OWA open ports on DMZ

Rex Biesty
Level 1

Hi, I have opened the following ports between our OWA server in the DMZ and our LAN (80, 691, 389, 3268, 88, 53, 135 and 1024 and above) as per this article http://www.msexchange.org/tutorials/owa_exchange_server_2003.html. My question is what security risk is posed by opening all ports above 1024? I know we can hack the registry on our DCs to limit this but this isn't something I want to do unless I absolutely have to. Any advice would be greatly appreciated. Thanks, Rex.

3 Replies

Jon Marshall
Hall of Fame

Rex

"what security risk is posed by opening all ports above 1024"

It is never a good idea to do this if you can avoid it. When you say between the OWA server and the LAN, what do you mean by LAN? How many servers are involved on your LAN?

Think of it like this. If the OWA server is compromised, then your rule allows communication to any port above 1024 on all the servers that you have included in the rule. (Hopefully you have narrowed the rule down to the servers only?) Now there is a good chance that your servers will be running services on ports above 1024, and you have just allowed access to them.

It depends on how strict your rule is in terms of destination IP addresses (and source, presumably just the OWA server?), and how secure your internal servers have been made.

Personally I would look into limiting the ports. I appreciate you may not want to do this, but all ports above 1024 would worry me more. Others may have a different view.

Jon
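To make Jon's point concrete, here is an added example (not from the thread or from any Cisco/Microsoft tool) that scores a constructed inventory of LAN listeners against the thread's "1024 and above" rule and against a narrowed rule. The host names, the listener list and the restricted RPC range 5000-5100 are assumptions; the narrowed rule presumes the DC and Exchange box have had their RPC dynamic range restricted, as the registry change mentioned in the question would do.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # host allowed to open the connection
    dst: str      # destination host ("any" matches every LAN host)
    ports: tuple  # allowed TCP destination port ranges


# Constructed inventory of listeners on LAN hosts: (host, port, service).
LAN_SERVICES = [
    ("dc1", 53, "dns"), ("dc1", 88, "kerberos"), ("dc1", 135, "rpc-epmap"),
    ("dc1", 389, "ldap"), ("dc1", 3268, "global-catalog"),
    ("dc1", 3389, "rdp"), ("dc1", 5001, "rpc-dynamic"),
    ("exch1", 80, "http"), ("exch1", 691, "link-state"),
    ("exch1", 3389, "rdp"), ("exch1", 5002, "rpc-dynamic"),
    ("fileserver", 445, "smb"), ("fileserver", 3389, "rdp"),
]

# Fixed ports from the question: 80, 691, 389, 3268, 88, 53, 135.
FIXED = (range(53, 54), range(80, 81), range(88, 89), range(135, 136),
         range(389, 390), range(691, 692), range(3268, 3269))

# Rule set 1: the thread's rule, every port from 1024 up, to the whole LAN.
BROAD = [Rule("owa", "any", FIXED + (range(1024, 65536),))]

# Rule set 2: same fixed ports, RPC dynamic range restricted to an assumed
# 5000-5100, and only to the two hosts OWA actually talks to.
NARROW = [Rule("owa", "dc1", FIXED + (range(5000, 5101),)),
          Rule("owa", "exch1", FIXED + (range(5000, 5101),))]


def reachable(rules, services, src="owa"):
    """Return the (host, port, service) listeners src can reach under rules."""
    hits = set()
    for host, port, name in services:
        for r in rules:
            if r.src != src or r.dst not in (host, "any"):
                continue
            if any(port in pr for pr in r.ports):
                hits.add((host, port, name))
    return hits


def exposure_delta(services=LAN_SERVICES):
    """Listeners reachable under BROAD that NARROW would block."""
    return reachable(BROAD, services) - reachable(NARROW, services)


if __name__ == "__main__":
    for host, port, name in sorted(exposure_delta()):
        print(f"broad rule exposes {host}:{port} ({name}) to a compromised OWA")
```

With the constructed inventory, the narrowed rule still reaches every port OWA needs, including the restricted RPC listeners, while the broad rule additionally exposes RDP on all three hosts, a file server OWA has no business talking to included.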

Thanks for the reply Jon. I take on board what you're saying and will look at limiting this.

Put an ISA server in the DMZ, leave your OWA in the LAN... The ISA server can act as a reverse proxy for OWA. You can use ISA with just one interface.
