1 / 29

Securing Exchange 2000

Securing Exchange 2000 Trustworthy Exchanges and the Art of doing it yourself Chris Weber chris.weber@foundstone.com http://www.foundstone.com http://www.privacydefended.com Synopsis Focused on single backend Exchange Server with front-end OWA server Hacking Exchange Scanning Enumerating

johana
Download Presentation

Securing Exchange 2000

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing Exchange 2000 Trustworthy Exchanges and the Art of doing it yourself Chris Weber chris.weber@foundstone.com http://www.foundstone.com http://www.privacydefended.com

  2. Synopsis • Focused on single backend Exchange Server with front-end OWA server • Hacking Exchange • Scanning • Enumerating • Attacking • The Exchange Application • Secure Administration • System Policies • Malware • OWA • Known Vulnerabilities • Other Fundamental Considerations • IIS 5.0 • Windows OS • Network Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  3. What is not covered • A lot! • Connectors and Replication • Internet POP3/SMTP clients like Outlook Express • Backups • Monitoring and status notifications • PKI Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  4. Security Policy • Organizational security policies should be in place to guide daily actions. • Never start configuring without having a “management supported” plan in place. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  5. Secure Network Diagram Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  6. Hacking Exchange 2000 • Why Hack Exchange? • Learn host configuration information • Learn of hidden Public Folders • Glean User account names and email addresses • Information Gathering • Network port scan • Server enumeration • NetBIOS • LDAP • RPC • User and configuration enumeration • LDAP with Null session • NetBIOS will Null session • Pilfering shares • Tracking logs • Launching an attack • Aiming for admin access Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  7. Hacking Exchange 2000 LDAP exposes Users and Public Folders hidden from the Exchange Address Lists Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  8. 172.16.2.10 995/tcp - POP/SSL 172.16.2.10 1048/tcp 172.16.2.10 1049/tcp 172.16.2.10 1053/tcp 172.16.2.10 1055/tcp 172.16.2.10 1089/tcp 172.16.2.10 1104/tcp 172.16.2.10 1107/tcp 172.16.2.10 1198/tcp 172.16.2.10 1200/tcp 172.16.2.10 1247/tcp 172.16.2.10 1249/tcp 172.16.2.10 3372/tcp 172.16.2.10 3389/tcp - MS Terminal Server 172.16.2.10 4277/tcp Scan finished at Fri Feb 22 00:55:48 2002 Time taken: 65535 ports in 318.138 secs (206.00 ports/sec) D:\tools>fscan -p 1-65535 -z 128 exchange FScan v1.12 - Command line port scanner. Copyright 2000 (c) by Foundstone, Inc. http://www.foundstone.com Scan started at Fri Feb 22 00:50:30 2002 172.16.2.10 25/tcp - SMTP 172.16.2.10 80/tcp - HTTP 172.16.2.10 119/tcp - NNTP 172.16.2.10 135/tcp - RPC/DCE endpoint mapper 172.16.2.10 139/tcp - NetBIOS session service 172.16.2.10 143/tcp - IMAP 172.16.2.10 443/tcp - HTTPS 172.16.2.10 445/tcp - Microsoft SMB/CIFS 172.16.2.10 563/tcp - NNTP/SSL 172.16.2.10 593/tcp - HTTP RPC endpoint mapper 172.16.2.10 691/tcp - SMTP/LSA 172.16.2.10 993/tcp Port Scan XGEN: TCP/UDP Ports Used By Exchange 2000 Server (Q278339) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  9. Port and Process Mappings • Useful tools: • FPORT.EXE (from www.foundstone.com) • TLIST.EXE /S(from Windows 2000 installation CD \Support directory) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  10. FPort v1.31 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc. http://www.foundstone.com Securing the dot com world Pid Process Port Proto Path 1028 inetinfo -> 25 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 80 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 110 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 119 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 512 svchost -> 135 TCP C:\WINNT\system32\svchost.exe 8 System -> 139 TCP 1028 inetinfo -> 143 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 443 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 8 System -> 445 TCP 1028 inetinfo -> 563 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 512 svchost -> 593 TCP C:\WINNT\system32\svchost.exe 1028 inetinfo -> 691 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 