RPC over HTTP security

Hi all,

I have a general question in regards to the security of RPC over HTTP.
If a client is connected with Outlook via RPC over HTTP, are there any
possibilities of viruses/worms being transferred from the client
machine to the host machine?  I am not really talking about viruses
within Outlook or the Exchange store, but more with viruses that would
infect Windows on the client, and if it is possible for that to travel
to the Windows host machine (the Exchange server).

And, are there any products out there that will basically intercept
this traffic and clean it of viruses/worms or other vulnerabilities
that would be transferred from the client to the host?

Thanks in advance for all feedback on this issue!

--
Chris

0
chris1540 (24)
4/29/2005 6:42:40 PM
exchange.admin 57650 articles. 1 followers. Follow

4 Replies
209 Views

Similar Articles

[PageSpeed] 51

On 29 Apr 2005 11:42:40 -0700, chris@groupinfo.com wrote:

>Hi all,
>
>I have a general question in regards to the security of RPC over HTTP.
>If a client is connected with Outlook via RPC over HTTP, are there any
>possibilities of viruses/worms being transferred from the client
>machine to the host machine?  I am not really talking about viruses
>within Outlook or the Exchange store, but more with viruses that would
>infect Windows on the client, and if it is possible for that to travel
>to the Windows host machine (the Exchange server).
>
>And, are there any products out there that will basically intercept
>this traffic and clean it of viruses/worms or other vulnerabilities
>that would be transferred from the client to the host?
>
>Thanks in advance for all feedback on this issue!

No more than there would be from a PC on the LAN to the Server. It's
still Outlook and it's still RPCs, the difference is the HTTPS from
client to FE server. There are risks in anything, but I wouldn't worry
so long as all the devices are properly protected.
If the client isn't protected then I wouldn't let it go anywhere near
my network, over the Internet or any other means.
0
mark7219 (5667)
4/29/2005 6:51:26 PM
Try this article below. Having the server up to date with the latest patches
will also offer increased security.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_over_http_security.asp


<chris@groupinfo.com> wrote in message
news:1114800160.232807.72710@f14g2000cwb.googlegroups.com...
> Hi all,
>
> I have a general question in regards to the security of RPC over HTTP.
> If a client is connected with Outlook via RPC over HTTP, are there any
> possibilities of viruses/worms being transferred from the client
> machine to the host machine?  I am not really talking about viruses
> within Outlook or the Exchange store, but more with viruses that would
> infect Windows on the client, and if it is possible for that to travel
> to the Windows host machine (the Exchange server).
>
> And, are there any products out there that will basically intercept
> this traffic and clean it of viruses/worms or other vulnerabilities
> that would be transferred from the client to the host?
>
> Thanks in advance for all feedback on this issue!
>
> --
> Chris
>


0
exchange.mvp (559)
5/2/2005 10:13:14 AM
Thank you for this information.  That is a good article in regards to
securing the server as far as client connectivity is concerned.
However my main focus of this post was more in the lines of security
when a client is already connected to the server and traffic is being
passed between them.  Since the consensus of the first reply in this
thread was basically that RPC over HTTP has similar security risks of a
PC connected directly on the LAN using RPC, we would like to address
any possibilities of filtering RPC over HTTP for viruses, exploits,
etc.  We are currently looking for any products out there that will do
this.

I really appreciate all of the feedback!!

Thanks....
--
Chris

0
chris1540 (24)
5/2/2005 12:32:03 PM
<chris@groupinfo.com> wrote in message 
news:1115037123.190829.182860@z14g2000cwz.googlegroups.com...
> Thank you for this information.  That is a good article in regards to
> securing the server as far as client connectivity is concerned.
> However my main focus of this post was more in the lines of security
> when a client is already connected to the server and traffic is being
> passed between them.  Since the consensus of the first reply in this
> thread was basically that RPC over HTTP has similar security risks of a
> PC connected directly on the LAN using RPC, we would like to address
> any possibilities of filtering RPC over HTTP for viruses, exploits,
> etc.  We are currently looking for any products out there that will do
> this.
>
> I really appreciate all of the feedback!!
>
> Thanks....
> --
> Chris
>

