAPI/RPC

Hello all,

I have a client that will soon start using Microsoft Exchange, and I have a question regarding the Outlook client. The Exchange client in Outlook uses the MAPI protocol which uses RPC to communicate with the Exchange server. I know it's not recommended to connect from the Internet using MAPI, without using any form av encryption like IPSec.

My question is simply, why? Why is it dangerous to use MAPI/RPC over Internet? Is the password sent in clear text or something? I need some good arguments to convince my client to use VPN for the roaming users.

Thanks in advance,

//Joe

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek