• RSS
  • Twitter
  • FaceBook

Exchange Server Forums

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

POP3 AND THE RISK INVOLVED WITH ENABLING

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [Microsoft Exchange 2003] >> General >> POP3 AND THE RISK INVOLVED WITH ENABLING Page: [1]
Login
Message << Older Topic   Newer Topic >>
POP3 AND THE RISK INVOLVED WITH ENABLING - 4.Feb.2008 2:44:13 PM   
jcard71

 

Posts: 90
Joined: 28.Mar.2004
From: V
Status: offline
Hi,

I'm trying to explain to my director why enabling POP3 is a big security risk on a network. Can someone post a link or an article explaining why it's a bad idea to use POP3 in the corporate world?
Post #: 1
RE: POP3 AND THE RISK INVOLVED WITH ENABLING - 4.Feb.2008 3:44:25 PM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
There are a number of reasons.

1. In the default configuration, it sends the username and password across in the clear. That is a security risk. It can be avoided by requiring SSL.
2. The major risk is the risk of content loss. POP3 is designed to REMOVE the content from the server and store it locally. It is too easy for a user to download the content and remove it from their mailbox. While there is a setting to leave the email on the server, it cannot be controlled server side, so you are reliant on the user setting the client in the correct way.
I have also seen it abused, as a way to get content out of the network - sales guys in particular want the feature and store a copy of everything at home.
3. Loss of control of access. Once POP3 is enabled, it can be used by any number of things, PDAs, phones, Blackberry etc, all not authorised for use.
4. Which brings us to storage of sent items and regulatory compliance. If the client is configured for POP3 and email is sent from that client, then there is no way it can get back in the store unless it is imported. If the user is sending email with something obscure, then that isn't going to happen.

You also lose the GAL, calendaring and everything else that Exchange offers.

There are probably more reasons, but that should keep you going for a while.

If I am asked for POP3 access to be enabled, my first question is WHY? There are very few legitimate reasons to enable it, if you are running a tight IT environment.

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://blog.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.sembee.co.uk/
Exchange Resources: http://exbpa.com/

(in reply to jcard71)
Post #: 2
RE: POP3 AND THE RISK INVOLVED WITH ENABLING - 4.Feb.2008 3:54:31 PM   
jcard71

 

Posts: 90
Joined: 28.Mar.2004
From: V
Status: offline
quote:

ORIGINAL: Sembee

There are a number of reasons.

1. In the default configuration, it sends the username and password across in the clear. That is a security risk. It can be avoided by requiring SSL.
2. The major risk is the risk of content loss. POP3 is designed to REMOVE the content from the server and store it locally. It is too easy for a user to download the content and remove it from their mailbox. While there is a setting to leave the email on the server, it cannot be controlled server side, so you are reliant on the user setting the client in the correct way.
I have also seen it abused, as a way to get content out of the network - sales guys in particular want the feature and store a copy of everything at home.
3. Loss of control of access. Once POP3 is enabled, it can be used by any number of things, PDAs, phones, Blackberry etc, all not authorised for use.
4. Which brings us to storage of sent items and regulatory compliance. If the client is configured for POP3 and email is sent from that client, then there is no way it can get back in the store unless it is imported. If the user is sending email with something obscure, then that isn't going to happen.

You also lose the GAL, calendaring and everything else that Exchange offers.

There are probably more reasons, but that should keep you going for a while.

If I am asked for POP3 access to be enabled, my first question is WHY? There are very few legitimate reasons to enable it, if you are running a tight IT environment.

Simon.



This is perfect! Yeah, some dumb ass C2 tracking program needs it and I'm fighting it tooth and nail!

Thanks for your help!

(in reply to Sembee)
Post #: 3
RE: POP3 AND THE RISK INVOLVED WITH ENABLING - 4.Feb.2008 4:22:56 PM   
jcard71

 

Posts: 90
Joined: 28.Mar.2004
From: V
Status: offline
What if POP3 110 is not allowed through the firewall, is it still a security issue?

(in reply to Sembee)
Post #: 4
RE: POP3 AND THE RISK INVOLVED WITH ENABLING - 4.Feb.2008 5:48:50 PM   
Sembee

 

Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
One way to limit the exposure is by blocking port 110. If you are on Exchange 2003 then use admodify.net to disable POP3 on all user accounts. Remember to disable it on new accounts.

Simon.

_____________________________

Simon Butler,
Exchange MVP
Blog: http://blog.sembee.co.uk/
Web: http://www.amset.info/
In the UK? Hire me: http://www.sembee.co.uk/
Exchange Resources: http://exbpa.com/

(in reply to jcard71)
Post #: 5

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [Microsoft Exchange 2003] >> General >> POP3 AND THE RISK INVOLVED WITH ENABLING Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts


Follow TechGenix on Twitter