Publishing Outlook Anywhere Using NTLM Authentication With Forefront TMG or Forefront UAG

A Microsoft disponibilizou recentemente o documento Publishing Outlook Anywhere Using NTLM Authentication With Forefront TMG or Forefront UAG.

Brief Description
This white paper provides detailed information about publishing Microsoft Exchange Server 2010 using Forefront TMG or Forefront UAG to secure access for Outlook Anywhere when using NTLM Authentication.

Overview
When you publish Exchange, Microsoft offers two software-based options: Microsoft Forefront Threat Management Gateway 2010 and Microsoft Forefront Unified Access Gateway 2010. Both options offer publishing wizards and security features to provide secure access to Exchange when it's accessed from outside the safety of the corporate network. This white paper provides detailed information about publishing Microsoft Exchange Server 2010 using Forefront TMG or Forefront UAG, including how to choose between them for different scenarios, and provides specific steps you can take to configure Forefront TMG and Forefront UAG to publish Exchange 2010 while using NTLM authentication for Outlook Anywhere access.

Como a vulnerabilidade do IIS (Security Advisory 971492) afecta o Exchange 2003

A Microsoft publicou recentemente o Security Advisory 971492, que alerta para uma vulnerabilidade nos Internet Information Services (IIS) 6.0, 5.1 e 5.0 (7.0 não é afectado), que pode permitir elevação de privilégios.

Esta vulnerabilidade apenas ocorre quando o WebDAV está activado. Como os servidores Exchange Server 2003 utilizam WebDAV para permitir o acesso às mailboxes, estes servidores estão potencialmente em risco.

Para saber se o WebDAV está ou não a ser utilizado por um servidor, podem utilizar o método descrito pela Jane Lewis no seu blog.

Para mitigar o risco, sigam os procedimentos descritos no Microsoft Security Advisory 971492.

Links Relacionados:

• Microsoft Security Advisory (971492)
• Microsoft Issues Security Alert on IIS Web Server
• Microsoft confirms serious IIS bug, downplays threat

[UPDATE]

De acordo com o Security Research and Defense blog, o OWA não é afectado:

Question: Is Outlook Web Access (OWA) vulnerable to the authentication bypass?
Answer: No, OWA is not vulnerable to this vulnerability. Exchange 2007 and earlier supported the WebDAV protocol but they did so with an Exchange implementation of WebDAV which only reads/write to/from the Exchange store. It does not interact with the filesystem directly.