If IMAP was enabled on the local corporate network then couldn't iPhone users securely access mail through the iPhone's VPN support?
 
Exchange most certainly supports encrypted POP and IMAP

Exchange server supports POP and IMAP over SSL like any good standards compliant mail server should. Contrary to what was posted earlier, implementing IMAP does not include a need to publish the internal mail servers as it is implemented on the Front End servers, just like the OWA web interface. It actually uses the SAME SSL certificate as the OWA web interface does.

There's plenty of information on how to set up IMAP on Exchange here:

http://www.microsoft.com/exchange
here:
http://www.msexchange.org
and here:
http://www.msexchangeteam.com
 
Weeeelll... not quite true.

That's because they are using XP or Vista. Of course, anything Windows is going to be a huge security risk.

There are, indeed, security implications arising from using Windows-based PCs, but not nearly as much from XP SP2 or Vista. In fact, it's Macs that represent a bigger hole. The security on Windows Server 2003 (and above) has to be turned DOWN to allow Macs to communicate, as OS X does not understand the level of encryption required. XP and above automatically encrypt every conversation between themselves and the W2k3 server. By default, Windows Server 2003 will not talk to anything on the LAN unless the conversation is encrypted. You have to allow unencrypted traffic to allow Macs to talk to them. Of course, XP etc. will happily encrypt the traffic. Thus, you should not use a Mac for anything which requires security. Unless, of course, this being Apple, you pay extra for Samba 3.
 
There are, indeed, security implications arising from using Windows-based PCs, but not nearly as much from XP SP2 or Vista. In fact, it's Macs that represent a bigger hole. The security on Windows Server 2003 (and above) has to be turned DOWN to allow Macs to communicate, as OS X does not understand the level of encryption required. XP and above automatically encrypt every conversation between themselves and the W2k3 server. By default, Windows Server 2003 will not talk to anything on the LAN unless the conversation is encrypted. You have to allow unencrypted traffic to allow Macs to talk to them. Of course, XP etc. will happily encrypt the traffic. Thus, you should not use a Mac for anything which requires security. Unless, of course, this being Apple, you pay extra for Samba 3.
Old thread, but that isn't totally true. The security thing you speak of is NTLM & LM. Windows uses NTLMv2 by default for shares and it refuses NTLM & LM. Sadly no non-MS OS understands NTLMv2 (AFAIK) so you have to at least enable NTLM. The traffic is still encrypted.
 
All of our servers here appear to be set to only allow NTLMv2, and I have no problems mapping SMB drives via my Mac?
 

All of our servers here appear to be set to only allow NTLMv2, and I have no problems mapping SMB drives via my Mac?

Yeah, I seem to be mistaken. Not sure what the OP was talking about (encryption-wise). If NTLMv2 works (as far as authentication is concerned) the systems should talk just fine. IMAP has an SSL port (993), so even that traffic should be encryptable.
EDIT: Actually it would be nice to know which setting the OP was talking about, because none of the settings I can find (in group policy) should affect the security level of Exchange Communications over IMAP.
 
Old thread, but that isn't totally true. The security thing you speak of is NTLM & LM. Windows uses NTLMv2 by default for shares and it refuses NTLM & LM. Sadly no non-MS OS understands NTLMv2 (AFAIK) so you have to at least enable NTLM. The traffic is still encrypted.

Actually, I was talking about SMB traffic used for file shares. In order for OS X to talk to Windows Server 2003 file shares, you have to change a Windows registry setting to allow unencrypted traffic. There is a second setting which should remain set to allow encrypted traffic if requested, i.e. by XP.

Sorry, this was a tad off topic, just pointing out that Macs can have security problems as well. Windows is pretty damn secure these days. I know a lot of viruses are around, but that is only because there are not enough Macs around to make it worthwhile to write them for OS X (approx. 7% of desktop/laptop computers).

The reason I was looking at the thread was because we have some Mac users who want, apparently because it "looks better", to use IMAP and Apple Mail. I am trying to find reasons why they should continue with Entourage and full Exchange, and aesthetics should have no bearing on security. They'll be buying a Mac because it comes in pink next. So far, lack of security and accessibility from outside the LAN seem to be reasons to deny the request, as there is no way I am exposing IMAP protocols to the Internet. OWA/OMA works fine and Entourage can use it to pick up email.

By the way, I am not anti-mac per se, as I have one myself as well as PCs and a box running Ubuntu. I do not, however, have any truck with Mac-Fundamentalists for whom it is almost a point of faith that Mac is Good, Windows is bad.
 
Actually, I was talking about SMB traffic used for file shares. In order for OS X to talk to Windows Server 2003 file shares, you have to change a Windows registry setting to allow unencrypted traffic. There is a second setting which should remain set to allow encrypted traffic if requested, i.e. by XP.
FWIW, Mac OS 10.5 (Leopard) supports SMB packet signing.

I am trying to find reasons why they should continue with Entourage and full Exchange and aesthetics should have no bearing on security.
Are you sure they're not summing up "overall usability" with "aesthetics"? Although Entourage gives the same full Exchange support as Outlook, the difference in usability between the two is huge.

If you don't want to securely enable IMAP, then tell the Mac users to hold off until Mac OS X 10.6 comes out later this year. The native email and calendar programs will have full Exchange support.
 
Sorry, this was a tad off topic, just pointing out that Macs can have security problems as well. Windows is pretty damn secure these days. I know a lot of viruses are around, but that is only because there are not enough Macs around to make it worthwhile to write them for OS X (approx. 7% of desktop/laptop computers).

Ah yes, the market share theory. Sounds plausible, but it's not true.

By all standards, Linux servers are the best target for viruses. Most mid-high end Linux servers have several fast cores, a gig or more of RAM, plenty of disk space, and fat, fat pipes -- anything with that much CPU power and bandwidth makes an amazingly good spam box. Forget sending out spam over some crappy home DSL connection -- owned servers are where it's at.

Assuming that the marketshare/appeal theory is correct, we'd see tons of viruses for Linux, since it's typically installed on machines that are, for all intents and purposes, perfect for sending spam and/or participating in a botnet.

Only we don't. There are millions of Linux servers out there -- it's the most popular server OS -- and yet there aren't really any Linux viruses in the wild. Any guesses why that is?

Windows doesn't have virus problems just because it's popular: it has virus problems because Microsoft has (prior to Vista) shipped several operating systems that were comically insecure, indirectly encouraged poor security practices, and insisted on sacrificing user security in order to strengthen their grip on the market.
 
You guys are retards!

I still can't believe to this day how stupid Mac users need to be to justify their argument, of which they have none!

You ask why businesses don't use IMAP? You want to ask administrators why, yet you don't like the answers?!?!

ok
1: IMAP and POP transfer public name and passwords in plain text.
2: IMAP ports can be set against DNA
3: OWA is as secure as IMAP but does not transmit name and password in plain text across the internet when logging in.
4: Security? First OS X is ALWAYS the first to be hacked in any security competition, so not sure where the superiority complex comes from?!?!
5: When using an Exchange server, it acts as the only SMTP sender and receiver and you can lock down the SMTP to a filter service. POP and IMAP want to be clients that also want to use the SMTP service. This allows for possible SPAM abuse if they get a virus, as well as denial of service attacks by allowing other IP addresses to connect to the SMTP rather than your spam service, as well as other spam sending that can connect and bypass your MX records and directly hit your SMTP port on that IP address.
But that's just spam, liability and business connectivity; that's not security.
Allowing an IP address to your network for anyone to hit from the outside world is a BAD BAD BAD BAD.. did I mention BAD practice?!?!?!

Now in saying that, security is usually broken into through the applications and not the OS. Outlook is one of the most common applications out there, so many viruses are created to run through it.
Before, Outlook, like many applications, used to allow scripts and web links to be opened through it, but those have been locked down. It's a bit annoying but it works, and many other client software is susceptible because they still do allow this (as a default).

OWA is NEVER a solution for businesses but just an option. It works fairly well and we can time out a session fairly quickly, so it closes quickly if a goober gets up and walks away from the screen.

Someone mentioned VPN, and yes this is the correct way for businesses to allow POP or IMAP connections but again, those allow names and passwords to be sent in plain text. Most hacking of companies is done internally. Outlook syncing to the Exchange server is still the most secure method. So many corporations simply use VPN and allow users to do the normal Outlook connection to their Exchange servers. Not to mention, as again, the SMTP port in businesses is locked down so that only the spam service can connect to it, and no one else. With IMAP and POP, you have to allow EVERY IP address to use it (if an authenticated user) because users need that service to send out messages.


Ok mactards, are we done?
THAT is why businesses don't use IMAP or POP regardless of whether you have a MacBook or PC!!
 
ok
1: IMAP and POP transfer public name and passwords in plain text.
2: IMAP ports can be set against DNA
3: OWA is as secure as IMAP but does not transmit name and password in plain text across the internet when logging in.
Yipes! Are you not aware that IMAP can use SSL (just like OWA does) so NOTHING is sent in clear text?

4: Security? First OS X is ALWAYS the first to be hacked in any security competition, so not sure where the superiority complex comes from?!?!
Personally, I'd call it naivete instead of superiority complex, but IMO, it mostly comes from the fact that pretty much none of the hacks shown at the security competitions ever go public. So people that have only grown up using OS X have never had to deal with a virus outbreak, or a major security issue. As the last hacker that hacked OS X at a security competition sums it up, "I'd say that Macs are less secure for the reasons we've discussed here—lack of anti-exploitation technologies—but are more safe because there simply isn't much malware out there".

5: When using an Exchange server, it acts as the only SMTP sender and receiver and you can lock down the SMTP to a filter service. POP and IMAP want to be clients that also want to use the SMTP service.
When setting up IMAP on a client, you can specify any outgoing SMTP server that you want. It does not have to be the Exchange Server's SMTP service. You can point your clients to your externally-hosted SMTP virus scanning service if you want. You know, the one that HAS to accept IP connections from anyone to allow external mail into the network?

Allowing an IP address to your network for anyone to hit from the outside world is a BAD BAD BAD BAD.. did I mention BAD practice?!?!?!
Um, ... OWA requires that.

Someone mentioned VPN, and yes this is the correct way for businesses to allow POP or IMAP connections but again, those allow names and passwords to be sent in plain text.
Really? Cisco and Checkpoint clients authenticate via clear text?

Ok mactards, are we done?
THAT is why businesses don't use IMAP or POP regardless of whether you have a MacBook or PC!!
The gist of your post was that IMAP is insecure, which I don't agree with in the slightest. I will agree with the fact that to properly setup ANYTHING that has clients on a public network takes a fair amount of effort, and if a business only has a small amount of clients that would make use of IMAP, the investment isn't worth it.

And since the next version of OS X supports native Exchange support, Mac users will shortly be able to connect directly to Exchange servers the same as PCs with Outlook, so the chances of admins wanting to setup IMAP for Mac users now is even slimmer.
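The post above argues that IMAP over SSL sends nothing in clear text. The following is an added example, not code from this thread or from any Exchange tooling, that parses an IMAP CAPABILITY response and decides whether a client on that session could send a password unprotected: port 993 is always encrypted, while on port 143 the server must advertise LOGINDISABLED (RFC 2595) and withhold password-carrying AUTH mechanisms until STARTTLS. The sample responses are constructed, and probe_imaps is a hypothetical helper name that connects to port 993 with certificate verification turned on.

```python
import imaplib
import ssl

# Constructed sample CAPABILITY responses (not captured from any real server).
CAP_PLAINTEXT_LOGIN = b"* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE"
CAP_STARTTLS_ONLY = b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE"
CAP_ON_993 = b"IMAP4rev1 AUTH=PLAIN IDLE"  # form imaplib returns after TLS


def parse_capabilities(line: bytes) -> set:
    """Turn a CAPABILITY response (raw "* CAPABILITY ..." or the stripped
    form imaplib returns) into a set of upper-cased tokens."""
    tokens = line.decode("ascii", "replace").split()
    if tokens and tokens[0] == "*":
        tokens = tokens[1:]
    if tokens and tokens[0].upper() == "CAPABILITY":
        tokens = tokens[1:]
    return {t.upper() for t in tokens}


def plaintext_credentials_possible(caps: set, tls_session: bool) -> bool:
    """True if a client on this session could send a password unprotected.

    Port 993 (or a session already upgraded with STARTTLS) is always safe.
    On cleartext port 143 the password stays safe only if the server refuses
    LOGIN until TLS (LOGINDISABLED, RFC 2595) and does not offer a
    password-carrying SASL mechanism before the upgrade."""
    if tls_session:
        return False
    login_blocked = "LOGINDISABLED" in caps
    plain_mech = bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})
    return (not login_blocked) or plain_mech


def probe_imaps(host: str, port: int = 993, timeout: float = 10.0) -> set:
    """Hypothetical helper: connect to the implicit-TLS port with certificate
    verification on and return the advertised capabilities; a certificate that
    does not validate raises ssl.SSLCertVerificationError instead of going on."""
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
    try:
        _typ, data = conn.capability()
        return parse_capabilities(data[0])
    finally:
        conn.logout()
```

Run `plaintext_credentials_possible(probe_imaps("mail.example.invalid"), True)` against your own front-end server to confirm the 993 listener and its certificate validate from outside.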
 
Exchange allows remote deletion of the entire device if it is lost or stolen. Additionally, you can limit which AD users have remote access to the Exchange server with mobile devices (we do this at my job to limit mobile email users and VPN users to those who actually need the functionality). As far as I know you can't do that with IMAP.
 
I work in IT for a huge government contractor and we officially only allow IMAP to those that have alternative OSes like Linux, and only SSL-enabled. :D

But per our security policy pushed from our server, our BlackBerrys (standard equipment) are password-enabled and also encrypted. Our BlackBerrys are also set up so that if you put in the password incorrectly 10x the thing reboots and wipes all memory.

The biggest security risk is if your iPhone gets lost or stolen. It's so much easier for a foreign government to mug someone and steal their BlackBerry than to try hacking into their account over the internet. Most people typically don't use a password to secure their phones, and even if they are password-enabled, they can usually be hacked into.
 
Coming from someone who sets it up

As someone who works in IT, iPhones support the same ActiveSync as any other device that has licensed this technology. This includes almost all new *Smartphones* as Exchange support is key.

If you have an implementation similar to Windows Mobile and iPhone devices, these should support security policies AND remote wipe abilities.

Anytime you open a service that is accessible from the outside world, it, of course, exposes you to more security risks.

IMAP w/ SSL can be opened. Most Windows server environments running Exchange (even SBS) should have an ISA firewall. You can limit the traffic that is allowed.

Mail.app will work fine w/ IMAP over SSL. From my understanding, you are STILL going to need to be able to send e-mail utilizing a SMTP server (which can also work with SSL).

To limit the amount of exposure, disable IMAP access in Exchange to ONLY the 3rd party client accounts that need it. Mac users can have it enabled, but all Windows users should be fine using OWA.

All mobile clients utilizing ActiveSync (inc. iPhone) will also be fine w/ only OWA accessibility.

/me anxiously awaits Snow Leopard though. Need some Exchange support OOTB.
 