OWA open ports on DMZ

Unanswered Question
Jun 24th, 2008

Hi, I have opened the following ports between our OWA server in the DMZ and our LAN (80, 691, 389, 3268, 88, 53, 135 and 1024 and above) as per this article http://www.msexchange.org/tutorials/owa_exchange_server_2003.html. My question is what security risk is posed by opening all ports above 1024? I know we can hack the registry on our DCs to limit this but this isn't something I want to do unless I absolutely have to. Any advice would be greatly appreciated. Thanks, Rex.

Jon Marshall Tue, 06/24/2008 - 11:46

"what security risk is posed by opening all ports above 1024"

It is never a good idea to do this if you can avoid it. When you say between the OWA server and the LAN, what do you mean by LAN - how many servers are involved on your LAN?

Think of it like this. If the OWA server is compromised, then your rule allows communication to any port above 1024 on all the servers that you have included in the rule. (Hopefully you have narrowed the rule down to the servers only?) Now there is a good chance that your servers will be running services on ports above 1024, and you have just allowed access to them.

It depends on how strict your rule is in terms of destination IP addresses (and source, presumably just the OWA server?), and how secure your internal servers have been made.

Personally I would look into limiting the ports. I appreciate you may not want to do this, but all ports above 1024 would worry me more. Others may have a different view.
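Jon's point about what a "1024 and above" rule actually exposes, as an added example that is not part of this thread: it checks the rule set from the question (the listed ports plus 1024-65535, to the whole LAN) and a narrowed version against a constructed inventory of LAN listeners. The addresses, the DC host and the service inventory are assumptions, not anything from the thread.

```python
"""Audit DMZ -> LAN firewall rules against what LAN hosts actually listen on.

Added example, not from the thread. The rule set reuses the ports the question
lists; addresses and the LAN service inventory are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OWA_HOST = "10.0.1.10"   # hypothetical OWA front-end in the DMZ
LAN_NET = "10.0.2.0/24"  # hypothetical internal subnet
DC_HOST = "10.0.2.5"     # hypothetical domain controller / back-end Exchange


@dataclass(frozen=True)
class Rule:
    dst: str               # destination host or CIDR
    port_lo: int
    port_hi: int = 0       # 0 means a single port (port_lo only)
    src: str = OWA_HOST    # source host or CIDR

    def matches(self, src, dst, port):
        hi = self.port_hi or self.port_lo
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.port_lo <= port <= hi)


LISTED_PORTS = (80, 691, 389, 3268, 88, 53, 135)
# As described in the question: listed ports plus everything above 1024, to the whole LAN.
QUESTION_RULES = [Rule(LAN_NET, p) for p in LISTED_PORTS] + [Rule(LAN_NET, 1024, 65535)]
# Jon's advice applied: a single destination host and only the listed ports.
NARROWED_RULES = [Rule(DC_HOST, p) for p in LISTED_PORTS]

# Constructed inventory of listeners on the LAN: (host, port, service).
LAN_SERVICES = [
    (DC_HOST, 389, "dc ldap"),
    (DC_HOST, 3389, "dc rdp"),
    ("10.0.2.20", 1433, "sql server"),
    ("10.0.2.30", 5900, "vnc on admin workstation"),
]


def exposed(rules, services, src=OWA_HOST):
    """Return the (service, host, port) entries that src can reach under rules."""
    return [(name, host, port) for host, port, name in services
            if any(r.matches(src, host, port) for r in rules)]


if __name__ == "__main__":
    for tag, rules in (("question", QUESTION_RULES), ("narrowed", NARROWED_RULES)):
        for name, host, port in exposed(rules, LAN_SERVICES):
            print(f"[{tag}] reachable from DMZ: {name} at {host}:{port}")
```

With the question's rule set every listener in the inventory is reachable from the OWA host; with the narrowed set only LDAP on the DC is.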


Rex Biesty Wed, 06/25/2008 - 03:07

Thanks for the reply Jon. I take on board what you're saying and will look at limiting this.

trippi Mon, 06/30/2008 - 18:32

Put an ISA server in the DMZ, leave your OWA in the LAN... The ISA server can act as a reverse proxy for OWA. You can use ISA with just one interface.