Chris,
    Take a look at Microsoft ISA Server.  By 'publishing' Exchange to the 
clients, instead of permitting the direct RPC over HTTP connection for 
Outlook clients, ISA server permits the filtering that traffic.  Of course, 
you need to use 3rd party tools like Symantec Antivirus for ISA Server, etc, 
for the filtering,  (http://www.isaserver.org/software/ISA/Anti-Virus/), but 
then you gain the ability to scan that traffic.
    Another part of the puzzle is to 'harden' the clients in the standard 
way to include desktop AV, antispyware, etc.  Then ensure those components 
are working by using something like Cisco's NAC 
http://www.cisco.com/en/US/netsol/ns466/networking_solutions_sub_solution_home.html 
or another policy enforcement tool to ensure your 'hardened' clients truly 
remain current, and protected.
    Holistic protection of clients, servers, and networks usually includes a 
multiple layered defense.  Build enough layers to protect your networks, but 
not too many to become unmanageable.  Sometimes too many layers, unmanaged, 
become just as vulnerable as no protection.
Solar 


0
solar3654 (11)
5/2/2005 1:30:14 PM
Reply:

Similar Artilces:

RPC over HTTP problem
I am running an exchange 2003 server in a mixed mode environment (both Exchange and domain environments) and one of the DCs is a windows 2003 DC. I follow the instructions from Microsoft web site to set it up and could not make it to work as it connects only to TCP/IP instead of HTTPS. The only things I could think of probably because I am running in a mixed mode windows 2000 ? or is it because I havenot converted my Exchange 2003 to native mode? Regards Steven Are all of your DC/GCs Windows 2003? (This is a must.) Are you using a certificate from an internal CA or 3rd party to secure...

Outlook 2002--HTTP Server Type greyed out
I would like to configure Outlook 2002 to work with my Hotmail account. I am running Win Xp Pro SP1. Using this for reference: http://support.microsoft.com/?kbid=287424 Upon selecting Tools>>>E-mail Accounts>>>Add a new E-mail Account>>>Server Type I find that the HTTP option is greyed out and unselectable. Any ideas? Thank You Yes it is a corporate network. I'll look into the admin-set policies on Monday. Thank you, Diane. >-----Original Message----- >are you using this on a corporate network? You administrator may have >disabled the ability...

Smartlist Security #2
OK, I have a client that wants to restrict A/P transaction info on certain vendors (by vendor class) to logins that are part of a specific user class. This is not a terribly difficult problem to solve with VBA, but what I was wondering about was Smartlist (for the PM transactions). They do have Smartlist Builder. Is the shortest answer to disable security to the normal PM transaction smartlist for all users and then use Smartlist Builder to build a modified PM transaction smartlist and give all of the users security to that? Or, is there a way to apply VBA to Smartlist and manage ...

Outlook 2007 via RPC
Hi, I have a XP workstation with Office 2007 working fine. If the computer is not a member of any domain, i can connect Outlook to an external RPC, this works fine, the install goes through fine too. If i then make that computer a member of a local Domain(not a member of the Domain that holds the RPC) and then log into that local domain with full supervisor rights I have connection problems.... "Cannot Open your Default e-mail Folders, You must connect to microsoft exchange with the current user profile before you can synchronize your folders with your offline folder file&q...

RPC over HTTP setup help. RPC DIag returns no results.
I have been trying for several weeks to get RPC over HTTP workign in our environment. I refuse to put an ISA in place and am currently behing a Pix 520 ( which is not the issue, all logs show no denied traffic) I also see no error logs in either of my Exchange servers. Please any help is appreciated. From my Front end Server I see the followign when running RPCDIAG ** Microsoft Windows [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\Program Files\Windows Resource Kits\Tools>rpcdump /p ncacn_http Querying Endpoint Mapper Database... RpcMgmtEpEltInqNext:(Access is denied....

Security
We are trying to create some very restricted users classes, with access to a handful of Windows. Using regular security, we have not been able to turn the Tools menu off. How do we accomplish this? -- Pete Power Do you have Advanced Security. "Pete_Power" wrote: > We are trying to create some very restricted users classes, with access to a > handful of Windows. Using regular security, we have not been able to turn > the Tools menu off. How do we accomplish this? > -- > Pete Power In Advanced Security, you can look at the Tools part of the tree to control ...

Dynamics Security Console - Policies
I am getting this system exception in our test environment when loading the policies section of the Security Console. Server execution failed (Exception from HRESULT: 0x80080005 (CO_E_SERVER_EXEC_FAILURE)) at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo) at System.EnterpriseServices.Thunk.Proxy.CoCreateObject(Type serverType, Boolean bQuerySCInfo, Boolean& bIsAnotherProcess, String& uri) at System.EnterpriseServices.ServicedComponentProxyAttribute.CreateInstance(Type serverType) at System.Runtime.Remoting.Activat...

