
Book giveaway and e-mail notice






Presentation Transcript


1. Book giveaway and e-mail notice
• Please give me a piece of paper with your name for the drawing
• Include your e-mail address or give me a business card if you want:
  • 20% discount code for Directory Update software
  • Notification e-mail when Mastering Exchange Server 2007 is available
• Keep an eye out for Mastering Exchange Server 2007 – due out in late April

2. Are you a Low Hanging Fruit?
Jim McBee, ITCS Hawaii, jim@somorita.com

3. Who is Jim McBee!!??
• Consultant, Writer, MCSE, MVP and MCT – Honolulu, Hawaii (Aloha!)
• Principal clients (Dell, Microsoft, SAIC, Servco Pacific)
• Author – Exchange 2003 24Seven (Sybex)
• Contributor – Exchange and Outlook Administrator
• Blog
  • http://mostlyexchange.blogspot.com
  • http://www.directory-update.com

4. Audience Assumptions
• You have at least a few months of experience running Exchange 5.5, 2000, or 2003
• You have worked with Active Directory
• You can install and configure a Windows 2000 / 2003 server

5. This session’s coverage
• Introduction to me and the topic
• Presentation and demos – about 65 minutes
  • Risks and threats
  • Multiple layers of protection
  • Reducing exposure
  • Best practices and checklists
• Book giveaway – drop off your business card or write your name on a slip of paper
• Questions and answers
  • I’ll try to take questions as they come up as long as this does not slow us down too much.

6. Free eBook
• Tips and Tricks Guide To Secure Messaging eBook
• http://tinyurl.com/kvxhx
• Good follow-up to this presentation

7. Why low hanging fruit?
• “Hackers” go after easy targets
• Most “hackers” are not all that sophisticated
• If you are reasonably secure, they usually move on
• Reasonably secure means doing at least what the rest of your industry is doing

8. Most common exploits use…
• Weak / simple passwords
• Denial of service
• Known vulnerabilities
• How did you get so vulnerable?
  • Failure to follow industry “best practices”

9. Risk Assessment: What are your assets?
• Most important assets
  • Data
  • Intellectual property
  • Reputation
  • Knowledge workers’ time
• Least important assets
  • Bandwidth
  • Servers/hardware/software

10. Risk assessment: What are the risks?
• Financial loss
• Lawsuits / regulatory liabilities
• Accidental / intentional disclosure of intellectual property
• Users with idle time or unable to work (lost productivity)
• Unable to meet commitments to customers and vendors
• Lost sales or opportunities
• Damage to reputation / community embarrassment

11. Security Basics
• Passwords
• Physical security
• Updates
• Hardening Windows and Exchange
• User considerations
• Quick assessments

12. Improve password strength
• Require longer passwords
• Require special characters

13. Physical security
• Law #3 of the 10 Immutable Laws of Security
  • “If a bad guy has unrestricted physical access to your computer, it's not your computer anymore”
• Locked doors / access control system that records entry information
• Mandatory sign-in sheets
• Cameras
• Backup media should be secured

14. Operating system stability
• Very basic, but OS vulnerabilities frequently contribute to access by external hackers. Very common attack vector for hackers as well as worms.
• Apply applicable critical updates within 3 – 4 weeks
  • Applicable? Does the fix affect your configuration?
  • Don’t apply on the day they are released
• Apply service packs within 1 to 2 months
  • Read the SP “readme” first
• Use ‘Microsoft Update’ or WSUS
  • http://tinyurl.com/dwj6n
• Check for hardware vendor’s remote administration tools such as BMC tools, Dell RAC cards, etc… These may provide access to the system
• Sufficient free disk space on all disk drives

15. Exchange updates
• Critical patches within 3 – 4 weeks of release
• Service packs within 1 to 2 months of release
• Some updates will overwrite custom changes you have made (such as OWA’s LOGON.ASP)

16. Exchange and Windows Hardening
• Not every service is necessary on all server roles
• Use the Windows Security Configuration Wizard with W2K3 SP1
• Implement with care!

17. Users
• 60 – 70% of all security breaches occur from within.
  • (Source: 2002 Computer Crime and Security Survey – CSI and SF FBI’s Computer Intrusion Squad)
• Require an Acceptable Use Policy
  • Must have “bite”
  • Must be enforceable
  • Must be legal
  • See http://www.sans.org/resources/policies
• Require an IT Acceptable Use Policy
  • For IT, require an IT AUP or Ethics Statement
  • “Don’t read other people’s mail”
• Clearly define your information security policies

18. Quick Assessments - ExBPA
• Exchange Best Practices Analyzer
• http://www.exbpa.com

19. Quick Assessments - MBSA
• Microsoft Baseline Security Analyzer
• http://tinyurl.com/2e5fe

20. Use multiple layers of protection
• Inbound e-mail
  • Use an SMTP relay
  • Use a managed provider
• Web clients
  • Use a reverse proxy

21. Prevent direct access to mailbox servers
• Don’t allow direct access to mail server resources
• Inbound SMTP mail through an SMTP relay
  • Can be an “appliance”, Windows, or UNIX system
  • Can act as part of your messaging hygiene system.
  • More on this later
• Inbound OWA / RPC over HTTP / ActiveSync through a reverse proxy
  • ISA Server
  • IronPort
  • Whale Communications
• Prevents direct exposure for mailbox servers, front-ends, and bridgeheads

22. Reverse proxy for OWA
• Place front-end servers on the internal network and use an ISA Server in the DMZ. Much more secure, fewer ports that need to be opened.

23. Reverse proxy for OWA
• More information
  • Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology – http://tinyurl.com/5e6sv
  • Protecting Exchange Servers by Don Jones – http://tinyurl.com/zfemv
  • Protecting Microsoft Exchange with ISA Server 2004 Firewalls by Tom Shinder – http://tinyurl.com/jocrz
  • A Reverse Proxy Is A Proxy By Any Other Name by Art Stricek – http://tinyurl.com/cb2f9

  24. Multi-layer protection

  25. Managed providers

26. Using managed providers
• Organization directs MX records to the managed provider’s servers
• Managed provider…
  • Has better scalability and redundancy
  • Immediate response to day-zero threats
  • Keeps malware and unwanted content from reaching your perimeter
  • Reduces hardware and software required by the organization, as well as reducing complexity and IT resources required
• Allows the organization to accept inbound SMTP only from the provider
  • Unwanted content never makes it to the network in the first place
  • Reduces the threat from spam and virus/worm ‘bots
• Providers such as FrontBridge can provide regulatory compliance features such as archiving and content inspection

27. Restrict MAPI versions
• Restrict Exchange so that it will only accept Outlook versions after Outlook 2000 SP3
  • HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  • Create REG_DWORD Disable MAPI Clients
  • Put -5.3165.0 into the data field
  • See KB 328240 and 288894
  • http://www.windowsitpro.com – InstantDoc #26505
• Can help reduce the spread of viruses and worms by allowing only more recent versions
• Use with caution!

28. Denial-of-service and e-mail
• Anything a hacker/intruder can do to prevent your messaging system from providing messaging services or allowing your users to do their jobs.
• Spam could be considered a denial-of-service since users spend so much time going through it to find legitimate mail.
• A DoS attack may attempt to fill up disk space, overload messaging queues, overwhelm users, exceed bandwidth capacity, etc.
• Directory harvesting and tarpits

29. Directory harvesting / dictionary spamming
• Directory harvesting tries to find valid SMTP addresses using dictionary or random strings
• Dictionary spamming sends to a dictionary full of common names
• This can overwhelm a mail server
• Recipient filtering rejects mail addressed to unknown recipients during the SMTP session (rather than accepting it and generating an NDR)
• A tarpit slows them down
  • See KB 842851
  • Recommended for Internet-facing SMTP virtual servers
• Only one address in this list was valid, probably the “index patient”
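As an added example (not part of the presentation), the following Python script shows what detecting a directory-harvest attempt looks like from the defender's side: it reads SMTP protocol log lines, counts how often each client IP hits an unknown recipient, and flags sources whose RCPT attempts are mostly rejections. The log format, the thresholds, and the log lines themselves are constructed for this example. The `tarpit_delay` helper models the tarpit idea from KB 842851; the real Exchange 2003 tarpit applies a fixed delay before each rejection, so the escalating schedule here is an assumption chosen to illustrate the cost to a harvester.

```python
"""Flag likely directory-harvest sources in SMTP protocol log lines.

Added example; the log lines below are constructed, not from the talk.
Assumed line format: "<timestamp> <client-ip> <verb> <argument> <reply-code>".
"""
from collections import defaultdict

# Constructed sample log: 203.0.113.7 walks an alphabetical dictionary and
# hits one real mailbox; 198.51.100.20 is a sender with a single typo.
SAMPLE_LOG = """\
2007-03-01T10:00:01 203.0.113.7 RCPT alice@example.com 250
2007-03-01T10:00:02 203.0.113.7 RCPT aaron@example.com 550
2007-03-01T10:00:02 203.0.113.7 RCPT abby@example.com 550
2007-03-01T10:00:03 203.0.113.7 RCPT abigail@example.com 550
2007-03-01T10:00:03 203.0.113.7 RCPT adam@example.com 550
2007-03-01T10:00:04 203.0.113.7 RCPT adrian@example.com 550
2007-03-01T10:00:10 198.51.100.20 RCPT bob@example.com 250
2007-03-01T10:00:11 198.51.100.20 RCPT bbo@example.com 550
"""


def parse_rcpt_events(log_text):
    """Yield (client_ip, recipient, reply_code) for every RCPT line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "RCPT":
            continue  # skip MAIL FROM, DATA, malformed lines, etc.
        yield parts[1], parts[3], int(parts[4])


def harvest_report(log_text, min_attempts=5, min_fail_ratio=0.8):
    """Return {client_ip: (attempts, rejected)} for sources that look like
    harvesters: many RCPT commands, most of them answered with 550."""
    stats = defaultdict(lambda: [0, 0])  # ip -> [attempts, rejected]
    for ip, _recipient, code in parse_rcpt_events(log_text):
        stats[ip][0] += 1
        if code == 550:  # recipient filtering rejected an unknown address
            stats[ip][1] += 1
    return {
        ip: (attempts, rejected)
        for ip, (attempts, rejected) in stats.items()
        if attempts >= min_attempts and rejected / attempts >= min_fail_ratio
    }


def tarpit_delay(rejections_so_far, base_seconds=5, cap_seconds=60):
    """Seconds to wait before answering the next unknown-recipient RCPT from
    a client. Linear growth with a cap is an assumption for illustration;
    the KB 842851 tarpit uses one fixed delay per rejection."""
    return min(base_seconds * rejections_so_far, cap_seconds)


if __name__ == "__main__":
    for ip, (attempts, rejected) in harvest_report(SAMPLE_LOG).items():
        print(f"{ip}: {rejected}/{attempts} RCPTs rejected, likely harvesting")
```

Run against real logs, the thresholds need tuning: a legitimate mailing-list server can also produce a burst of 550s for stale subscribers, so look at the failure ratio rather than the raw count, and treat the report as a lead for the firewall or relay administrator rather than an automatic block.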

  30. An ugly trend: Virus writers, spammers, and ‘bots / zombies

31. Restrictions, restrictions, restrictions
• Mailbox
• Message size
• Recipients per message
• Automatic responses
• Internet-facing SMTP virtual servers
• Distribution list usage
• Monitor disk space usage and set alerts
• Users are going to hate you for this!

32. Mailbox Limits
• A necessary evil
• Adjust based on your organization’s needs
• Don’t limit users if they have a job to do
• The most important limit is “Prohibit Send and Receive”, as that closes down the mailbox and it does not accept any more mail

33. Exchange reports on closed mailboxes
• Monitoring for event ID 8528 can help you determine if mailboxes are filling up

34. Message Size / Recipient Limits
• The default inbound and outbound message size is 10 MB.
  • Usually adequate for most organizations
  • This is the MAXIMUM for users. It can be overridden per user to a smaller amount, but not larger.
• The maximum recipients per message is 5000, but I recommend dropping this. This can be overridden per user.

35. Inbound limits from the Internet
• Limit inbound messages from the Internet on the SMTP virtual servers that accept mail from the Internet
• Will apply to outbound messages only if the SMTP Connector to the Internet uses this SMTP VS as a bridgehead
• If this SMTP VS is used for internal message traffic, it may hurt public folder replication

36. Outbound limits to the Internet
• Limit outbound message size on the SMTP Connector (if not limited on the SMTP Virtual Server)

37. Automatic Responses
• Defaults do not allow automatic responses
  • This may have been changed
• You can override this by creating additional Internet Message Formats for specific domains
• Considered risky due to “social engineering” risks

38. Distribution list security
• Prevent abuse of your distribution lists
• Limit maximum message size
• Limit to authenticated users only (prevents someone on the Internet from using the group’s SMTP address)
• Limit who can send to the list internally

39. Restricting maximum store size
• Exchange 2003 SP2 allows maximum store size to be set
  • http://tinyurl.com/fmgxf
• When a store exceeds that size, it is dismounted
• Use with great care! You can still cause your users downtime with this feature.

40. Additional Security Best Practices
• OWA security improvements
• Generic best practices

41. Enable Forms Based Authentication
• Enable on the front-end servers
• Implements timeouts
  • Public = 15 minutes
  • Private = 24 hours
  • Customizable
• Allows a customizable logon page

  42. Forms Based Authentication

43. Always use SSL from a trusted authority
• Very bad to get users in the habit of ignoring security alerts
• Many sources for low-cost, trusted SSL certificates
  • GoDaddy – www.godaddy.com
  • InstantSSL – www.instantssl.com

44. Basic authentication passwords are very easy to intercept
• Using a tool such as Network Monitor, capture an OWA authentication string when using Basic authentication.
• Take the authentication string bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg==
• Run it through any Base64 decoding program and you get: namerica/arand:$culliRulz
  • Domain name: namerica; User: arand; password: $culliRulz
• Scary, eh? POP3, IMAP4, and NNTP passwords do not even have to be decoded!
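To turn the slide's point into a check a defender can run, here is an added Python example (not from the presentation) that scans captured HTTP request headers for `Authorization: Basic` credentials that crossed a non-TLS port, decodes the Base64 token the same way the slide does, and reports the domain and user while withholding the password itself. The request records are constructed; the first one carries the exact token shown on the slide. The port-443 record would only be readable in a capture after TLS termination (a proxy log, for instance) and is included to show that the filter ignores it.

```python
"""Audit captured HTTP requests for Basic-auth credentials sent in the clear.

Added example, not the author's code. Input is assumed to be a list of
(server_port, header_lines) records, constructed below.
"""
import base64
import binascii


def decode_basic(header_value):
    """Parse 'Basic <base64>' into (domain, user, password), or None.

    OWA Basic logons send the user part as domain/user or domain\\user;
    with no domain prefix the domain comes back as an empty string.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not a well-formed Basic token
    userpart, sep, password = raw.partition(":")
    if not sep:
        return None  # RFC 2617 requires the colon separator
    domain, _, user = userpart.replace("\\", "/").rpartition("/")
    return domain, user, password


def audit_requests(requests, tls_ports=(443,)):
    """Return one finding per Basic credential observed on a non-TLS port.

    Only the password length is recorded, never the password itself, so the
    report can be shared with the help desk to drive a reset.
    """
    findings = []
    for port, headers in requests:
        for header in headers:
            name, _, value = header.partition(":")
            if name.strip().lower() != "authorization":
                continue
            creds = decode_basic(value)
            if creds is None or port in tls_ports:
                continue
            domain, user, password = creds
            findings.append(
                {"port": port, "domain": domain, "user": user, "pw_len": len(password)}
            )
    return findings


# Constructed capture. The first token is the one shown on the slide.
SAMPLE_REQUESTS = [
    (80, ["GET /exchange/ HTTP/1.1", "Host: owa.example.com",
          "Authorization: Basic bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg=="]),
    (443, ["GET /exchange/ HTTP/1.1", "Host: owa.example.com",
           "Authorization: Basic bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg=="]),
    (80, ["GET /public/ HTTP/1.1", "Host: owa.example.com"]),
]

if __name__ == "__main__":
    for finding in audit_requests(SAMPLE_REQUESTS):
        print(f"port {finding['port']}: {finding['domain']}\\{finding['user']} "
              f"sent a {finding['pw_len']}-character password in the clear")
```

The fix the slides recommend, Forms Based Authentication over SSL from a trusted authority, removes the finding entirely; until then, any user this audit names should be treated as having a compromised password, because whoever could run Network Monitor on that segment could have done the same decode.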

45. Best practices
• Block outbound SMTP except from authorized hosts
  • Be a good ‘net citizen
• Never web surf from a server console
• Don’t install e-mail client software on the server
• Operators and administrators should not have mailboxes
• Separate admin rights from your regular user account
• Grant administrative permissions to groups, not individual users

46. Best practices
• Block inbound SMTP if using a managed provider
  • Only accept mail from the provider
• Protect protocol and message tracking logs
  • Some sensitive information may be disseminated from those logs
• Review your event logs
• Keep PLENTY of free disk space available
  • At least enough to mount one database in an RSG

47. Checklists
• Assessing the situation
• Exchange
• Servers
• Message hygiene
• Outside the perimeter

48. Assessment
• Assessments should be a “hands off the config” process. Don’t make configuration changes, but document what you find and the path to fix the problems.
• Determine what is documented:
  • Document servers, roles, network infrastructure, and dependencies
• Get an accurate count of active mailboxes
  • If inactive, then why?
  • Disable inactive accounts, then delete!

49. Inactive accounts
• Windows 2003 in 2003 forest functional mode will replicate the “last logon” attribute
• Write a script
• Use “Additional Account Info” from ALTools
  • http://tinyurl.com/a5zj
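The slide leaves "write a script" to the reader, so here is an added Python example (not the author's script, and not what ALTools does) of the core of one. The replicated attribute the slide refers to is lastLogonTimestamp, which Active Directory stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, with 0 meaning the account has never logged on). The script converts those values, lists accounts idle longer than a threshold, and keeps "never logged on" accounts in the list. The account records, the 90-day threshold, and the reference date are constructed; in practice the records would come from an LDAP query.

```python
"""List accounts whose replicated last logon is older than a threshold.

Added example. lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since
1601-01-01 00:00 UTC; 0 means the account has never logged on. Note that AD
only refreshes this attribute when the stored value is about 14 days old, so
the result is approximate to that granularity. Records below are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to an aware UTC datetime (None if 0)."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build the sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def find_inactive(accounts, now, max_idle_days=90):
    """Return sorted sAMAccountNames with no logon within max_idle_days.

    Accounts that have never logged on (timestamp 0) are included, since a
    mailbox-enabled account nobody has ever used is the classic orphan.
    """
    cutoff = now - timedelta(days=max_idle_days)
    inactive = []
    for account in accounts:
        last = filetime_to_datetime(account["lastLogonTimestamp"])
        if last is None or last < cutoff:
            inactive.append(account["sAMAccountName"])
    return sorted(inactive)


# Constructed sample: the assessment is being run on 1 April 2007 (UTC).
NOW = datetime(2007, 4, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2007, 3, 25, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2006, 11, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol",
     "lastLogonTimestamp": datetime_to_filetime(datetime(2007, 1, 10, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc-backup", "lastLogonTimestamp": 0},
]

if __name__ == "__main__":
    for name in find_inactive(SAMPLE_ACCOUNTS, NOW):
        print(f"{name}: no logon in the last 90 days, candidate to disable")
```

The output is a candidate list, not an action list: as slide 48 says, disable first and delete later, and check service accounts such as the constructed `svc-backup` with their owners before touching them, since some legitimately never perform an interactive logon.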

50. Assessments: Environment
• Interview:
  • Backup schedule / procedures / rotation / media storage
  • Client software and versions in use
  • Client antivirus / anti-spyware procedures
  • Remote access procedures
  • Administrators that are approved to manage Exchange
  • Disaster recovery / business continuance plan
  • What is the perception of the “spam problem?”
