BOL Conferences
#1119464 - 01/29/09 09:04 PM remote e-mail
Baker Offline
Platinum Poster
Joined: Nov 2005
Posts: 792
Washington State
The bank just began offering access to e-mail from any computer for employees. The login display was originally the generic one provided by Microsoft Office. Our IT person wants to personalize it to identify the bank, but another IT staff member is arguing that we shouldn't because it increases our risks if outsiders are able to see the login page belongs to a bank.

I am not too concerned as long as we have adequate controls in place to protect against unauthorized access. Does anyone know something I don't, or can you share your practices and the reasons behind them?

I am just looking for some input. Thanks.

#1131520 - 02/18/09 02:43 PM Re: remote e-mail Baker
lbuckley Offline
New Poster
Joined: Jun 2003
Posts: 16
The controls should begin from within, and your IT department has probably covered all the bases, like putting the web email server in a DMZ and securing it with a certificate. Also, you might think about making the URL for the webmail something that is not too obvious, like ABCBankmail.com. Another thought is to put a warning on the page that this website is for bank employee use only, etc. We also do not allow attachments to go through webmail as a security measure, and we only give this access out to employees who have a business need.

#1131832 - 02/18/09 07:05 PM Re: remote e-mail Baker
Nicholas Offline
Junior Member
Joined: Dec 2003
Posts: 27
MA
It's hard to defend the argument for not customizing the logon page. If the site and the digital certificate for the site are under the bank's domain name, then isn't that a bit of a give-away already?

In our case we don't customize our page; it's set up for SSL/TLS, we have a robots.txt file at the root to keep the "nice" search engines from indexing the page, the server is in a DMZ with an IPS protecting the interface, logging is turned on and reviewed, etc. All the public server hardening techniques should be applied.

One thing I would worry about with customization is the possibility that a vulnerability is actually introduced into the webmail application. That could easily happen if the code is tweaked for any reason, i.e. debugging, work-arounds, etc.

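As an added example (not code from any poster in this thread), here is a small Python script showing the kind of log review Nicholas mentions: it reads webmail logon records in an assumed "timestamp source_ip user result" format, with constructed sample lines, and flags sources that pile up failed logons within a short sliding window, which is the pattern a publicly reachable login page most needs watching for.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an assumed simple format:
# "<ISO timestamp> <source IP> <user> <OK|FAIL>". Real webmail servers
# log differently; adjust parse_line() to the server's own layout.
SAMPLE_LOG = """\
2009-02-18T13:00:01 198.51.100.7 jsmith FAIL
2009-02-18T13:00:03 198.51.100.7 jsmith FAIL
2009-02-18T13:00:04 198.51.100.7 admin FAIL
2009-02-18T13:00:06 198.51.100.7 tjones FAIL
2009-02-18T13:00:09 198.51.100.7 mwhite FAIL
2009-02-18T13:00:11 198.51.100.7 rbrown FAIL
2009-02-18T13:05:00 203.0.113.5 jsmith FAIL
2009-02-18T13:05:20 203.0.113.5 jsmith OK
2009-02-18T14:00:00 192.0.2.9 tjones OK
"""


def parse_line(line):
    """Split one record into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: (failures_in_window, distinct_users)} for every source
    whose failed logons reach `threshold` inside any `window`-long span.
    A high distinct-user count on one source suggests password spraying
    rather than a single forgetful employee."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result != "FAIL":
            continue  # successful logons do not count toward the window
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = (len(q), len({u for _, u in q}))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logons across {users} accounts")
```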
#1131918 - 02/18/09 08:04 PM Re: remote e-mail Nicholas
bcook Offline
New Poster
Joined: Jan 2009
Posts: 24
Missouri
If your mail server is appropriately "hardened" and either placed in a DMZ or behind the firewall with some form of port-forwarding scheme, you shouldn't have much to worry about.

In conducting penetration tests I have run across many attempts to hide or obfuscate an email server, but there is always a telltale for those who know what to look for and have the appropriate tools.

Once I find an email server, there are many exploits/abuses that I try with varying degrees of success. The best thing to do would be to make sure any penetration testing/external vulnerability assessment you have done by an outside firm includes assessment of your mail server.
_________________________
“Life is tough, but it's tougher when you're stupid.”
-John Wayne
