How Secure is RPC over HTTP? (MS Exchange)

Discussion in 'other software & services' started by Brent Hutto, Dec 13, 2007.

Thread Status:
Not open for further replies.
  1. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    I am using Outlook 2007 to communicate to an Exchange server via "RPC over HTTP". Is that going to be encrypted in any way? I'm thinking of the case of the Outlook client being on a laptop using public WiFi and I want to be able to do a regular MAPI connection rather than using the Outlook Web Access.

    If it is seriously insecure, then I'll probably use a VPN-tunnelled web browser to get to my Exchange mail via the web access. I don't think I can do VPN for the MAPI stuff though.
     
  2. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    It will be encrypted (using HTTPS) if that is the way the Exchange server is set up (that's how it should be configured).

    To check if yours is using HTTPS, open the account settings in Outlook 2007 for your Exchange account. Click on "More settings", go to the "Connection" page and click on "Exchange proxy settings". If the "Connect using SSL only" option is ticked then you are OK.

    If it isn't ticked, tick it and OK your way out. If you can still send/receive via Exchange then all is OK, otherwise you'll need to (a) go back and untick the option and (b) give your Exchange admin a rocket.
     
  3. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    spm,

    First off, thanks so much for your advice. I'm new to the Exchange world and darned near new to modern security technology so your help is much needed and much appreciated.

    Anyways, that SSL option is greyed out in my Outlook. After poking around a bit it seems to not be available when "Basic Authentication" is selected. So I changed that to "NTLM Authentication" which in turn allowed me to select "SSL Only". Closed Outlook and reopened it...

    ...everything seems to work as before. So it would seem that my provider has the setup for running with SSL but doesn't enable it by default. According to the Outlook help file, that "Basic Authentication" results in passwords being sent in clear text. That's a big no-no in my book so good thing it lets me use the SSL option, right?

    Riddle me this. On the "Security" tab there's a box "Encryption Communication Between Outlook and Exchange". It is checked. Under what circumstances does that apply to my connection? It would seem that that's for situations where "Outlook Anywhere" is not being used, presumably that's plain MAPI over a local network (i.e. no firewalls between the Exchange server and the Outlook client). Would that situation ever arise given that I'm using a purchased (shared) Exchange Hosting account at a commercial provider?
     
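Editor's added example (not part of either poster's reply, and not Microsoft's code): the two posts above boil down to a small decision table for the Outlook "Exchange proxy settings" dialog, plus the claim that Basic authentication puts the password on the wire in clear text. The Python below encodes that table and then demonstrates the cleartext claim on a constructed RPC-over-HTTP request of the kind Outlook Anywhere sends to `/rpc/rpcproxy.dll`: a Basic header is only base64, so anyone who can read the unencrypted HTTP stream recovers the credential with one decode. The severity labels, the `ProxySettings` class and the sample request are all constructed for illustration.

```python
import base64
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProxySettings:
    """The two controls discussed in the thread (constructed model, not an Outlook API)."""
    ssl_only: bool      # "Connect using SSL only" ticked?
    auth_scheme: str    # "Basic" or "NTLM", as chosen in the proxy authentication box


def assess_proxy_settings(s: ProxySettings) -> Tuple[str, str]:
    """Rate an Outlook Anywhere configuration. Severity labels are illustrative."""
    if not s.ssl_only and s.auth_scheme == "Basic":
        return ("high", "Basic auth without SSL: the password travels as base64 text, "
                        "readable by anyone on the same network path")
    if not s.ssl_only:
        return ("medium", "NTLM without SSL: password is not sent in clear, but all "
                          "mailbox traffic is unencrypted")
    if s.auth_scheme == "Basic":
        return ("low", "Basic inside SSL: protected by TLS, so the outcome rests "
                       "entirely on the server certificate being validated")
    return ("ok", "SSL only with NTLM: transport encrypted, password never sent in clear")


def extract_basic_credentials(http_request: str) -> Optional[Tuple[str, str]]:
    """Given one plaintext HTTP request (e.g. from a capture of your own client),
    return (user, password) if it carries a Basic Authorization header, else None.
    This is the whole 'attack' on Basic-without-SSL: base64 is encoding, not encryption."""
    for line in http_request.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            token = line.split(" ", 2)[2].strip()
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            return user, password
    return None


# Constructed sample request: the shape Outlook Anywhere uses (RPC_IN_DATA to the
# RPC proxy, port 6001 is the Exchange store endpoint), with made-up credentials.
SAMPLE_REQUEST = (
    "RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.com:6001 HTTP/1.1\r\n"
    "Host: mail.example.com\r\n"
    "Authorization: Basic "
    + base64.b64encode(b"EXAMPLE\\bhutto:correct horse").decode("ascii")
    + "\r\n\r\n"
)


if __name__ == "__main__":
    for cfg in (ProxySettings(False, "Basic"), ProxySettings(False, "NTLM"),
                ProxySettings(True, "Basic"), ProxySettings(True, "NTLM")):
        print(cfg, "->", assess_proxy_settings(cfg))
    print("Recovered from plaintext Basic header:", extract_basic_credentials(SAMPLE_REQUEST))
```

The point of `extract_basic_credentials` is verification, not attack: run it over a capture of your own laptop's traffic after ticking "Connect using SSL only"; if the header is still visible in plaintext, the setting did not take effect. When the option is greyed out with Basic selected, as in the post above, the table shows why switching to NTLM and SSL moves the configuration from the worst row to the best one.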
  4. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Ah, yes, SSL is only supported if you use NTLM authentication to the Exchange proxy server. Sorry, should have said.

    To be honest I'm not 100% sure about this one. I think the "Encrypt data..." option works independently of (and in addition to) the SSL option ... while you are working remotely to a hosted Exchange server, that is not the only supported scenario and Outlook can operate with Exchange via other means (e.g., using TCP over a LAN to a local Exchange server, without SSL), and then this option becomes important. Just leave both options checked and you'll be fine.
     
  5. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    My goal is to get my setup tied down well enough to operate with Outlook/Exchange from my laptop even over an unsecured WiFi point. Of course I keep an up-to-date NIS 2008 running (Norton AntiBot as well) and try not to use weak passwords or leave the machine unattended. Do you think the underlying structure of this stuff is sufficient to keep me reasonably safe in that sort of environment (having tied down the encryption/SSL/authentication loose ends)?
     
  6. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Ah, now you're talking about an entirely different subject. My concern would not be how secure the Outlook/Exchange communication is (it's fine with SSL), but how secure your computer is in an unsecured WiFi environment.

    Personally, I wouldn't use an unsecured WiFi net under any circumstances - irrespective of whether you're using NIS or any other suite or collection of firewall, AV, AS, etc. - and I tell our customers the same.

    If you must use a public WiFi hotspot, then I'd recommend you look at one of the 'personal VPN' services that are around. Take a look at WiTopia personalVPN and HotSpotVPN.
     
  7. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    OK, now. This is turning into a singularly productive discussion. I've used one of those ad-supported freebies (AnchorVPN) and I run my browser under Sandboxie when I'm on an unsecure network but so far I had not researched any real, subscriber VPN solutions that are intended to work beyond the browser. So your two pointers are a good start.

    My employer has a Cisco IPSec concentrator setup, but to the best of my understanding the Cisco client they provide (and require) is configured to only route traffic to/from our IP addresses through the tunnel. If such a thing is possible then they are probably really doing that, although it seems odd to me. So far I've not gotten their client running correctly on my laptop, but I'm assuming for now it leaves me exposed for anything I do that is not directed back here.

    So just as I've subscribed to an Exchange Hosting service (because the university's E-mail infrastructure is abysmal) I'm willing to spend a modest amount for a VPN solution that is comprehensive and not limited by their conception of how little they can get by with. A quick look at the WiTopia link makes that one seem very attractive for basically three bucks a month. Assuming their SSL-based VPN is good enough (BTW, that's all I'm looking for as I won't be handling any really sensitive or valuable info) that seems worth a try.
     
  8. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    While I haven't used WiTopia's personalVPN, I have used other services of theirs over time and have always been pleased with their offerings and their customer support. Their personalVPN is based on the open source OpenVPN product, and this I have used extensively (previously on our own network, and currently on a number of our customers' networks) - it's an excellent product.
     
  9. Brent Hutto

    Brent Hutto Registered Member

    Joined:
    Dec 1, 2007
    Posts:
    72
    Location:
    South Carolina
    Well, for what it's worth I'm posting this through the tunnel so to speak. Signed up for WiTopia's PrivateVPN service. Their installation process was a lot of steps but went smoothly using their directions. I especially like the fact that they give you a real public key string rather than just sharing a passphrase or whatever.

    It survived the first real-world test. I connected to my own wireless router, hooked up with WiTopia and used it for a few minutes. Then I closed the lid on the laptop for an hour. When I resumed the system and reconnected to the network the open PrivateVPN session immediately reestablished without my having to do anything.

    I really like this setup of paying a tiny fee (40 bucks a year) for a pretty thoroughly secured link (as secure as 128-bit SSL can be, anyway) and not worrying so much about the wireless environment I'm in at any point in time. Should I still put my browser in Sandboxie when I'm on a public WiFi spot? My head is spinning with all the permutations but it seems to me there's still an opening for browser hijacking or whatever.

    Thanks, spm, for the pointers to VPN providers and especially for the sanity check on the Exchange/Outlook scheme. This is a great forum with a pretty knowledgeable core of participants.

    P.S. Let me add one caveat about using WiTopia's PersonalVPN (OpenVPN). It does not like running under Vista and they have not as yet really invested the necessary effort to make it so. In particular, for trouble-free, by-the-book operation OpenVPN needs UIC turned off. My workaround was to turn off UIC (and my firewall BTW) during the installation process and to remove the OpenVPNGui application from system startup. You have to set that application to run with Admin privilege and that's a no-no. So it doesn't run at startup; I run it manually (from the Start Menu) and acknowledge to UIC that I want to run it with elevation.
     
    Last edited: Dec 16, 2007