http://companyweb/_layouts/3082/ows.js
We have SBS 2003 and windows 7 on clients. All works fine except a computer that since 2 month ago after a Microsoft update, when we go to companyweb and wants to edit fax list entrance, when we pick to edit appears this error (we are spanish): Mensaje: Se esperaba un objeto Línea: 12128 Carácter: 5 Código: 0 URI: http://companyweb/_layouts/3082/ows.js I try to translate: Missage: an object was expect line: 12128 Character: 5 Code: 0 URI: http://companyweb/_layouts/3082/ows.js Only with this computer and only when we try to edit our fax inbox, I put th...

security 02-23-06
Hi, I am having a problem whereby a user can see more than they should. I have created a role and set user level read access. I have assigned this role to a user, but when I log in as that user they can see their accounts, but also a sub section of my accounts. I tried re-assigning my accounts to someone else that this user can't see, but the exact same accounts were still viewable by the user, just now with a different owner. There are no shares on these accounts and they are in a different business unit and territory to that of my problem user. Any help will be greatly appreciate...

Exchange 2003 over HTTP RDP Issue
Hello everyone! A problem with Exchange 2003 over HTTP/RDP SERVER SIDE: I have a single Windows 2003 Server running IIS with Active Directory installed. The Server also has Exchange 2003 Installed and it is working perfectly. There are NO other Servers in the domain, this is a stand alone Server. I have purchased a Certificate and installed it on the Server from Verisign. The FQDN on the internet for this Server is www.domain.com, and the certificate is assigned to www.domain.com The Server is called computer.domain.com, and the windows firewall is turned on. The only ports that are ...

RPC
Since having to repair my windows installation i am now getting these error messages when i try to connect to my Exchange server: A system component, RPC required by outlook to connect to the e-mail server is not configured properly. for more information contact your system administrator. What can i do the resolve this. Do you have these registry keys? REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\ClientProtocols] "ncacn_np"="rpcrt4.dll" "ncacn_ip_tcp"="rpcrt4.dll" "ncadg_ip_udp"="rpcrt4.dll" "ncacn_http"="...

RPC
I was asked the following question from one of our developers. "Do we have RPC (remote procedure calls) setup with Exchange 2003 and Outlook?" I am running Exchange 2003 SP1. How do I verify this? Thanks, Tyson If you have to ask your answer is probably no. See: http://support.microsoft.com/kb/833401/en-us hth DDS W 2k MVP MCSE "Tyson" <Tyson@discussions.microsoft.com> wrote in message news:447DD05E-FD4A-47E0-88CD-983A1374497A@microsoft.com... >I was asked the following question from one of our developers. > > "Do we have RPC (remote proce...

Install the security pack from the M$
--suqivgjhbwetza Content-Type: multipart/related; boundary="bnxeiqenlnxok"; type="multipart/alternative" --bnxeiqenlnxok Content-Type: multipart/alternative; boundary="fixqlmwzgbrgn" --fixqlmwzgbrgn Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Microsoft Customer this is the latest version of security update, the "November 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities. Install...

Exchange 2003 on Windows Server 2000 / RPC over HTTP
Howdy all! Just wanted to verify that Exchange Server 2003 SP2 is indeed supported on Windows Server 2000 SP3 and above! Additionally, want to verify that in order to use RPC over HTTP you need to be running Windows Server 2003 and Exchange Server 2003 (read: that it will not work on a WIN2000/EXCH2003 setup). Thank you! -- Cary W. Shultz Roanoke, VA 24012 Correct. http://www.microsoft.com/exchange/evaluation/sysreqs/2003.mspx System Requirements for RPC over HTTP on Exchange Server 2003 http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3RPCHTTPDep/91dc76e8-e60f-4f9...

OWA Security Port 80 or 443?
I have been having this discussion at work about what is the best way to secure our clients Exchange servers. We all agree to use SSL, but they insist on having both port 80 and 443 open. I say to close port 80 and only allow port 443 to the exchange server for OWA. I am trying to find some documenation to back up what I am saying if indeeed what I am saying is best practice. Can someone help guide me and possibly give me some ammuntion to go back to them with. Thanks in advance. Hi Cabal, Microsoft technet has this information in their webcast: http://msevents.microsoft.com/c...

RPC over HTTP #7
I have an Outlook 2003 client that is connecting to exchange server via RPC over HTTP. Whenever Oultook is launched or an active sync is attempted with the client, the user is prompted to enter a username and password. Is there a way to turn this authentication off? Other systems on the network configured for RPC over HTTP access are not prompting for authentication. I'm puzzled by what is causing this. Thanks, Mike Do you have the authentication set to Simple or NTLM? --� Milly Staples [MVP - Outlook] Post all replies to the group to keep the discussion intact. All unsolic...

