|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Microsoft announces new ways to bypass security controls
For those not keeping up with Microsoft, because so many people have started blocking Netbios, RPC, SMB, etc; Microsoft announced yet another way to bypass security. On August 1, Microsoft introduced Exchange 2003. With Outlook 2003 this introduces an new implementation fo Exchange's MAPI protocol over HTTP allowing clients to natively connect to Exchange servers without using a virtual private network (VPN). Steve Conn, Microsoft's Product manager was quoted as "Since we have got a good implementation, we're going to keep supporting it." Microsoft will evangelise the new protocol, and developers of other mail clients and servers will be encouraged to implement it. http://www.microsoft.com/office/ork/xp/beta/three/ch8/OutC07.htm "Outlook 2003 now offers a better alternative to VPN connections -- RPC over HTTP. With this feature, users can have security-enhanced access to their Exchange Server accounts from the Internet when they are working outside your organization's firewall. Users do not need any special connections or hardware, such as smart cards and security tokens, and they can still get to their Exchange accounts even if the Exchange server and client computer behind the firewall are on different networks." By the way, Microsoft's RPC-Over-HTTP uses one of the ports in another Microsoft security advisory concerning RPC vulnerabilities. Extending the list of dangerous ports to include 593, RPC-over-HTTP. A suggested work around, use a virtual private network (VPN). Of course, Microsoft isn't the only one with mail protocol security weaknesses. POP3 is probably responsible for more cleartext passwords being transmitted over the Internet than any other network protocol.
|