Securing Exchange 2000

Presentation Transcript

Securing Exchange 2000

Trustworthy Exchanges and the Art of doing it yourself

Chris Weber

[email protected]

http://www.foundstone.com

http://www.privacydefended.com

Synopsis
  • Focused on single backend Exchange Server with front-end OWA server
  • Hacking Exchange
    • Scanning
    • Enumerating
    • Attacking
  • The Exchange Application
    • Secure Administration
    • System Policies
    • Malware
    • OWA
    • Known Vulnerabilities
  • Other Fundamental Considerations
    • IIS 5.0
    • Windows OS
    • Network

Securing Microsoft Exchange 2000 [email protected]

What is not covered
  • A lot!
    • Connectors and Replication
    • Internet POP3/SMTP clients like Outlook Express
    • Backups
    • Monitoring and status notifications
    • PKI


Security Policy
  • Organizational security policies should be in place to guide daily actions.
  • Never start configuring without having a “management supported” plan in place.


Secure Network Diagram


Hacking Exchange 2000
  • Why Hack Exchange?
    • Learn host configuration information
    • Learn of hidden Public Folders
    • Glean User account names and email addresses
  • Information Gathering
    • Network port scan
    • Server enumeration
      • NetBIOS
      • LDAP
      • RPC
    • User and configuration enumeration
      • LDAP with Null session
      • NetBIOS with Null session
    • Pilfering shares
      • Tracking logs
  • Launching an attack
    • Aiming for admin access


Hacking Exchange 2000

LDAP exposes Users and Public Folders hidden from the Exchange Address Lists


Port Scan

D:\tools>fscan -p 1-65535 -z 128 exchange
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

Scan started at Fri Feb 22 00:50:30 2002
172.16.2.10 25/tcp - SMTP
172.16.2.10 80/tcp - HTTP
172.16.2.10 119/tcp - NNTP
172.16.2.10 135/tcp - RPC/DCE endpoint mapper
172.16.2.10 139/tcp - NetBIOS session service
172.16.2.10 143/tcp - IMAP
172.16.2.10 443/tcp - HTTPS
172.16.2.10 445/tcp - Microsoft SMB/CIFS
172.16.2.10 563/tcp - NNTP/SSL
172.16.2.10 593/tcp - HTTP RPC endpoint mapper
172.16.2.10 691/tcp - SMTP/LSA
172.16.2.10 993/tcp
172.16.2.10 995/tcp - POP/SSL
172.16.2.10 1048/tcp
172.16.2.10 1049/tcp
172.16.2.10 1053/tcp
172.16.2.10 1055/tcp
172.16.2.10 1089/tcp
172.16.2.10 1104/tcp
172.16.2.10 1107/tcp
172.16.2.10 1198/tcp
172.16.2.10 1200/tcp
172.16.2.10 1247/tcp
172.16.2.10 1249/tcp
172.16.2.10 3372/tcp
172.16.2.10 3389/tcp - MS Terminal Server
172.16.2.10 4277/tcp
Scan finished at Fri Feb 22 00:55:48 2002
Time taken: 65535 ports in 318.138 secs (206.00 ports/sec)

XGEN: TCP/UDP Ports Used By Exchange 2000 Server (Q278339)


Port and Process Mappings
  • Useful tools:
    • FPORT.EXE (from www.foundstone.com)
    • TLIST.EXE /S (from the Windows 2000 installation CD, \Support directory)


fport.exe

FPort v1.31 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Securing the dot com world

Pid Process Port Proto Path
1028 inetinfo -> 25 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 80 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 110 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 119 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
512 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
1028 inetinfo -> 143 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 443 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
8 System -> 445 TCP
1028 inetinfo -> 563 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
512 svchost -> 593 TCP C:\WINNT\system32\svchost.exe
1028 inetinfo -> 691 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 993 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 995 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
264 lsass -> 1032 TCP C:\WINNT\system32\lsass.exe
264 lsass -> 1033 TCP C:\WINNT\system32\lsass.exe
600 msdtc -> 1048 TCP C:\WINNT\System32\msdtc.exe
860 MSTask -> 1049 TCP C:\WINNT\system32\MSTask.exe
1044 mad -> 1053 TCP C:\Program Files\Exchsrvr\bin\mad.exe
1044 mad -> 1055 TCP C:\Program Files\Exchsrvr\bin\mad.exe


tlist.exe /s

0 System Process
8 System
172 SMSS.EXE
200 CSRSS.EXE
224 WINLOGON.EXE
252 SERVICES.EXE Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
264 LSASS.EXE Svcs: Netlogon,NtLmSsp,PolicyAgent,SamSs
368 termsrv.exe Svcs: TermService
512 svchost.exe Svcs: RpcSs
540 SPOOLSV.EXE Svcs: Spooler
600 msdtc.exe Svcs: MSDTC
748 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,SENS
764 LLSSRV.EXE Svcs: LicenseService
808 regsvc.exe Svcs: RemoteRegistry
840 LOCATOR.EXE Svcs: RpcLocator
860 mstask.exe Svcs: Schedule
944 WinMgmt.exe Svcs: WinMgmt
1000 dfssvc.exe Svcs: Dfs
1028 inetinfo.exe Svcs: IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC
1044 MAD.EXE Svcs: MSExchangeSA
1076 mssearch.exe Svcs: MSSEARCH
1524 STORE.EXE Svcs: MSExchangeIS
1556 EMSMTA.EXE Svcs: MSExchangeMTA
2360 CSRSS.EXE Title:
2384 WINLOGON.EXE Title: NetDDE Agent
2464 rdpclip.exe Title: CB Monitor Window
2508 explorer.exe Title: Program Manager
2560 mshta.exe Title: Windows 2000 Configure Your Server
2580 svchost.exe Svcs: TapiSrv
2652 mdm.exe Title: OleMainThreadWndName
2736 CMD.EXE Title: C:\WINNT\System32\cmd.exe - tlist /s
976 notepad.exe Title: fport - Notepad
768 TLIST.EXE

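As an added example (not part of the slides), the script below does the port-to-process-to-service join that the two listings above invite you to do by hand: it parses fport output, joins on PID with the tlist /s service list, and flags the listeners the later "turn off what you don't need" slide asks you to question. The sample lines are constructed excerpts of the listings above; the OPTIONAL table and function names are mine.

```python
import re

# Constructed excerpts of the fport.exe and tlist.exe /s listings shown above
FPORT_SAMPLE = r"""
1028 inetinfo -> 25 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 110 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 143 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
512 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 445 TCP
1044 mad -> 1053 TCP C:\Program Files\Exchsrvr\bin\mad.exe
"""
TLIST_SAMPLE = """
8 System
512 svchost.exe Svcs: RpcSs
1028 inetinfo.exe Svcs: IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC
1044 MAD.EXE Svcs: MSExchangeSA
"""

FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)(?:\s+(.*))?$")
TLIST_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+Svcs:\s*(\S+))?")

# Listeners the "turn off what you don't need" slide asks you to question (assumed table)
OPTIONAL = {110: "POP3", 143: "IMAP", 119: "NNTP", 563: "NNTP/SSL",
            993: "IMAP/SSL", 995: "POP3/SSL"}

def parse_fport(text):
    """fport lines -> list of (pid, process, port, proto); path is ignored."""
    rows = []
    for line in text.splitlines():
        m = FPORT_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return rows

def parse_tlist(text):
    """tlist /s lines -> {pid: [service names hosted by that process]}."""
    svcs = {}
    for line in text.splitlines():
        m = TLIST_RE.match(line.strip())
        if m:
            svcs[int(m.group(1))] = m.group(3).split(",") if m.group(3) else []
    return svcs

def map_ports(fport_text, tlist_text):
    """Join on PID: {port: (process, [services], review note or "")}."""
    svcs = parse_tlist(tlist_text)
    return {port: (proc, svcs.get(pid, []), OPTIONAL.get(port, ""))
            for pid, proc, port, _proto in parse_fport(fport_text)}

def review_candidates(mapping):
    """Ports whose protocol the slides say to disable if it is not needed."""
    return sorted(p for p, (_, _, note) in mapping.items() if note)
```

Because inetinfo.exe hosts SMTP, POP3, IMAP4, NNTP and W3SVC in one process, the PID join only narrows a port to that set of services; the port number itself tells you which one to disable.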

Exchange 2000

Some Security related changes from 5.5 to 2000

  • SMTP relay disabled
  • Rights to the Mailbox
    • Admin is DENIED access to mailboxes (by default), but easily changed
    • “Exchange Domain Servers” group full access
    • %COMPUTERNAME%$ full access
  • No more Service Account
    • Your LSA Secrets are safe…


Exchange 2000

Secure Administration – Lock it down

  • Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp
    • Disable unnecessary services and ports
    • Enable Auditing
    • Rename local Admin account and enable a strong password
    • ACL and monitor critical Registry keys
  • Watch event logs for failed login attempts


Exchange 2000

Secure Administration - Roles

  • Administrative Roles
    • Exchange Administrator
    • Exchange Full Administrator
    • Exchange View Only Administrator
    • XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 (Q262054) http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262054
  • Delegation Wizard
    • Use to add/edit Admin roles


Exchange 2000

The All-Powerful Exchange Domain Servers Group

  • XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group (Q313807)


Exchange 2000

Secure Administration – Security Permissions Page

  • Registry Hack
    • To show the security tab in System Manager:
      HKCU\Software\Microsoft\Exchange\ExAdmin
      Value: ShowSecurityPage
      Data: 1 (REG_DWORD)
    • XADM: Security Tab Not Available on All Objects in System Manager (Q259221)


Exchange 2000

Securing File Shares

  • Security of Shares
    • Tracking Logs: the %COMPUTERNAME%.log share contains user information such as email addresses and usernames.
    • EVERYONE or Authenticated Users can read by default


Exchange 2000

Secure Administration - TURN OFF WHAT YOU DON’T NEED

  • Disable unnecessary services and protocols
    • For both Exchange and Windows
    • Do you need POP3? IMAP? HTTP?
    • Do you need the Alerter service? Messenger? DHCP client?


Exchange 2000

System Policies

  • System Policies
    • Server policy
    • Mailbox policy
    • Public Folder policy


Exchange 2000

Malware - Virus, trojan and worm protection

  • Use SMTP content filter for Internet email
    • Use a separate host or a firewall for SMTP relay
    • Catch incoming/outgoing malware elsewhere, and relieve your Exchange server of the load
  • Virus protection in the Information Store
    • Well, some viruses originate within, so you still need protection.
    • Several server-based virus scanners will protect the store (e.g. MailSecurity by GFI, Trend Micro, Sybari Antigen, NAI GroupShield)
  • Virus protection on the client


Exchange and Outlook

Malware – Protection in Outlook

  • Prevent scripts and active content from running on your users’ workstations
    • Set the Security Zone in Outlook to “Restricted Sites” – under Tools > Options > Security
  • Keep up-to-date with latest MS Outlook and Internet Explorer patches and security hotfixes


Outlook Web Access

Installation and Design Considerations

  • General OWA security
    • Lock down IIS
      • Security checklists: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp
      • IISLock.exe
    • Definitely use SSL
    • Decide on Front-end vs. Back-end model. Must read: http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2KFrontBack.asp
  • Front-End server: isolate it even in the DMZ (it should only communicate with the Exchange BE server and an AD DC)
    • Intranet Firewall between Front End and Back End
    • Use STATIC RPC ports: http://support.microsoft.com/support/kb/articles/q224/1/96.asp


Secure Network Diagram


Firewalls

DENY everything. Only allow what you need!

Internet firewall
  • DENY ALL incoming and outgoing
  • Allow only what you need! For example:
    • Incoming from Internet, allow:
      • TCP port 443 (HTTPS)
      • TCP port 25 (SMTP)
      • TCP/UDP port 53 (DNS)
    • Outgoing, allow:
      • Only established connections

Intranet
  • Assign static RPC ports to the Exchange Server

DMZ firewall
  • DENY ALL incoming and outgoing
  • Allow only what you need! For example:
    • Incoming from DMZ, allow:
      • TCP port 80 (HTTP)
      • TCP/UDP port 88 (Kerberos)
      • TCP/UDP port 53 (DNS)
      • TCP/UDP port 389 (LDAP)
      • TCP port 3268 (GC)
      • TCP port 135 (endpoint mapper)
      • TCP port 1025 (optional RPC static port)
      • TCP port 445 (SMB/CIFS)
    • Outgoing, allow:
      • Only established connections

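As an added example (not from the slides), this script checks the back-end server's open ports from the earlier fscan listing against the deny-all plus allow-list policy on this slide, so you can see which listeners the DMZ firewall still exposes to the front-end and which unnamed high ports are the dynamic RPC endpoints that motivate pinning a static RPC port. The rule sets are transcribed from the slide; the scan excerpt, zone names and function names are constructed.

```python
import re

# Constructed excerpt of the fscan output shown earlier (back-end server 172.16.2.10)
FSCAN_SAMPLE = """
172.16.2.10 25/tcp - SMTP
172.16.2.10 80/tcp - HTTP
172.16.2.10 135/tcp - RPC/DCE endpoint mapper
172.16.2.10 139/tcp - NetBIOS session service
172.16.2.10 445/tcp - Microsoft SMB/CIFS
172.16.2.10 1048/tcp
172.16.2.10 3389/tcp - MS Terminal Server
"""

# Inbound allow rules per firewall, as listed on the slide; anything absent is denied
ALLOW = {
    "internet": {("tcp", 443), ("tcp", 25), ("tcp", 53), ("udp", 53)},
    "dmz": {("tcp", 80), ("tcp", 88), ("udp", 88), ("tcp", 53), ("udp", 53),
            ("tcp", 389), ("udp", 389), ("tcp", 3268), ("tcp", 135),
            ("tcp", 1025), ("tcp", 445)},
}
STATIC_RPC_PORT = 1025  # the slide's optional static RPC port

SCAN_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)(?:\s+-\s+(.*))?$")

def parse_fscan(text):
    """fscan lines -> list of (proto, port, service label or 'unknown')."""
    ports = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            ports.append((m.group(3), int(m.group(2)), m.group(4) or "unknown"))
    return ports

def allowed(firewall, proto, port):
    """Default-deny lookup: only an explicit allow entry lets traffic through."""
    return (proto, port) in ALLOW[firewall]

def classify(text, firewall):
    """Split the scanned ports into reachable-through-firewall and blocked,
    and separately list unnamed high ports (dynamic RPC endpoints)."""
    reachable, blocked, dynamic = [], [], []
    for proto, port, svc in parse_fscan(text):
        (reachable if allowed(firewall, proto, port) else blocked).append(port)
        # An unlabelled port above 1024 that is not the pinned static port is an
        # ephemeral RPC endpoint; it cannot be allowed through a static rule set
        if svc == "unknown" and port > 1024 and port != STATIC_RPC_PORT:
            dynamic.append(port)
    return {"reachable": reachable, "blocked": blocked, "dynamic_rpc": dynamic}
```

The "internet" rule set applies in front of the OWA front-end, not the back-end; classifying the back-end scan against it only shows how little a DENY ALL policy leaves open.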

Exchange 2000 Vulnerabilities
  • February 2002 - MS02-003: Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions http://archives.neohapsis.com/archives/vendor/2002-q1/0023.html
  • September 2001 - MS01-049: Deeply-nested OWA Request Can Consume Server CPU Availability
  • August 2001 - MS01-043: NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak
  • July 2001 - MS01-041: Malformed RPC Request Can Cause Service Failure
  • June 2001 - MS01-030: Incorrect Attachment Handling in Exchange OWA Can Execute Script
  • March 2001 - MS01-014: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000
  • November 2000 - MS00-088: Exchange User Account Vulnerability


The Windows OS

The FOUNDATION of Exchange

  • Security is a pyramid
  • Exchange security depends on the OS security
    • Follow checklists and best practices available from www.microsoft.com/security as well as many third parties like SANS (www.sans.org)
    • Ensure new OS and Exchange installs are hardened before they are placed into production
    • Don’t let unnecessary services and software run!
    • Keep up-to-date on latest MS Service Packs and security hotfixes


Exchange 2000

Additional Thoughts

  • SMTP replication in clear text!!!
    • Use IPSec with encryption parameters to protect this traffic
  • Public Folders
    • EVERYONE group can add new folders by default
  • Event Sinks
    • XCCC: Script Host Sink Is Not Registered on Exchange 2000 Server by Default (Q264995)
    • http://www.outlookexchange.com/articles/glenscales/wssevtar.asp by Glen Scales


References
  • Exchange

http://www.microsoft.com/exchange

http://www.microsoft.com/security

http://www.slipstick.com

http://www.msexchange.org

http://www.labmice.net

  • IPSec

http://www.securityfocus.com/infocus/1519


The End


Securing Exchange 2000

Chris Weber

[email protected]

http://www.foundstone.com

http://www.privacydefended.com