A couple of security questions related to the actual machine the POS is on.
Hello everyone. I have a few questions relating to security on the actual machines that RMS POS is running on. Is there a way so that people cannot ctrl-esc or press the windows function key to open the start menu? I believe their is a registry hack to disable the windows key as well as the ctrl-esc, but where i saw that information escapes me. I know you can prevent the user from exiting the program or acessing the windows task bar in one of the settings in RMS itself but thats rather useless when the person can just as easily open the windows start menu with a keyboard shortcut. I guess...

RPC over HTTP and internal RPC access?
If I implement RPC over HTTP on an Exchange 2003 server do all the clients have to be configured to use this option or will the clients that connect through VPN or internally using previous versions of Outlook still be able to connect? In other words, is the server still backward compatible once the change is made on the server? Thanks, Mike They will still be able to connect. RPC over HTTP requires client side configs to get it to work right as well... "Mike G." <wet@dog.com> wrote in message news:K9ydndVGTcIrNdDfRVn-iA@pghconnect.com... > If I implement RP...

OWA security question #2
All, I am currently working with a company that accesses their mail via a larger companies Exchange 2000 server. Each site has a VPN connection in to the Head Office allowing web access to their mail. For security reasons the Head Office want to remove all VPN's to align with their company policy of using Citrix Secure Gateway. All I want to do is prove to this bigger company that we don't need to spend the money on 200 citrix/ts licenses and security keyfobs as we only want OWA. Is their any documentation to support my thoughts on the following: As I am only going to be con...

RPC over HTTP #8
I use Outlook 2003 with SP2 on a windows XP SP2 laptop. I need to configure it so that I can connect to a Small Business Server 2003 that has 15 other users already using Exchange with RPC over HTTP. I configure the Exchange over Internet settings the same as another laptop user but it always gives me the response "Outlook could not logon.....Outlook must be online or connected to complete this action". Any help is appreciated ! ...

rpc over https and Invalid name of server
i hope someone can help.. first I want to use rpc over https for a couple of users that all have 1 main server and that is it. They are running windows 2003 server and exchange2003/sp1 along w/office 2003/sp3. went thru hole process of all steps to get rpc over http working. Also I created a internal standalone version of certificate server. Create certificate with fqdn of exchange server. When i http if fails and will only let me do https which is great. I also do the rpc test and it show correct. I have followed all the steps and it listens on correct ports 6001,6002,6004...My certi...

RPC vs. RPC Out for Linked Servers
When configuring a Linked Server the Server Options tab has check boxes for RPC and RPC OUT. Can someone explain why you would or wouldn't need to enable either of these options? Thanks! Tom Ashby - Panam (Tom Ashby - Panam@discussions.microsoft.com) writes: > When configuring a Linked Server the Server Options tab has check boxes > for RPC and RPC OUT. Can someone explain why you would or wouldn't need > to enable either of these options? One of them, has no function at all, as far as I know. The other controls whether you are permitted to make Remote Proce...

RPC over HTTP Failing
This is a multi-part message in MIME format. ------=_NextPart_000_002A_01C3AD08.DB501CB0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable I have a Win2003/Exchange 2003 (both standard edition) box behind our = Netscreen firewall which I'd like to use for RPC over HTTP. I've = followed the directions in the Exchange Server 2003 Deployment Guide but = can't get Outlook to progress past the login screen. I keep giving it = my credentials and it keeps prompting me for credentials. a.. Server is single Exchange server, so there&...

RPC Connections
I have been using exchange 2003 for a year with no problems. I just setup a new server with SBS 2003. All is working well email and OWA. However we wanted to give outside access to sync our smart phones and outlook on our Laptops so I implemented the settings in the article “Implementing RPC over HTTPS in a single ES2003 environment” from msexchange.org (SBS had done most of them.) I can not get the 2003 outlook on my xp pro workstation to connect it gives me: Action could not be completed connection unavailable outlook must be online or connected. I think my issue is DNS My web doma...

RPC over HTTP
I am trying to set up RPC over HTTP. My configuration is fully compliant with the prerequisites. Only one server running as a DC and Exchange Server (proxy AND back-end): Win2K3 server SP1 Exchange 2003 Server SP2 Windows XP Pro SP2 fully patched Microsoft Outlook 2003 SP2 fully patched Certificate Server installed in the server I did all the steps you can find on Microsoft Web Site and (in the great Jim McBee book...). I made some test from another location on the Internet (in order to be sure not to be using the LAN), but I can't either establish any proper connection. Moreover, in...