
Securing Exchange 2000

Trustworthy Exchanges and the Art of doing it yourself

Chris Weber

chris.weber@foundstone.com

http://www.foundstone.com

http://www.privacydefended.com


Synopsis

  • Focused on single backend Exchange Server with front-end OWA server

  • Hacking Exchange

    • Scanning

    • Enumerating

    • Attacking

  • The Exchange Application

    • Secure Administration

    • System Policies

    • Malware

    • OWA

    • Known Vulnerabilities

  • Other Fundamental Considerations

    • IIS 5.0

    • Windows OS

    • Network

Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com


What is not covered

  • A lot!

    • Connectors and Replication

    • Internet POP3/SMTP clients like Outlook Express

    • Backups

    • Monitoring and status notifications

    • PKI

Security Policy

  • Organizational security policies should be in place to guide daily actions.

  • Never start configuring without having a “management supported” plan in place.

Secure Network Diagram

Hacking Exchange 2000

  • Why Hack Exchange?

    • Learn host configuration information

    • Learn of hidden Public Folders

    • Glean User account names and email addresses

  • Information Gathering

    • Network port scan

    • Server enumeration

      • NetBIOS

      • LDAP

      • RPC

    • User and configuration enumeration

      • LDAP with Null session

      • NetBIOS with Null session

    • Pilfering shares

      • Tracking logs

  • Launching an attack

    • Aiming for admin access

Hacking Exchange 2000

LDAP exposes Users and Public Folders hidden from the Exchange Address Lists


Port Scan

D:\tools>fscan -p 1-65535 -z 128 exchange
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

Scan started at Fri Feb 22 00:50:30 2002
172.16.2.10 25/tcp - SMTP
172.16.2.10 80/tcp - HTTP
172.16.2.10 119/tcp - NNTP
172.16.2.10 135/tcp - RPC/DCE endpoint mapper
172.16.2.10 139/tcp - NetBIOS session service
172.16.2.10 143/tcp - IMAP
172.16.2.10 443/tcp - HTTPS
172.16.2.10 445/tcp - Microsoft SMB/CIFS
172.16.2.10 563/tcp - NNTP/SSL
172.16.2.10 593/tcp - HTTP RPC endpoint mapper
172.16.2.10 691/tcp - SMTP/LSA
172.16.2.10 993/tcp
172.16.2.10 995/tcp - POP/SSL
172.16.2.10 1048/tcp
172.16.2.10 1049/tcp
172.16.2.10 1053/tcp
172.16.2.10 1055/tcp
172.16.2.10 1089/tcp
172.16.2.10 1104/tcp
172.16.2.10 1107/tcp
172.16.2.10 1198/tcp
172.16.2.10 1200/tcp
172.16.2.10 1247/tcp
172.16.2.10 1249/tcp
172.16.2.10 3372/tcp
172.16.2.10 3389/tcp - MS Terminal Server
172.16.2.10 4277/tcp
Scan finished at Fri Feb 22 00:55:48 2002
Time taken: 65535 ports in 318.138 secs (206.00 ports/sec)

XGEN: TCP/UDP Ports Used By Exchange 2000 Server (Q278339)

Port and Process Mappings

  • Useful tools:

    • FPORT.EXE (from www.foundstone.com)

    • TLIST.EXE /S (from Windows 2000 installation CD \Support directory)


fport.exe

FPort v1.31 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Securing the dot com world

Pid Process Port Proto Path
1028 inetinfo -> 25 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 80 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 110 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 119 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
512 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
8 System -> 139 TCP
1028 inetinfo -> 143 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 443 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
8 System -> 445 TCP
1028 inetinfo -> 563 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
512 svchost -> 593 TCP C:\WINNT\system32\svchost.exe
1028 inetinfo -> 691 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 993 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 995 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
264 lsass -> 1032 TCP C:\WINNT\system32\lsass.exe
264 lsass -> 1033 TCP C:\WINNT\system32\lsass.exe
600 msdtc -> 1048 TCP C:\WINNT\System32\msdtc.exe
860 MSTask -> 1049 TCP C:\WINNT\system32\MSTask.exe
1044 mad -> 1053 TCP C:\Program Files\Exchsrvr\bin\mad.exe
1044 mad -> 1055 TCP C:\Program Files\Exchsrvr\bin\mad.exe

tlist.exe /s

0 System Process
8 System
172 SMSS.EXE
200 CSRSS.EXE
224 WINLOGON.EXE
252 SERVICES.EXE Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi
264 LSASS.EXE Svcs: Netlogon,NtLmSsp,PolicyAgent,SamSs
368 termsrv.exe Svcs: TermService
512 svchost.exe Svcs: RpcSs
540 SPOOLSV.EXE Svcs: Spooler
600 msdtc.exe Svcs: MSDTC
748 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,SENS
764 LLSSRV.EXE Svcs: LicenseService
808 regsvc.exe Svcs: RemoteRegistry
840 LOCATOR.EXE Svcs: RpcLocator
860 mstask.exe Svcs: Schedule
944 WinMgmt.exe Svcs: WinMgmt
1000 dfssvc.exe Svcs: Dfs
1028 inetinfo.exe Svcs: IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC
1044 MAD.EXE Svcs: MSExchangeSA
1076 mssearch.exe Svcs: MSSEARCH
1524 STORE.EXE Svcs: MSExchangeIS
1556 EMSMTA.EXE Svcs: MSExchangeMTA
2360 CSRSS.EXE Title:
2384 WINLOGON.EXE Title: NetDDE Agent
2464 rdpclip.exe Title: CB Monitor Window
2508 explorer.exe Title: Program Manager
2560 mshta.exe Title: Windows 2000 Configure Your Server
2580 svchost.exe Svcs: TapiSrv
2652 mdm.exe Title: OleMainThreadWndName
2736 CMD.EXE Title: C:\WINNT\System32\cmd.exe - tlist /s
976 notepad.exe Title: fport - Notepad
768 TLIST.EXE
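
The two listings answer different questions (fport: which PID owns a port; tlist /s: which services run inside a PID), so joining them on PID shows which service to disable to close a given listener. The following is an added example, not part of the original presentation; the sample rows are a subset of the output above, and the `PORT_HINT` table and all function names are assumptions.

```python
import re

# Rows copied from the fport and tlist /s output on this page (subset).
FPORT = r"""
1028 inetinfo -> 25 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 110 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1028 inetinfo -> 119 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
512 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
1028 inetinfo -> 143 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
8 System -> 445 TCP
1028 inetinfo -> 995 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
"""
TLIST = r"""
8 System
512 svchost.exe Svcs: RpcSs
1028 inetinfo.exe Svcs: IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC
2736 CMD.EXE Title: C:\WINNT\System32\cmd.exe - tlist /s
"""
# Assumption (not from the page): standard port numbers for these services.
PORT_HINT = {25: "SMTPSVC", 80: "W3SVC", 443: "W3SVC", 110: "POP3Svc", 995: "POP3Svc",
             143: "IMAP4Svc", 993: "IMAP4Svc", 119: "NntpSvc", 563: "NntpSvc"}
FPORT_ROW = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\b")
TLIST_ROW = re.compile(r"^(\d+)\s+(\S+)(?:\s+Svcs:\s*(\S+))?")

def parse_fport(text):
    """[(pid, process, port, proto)] for every listener row; other lines are skipped."""
    hits = (FPORT_ROW.match(l.strip()) for l in text.splitlines())
    return [(int(m[1]), m[2], int(m[3]), m[4]) for m in hits if m]

def parse_tlist(text):
    """{pid: [service names]}; a process hosting no service maps to []."""
    hits = (TLIST_ROW.match(l.strip()) for l in text.splitlines())
    return {int(m[1]): (m[3].split(",") if m[3] else []) for m in hits if m}

def ports_by_service(fport_text, tlist_text):
    """Join on PID; a port counts for a service only if its owning PID hosts it."""
    hosted = parse_tlist(tlist_text)
    result = {}
    for pid, proc, port, _proto in parse_fport(fport_text):
        svc = PORT_HINT.get(port)
        # Unknown port, or a well-known port held by an unexpected process.
        key = svc if svc in hosted.get(pid, []) else f"{pid}:{proc}"
        result.setdefault(key, []).append(port)
    return result

def ports_to_close(fport_text, tlist_text, unneeded):
    """Listening ports attributed to the services named in `unneeded`."""
    by_svc = ports_by_service(fport_text, tlist_text)
    return {s: sorted(by_svc[s]) for s in unneeded if s in by_svc}
```

A well-known port that turns up under a `pid:process` key instead of a service name is held by a process that does not host the expected service, which is worth investigating on its own.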

Exchange 2000

Some Security related changes from 5.5 to 2000

  • SMTP relay disabled

  • Rights to the Mailbox

    • Admin is DENIED access to mailboxes (by default), but easily changed

    • “Exchange Domain Servers” group full access

    • %COMPUTERNAME%$ full access

  • No more Service Account

    • Your LSA Secrets are safe…

Exchange 2000

Secure Administration – Lock it down

  • Security Checklist: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp

    • Disable unnecessary services and ports

    • Enable Auditing

    • Rename local Admin account and enable a strong password

    • ACL and monitor critical Registry keys

  • Watch event logs for failed login attempts

Exchange 2000

Secure Administration - Roles

  • Administrative Roles

    • Exchange Administrator

    • Exchange Full Administrator

    • Exchange View Only Administrator

    • XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 (Q262054) http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262054

  • Delegation Wizard

    • Use to add/edit Admin roles

Exchange 2000

The All-Powerful Exchange Domain Servers Group

  • XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group (Q313807)

Exchange 2000

Secure Administration – Security Permissions Page

  • Registry Hack

    • To show the security tab in System Manager

      HKCU\Software\Microsoft\Exchange\ExAdmin

      Value: ShowSecurityPage

      Data: 1 (REG_DWORD)

    • XADM: Security Tab Not Available on All Objects in System Manager (Q259221)

Exchange 2000

Securing File Shares

  • Security of Shares

    • Tracking Logs: %COMPUTERNAME%.log (contain user information such as email addresses and usernames)

    • EVERYONE or Authenticated Users can read by default

Exchange 2000

Secure Administration - TURN OFF WHAT YOU DON’T NEED

  • Disable unnecessary services and protocols

    • For both Exchange and Windows

    • Do you need POP3? IMAP? HTTP?

    • Do you need the Alerter service? Messenger? DHCP client?

Exchange 2000

System Policies

  • System Policies

    • Server policy

    • Mailbox policy

    • Public Folder policy

Exchange 2000

Malware - Virus, trojan and worm protection

  • Use SMTP content filter for Internet email

    • Use a separate host or a firewall for SMTP relay

    • Catch incoming/outgoing malware elsewhere, and relieve your Exchange server of the load

  • Virus protection in the Information Store

    • Well, some viruses originate within, so you still need protection.

    • Several server-based virus scanners will protect (e.g. MailSecurity by GFI, Trend Micro, Sybari Antigen, NAI GroupShield)

  • Virus protection on the client

Exchange and Outlook

Malware – Protection in Outlook

  • Prevent scripts and Active content from running on your user’s workstations

    • Set the Security Zone in Outlook to “Restricted Sites” – under Tools > Options > Security

  • Keep up-to-date with latest MS Outlook and Internet Explorer patches and security hotfixes

Outlook Web Access

Installation and Design Considerations

  • General OWA security

    • Lock down IIS

      • Security checklists http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp

      • IISLock.exe

    • Definitely use SSL

    • Decide on Front-end vs. Back-end model. Must read: http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2KFrontBack.asp

  • Front-End server

    • Isolate it even in the DMZ (it should only communicate with the Exchange BE server and an AD DC)

    • Intranet Firewall between Front End and Back End

    • Use STATIC RPC ports: http://support.microsoft.com/support/kb/articles/q224/1/96.asp

Secure Network Diagram


Firewalls

DENY everything. Only allow what you need!

  • Internet firewall

    • DENY ALL incoming and outgoing

    • Allow only what you need! For example:

    • Incoming from Internet Allow:

      • TCP port 443 (HTTPS)

      • TCP port 25 (SMTP)

      • TCP/UDP port 53 (DNS)

    • Outgoing Allow:

      • Only established connections

  • Intranet

    • Assign static RPC ports to the Exchange Server

  • DMZ firewall

    • DENY ALL incoming and outgoing

    • Allow only what you need! For example:

    • Incoming from DMZ Allow:

      • TCP port 80 (HTTP)

      • TCP/UDP port 88 (Kerberos)

      • TCP/UDP port 53

      • TCP/UDP port 389 (LDAP)

      • TCP port 3268 (GC)

      • TCP port 135 (endpoint mapper)

      • TCP port 1025 (optional RPC static port)

      • TCP port 445 (SMB/CIFS)

    • Outgoing Allow:

      • Only established connections
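
One way to verify a deployed rule set against the allow lists on this slide, as an added example that is not part of the original presentation: it parses fscan-style result rows and reports what answered but is not on the list, and what is on the list but has no listener. The zone names, the `POLICY` layout and the function names are assumptions; the sample rows are a subset of the port scan output shown earlier, standing in for a scan taken through each firewall.

```python
import re

# Inbound allow lists transcribed from the Firewalls slide.
POLICY = {
    "internet": {("tcp", 443), ("tcp", 25), ("tcp", 53), ("udp", 53)},
    "dmz": {("tcp", 80), ("tcp", 88), ("udp", 88), ("tcp", 53), ("udp", 53),
            ("tcp", 389), ("udp", 389), ("tcp", 3268), ("tcp", 135),
            ("tcp", 1025), ("tcp", 445)},
}

# Subset of the fscan output on this page, used as stand-in scan results.
SCAN = """
172.16.2.10 25/tcp - SMTP
172.16.2.10 80/tcp - HTTP
172.16.2.10 135/tcp - RPC/DCE endpoint mapper
172.16.2.10 443/tcp - HTTPS
172.16.2.10 445/tcp - Microsoft SMB/CIFS
172.16.2.10 1053/tcp
172.16.2.10 3389/tcp - MS Terminal Server
"""
SCAN_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)/(tcp|udp)\b")

def parse_scan(text):
    """Return {(proto, port)} for every result row; banner lines are ignored."""
    hits = (SCAN_ROW.match(l.strip()) for l in text.splitlines())
    return {(m[3], int(m[2])) for m in hits if m}

def audit(zone, scan_text):
    """Compare what answered a scan taken from `zone` with that zone's allow list."""
    seen, allowed = parse_scan(scan_text), POLICY[zone]
    scanned = {proto for proto, _ in seen}  # a TCP-only scan says nothing about UDP rules
    return {
        # Answered but not on the list: a rule gap or a missing default deny.
        "reachable_but_not_allowed": sorted(seen - allowed),
        "allowed_and_reachable": sorted(seen & allowed),
        # On the list with nothing listening: candidates for tightening.
        "allowed_but_not_listening": sorted(r for r in allowed - seen if r[0] in scanned),
    }
```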

Exchange 2000 Vulnerabilities

  • * February 2002 * – MS02-003 : Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions http://archives.neohapsis.com/archives/vendor/2002-q1/0023.html

  • September 2001 – MS01-049 : Deeply-nested OWA Request Can Consume Server CPU Availability

  • August 2001 – MS01-043 : NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak

  • July 2001 – MS01-041 : Malformed RPC Request Can Cause Service Failure

  • June 2001 – MS01-030 : Incorrect Attachment Handling in Exchange OWA Can Execute Script

  • March 2001 – MS01-014 : Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000

  • November 2000 – MS00-088 : Exchange User Account Vulnerability

The Windows OS

The FOUNDATION of Exchange

  • Security is a pyramid

  • Exchange security depends on the OS security

    • Follow checklists and best practices available from www.microsoft.com/security as well as many third parties like SANS (www.sans.org)

    • Ensure new OS and Exchange installs are hardened before being placed into production

    • Don’t let unnecessary services and software run!

    • Keep up-to-date on latest MS Service Packs and security hotfixes

Exchange 2000

Additional Thoughts

  • SMTP replication in clear text!!!

    • Use IPSec with encryption parameters to protect this traffic

  • Public Folders

    • EVERYONE group can add new folders by default

  • Event Sinks

    • XCCC: Script Host Sink Is Not Registered on Exchange 2000 Server by Default (Q264995)

    • http://www.outlookexchange.com/articles/glenscales/wssevtar.asp by Glen Scales

References

  • Exchange

    http://www.microsoft.com/exchange

    http://www.microsoft.com/security

    http://www.slipstick.com

    http://www.msexchange.org

    http://www.labmice.net

  • IPSec

    http://www.securityfocus.com/infocus/1519

The End

Ask a Question Now!

Securing Exchange 2000

Chris Weber

chris.weber@foundstone.com

http://www.foundstone.com

http://www.privacydefended.com