993 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 995 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 264 lsass -> 1032 TCP C:\WINNT\system32\lsass.exe 264 lsass -> 1033 TCP C:\WINNT\system32\lsass.exe 600 msdtc -> 1048 TCP C:\WINNT\System32\msdtc.exe 860 MSTask -> 1049 TCP C:\WINNT\system32\MSTask.exe 1044 mad -> 1053 TCP C:\Program Files\Exchsrvr\bin\mad.exe 1044 mad -> 1055 TCP C:\Program Files\Exchsrvr\bin\mad.exe fport.exe Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  11. tlist.exe /s 0 System Process 8 System 172 SMSS.EXE 200 CSRSS.EXE 224 WINLOGON.EXE 252 SERVICES.EXE Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi 264 LSASS.EXE Svcs: Netlogon,NtLmSsp,PolicyAgent,SamSs 368 termsrv.exe Svcs: TermService 512 svchost.exe Svcs: RpcSs 540 SPOOLSV.EXE Svcs: Spooler 600 msdtc.exe Svcs: MSDTC 748 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,SENS 764 LLSSRV.EXE Svcs: LicenseService 808 regsvc.exe Svcs: RemoteRegistry 840 LOCATOR.EXE Svcs: RpcLocator 860 mstask.exe Svcs: Schedule 944 WinMgmt.exe Svcs: WinMgmt 1000 dfssvc.exe Svcs: Dfs 1028 inetinfo.exe Svcs: IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC 1044 MAD.EXE Svcs: MSExchangeSA 1076 mssearch.exe Svcs: MSSEARCH 1524 STORE.EXE Svcs: MSExchangeIS 1556 EMSMTA.EXE Svcs: MSExchangeMTA 2360 CSRSS.EXE Title: 2384 WINLOGON.EXE Title: NetDDE Agent 2464 rdpclip.exe Title: CB Monitor Window 2508 explorer.exe Title: Program Manager 2560 mshta.exe Title: Windows 2000 Configure Your Server 2580 svchost.exe Svcs: TapiSrv 2652 mdm.exe Title: OleMainThreadWndName 2736 CMD.EXE Title: C:\WINNT\System32\cmd.exe - tlist /s 976 notepad.exe Title: fport - Notepad 768 TLIST.EXE Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  12. Exchange 2000 Some Security related changes from 5.5 to 2000 • SMTP relay disabled • Rights to the Mailbox • Admin is DENIED access to mailboxes (by default), but easily changed • “Exchange Domain Servers” group full access • %COMPUTERNAME%$ full access • No more Service Account • Your LSA Secrets are safe… Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  13. Exchange 2000 Secure Administration – Lock it down • Security Checklist:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp • Disable unnecessary services and ports • Enable Auditing • Rename local Admin account and enable a strong password • ACL and monitor critical Registry keys • Watch event logs for failed login attempts Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  14. Exchange 2000 Secure Administration - Roles • Administrative Roles • Exchange Administrator • Exchange Full Administrator • Exchange View Only Administrator • XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 (Q262054)http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262054 • Delegation Wizard • Use to add/edit Admin roles Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  15. Exchange 2000 The All-Powerful Exchange Domain Servers Group • XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group (Q313807) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  16. Exchange 2000 Secure Administration – Security Permissions Page • Registry Hack • To show the security tab in System Manager HKCU\Software\Microsoft\Exchange\ExAdmin Value: ShowSecurityPage Date: 1 (REG_DWORD) • XADM: Security Tab Not Available on All Objects in System Manager (Q259221) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  17. Exchange 2000 Securing File Shares • Security of Shares • Tracking Logs:%COMPUTERNAME%.logContain user information such as email addresses and usernames. • EVERYONE or Authenticated Users can read by default Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  18. Exchange 2000 Secure Administration - TURN OFF WHAT YOU DON’T NEED • Disable unnecessary services and protocols • For both Exchange and Windows • Do you need POP3? IMAP? HTTP? • Do you need the Alerter service? Messenger? DHCP client? Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  19. Exchange 2000 System Policies • System Policies • Server policy • Mailbox policy • Public Folder policy Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  20. Exchange 2000 Malware - Virus, trojan and worm protection • Use SMTP content filter for Internet email • Use a separate host or a firewall for SMTP relay • Catch incoming/outgoing malware elsewhere, and relieve your Exchange server of the load • Virus protection in the Information Store • Well, some viruses originate within, so you still need protection. • Several server based virus scanners will protect (i.e. MailSecurity by GFI, Trend Micro, Sybari Antigen, NAI GroupShield) • Virus protection on the client Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  21. Exchange and Outlook Malware – Protection in Outlook • Prevent scripts and Active content from running on your user’s workstations • Set the Security Zone in Outlook to “Restricted Sites” – under Tools > Options > Security • Keep up-to-date with latest MS Outlook and Internet Explorer patches and security hotfixes Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  22. Outlook Web Access Installation and Design Considerations • General OWA security • Lock down IIS • Security checklists http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp • IISLock.exe • Definitely use SSL • Decide on Front-end vs. Back-end modelMust read: http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2KFrontBack.asp • Front-End serverIsolate it even in the DMZ (it should only communicate with the Exchange BE server and an AD DC) • Intranet Firewall between Front End and Back End • Use STATIC RPC ports:http://support.microsoft.com/support/kb/articles/q224/1/96.asp Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  23. Secure Network Diagram Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  24. Internet firewall DENY ALL incoming and outgoing Allow only what you need! For example:Incoming from Internet Allow: TCP port 443 (HTTPS) TCP port 25 (SMTP) TCP/UDP port 53 (DNS) Outgoing Allow: Only established connections Intranet Assign static RPC ports to the Exchange Server DMZ firewall DENY ALL incoming and outgoin Allow only what you need! For example:Incoming from DMZ Allow:TCP port 80 (HTTP) TCP/UDP port 88 (Kerberos) TCP/UDP port 53 TCP/UDP port 389 (LDAP) TCP port 3268 (GC) TCP port 135 (endpoing mapper) TCP port 1025 (optional RPC static port) TCP port 445 (SMB/CIFS) Outgoing Allow: Only established connections Firewalls DENY everything. Only allow what you need! Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  25. Exchange 2000 Vulnerabilities • * February 2002 *MS02-003 : Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissionshttp://archives.neohapsis.com/archives/vendor/2002-q1/0023.html • September 2001MS01-049 : Deeply-nested OWA Request Can Consume Server CPU Availability • August 2001MS01-043 : NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak • July 2001MS01-041 : Malformed RPC Request Can Cause Service Failure • June 2001MS01-030 : Incorrect Attachment Handling in Exchange OWA Can Execute Script • March 2001MS01-014 : Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 • November 2000MS00-088 : Exchange User Account Vulnerability Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  26. The Windows OS The FOUNDATION of Exchange • Security is a pyramid • Exchange security depends on the OS security • Follow checklists and best practices available from www.microsoft.com/security as well as many third parties like SANS (www.sans.org) • Ensure new OS and Exchange installs are hardened before placed into production • Don’t let unnecessary services and software run! • Keep up-to-date on latest MS Service Packs and security hotfixes Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  27. Exchange 2000 Additional Thoughts • SMTP replication in clear text!!! • Use IPSec with encryption parameters to protect this traffic • Public Folders • EVERYONE group can add new folders by default • Event Sinks • XCCC: Script Host Sink Is Not Registered on Exchange 2000 Server by Default (Q264995) • http://www.outlookexchange.com/articles/glenscales/wssevtar.asp by Glen Scales Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  28. References • Exchange http://www.microsoft.com/exchange http://www.microsoft.com/security http://www.slipstick.com http://www.msexchange.org http://www.labmice.net • IPSec http://www.securityfocus.com/infocus/1519 Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com

  29. The End Ask a Question Now! Securing Exchange 2000 Chris Weber chris.weber@foundstone.com http://www.foundstone.com http://www.privacydefended.com

More Related