Exchange Server 2003 Security


Presentation Transcript


    1. Exchange Server 2003 Security Name: Thomas de Klerk Role: Trainer/Consultant Company: Info Support E-mail: thomask@infosupport.com

    2. Agenda Implementing Exchange Security Securing Exchange Server Services and Messaging Protocols Maintaining Security on Exchange Server Configuring Exchange to Protect Against Unwanted E-mail Securing Access to Exchange Using ISA Server 2004

    3. Exchange Server 2003 Security Overview Secure by design Secure by default Support for Sender, Recipient and Connection Filtering (Block List Services) Secure by default User logon on server disabled Messaging limits configuration 10 MB Microsoft Exchange Server 2003 Security Enhancements http://www.microsoft.com/exchange/evaluation/security_E2K3.mspx

    4. Exchange Server Deployments General FE/BE deployment ISA Server Integrated

    5. Exchange Server Client Scenarios General Clients: Microsoft Outlook Mobile client access: Outlook Web Access Outlook Mobile Access Exchange Server ActiveSync

    6. Configuration and Security Update Recommendations for Exchange Server Operating system and software: Windows Server 2003 with latest security updates Exchange Server 2003 with SP1 (or higher, SP2 is around the corner) Exchange Intelligent Message Filter Browser: IE 6 with latest security updates Security update management Microsoft Baseline Security Analyzer

    7. Implementing Defense-in-depth Data Application Host Internal Network Perimeter Physical Security Policies, procedures, awareness

    8. Securing Exchange Servers Maintaining the security of the underlying Windows infrastructure Maintain baseline security hardening practices Understanding security options for various deployment scenarios

    9. Hardening the Messaging Environment Server environment Domain, DC and Member Server Baseline policies Windows Server 2003 Security Guide http://go.microsoft.com/fwlink/?linkId=21638 Exchange Domain Controller Baseline Policy template Messaging Environment Exchange Server 2003 Security Hardening Guide http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx

    10. Exchange Security Templates

    11. Hardening Back-End Exchange Servers Tasks include: Hardening Services Hardening ACLs Changing privileges and user rights Enabling additional services (optional) Apply the Exchange 2003 Backend.inf security template to your back-end servers

    12. Hardening Front-End Exchange Servers Tasks include: Hardening Services Hardening ACLs Enabling additional services (optional) Running URLScan (optional but recommended) Dismounting the mailbox store and deleting the public folder store Apply the Exchange 2003 frontend.inf security template to your front-end servers

    13. Understanding SMTP Relaying SMTP Relaying: When an SMTP server accepts mail from one domain addressed to mailboxes in another domain, neither of which the server owns Needed when: Accepting mail for another organization Serving POP3 or IMAP4 clients Supporting applications that generate SMTP mail Prevent open relays by: Allowing only authenticated computers to relay Restricting relaying to specific computers or users Using an SMTP connector to relay to particular domains

    14. Demo SMTP Relay

    15. Securing SMTP Communication Between Mail Servers Install and configure X.509 certificate Enable TLS encryption for inbound mail Enable and configure TLS for outbound mail to specific domains

    16. Securing Exchange Servers Limit Exchange Server functionality to what clients strictly require Remain current with the latest updates for both Exchange and the OS Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3 and IMAP4 traffic Use SSL/TLS and forms-based authentication for Outlook Web Access

    17. Maintaining Security on Exchange Server Keeping up with the latest security updates Keeping up with recommended best practices Understanding the impact of configuring various options within Exchange Server Documenting configuration and security settings

    18. Analyzing Exchange Server 2003 Using the Microsoft Baseline Security Analyzer MBSA checks for issues related to the following: Known Windows and Internet Explorer security issues Missing security updates Weak account passwords IIS security issues SQL Server security issues Exchange Server security issues

    19. Validate Exchange Server Configuration Settings ExBPA can examine your Exchange servers to: Generate a list of issues, such as misconfigurations or unsupported or non-recommended options Judge the general health of a system Help troubleshoot specific problems

    20. What Are the Exchange Options for Limiting Unwanted E-mail Recipient filtering Sender filtering Connection filtering Microsoft Exchange Intelligent Message Filter (IMF)

    21. Demo 2 ExBPA Filtering

    22. Implementing Antivirus Protection on Exchange Server Consider the following when designing and implementing an antivirus solution: Design a defense-in-depth approach Implement an antivirus scanner that supports AVAPI 2.5 Prevent file-based scanning of Exchange Server folders

    23. Securing Access to Exchange Using ISA Server 2004 Outlook Web Access RPC over HTTPS Network designs

    24. Security issues HTTPS is the transport Intrusion detection? Conformance to email policy? OWA 2000 has no session timeout Fixed in OWA 2003 Forms authentication—cookie for session Check the lock – then check the certificate? What threat does the cookie fix? Oh, and keystroke loggers!!

    25. Typical Design Good: ↑ performance Separates protocol from message store Network protection Bad: ↓ security Tunnel through outside firewall: no inspection Many holes in inside firewall for authentication Anonymous initial connections to OWA

    26. Improving OWA security Security goals Inspect SSL traffic Maintain wire privacy Enforce conformance to HTML/HTTP Allow only known URL construction Block URL-borne attacks Optionally Pre-authenticate incoming connections

    27. Protect OWA with ISA Server ISA Server becomes the “bastion host” Web proxy terminates all connections Decrypts HTTPS Inspects content Inspects URL (with URLScan) Re-encrypts for delivery to OWA

    28. Protect OWA with ISA Server Better user authentication Easy authentication to Active Directory Pre-authenticate communications ISA Server queries user for credentials Verifies against AD Embeds in HTTP headers to OWA Avoids second prompt!

    29. URLScan 2.5 Policy-based URL evaluation Define what’s allowed; drop everything else Helps protect from attacks that— Request unusual actions Have a large number of characters Are encoded using an alternate character set Can be used in conjunction with SSL inspection to detect attacks over SSL

    30. ISA Server 2004 RADIUS support Permits standalone servers to do authentication delegation Forms-based authentication ISA Server presents form and generates cookie Separate timeouts for public and private computers Attachment controls Block/allow on public or private computers HTTP policies on publishing rules Built-in URLScan-type behavior

    31. New delegation process

    32. Exchange RPC on the internet Many users require full Outlook Third-party plugins Mailbox synchronization Client-side rules Complete address book VPNs are too costly if this is the only requirement or not available

    33. Design choices Run it naked Assign the RPC ports Use RPC over HTTP Publish with ISA Server

    34. RPC connection setup

    35. Potential RPC attacks Reconnaissance NETSTAT RPCDump DoS against portmapper Privilege escalation or other specific service attacks

    36. New in Exchange 2003 Result of high customer demand Useful All firewalls allow 80/tcp and 443/tcp Enables access from any location No special firewall setup required

    37. RPC proxy New component ISAPI extension Relies on IIS for basic authentication So: HTTPS, riiiight? Sets up RPC session after authentication Inside HTTP, otherwise known as… Terminates incoming RPC-over-HTTP Decapsulates RPC Passes to back-end Exchange server Run on same machine as OWA FE

    38. RPC proxy in action

    39. Authentication methods HTTP basic authN only Over SSL, please! Others not supported in Outlook 2003 SecurID No dialog to ask for PIN Exchange can’t proxy to ACE/Server RADIUS Client certificates Possible with true Kerberos constrained delegation on RPC proxy

    40. Already pretty secure Successful basic authN required before any operations can commence Second Outlook-Exchange authN is transparent if cached credentials are on machine Is secure from RPC-borne attacks Attackers could write HTTP wrappers for RPC attack tools But would need to get past IIS authN

    41. Could be better… Simply running RPC over HTTP doesn’t solve all the problems No inner protocol awareness in firewall No inspection if HTTPS

    42. Publish with ISA Server Move RPC proxy to corp net Just like we did for OWA Web publish RPC proxy Destination set with /rpc/* SSL bridging (“regeneration”) URLScan AuthN delegation probably not necessary

    43. Exchange RPC filter Intimately aware of— How Exchange RPC connections establish What the proper protocol format is Allows only Exchange RPC UUIDs Enforces client authentication Can optionally enforce encryption Supports new mail notification

    44. Published RPC interfaces
        {99E64010-B032-11D0-97A4-00C04FD6551D}: "Store admin (1)"
        {89742ACE-A9ED-11CF-9C0C-08002BE7AE86}: "Store admin (2)"
        {A4F1DB00-CA47-1067-B31E-00DD010662DA}: "Store admin (3)"
        {A4F1DB00-CA47-1067-B31F-00DD010662DA}: "Store EMSMDB"
        {9E8EE830-4459-11CE-979B-00AA005FFEBE}: "MTA"
        {1A190310-BB9C-11CD-90F8-00AA00466520}: "Database"
        {F5CC5A18-4264-101A-8C59-08002B2F8426}: "Directory NSP"
        {F5CC5A7C-4264-101A-8C59-08002B2F8426}: "Directory XDS"
        {F5CC59B4-4264-101A-8C59-08002B2F8426}: "Directory DRS"
        {38A94E72-A9BC-11D2-8FAF-00C04fA378FF}: "MTA 'QAdmin'"
        {0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE}: "Information Store (1)"
        {1453C42C-0FA6-11D2-A910-00C04F990F3B}: "Information Store (2)"
        {10F24E8E-0FA6-11D2-A910-00C04F990F3B}: "Information Store (3)"
        {1544F5E0-613C-11D1-93DF-00C04FD7BD09}: "Directory RFR"
        {F930C514-1215-11D3-99A5-00A0C9B61B04}: "System Attendant Cluster"
        {83D72BF0-0D89-11CE-B13F-00AA003BAC6C}: "System Attendant Private"
        {469D6EC0-0D87-11CE-B13F-00AA003BAC6C}: "System Attendant Public Interface"
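Slides 43 and 44 say the ISA Server Exchange RPC filter "allows only Exchange RPC UUIDs"; the following added example (not code from the deck or from ISA Server) shows what that check looks like at the wire level: it parses the presentation-context list of a DCE RPC v5 bind PDU and accepts the bind only if every requested interface UUID is in the table from slide 44. The allow-list here is a subset of that slide, the sample bind PDU is constructed for the demo, and the unknown UUID in the comment is a placeholder.

```python
import struct
import uuid

# Exchange RPC interface UUIDs and names from slide 44 (a subset; the other
# entries on that slide are added to this table the same way).
EXCHANGE_RPC_UUIDS = {
    uuid.UUID("A4F1DB00-CA47-1067-B31F-00DD010662DA"): "Store EMSMDB",
    uuid.UUID("F5CC5A18-4264-101A-8C59-08002B2F8426"): "Directory NSP",
    uuid.UUID("1544F5E0-613C-11D1-93DF-00C04FD7BD09"): "Directory RFR",
    uuid.UUID("0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE"): "Information Store (1)",
}
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # standard NDR transfer syntax

def bind_interfaces(pdu: bytes) -> list:
    """Return the interface UUIDs requested by a DCE RPC v5 bind PDU (ptype 11)."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != 11:
        raise ValueError("not a DCE RPC v5 bind PDU")
    if struct.unpack_from("<H", pdu, 8)[0] != len(pdu):  # frag_length must match PDU size
        raise ValueError("frag_length does not match PDU size")
    n_ctx, off, ifaces = pdu[24], 28, []
    # Each context element: id(2) n_syntax(1) pad(1) uuid(16) version(4), then 20 bytes per syntax.
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context list")
        ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
        off += 24 + 20 * pdu[off + 2]
    return ifaces

def filter_bind(pdu: bytes) -> tuple:
    """Allow the bind only if every requested interface is a published Exchange interface."""
    try:
        ifaces = bind_interfaces(pdu)
    except ValueError as err:
        return False, f"rejected: {err}"
    for iface in ifaces:
        if iface not in EXCHANGE_RPC_UUIDS:
            return False, f"rejected: non-Exchange interface {iface}"
    return True, "allowed: " + ", ".join(EXCHANGE_RPC_UUIDS[i] for i in ifaces)

def build_bind(iface: str, call_id: int = 1) -> bytes:
    """Constructed sample bind PDU for one interface over NDR, used only for the demo."""
    ctx = (struct.pack("<HBB", 0, 1, 0) + uuid.UUID(iface).bytes_le + struct.pack("<HH", 0, 0)
           + NDR_SYNTAX.bytes_le + struct.pack("<I", 2))
    body = struct.pack("<HHIBBH", 5840, 5840, 0, 1, 0, 0) + ctx  # frag sizes, assoc group, 1 context
    hdr = struct.pack("<BBBBIHHI", 5, 0, 11, 0x03, 0x10, 16 + len(body), 0, call_id)
    return hdr + body

if __name__ == "__main__":
    print(filter_bind(build_bind("A4F1DB00-CA47-1067-B31F-00DD010662DA")))
    print(filter_bind(build_bind("00000000-0000-0000-0000-000000000001")))  # placeholder, not Exchange
```

A real filter also has to track the endpoint-mapper exchange described on slides 45 and 46 so that only the returned Exchange ports are ever reachable; this block covers the UUID check alone.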

    45. Filter operation Client connects to filter’s “portmapper” Runs as part of filter Responds only to requests for Exchange RPC Not actually an (exploitable) portmapper ISA Server returns filter’s Exchange RPC port numbers Client makes new connection

    46. Filter operation ISA Server connects to Exchange’s portmapper Exchange returns port numbers ISA Server makes new connection

    47. Filter operation Client logs on to Exchange Exchange proxies logon to Active Directory Need “No RFR Service” key to make this happen: KB 302914 Filter watches for approval Filter checks whether encryption is on, if required Client mailbox opens

    48. Protects from RPC attacks Reconnaissance? NETSTAT shows only 135/tcp RPCDump simply fails DoS against portmapper? Known attacks fail Successful attack leaves Exchange protected Service attacks? No reconnaissance info available ISA Server-to-Exchange connections fail unless prior client-to-ISA Server connection is correctly formatted

    49. Recommended design Recall typical design

    50. New requirements, new designs Move critical servers inside for better protection Add ISA Server to your existing DMZ Increase security by publishing: Exchange RPC OWA over HTTPS RPC over HTTPS SMTP (content filter)

    51. Standalone ISA Server 2004 in DMZ Forms-based client authN RADIUS for basic delegation Open firewall accordingly ISA Server 2004 and Exchange 2003

    52. Next steps Consider your risk— What do you have? What are you comfortable with? Consider the way attacks are evolving Ports mean nothing Attacks look like legitimate traffic Evaluate and deploy ISA Server for all current and future Exchange installations

    53. Around the corner SP 2 (mobility focus) Direct push to mobile devices Control and security Policy settings: force a password to unlock the device; local wipe (reset the password) after x failed login attempts; remote wipe Support for certificate-based authentication Support for S/MIME Support for Sender ID e-mail authentication

    54. Complete guide to Exchange 2003 security Covers OWA, OMA/EAS, S/MIME, installation, auditing, and hardening Covers archiving, compliance, legal issues
