Mark M Manning

A site for information involving myself and my career.

Force HTTPS for Sites Using NoScript

Sunday, December 21, 2008

This is a simple solution for those of us wishing to use SSL whenever possible. Sites like Facebook, LinkedIn and The Pirate Bay (and hopefully soon many others) offer HTTPS as an option, but only to visitors who explicitly ask for it by typing https:// themselves.

HTTPS != Secure

I should probably say this because HTTPS/SSL is turning into a mindless buzzword.
Websites offering SSL do NOT...

  • protect you from attacks on your system - malware can be served over SSL just as easily as over plain HTTP
  • inherently hide the websites you're visiting - the browser URL will still be https://www.someweb2.0site.com/markmmanning, and anyone watching the network still sees the DNS lookup and the server you connect to; only the path and the page contents are encrypted
  • mean that the website will always use HTTPS - Yahoo, for example, lets you log in over HTTPS and then redirects you to plain HTTP once you're logged in, after which any cookie not marked Secure travels in the clear
Websites offering SSL do...
  • encrypt your web traffic between the browser and the web server
  • protect the contents of that traffic from attackers sniffing on your network, as long as the session actually stays on HTTPS
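As an added check (example code written for this page, not something from NoScript or from the original post), here is a small Python audit of what a site sends back after an HTTPS login: it flags a redirect that drops you to http:// and any cookie set without the Secure flag, which is exactly the cookie a sidejacking tool picks up on the plain-HTTP hop. The response below is constructed sample data; the hostnames, cookie names and values are made up.

```python
from urllib.parse import urlparse

# Constructed sample: what a login over HTTPS might send back. Hostnames,
# cookie names and values are made up for this example.
SAMPLE_RESPONSE = {
    "request_url": "https://login.example.com/auth",
    "status": 302,
    "headers": [
        ("Location", "http://mail.example.com/inbox"),
        ("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "prefs=dark; Path=/; Secure"),
    ],
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_set_cookie(header_value):
    """Split a Set-Cookie header into (cookie name, attribute dict).
    Attribute names are lower-cased; bare flags such as Secure map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_response(response):
    """Return a list of human-readable findings for one HTTPS response."""
    findings = []
    scheme = urlparse(response["request_url"]).scheme
    headers = response["headers"]

    # Finding 1: an HTTPS request answered with a redirect to plain HTTP
    # (the Yahoo behaviour described above).
    if scheme == "https" and response["status"] in REDIRECT_CODES:
        for key, value in headers:
            if key.lower() == "location" and urlparse(value).scheme == "http":
                findings.append(f"downgrade redirect to {value}")

    # Finding 2: cookies handed out over HTTPS without the Secure flag. The
    # browser will send these on any http:// request to the same host, so
    # one plain-HTTP hop (or an injected http:// image) leaks them.
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if not attrs.get("secure"):
                findings.append(f"cookie {name} lacks Secure flag")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

Forcing HTTPS in the browser fixes the first finding from your side; the second one is the site's problem, and it is why forcing HTTPS alone does not stop a sidejacker on the same network.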

NoScript

NoScript R0ckz! I'm not even going to talk about them because you should know. Check them out here.

  • Install NoScript
  • Click on the NoScript icon and go to Options
  • Click the Advanced tab, then HTTPS
  • Under "Force the following sites to use secure (HTTPS) connections:" add all of your favorite websites (for example www.facebook.com)
  • Click OK and test it out: type the plain http:// address of one of the sites and confirm the browser lands on https://

External Links

http://noscript.net/ - NoScript website
http://fscked.org/projects/cookiemonster - the reason why HTTPS doesn't mean you're secure. CookieMonster is a sidejacking tool that also works against sites using SSL: it grabs the cookies those sites failed to mark Secure when the browser sends them over plain HTTP.


Defcon XVI - Tor Part II

Wednesday, September 3, 2008

Nathan Evans gave the last talk on the first night of Defcon, called De-TOR-iorate Anonymity. It had a lot of people sweating on the Tor mailing list and even generated a huge debate about whether Tor should even be used on a multi-purpose system rather than on a dedicated machine or a virtual machine like JanusVM or AnonymOS. The information was pretty thick to process at the time, but a few minutes later it finally sunk in. Here's how it works.

Overview of Tor

[Figure: Tor overview]

A quick review of how Tor works. Tor is an anonymity tool that builds a circuit of relays (three by default) and passes connections through it, with a layer of encryption per hop so that each relay knows only the hop before it and the hop after it. For instance, in the figure above we see Alice trying to connect to Bob. Alice sends traffic to node 1, node 1 relays it to node 5, node 5 relays it to node 8, and node 8 (the exit) finally sends the request to Bob. If Bob replies, the data travels back the way it came. Simple enough?

Overview of Attack

Nathan's attack falls under the "partitioning" label: the goal is to split the set of Tor relays into smaller and smaller groups until the user's entry node is found. The attack assumes the attacker controls the exit node, and the exit already knows which middle node handed it the circuit, so identifying the entry node reveals every node in the user's circuit. At that point Tor is only as anonymous as a single proxy: the entry node alone stands between the attacker and the user's real address.

Circular Circuits

[Figure: circular circuit]

Nathan found that an attacker can create looped circuits. That is, node 1 relays to node 2, which relays to node 3, but at node 3 the client issues an EXTEND command back to node 1 (and keeps doing so), so the circuit loops through the same relays and its length grows without bound. Every cell the client sends then crosses each of those relays many times, so their queues of traffic waiting to be relayed fill up and their latency increases by a large amount.

Why it works

Doing a DoS attack and measuring the latency is not new; it was actually talked about at last year's Defcon. The difference with this attack is that the attacker builds circular circuits, so the targeted nodes loop traffic back to the beginning of the circuit instead of relaying it once, which multiplies the load on them far beyond what the attacker's own bandwidth would otherwise allow.

This is why the attack worked:

  • Tor circuits are hard-coded to three hops (whether to change this is debatable)
  • Tor does not pad traffic to keep latency constant, so a slowed-down relay is observable (and padding is unlikely ever to be added)
  • Tor allows circuits of unbounded length (to be fixed by proposal 110)

The Attack

To attack the network, he used the following environment:
  1. a "Bad Exit Node" owned by the attacker
  2. Tor client used to generate circular circuits (Defined as "DoS Client")
  3. Web server to act as the destination and to keep track of latency (Defined as "DoS Server")
  4. Normal user that is using the Bad Exit Node ("Alice")

The attack is a denial-of-service attack on a few nodes at a time using the circular circuits discussed above. Latency is measured by injecting, from the bad exit node, a small piece of JavaScript into the user's web traffic that pings a web server collecting stats. If the user's latency stays low while a set of relays is being flooded, the attacker knows the entry node is NOT one of those relays and moves on to the next set. Generating circular circuits and recording the results is repeated until the user's latency increases substantially, at which point the attacker knows the entry node is one of the three nodes used in the last DoS round; flooding those one at a time then singles it out.

Example

[Figure: Nathan Evans's attack]

In this figure, Alice connects to Bob via nodes 1 and 5 and the bad exit node owned by the attacker. Meanwhile the attacker builds circular circuits through nodes 1, 2 and 3, which generate large amounts of traffic and slow those relays down. Because node 1 is Alice's entry node, her measured latency jumps, and the attacker learns that her entry node is one of 1, 2 and 3.
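To make the partitioning step concrete, here is a toy simulation in Python, added for this page rather than taken from the talk or from Tor. The relay names, the victim's latency model and the 2000 ms slowdown are invented; the Victim class stands in for Alice plus the attacker's stats server, and find_entry plays the attacker, flooding three relays per round as the slides describe. find_entry_bisect goes a step beyond the talk and halves the candidate set each round, which needs about log2(N) rounds instead of N/3.

```python
import random

# Constructed network: thirty relays with zero-padded names so that
# sorted() order equals index order.
RELAYS = [f"relay{i:02d}" for i in range(30)]


class Victim:
    """Models Alice together with the attacker's stats server. Her latency
    jumps when her (secret) entry node is among the relays being flooded."""

    def __init__(self, entry, base_ms=400.0, jitter_ms=60.0, seed=1):
        self._entry = entry          # not visible to the attacker code below
        self.base_ms = base_ms
        self.jitter_ms = jitter_ms
        self._rng = random.Random(seed)

    def ping_ms(self, dosed):
        """Latency of one injected JavaScript ping while `dosed` are under load.
        The 2000 ms penalty is an invented figure for the example."""
        load = 2000.0 if self._entry in dosed else 0.0
        return self.base_ms + load + self._rng.uniform(-self.jitter_ms, self.jitter_ms)


def baseline(victim, samples=5):
    """Quiet-network latency, averaged over a few pings with nothing flooded."""
    return sum(victim.ping_ms(set()) for _ in range(samples)) / samples


def find_entry(victim, relays, batch=3, threshold_ms=500.0):
    """Attacker side, as in the talk: flood `batch` relays per round until the
    victim slows down, then flood the suspects one by one.
    Returns (entry_node or None, number_of_dos_rounds)."""
    quiet = baseline(victim)
    rounds = 0
    candidates = list(relays)
    for i in range(0, len(candidates), batch):
        group = set(candidates[i:i + batch])
        rounds += 1
        if victim.ping_ms(group) - quiet > threshold_ms:
            candidates = sorted(group)     # entry is one of these
            break
    else:
        return None, rounds                # entry node not in our list
    for relay in candidates:
        rounds += 1
        if victim.ping_ms({relay}) - quiet > threshold_ms:
            return relay, rounds
    return None, rounds


def find_entry_bisect(victim, relays, threshold_ms=500.0):
    """Generalisation (not from the slides): halve the candidate set each round."""
    quiet = baseline(victim)
    rounds = 0
    candidates = list(relays)
    while len(candidates) > 1:
        half = set(candidates[: len(candidates) // 2])
        rounds += 1
        if victim.ping_ms(half) - quiet > threshold_ms:
            candidates = sorted(half)
        else:
            candidates = [r for r in candidates if r not in half]
    return candidates[0], rounds


if __name__ == "__main__":
    alice = Victim(entry="relay17")
    print(find_entry(alice, RELAYS))         # ('relay17', 9)
    print(find_entry_bisect(alice, RELAYS))  # ('relay17', 5)
```

The threshold works only because the slowdown dwarfs normal jitter; on the real network the attacker needs repeated measurements per round, and each round costs the attacker the bandwidth of the looped circuits, which is exactly what proposal 110 takes away.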

The Fix

Tor has been updated at least 3 times since this talk. Among many other bug fixes and feature additions are the changes related to proposal 110, the proposal to stop Tor from building circular circuits. It splits relay cells into "RELAY" and "RELAY_EARLY": an EXTEND command (the one used to lengthen a circuit, and therefore to loop it) is only honoured when it arrives in a RELAY_EARLY cell, and a client only gets a limited number of RELAY_EARLY cells per circuit, enough to build the circuit's first hops. Ordinary RELAY cells can no longer extend a circuit at all.

Version 0.2.0.30 also started rejecting "risky" extend cells. From the ChangeLog:

Relays now reject risky extend cells: if the extend cell includes a digest of all zeroes, or asks to extend back to the relay that sent the extend cell, tear down the circuit. Ideas suggested by rovv.

The fix is not complete: parts of proposal 110 are still being implemented, and backward compatibility has to be kept with older clients that still build circuits using the original (version 1) cells.
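The relay-side rules described above, written out as Python (an added illustration for this page, not Tor's code): cells are plain dicts invented for the example, the 4-byte digest field is modelled as bytes, and the per-circuit RELAY_EARLY budget is a parameter of the model rather than a statement of Tor's exact constant. looping_client replays the looping trick against one relay to show where the circuit now gets torn down.

```python
ZERO_DIGEST = bytes(4)   # relay cells carry a 4-byte running digest


class CircuitState:
    """What a relay remembers about one circuit for these checks."""

    def __init__(self, prev_hop, early_budget=8):
        self.prev_hop = prev_hop          # relay that handed us this circuit
        self.early_budget = early_budget  # RELAY_EARLY cells still allowed (assumed cap)
        self.torn_down = False


def handle_relay_cell(circ, cell):
    """Decide what to do with one cell: "forward", "extend" or "teardown".
    cell = {"type": "RELAY" or "RELAY_EARLY", "command": str,
            "digest": bytes, "target": next-hop name or None}"""
    if circ.torn_down:
        return "teardown"
    if cell["type"] == "RELAY_EARLY":
        if circ.early_budget == 0:
            circ.torn_down = True        # budget spent: the client is looping
            return "teardown"
        circ.early_budget -= 1
    if cell["command"] != "EXTEND":
        return "forward"                 # ordinary data, pass it along
    if cell["type"] != "RELAY_EARLY":
        circ.torn_down = True            # proposal 110: EXTEND only in RELAY_EARLY
        return "teardown"
    if cell["digest"] == ZERO_DIGEST or cell["target"] == circ.prev_hop:
        circ.torn_down = True            # 0.2.0.30: "risky" extend cell
        return "teardown"
    return "extend"


def extend_cell(target, early=True, digest=b"\x8b\x12\xf4\x09"):
    """Build a made-up EXTEND cell; the default digest is an arbitrary non-zero value."""
    return {"type": "RELAY_EARLY" if early else "RELAY", "command": "EXTEND",
            "digest": digest, "target": target}


def looping_client(circ, hops):
    """Replay Nathan's trick against one relay: keep extending through the
    listed hops, cycling back to the start, and return how many EXTENDs the
    relay honoured before tearing the circuit down."""
    honoured = 0
    i = 0
    while True:
        target = hops[i % len(hops)]
        if handle_relay_cell(circ, extend_cell(target)) != "extend":
            return honoured
        honoured += 1
        i += 1


if __name__ == "__main__":
    circ = CircuitState(prev_hop="relayA")
    print(looping_client(circ, ["relayB", "relayC", "relayD"]))   # 8: budget exhausted
    circ = CircuitState(prev_hop="relayA")
    print(looping_client(circ, ["relayB", "relayA"]))             # 1: extend back to sender
```

With the budget in place a looping client gets at most a handful of extends per circuit, so the amplification that made the DoS cheap is gone; the two 0.2.0.30 checks catch the crudest loop (extending straight back to the previous hop) even earlier.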

External Links

http://www.torproject.org - Tor Project Website
https://www.torproject.org/svn/trunk/doc/spec/proposals/110-avoid-infinite-circuits.txt - Details of the proposal for the fix
http://archives.seul.org/or/talk/Aug-2008/msg00148.html - just for accuracy's sake, Roger Dingledine's follow up to my explanation on the or-talk list
http://web.cs.du.edu/~natevans/ - Nathan Evans's website. Nothing there really
https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf - Original slides (PDF) for De-TOR-iorate Anonymity
https://www.torproject.org/svn/trunk/ChangeLog - the always updating changelog of Tor


Defcon XVI - Tor Part 1

Wednesday, August 20, 2008

I was kind of excited about this year's Tor talks because they almost skipped over the details of what Tor is and went straight to some more advanced subjects. Roger Dingledine gave a great presentation about the vulnerabilities of Tor in which he went through each major security bug that has ever been discovered. He was very honest about some of the future attacks: latency tables, SSL website fingerprinting, automatic control port authentication problems, attackers buying old certificate authorities so that SSL MITM attacks would be available at any time, and even how governments are starting to make laws forcing Tor relay operators to give law enforcement real-time access to their nodes.

Latency Tables

This was actually pretty interesting to me. Roger made a comment about how an attack would be easier if the attacker had access to a latency table, a record of the latency between any one point and another on a global scale. An attacker who knows how long packets take between arbitrary points on the Internet can compare that against the delays seen on a Tor circuit and rule out relays, and eventually clients, that could not have produced them. This is a theoretical attack, as no one has been able to build such a table effectively.

SSL Website Fingerprinting

This is the theory that it is possible to catalogue the sizes of the responses a site returns over SSL, so that although an attacker cannot read the data going over the connection, the sizes alone reveal which website the user is visiting. It can be taken a step further: the table need not hold only the initial page size but the first page, then the page the user is redirected to after login, and so on. For instance, if someone visits their bank, they first get an initial login page, then a secondary authentication screen, and finally their actual online banking information. Each of those pages has a size, and the sizes together make a pretty distinctive fingerprint. Tie this together with Mike Perry's SSL cookie exploit and one can imagine a situation where an attacker works out which website the user is visiting, injects an <img src="http://www.visitedwebsite.com"> into some other unencrypted page, the browser sends the site's cookie in clear text (because the site never marked it Secure), and a session hijack follows.
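Here is the fingerprinting idea reduced to code, as an added Python example for this page (not from the talk): identify matches an observed sequence of response sizes against a table of known sequences, and pad_table/collisions show the defence side, where padding responses up to a large fixed block makes the two bank fingerprints identical. Every number in FINGERPRINTS and in the observations is invented for the example.

```python
# Constructed table: site -> sizes (bytes) of the pages a user fetches in
# order, e.g. login page, second-factor page, account overview. Invented data.
FINGERPRINTS = {
    "bank-a": [18_240, 6_410, 54_990],
    "bank-b": [22_100, 6_380, 48_120],
    "webmail": [9_800, 131_000],
}


def distance(observed, pattern):
    """Mean absolute size difference, position by position; pages present in
    only one of the two sequences count in full as a length-mismatch penalty."""
    n = min(len(observed), len(pattern))
    diff = sum(abs(a - b) for a, b in zip(observed, pattern))
    unmatched = sum(observed[n:]) + sum(pattern[n:])
    return (diff + unmatched) / max(len(observed), len(pattern))


def identify(observed, table=FINGERPRINTS, tolerance=0.05):
    """Closed-world match: return (site, score) for the nearest fingerprint,
    or (None, score) when even the best match differs by more than
    `tolerance` times the average observed page size."""
    best_site, best = None, float("inf")
    for site, pattern in table.items():
        d = distance(observed, pattern)
        if d < best:
            best_site, best = site, d
    scale = sum(observed) / len(observed)
    if best > tolerance * scale:
        return None, best
    return best_site, best


def pad_to_block(sizes, block=4096):
    """Defence side: round every response up to a multiple of `block` bytes."""
    return [-(-s // block) * block for s in sizes]


def pad_table(table, block):
    """What the fingerprint table looks like once a site pads its responses."""
    return {site: pad_to_block(sizes, block) for site, sizes in table.items()}


def collisions(table):
    """Pairs of sites whose fingerprints are identical, i.e. indistinguishable."""
    sites = sorted(table)
    return [(a, b) for i, a in enumerate(sites) for b in sites[i + 1:]
            if table[a] == table[b]]


if __name__ == "__main__":
    # Observed sizes are a little larger than the table (TLS record overhead).
    print(identify([18_300, 6_400, 55_200]))           # ('bank-a', ~93)
    print(collisions(FINGERPRINTS))                     # []
    print(collisions(pad_table(FINGERPRINTS, 65536)))   # [('bank-a', 'bank-b')]
```

Real traffic is noisier (record sizes, caching, parallel requests), which is why the attack needs a table built from many observations rather than one, and why small padding (4 KB blocks) barely helps: in this data the two banks only collide once responses are padded to 64 KB.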

Automatic Control Port Authentication

There was a known and since-addressed issue whereby an attacker could gain control of a Tor client's control port (the interface that controllers such as Vidalia use to build and manage circuits), granting the ability to redirect the user's circuits or do something even more malicious. The workaround was to require authentication on the control port, either by a password or by a cookie file. Clients like Vidalia now support the authentication mechanism, but the open problem is how the authentication is done at boot time when Tor is installed as a Windows service. Roger didn't have an answer yet to this issue beyond saying it was being worked on.

Purchasing Old CAs

If you look in Firefox, IE, Opera or whatever, you'll see a pretty long list of pre-trusted certificate authorities that come with the browser. These are some of the most popular ones that have been trusted for years and ship with the browser itself. It just so happens that a lot of these CAs are not even in business anymore, but they're still in the browsers in case someone holds a certificate from them that is valid through 2020. So what? Well, if an attacker bought one of those old CAs, together with its signing key, they could issue a certificate for any site they liked and mount an SSL MITM attack without the browser raising any warning. There was even a comment about how China is interested in purchasing one so that its deep packet inspection could reach into SSL connections.

Governments and Law Enforcement

The last big issue that I thought was interesting to bring up was how some governments (Germany among others) are pressuring Tor to provide "real time access to law enforcement," whatever "real time" and "law enforcement" end up meaning in practice. Roger makes the point that if running a relay becomes this burdensome and this legally risky, it may not be possible to run a Tor server in that country, and it may get harder elsewhere in the future.

External Links

http://www.torproject.org - Tor Project Website
http://www.kreativrauschen.com/blog/2007/11/09/german-bundestag-decides-to-implement-data-retention/ - Blog about the new German data retention logs
http://en.wikipedia.org/wiki/Data_retention - Wikipedia entry about data retention laws in other countries


Defcon XVI - Day 0

Friday, August 8, 2008

I arrived Thursday morning in Las Vegas in an attempt to do some of the pre-Defcon social events this year. We posted our room availability on the Defcon forums and picked up two roommates to help with the costs: Riot and Matt.

I reserved the "deluxe" room at the Riviera which, although nicer, doesn't have any more space than the non-deluxe. It does look much more romantic, but filling it with four guys takes care of that feeling pretty quickly.

Badges this year include an IR port, an SD slot, and supposedly a way to shut off all TV's in a certain radius, and a transmit mode that may allow you to talk to other badges as you walk around the floor.

Ethical Hackers

Ethical Hackers was doing a get together at Hofbrauhaus, a German brew house at 8:00pm. Dan who runs the site was putting it all together and had a $500 tab for us to use. The whole event was a lot of fun and had a lot of interesting people. Timmy of Red Rock Security, Brian of Cisco, Ed of Intel Guardians, David an extreme baby sitter, Collin of Training Camp, Mike the Military Vet, Naps, and a bunch of others of whom I may have forgotten their names. Check out ChicagoCon for anyone that will be in the area. Sounds like a very worthwhile event. I think the whole get together was a success.

EFF Summit

We also grabbed a few of the guys to make it back to the EFF Summit at the top of the Monaco tower back at the Riviera. Donations were $40 to get in and included a one year membership. Once the sound system was working at around 10:30 or 11:00, some of the EFF guys went up to talk about some of the cases that were won and some of the good things that the EFF does. I think it was kind of preaching to the choir, but the event went pretty well.

External Links

http://www.ethicalhackers.net
Red Rock Security
ChicagoCon
Intel Guardians


Password Protect Grub

Monday, July 21, 2008

This weekend, my company threw their annual trip to the mountains, which included a team-building scavenger hunt through the small-town community, a boat trip to the lake, and some after-hours pranks. One such prank involved a picture being taken of my friend in an unfortunate position while he was sleeping downstairs. He had left his laptop on the table and we agreed that it would be perfect to surprise him by changing the desktop background of his computer to the photo we took that night. At 4am I wasn't interested in live CDs or slaving hard drives, but luckily I was able to boot into his Ubuntu partition in minutes with root access.

And why am I telling you this? Because the reason I was able to access it so easily was that Grub was not password protected and I booted into recovery mode, which gave me a root shell on his entire hard drive. Although I thought it was hilarious, it was a good reminder to always lock it down. So this is how to password protect some or all of the entries in Grub.

Password Protect Grub Entries

This shows you how to password protect individual Grub entries.

  1. Generate your Grub password hash with the following command
  2. Copy the hash it prints out; this is what you'll use inside the Grub configuration file
  3. Using your editor of choice, edit /boot/grub/menu.lst
  4. Find the part that lists the different boot options at the bottom of the file, where you'll see something like this:

  5. The normal entries are fine to boot without a password, but the recovery mode ones drop you straight into a root shell, so those are the ones to protect
  6. Edit the section for the recovery mode so that it looks like this

  7. This will demand a password if a user attempts to boot into recovery mode but boot into the default installation without one.
  8. Save the menu.lst file and reboot to see if you were successful

Password Protect Editing Grub Entries

This is how to password protect all of Grub so that nobody can edit entries or run their own Grub commands at the boot prompt. This is the big one, because without it an attacker doesn't need the recovery entry at all: they can edit any kernel line to add init=/bin/bash and boot straight into a root shell, or use Grub's own command line to read files such as /etc/shadow off the disk.

  1. Edit the menu.lst file
  2. Find the commented-out password line near the top of the file (it must come before the first title), remove the '#', and replace the example hash with the Grub hash you created earlier

  3. With the password line in place, the menu editor and command line are already locked for every entry. For each entry that should also refuse to boot without the password, add a line containing just the word "lock" right after its title line

Load Alternative Menu On Password

This is a way of loading a separate boot menu when the user presses 'p' at the Grub menu and enters the password.

  1. Make a duplicate of menu.lst named menu-admin.lst. This will be the alternative menu
  2. Edit the menu-admin.lst file so that it only has the entries you want. It is the only menu that will be shown after the password is entered, so you may want to keep copies of some of the original entries too.
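For reference, here is what a finished menu.lst looks like with all three of the above applied. This is an added example for this page, not a copy of the file from the post: the hash is of the kind grub-md5-crypt prints (the value shown is a placeholder, not a real hash), and the kernel version, UUID placeholder and entry titles are illustrative.

```text
# /boot/grub/menu.lst (GRUB legacy, as shipped with Ubuntu 8.04; excerpt)
#
# The password line must sit before the first "title". With it in place
# the menu editor and the Grub command line are locked, and any entry
# carrying "lock" refuses to boot until the password is entered.
# The hash is what grub-md5-crypt prints; this value is a placeholder.
password --md5 $1$EXAMPLE$replacethiswithyourownhash

# Alternative form: pressing "p" and entering the password loads the named
# file as a new menu (the admin-only menu-admin.lst from the section above)
# instead of merely unlocking this one. Use one form or the other.
# password --md5 $1$EXAMPLE$replacethiswithyourownhash /boot/grub/menu-admin.lst

default 0
timeout 3

title Ubuntu 8.04, kernel 2.6.24-19-generic
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-19-generic root=UUID=<root-fs-uuid> ro quiet splash
initrd /boot/initrd.img-2.6.24-19-generic
quiet

title Ubuntu 8.04, kernel 2.6.24-19-generic (recovery mode)
lock
root (hd0,0)
kernel /boot/vmlinuz-2.6.24-19-generic root=UUID=<root-fs-uuid> ro single
initrd /boot/initrd.img-2.6.24-19-generic
```

Keep the normal entry unlocked so the machine still boots unattended; only the recovery entry (and the editor) should ask for the password.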

Disclaimer

This is NOT, by any means, a very good security measure. It's just a way to stop a lazy attacker or your little brother. The rule still applies: if you have physical access to the box, you can do whatever you want, for instance boot a live CD or pull the drive. If you want to be serious about protecting a system from physical attacks, you'll need to look at encrypting the entire hard drive (and setting a BIOS password so the boot order can't simply be changed).

External Links

http://www.gnu.org/software/grub/manual/grub.html#Security


Setup Site-to-Site VPN With Sonicwall

Tuesday, May 20, 2008

I've been using SonicWall devices for a little while now. I started getting into them after a recommendation from a friend, and the TZ series has proven to be a good solution for small to medium sized businesses.

You can find more information about SonicWalls and the TZ series here, but I'm going to go over how to set up an IPSec VPN between two TZ 180s using the Standard SonicOS firmware. If you have SonicOS Enhanced, the steps are almost the same.

Overview:

  • set the unique names of each device
  • configure subnet, dhcp, etc
  • create a VPN policy to connect to the other
NOTE: I'm not talking about setting passwords or security here - it's assumed that you've already setup the environment.

Set the Unique Name on each device:

  1. log into the first device's web interface
  2. click on VPN on the left side
  3. under "Unique Firewall Identifier" enter a logical name like "USNY1"
  4. log into the second device's web interface
  5. click on VPN
  6. under "Unique Firewall Identifier" create another name like "USNY2"

Configure Subnets for DHCP:

  1. log into the first device's web interface
  2. click Network > LAN
  3. set the SonicWall LAN IP to something like 10.0.1.1
  4. set the subnet mask to whatever is appropriate for your network like 255.255.255.0
  5. repeat the same steps for device 2, except give it a different IP and subnet, like 10.0.2.1 and 10.0.2.0/255.255.255.0

Setup VPN Policy:

Assuming you have the following configuration, we can create the VPN policy:

Site 1
  Device Name: USNY1
  Subnet: 10.0.1.0/24

Site 2
  Device Name: USNY2
  Subnet: 10.0.2.0/24
Setup Device 1
  1. On device 1 click on VPN > Settings
  2. click Add under VPN Policies
  3. Fill out the information as shown below:
    IPSec Keying Mode: IKE using Shared Secret
    Name: USNY2 [name of your device 2]
    IPSec Primary Gateway Name or Address: the public IP address of device 2
    IPSec Secondary Gateway Name or Address: left blank in most cases
    Shared Secret: since you will only type it in twice and it is the basis of the tunnel's security, make it long and random [https://www.grc.com/passwords.htm]. Keep a copy somewhere safe; you'll need it on the second device
  4. click "Specify destination networks below" and click Add
  5. type in the subnet that device 2 is controlling - in this example 10.0.2.0/24
  6. click OK
Setup Device 2 [almost the same as above]
  1. On device 2 click on VPN > Settings
  2. click Add under VPN Policies
  3. Fill out the information as shown below:
    IPSec Keying Mode: IKE using Shared Secret
    Name: USNY1 [name of your device 1]
    IPSec Primary Gateway Name or Address: the public IP address of device 1
    IPSec Secondary Gateway Name or Address: left blank in most cases
    Shared Secret: the same secret you generated above
  4. click "Specify destination networks below" and click Add
  5. type in the subnet that device 1 is controlling - in this example 10.0.1.0/24
  6. click OK

Check The logs:

If you've configured everything correctly, you should be able to watch the VPN tunnel negotiation from the event logs.
  1. click on Log > Categories
  2. check "Log all categories" - this will record VPN functions
  3. under Log click "View"
  4. review the logs for events like the following; these are DPD (Dead Peer Detection) keepalives, which only appear once the IKE negotiation has completed and the tunnel is up:
    SENDING>>>> ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x26D85F88) *(HASH, NOTIFY:DPD_ACK)
    RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x69c45089cc845af4, MsgID: 0x3AAF690F) *(HASH, NOTIFY:DPD_REQUEST)

Troubleshooting:

Phase 2 or algorithms don't match
If you see a log message like this, it is most likely caused by mismatched encryption or authentication algorithms in the Phase 2 (IPSec) proposal settings. Go back and make sure they match exactly on both devices.

IKE Initiator: Proposed IKE ID mismatch
This message is most likely caused by the firewall identifiers being mismatched. Make sure that under VPN settings each device's Unique Firewall Identifier is set, and that the VPN policy on each device uses the other device's identifier as its name.

Dynamic IPs
If you're connecting two sites with dynamic IP addresses, I've read that you need to select the "Aggressive Mode" type of VPN, but maybe someone can confirm that.
  1. click VPN and click Configure on the tunnel you created
  2. under Proposals change "Exchange" to Aggressive Mode
  3. click the Advanced tab
  4. click Enable Keep Alive and Try to bring up all possible Tunnels
  5. click OK
Be aware that aggressive mode with a shared secret sends the peer identities in the clear and lets anyone sniffing the negotiation capture a hash of the pre-shared key for offline cracking, which is one more reason the secret has to be long and random.
Other
If you're getting anything else check out the log events reference guide here -
http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf.

External Links:

Sonicwall.com - Had to put a link to this
http://www.sonicwall.com/downloads/Log_Event_Reference_Guide.pdf - great guide for easy event log decoding
https://www.grc.com/passwords.htm - a good strong online password generator for one time passwords


Clear Out The Last Login From Being Displayed

Monday, May 12, 2008

Clearing the last logged-on user from the login screen is a very simple task that I like to set on my domains and in the local policies of workgroup computers. It helps in two ways: first, as a matter of security, because an attacker walking up to the computer isn't handed a valid user name to start guessing passwords against; and second, it teaches users what their user name actually is, because we all know that if we don't type it every day, we forget it. [see saved passwords]

Overview

For those of you that mostly know what you're doing and just need a reminder, here it is. The policy setting you need to change is located under:

  • Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
  • Edit the "Interactive Logon: Do not display last user name in logon screen" entry, check "define this setting" and select "enabled."

Under the hood this sets the DWORD value DontDisplayLastUserName to 1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is handy when you want to verify on a workstation that the policy actually arrived.

On a Windows Domain Controller

  1. Under Administrative Tools open the Group Policy Management
  2. Find the group policy you want to change select it, right click, and choose "Edit".
  3. Expand Computer Configuration, Windows Settings, and Security Settings
  4. Expand Local Policies node, and then click Security Options.
  5. Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."
  6. The setting takes effect the next time the clients refresh group policy (they do so periodically in the background, and at reboot); run gpupdate /force on a client to apply it immediately.

On a Local Vista Machine

  1. In the Control Panel, click System and Maintenance and open the Administrative Tools
  2. Open the Local Security Policy.
  3. Expand Computer Configuration, Windows Settings, and Security Settings
  4. Expand Local Policies node, and then click Security Options.
  5. Edit the "Interactive Logon: Do not display last user name in logon screen" entry and check "define this setting" and "enabled."

External Links:

http://support.microsoft.com/kb/310125 - Link to the MS KB article


DHCP MAC Filtering on Windows

Friday, February 29, 2008

I was having dinner with some of the IT guys from a client I work for, and I suggested they do MAC filtering for all of their network devices as an added security measure. The only problem was they were using Windows Server 2003 for the DHCP server, which natively does not support MAC filtering. That's where the DHCP Server Callout DLL comes in.

This is a DLL created by the Microsoft DHCP team that hooks into parts of the DHCP server's lease processing that were not previously exposed; in this case, it uses that hook to filter by MAC address.

Why filter MAC addresses

The idea of DHCP MAC filtering is that when a foreign system tries to connect to your network, it is not given an IP address unless its network card is on the list of allowed systems. In order to get on the network, its owner has to see a member of the IT department.

This protects against a guest accidentally spreading spyware, viruses or trojans, not to mention it helps the IT department keep track of who and what goes on the network. [Please notice how I say accidentally: MAC spoofing easily circumvents this measure, and a machine with a manually configured IP address never asks the DHCP server for anything in the first place, so treat this as a hygiene control, not a perimeter.]

Install The Callout DLL

Overview:

  • Install the DLL
  • Create the necessary registry keys
  • Populate the list of allowed or denied MAC addresses
  • Restart the DHCP Server service

Download and Install

  1. Download the MacFilterCallout.msi package (see External Links)
  2. Run MacFilterCallout.msi and go through the steps to install it. All this does is extract two files into %SystemRoot%\system32\: MacFilterCallout.dll itself and SetupDHCPMacFilter.rtf, which contains very basic instructions.

Create the registry values:

Choose one of two ways:
Option 1: Manually create the following values under HKLM\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters (where the DHCP server looks for its callout settings):

  Value name                  Type          Description
  CalloutDlls                 REG_MULTI_SZ  The location of MacFilterCallout.dll
  CalloutEnabled              DWORD         0 = disable MacFilterCallout, 1 = enable MacFilterCallout
  CalloutErrorLogFile         REG_MULTI_SZ  Error log path. If this value is not specified, the callout DLL writes errors to %WINDIR%\System32\Log.txt
  CalloutInfoLogFile          REG_MULTI_SZ  Info log path. If this value is not present, no informational messages are logged
  CalloutMACAddressListFile   REG_MULTI_SZ  The name and location of the MAC filtering list you're going to create next

Option 2: Merge the .REG file that I've made for you [Download]

Download the file above, extract the contents, and merge the registry file that I created for you.

Here are the values the .REG file contains. Make sure they match up to your environment.

  Value name                  Data
  CalloutDlls                 C:\windows\system32\MacFilterCallout.dll
  CalloutEnabled              1
  CalloutErrorLogFile         C:\windows\system32\MacFilterCallout.log
  CalloutInfoLogFile          C:\windows\system32\MacFilterCalloutInfo.log
  CalloutMACAddressListFile   C:\windows\system32\MAClist.txt

NOTE: If you are not using C:\windows as your windows directory, you will have to edit the registry to fit your system.

Create the MAC list

As I showed above, the value CalloutMACAddressListFile points to a location where you need to create a specially formatted text file that contains the MAC addresses to filter. You can only choose to ALLOW a certain set of MACs or to DENY them, not both. Here is the format of that file:

Note: You must include the { }'s around either the ALLOW or DENY action

Help Populating the MAC list

If you are going to use the ALLOW action you're most likely going to want to find all of the valid MAC addresses on the network. Here are some suggestions for ways you can do this:

  • Nmap + ARP - with the command nmap -sP -PR 192.168.0.0/24 (or whatever your network is) Nmap does an ARP ping sweep of the local subnet without port-scanning it, which fills your machine's ARP cache. Then "arp -a > arptable.txt" dumps that cache to a file you can open in a spreadsheet and pull the MAC column from. This only finds hosts on your own subnet, since ARP doesn't cross routers.
  • DHCP logs - use your existing DHCP server audit logs [usually under c:\windows\system32\dhcp\] to find every MAC address that took a lease in the last week.
  • Switch logs - if you have a good enough switch, it keeps a table of which MAC addresses have been seen on which ports.

Note: Obviously be careful how you create this list. If the CEO of the company has a laptop that you happened to forget to put onto the allow list, he may not be happy with your new security measure.
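To take some of the tedium (and the CEO's-laptop mistake) out of building the list, here is an added Python helper for this page; it is not from the post or from the DHCP team's DLL. It pulls MAC addresses out of a saved "arp -a" dump and out of DHCP audit log lines, merges and normalises them, and sets aside anything that has no business on an ALLOW list (broadcast and multicast addresses, plus locally administered ones, which usually mean a hand-set address). Both inputs are constructed samples in the real formats; the header line the callout expects at the top of its list file (the braced ALLOW/DENY action) is supplied by the caller, so check it against SetupDHCPMacFilter.rtf.

```python
import csv
import io
import re

# Constructed sample of "arp -a" output on Windows.
ARP_DUMP = """\
Interface: 192.168.0.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.23          00-1c-c0-1a-2b-3c     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample lines in the column layout of the Windows DHCP server
# audit log (strip the legend the real file carries above the header line).
DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,02/25/08,09:12:01,Assign,192.168.0.23,WS-ALICE,001CC01A2B3C
10,02/25/08,09:40:17,Assign,192.168.0.57,WS-BOB,0021703A4B5C
11,02/25/08,10:02:44,Renew,192.168.0.57,WS-BOB,0021703A4B5C
"""


def normalize(mac):
    """Return the MAC as 12 upper-case hex digits, or None if it isn't one."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    return digits.upper() if len(digits) == 12 else None


def macs_from_arp(text):
    """MACs from an arp -a dump: the second column of each dynamic/static row."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] in ("dynamic", "static"):
            mac = normalize(parts[1])
            if mac:
                found.append(mac)
    return found


def macs_from_dhcp_log(text):
    """MACs from the 'MAC Address' column of DHCP audit log rows (duplicates kept)."""
    found = []
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize(row.get("MAC Address", ""))
        if mac:
            found.append(mac)
    return found


def is_unicast_global(mac):
    """True unless the I/G bit (broadcast/multicast) or the U/L bit (locally
    administered) is set in the first octet. A spoofer copying a real MAC
    will not trip this; a hand-typed address often will."""
    first = int(mac[:2], 16)
    return not (first & 0x01) and not (first & 0x02)


def build_allow_list(*sources):
    """Merge MACs from all sources, dropping duplicates; returns sorted
    (allowed, rejected) lists."""
    allowed, rejected = set(), set()
    for macs in sources:
        for mac in macs:
            (allowed if is_unicast_global(mac) else rejected).add(mac)
    return sorted(allowed), sorted(rejected)


def format_mac(mac, sep="-"):
    return sep.join(mac[i:i + 2] for i in range(0, 12, 2))


def render_list(macs, header_line, sep="-"):
    """Text of the list file: the callout's action header, then one MAC per
    line. Match `header_line` and `sep` to what SetupDHCPMacFilter.rtf says."""
    return "\n".join([header_line] + [format_mac(m, sep) for m in macs]) + "\n"


if __name__ == "__main__":
    allowed, rejected = build_allow_list(macs_from_arp(ARP_DUMP),
                                         macs_from_dhcp_log(DHCP_LOG))
    print(render_list(allowed, "{ALLOW}"))
    print("left out:", rejected)
```

Run it against the real dumps, then diff the result against last week's DHCP log before switching CalloutEnabled to 1; anything in the log but not in the list is a machine that is about to lose its lease.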

Want to know what the MSI Installer REALLY does?

One major pet peeve of mine is when you download a program and it installs without telling you what it did. That's how this MSI works. Here's what it does:

  • copies the DLL to %SystemRoot%\system32\
  • copies the RTF to %SystemRoot%\system32\
  • registers BOTH the DLL and the RTF as shared DLLs
  • adds some interesting registry keys, like one named "CompleteMacLevel", whose purpose I don't know

I know that may not help anything but it makes me feel a little better.

External Links

http://blogs.technet.com/teamdhcp/archive/2007/10/03/dhcp-server-callout-dll-for-mac-address-based-filtering.aspx - DHCP server team's blog with the original article


Can't Force SSL With Outlook Mobile Access

Sunday, December 16, 2007

I just learned today that you cannot force the use of SSL on every part of an Exchange-enabled website in IIS. You can still use SSL, but apparently turning on the "Require Secure Channel (SSL)" option makes OMA stop working. Here is the error I was getting:
If you have recently changed your password, the system may not yet have completed the change. Please wait a short time and try again. If this is not the case, your Exchange server mailbox has not been created. Please access your account via Microsoft Outlook or Microsoft Outlook Web Access to create your user mailbox. Please contact your system administrator for additional assistance.
I have to admit I've only set up the OMA site a half dozen times so there may be something out there that explains this issue better than I but I've found a bunch of websites that support this claim. One site makes a reference to a KB article that no longer exists.

The Steps

  1. Open the IIS Management Console on the back-end Exchange 2003 server.
  2. Right click the Exchweb virtual directory under the default Web site, and then click Properties.
  3. Click the Directory Security tab.
  4. Click Edit in the Secure Communications area.
  5. Click to clear the "Require secure channel (SSL)" check box, and then click OK for all windows.

But I Want To Force SSL

The problem remains: what if you actually want to force SSL? I had a hard enough time getting 50 users to understand what the "S" in HTTPS meant. What I did was create a second Exchange-enabled site. On this site I forced SSL, while on the first site I left it optional. I sent an update to the end users explaining that there was a new mail website, "https://www.website.com/mail", and made a few minor modifications [adding the company logo] so that they could tell the difference, in the hope that they would think new = upgrade. This way, if they used http instead of https, I could redirect them automatically.

External Links

http://www.petri.co.il/forums/showthread.php?t=10208 - Daniel Petri's website forum
http://www.webservertalk.com/archive128-2004-3-166297.html - Forum article that makes a reference to the problem.
