290 likes | 643 Views
Securing Exchange 2000 Trustworthy Exchanges and the Art of doing it yourself Chris Weber chris.weber@foundstone.com http://www.foundstone.com http://www.privacydefended.com Synopsis Focused on single backend Exchange Server with front-end OWA server Hacking Exchange Scanning Enumerating
E N D
Securing Exchange 2000 Trustworthy Exchanges and the Art of doing it yourself Chris Weber chris.weber@foundstone.com http://www.foundstone.com http://www.privacydefended.com
Synopsis • Focused on single backend Exchange Server with front-end OWA server • Hacking Exchange • Scanning • Enumerating • Attacking • The Exchange Application • Secure Administration • System Policies • Malware • OWA • Known Vulnerabilities • Other Fundamental Considerations • IIS 5.0 • Windows OS • Network Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
What is not covered • A lot! • Connectors and Replication • Internet POP3/SMTP clients like Outlook Express • Backups • Monitoring and status notifications • PKI Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Security Policy • Organizational security policies should be in place to guide daily actions. • Never start configuring without having a “management supported” plan in place. Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Secure Network Diagram Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Hacking Exchange 2000 • Why Hack Exchange? • Learn host configuration information • Learn of hidden Public Folders • Glean User account names and email addresses • Information Gathering • Network port scan • Server enumeration • NetBIOS • LDAP • RPC • User and configuration enumeration • LDAP with Null session • NetBIOS will Null session • Pilfering shares • Tracking logs • Launching an attack • Aiming for admin access Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Hacking Exchange 2000 LDAP exposes Users and Public Folders hidden from the Exchange Address Lists Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
172.16.2.10 995/tcp - POP/SSL 172.16.2.10 1048/tcp 172.16.2.10 1049/tcp 172.16.2.10 1053/tcp 172.16.2.10 1055/tcp 172.16.2.10 1089/tcp 172.16.2.10 1104/tcp 172.16.2.10 1107/tcp 172.16.2.10 1198/tcp 172.16.2.10 1200/tcp 172.16.2.10 1247/tcp 172.16.2.10 1249/tcp 172.16.2.10 3372/tcp 172.16.2.10 3389/tcp - MS Terminal Server 172.16.2.10 4277/tcp Scan finished at Fri Feb 22 00:55:48 2002 Time taken: 65535 ports in 318.138 secs (206.00 ports/sec) D:\tools>fscan -p 1-65535 -z 128 exchange FScan v1.12 - Command line port scanner. Copyright 2000 (c) by Foundstone, Inc. http://www.foundstone.com Scan started at Fri Feb 22 00:50:30 2002 172.16.2.10 25/tcp - SMTP 172.16.2.10 80/tcp - HTTP 172.16.2.10 119/tcp - NNTP 172.16.2.10 135/tcp - RPC/DCE endpoint mapper 172.16.2.10 139/tcp - NetBIOS session service 172.16.2.10 143/tcp - IMAP 172.16.2.10 443/tcp - HTTPS 172.16.2.10 445/tcp - Microsoft SMB/CIFS 172.16.2.10 563/tcp - NNTP/SSL 172.16.2.10 593/tcp - HTTP RPC endpoint mapper 172.16.2.10 691/tcp - SMTP/LSA 172.16.2.10 993/tcp Port Scan XGEN: TCP/UDP Ports Used By Exchange 2000 Server (Q278339) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Port and Process Mappings • Useful tools: • FPORT.EXE (from www.foundstone.com) • TLIST.EXE /S(from Windows 2000 installation CD \Support directory) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
FPort v1.31 - TCP/IP Process to Port Mapper Copyright 2000 by Foundstone, Inc. http://www.foundstone.com Securing the dot com world Pid Process Port Proto Path 1028 inetinfo -> 25 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 80 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 110 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 119 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 512 svchost -> 135 TCP C:\WINNT\system32\svchost.exe 8 System -> 139 TCP 1028 inetinfo -> 143 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 443 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 8 System -> 445 TCP 1028 inetinfo -> 563 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 512 svchost -> 593 TCP C:\WINNT\system32\svchost.exe 1028 inetinfo -> 691 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 993 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 1028 inetinfo -> 995 TCP C:\WINNT\System32\inetsrv\inetinfo.exe 264 lsass -> 1032 TCP C:\WINNT\system32\lsass.exe 264 lsass -> 1033 TCP C:\WINNT\system32\lsass.exe 600 msdtc -> 1048 TCP C:\WINNT\System32\msdtc.exe 860 MSTask -> 1049 TCP C:\WINNT\system32\MSTask.exe 1044 mad -> 1053 TCP C:\Program Files\Exchsrvr\bin\mad.exe 1044 mad -> 1055 TCP C:\Program Files\Exchsrvr\bin\mad.exe fport.exe Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
