Exchange OWA Security

dawks

The organization I work for is closely affiliated with a much larger company (B). We have our own email service, but for some reason some of our employees have Exchange email accounts from company B. Some of our employees were accessing company B's email through Exchange OWA. Then back in April or so, we were no longer able to access it. They shut it down citing security problems.
We received notice they would have it fixed and up in 3 weeks. Fast forward 8 weeks later, still nothing, we contact them and find out they have all accounts disabled and a new system where you must fill out a form, and have the specific accounts authorized by an executive from each organization, so they can be re-activated for webmail access. Fast forward 2 more weeks, and they've changed the URL for webmail (we had to find this out on our own), and installed a Forefront ActiveX virus scanner. This scanner ensures you are fully patched and running an up-to-date virus scanner.

My question is... what does this all have to do with secure webmail? I can't understand where having a virus scanner has anything to do with ensuring secure webmail access (other than trying to check for a keylogger). Also, I don't really get the point of having executives approve access to webmail either (other than wasting time). Does OWA use some kind of vulnerable ActiveX control that could allow a virus into the IIS web server? Are OWA and IIS vulnerable to known exploits that only happen when someone logs in? Don't these user accounts have very limited access?
 

seepy83

IMO, the biggest security concern with OWA is that it's typically being accessed from computers that aren't owned and controlled by the business. Since OWA is often published to the internet, the IT/Info Sec department(s) don't know the security posture of the device that is connecting. Someone's PC at home could be riddled with malware, and then they log in to OWA and download a spreadsheet that contains the contact information and order history for 200,000 customers. Now, critical corporate data is sitting on a device that the business has no control over and cannot protect.