tlist.exe /s 0 System Process 8 System 172 SMSS.EXE 200 CSRSS.EXE 224 WINLOGON.EXE 252 SERVICES.EXE Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkWks,W32Time,Wmi 264 LSASS.EXE Svcs: Netlogon,NtLmSsp,PolicyAgent,SamSs 368 termsrv.exe Svcs: TermService 512 svchost.exe Svcs: RpcSs 540 SPOOLSV.EXE Svcs: Spooler 600 msdtc.exe Svcs: MSDTC 748 svchost.exe Svcs: EventSystem,Netman,NtmsSvc,SENS 764 LLSSRV.EXE Svcs: LicenseService 808 regsvc.exe Svcs: RemoteRegistry 840 LOCATOR.EXE Svcs: RpcLocator 860 mstask.exe Svcs: Schedule 944 WinMgmt.exe Svcs: WinMgmt 1000 dfssvc.exe Svcs: Dfs 1028 inetinfo.exe Svcs: IISADMIN,IMAP4Svc,NntpSvc,POP3Svc,RESvc,SMTPSVC,W3SVC 1044 MAD.EXE Svcs: MSExchangeSA 1076 mssearch.exe Svcs: MSSEARCH 1524 STORE.EXE Svcs: MSExchangeIS 1556 EMSMTA.EXE Svcs: MSExchangeMTA 2360 CSRSS.EXE Title: 2384 WINLOGON.EXE Title: NetDDE Agent 2464 rdpclip.exe Title: CB Monitor Window 2508 explorer.exe Title: Program Manager 2560 mshta.exe Title: Windows 2000 Configure Your Server 2580 svchost.exe Svcs: TapiSrv 2652 mdm.exe Title: OleMainThreadWndName 2736 CMD.EXE Title: C:\WINNT\System32\cmd.exe - tlist /s 976 notepad.exe Title: fport - Notepad 768 TLIST.EXE Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Some Security related changes from 5.5 to 2000 • SMTP relay disabled • Rights to the Mailbox • Admin is DENIED access to mailboxes (by default), but easily changed • “Exchange Domain Servers” group full access • %COMPUTERNAME%$ full access • No more Service Account • Your LSA Secrets are safe… Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Secure Administration – Lock it down • Security Checklist:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp • Disable unnecessary services and ports • Enable Auditing • Rename local Admin account and enable a strong password • ACL and monitor critical Registry keys • Watch event logs for failed login attempts Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Secure Administration - Roles • Administrative Roles • Exchange Administrator • Exchange Full Administrator • Exchange View Only Administrator • XADM: How to Get Service Account Access to All Mailboxes in Exchange 2000 (Q262054)http://support.microsoft.com/default.aspx?scid=kb;en-us;Q262054 • Delegation Wizard • Use to add/edit Admin roles Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 The All-Powerful Exchange Domain Servers Group • XADM: Enhancing the Security of Exchange 2000 for the Exchange Domain Servers Group (Q313807) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Secure Administration – Security Permissions Page • Registry Hack • To show the security tab in System Manager HKCU\Software\Microsoft\Exchange\ExAdmin Value: ShowSecurityPage Date: 1 (REG_DWORD) • XADM: Security Tab Not Available on All Objects in System Manager (Q259221) Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Securing File Shares • Security of Shares • Tracking Logs:%COMPUTERNAME%.logContain user information such as email addresses and usernames. • EVERYONE or Authenticated Users can read by default Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Secure Administration - TURN OFF WHAT YOU DON’T NEED • Disable unnecessary services and protocols • For both Exchange and Windows • Do you need POP3? IMAP? HTTP? • Do you need the Alerter service? Messenger? DHCP client? Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 System Policies • System Policies • Server policy • Mailbox policy • Public Folder policy Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Malware - Virus, trojan and worm protection • Use SMTP content filter for Internet email • Use a separate host or a firewall for SMTP relay • Catch incoming/outgoing malware elsewhere, and relieve your Exchange server of the load • Virus protection in the Information Store • Well, some viruses originate within, so you still need protection. • Several server based virus scanners will protect (i.e. MailSecurity by GFI, Trend Micro, Sybari Antigen, NAI GroupShield) • Virus protection on the client Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange and Outlook Malware – Protection in Outlook • Prevent scripts and Active content from running on your user’s workstations • Set the Security Zone in Outlook to “Restricted Sites” – under Tools > Options > Security • Keep up-to-date with latest MS Outlook and Internet Explorer patches and security hotfixes Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Outlook Web Access Installation and Design Considerations • General OWA security • Lock down IIS • Security checklists http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp • IISLock.exe • Definitely use SSL • Decide on Front-end vs. Back-end modelMust read: http://www.microsoft.com/Exchange/techinfo/deployment/2000/E2KFrontBack.asp • Front-End serverIsolate it even in the DMZ (it should only communicate with the Exchange BE server and an AD DC) • Intranet Firewall between Front End and Back End • Use STATIC RPC ports:http://support.microsoft.com/support/kb/articles/q224/1/96.asp Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Secure Network Diagram Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Internet firewall DENY ALL incoming and outgoing Allow only what you need! For example:Incoming from Internet Allow: TCP port 443 (HTTPS) TCP port 25 (SMTP) TCP/UDP port 53 (DNS) Outgoing Allow: Only established connections Intranet Assign static RPC ports to the Exchange Server DMZ firewall DENY ALL incoming and outgoin Allow only what you need! For example:Incoming from DMZ Allow:TCP port 80 (HTTP) TCP/UDP port 88 (Kerberos) TCP/UDP port 53 TCP/UDP port 389 (LDAP) TCP port 3268 (GC) TCP port 135 (endpoing mapper) TCP port 1025 (optional RPC static port) TCP port 445 (SMB/CIFS) Outgoing Allow: Only established connections Firewalls DENY everything. Only allow what you need! Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Vulnerabilities • * February 2002 *MS02-003 : Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissionshttp://archives.neohapsis.com/archives/vendor/2002-q1/0023.html • September 2001MS01-049 : Deeply-nested OWA Request Can Consume Server CPU Availability • August 2001MS01-043 : NNTP Service in Windows NT 4.0 and Windows 2000 Contains Memory Leak • July 2001MS01-041 : Malformed RPC Request Can Cause Service Failure • June 2001MS01-030 : Incorrect Attachment Handling in Exchange OWA Can Execute Script • March 2001MS01-014 : Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 • November 2000MS00-088 : Exchange User Account Vulnerability Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
The Windows OS The FOUNDATION of Exchange • Security is a pyramid • Exchange security depends on the OS security • Follow checklists and best practices available from www.microsoft.com/security as well as many third parties like SANS (www.sans.org) • Ensure new OS and Exchange installs are hardened before placed into production • Don’t let unnecessary services and software run! • Keep up-to-date on latest MS Service Packs and security hotfixes Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
Exchange 2000 Additional Thoughts • SMTP replication in clear text!!! • Use IPSec with encryption parameters to protect this traffic • Public Folders • EVERYONE group can add new folders by default • Event Sinks • XCCC: Script Host Sink Is Not Registered on Exchange 2000 Server by Default (Q264995) • http://www.outlookexchange.com/articles/glenscales/wssevtar.asp by Glen Scales Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
References • Exchange http://www.microsoft.com/exchange http://www.microsoft.com/security http://www.slipstick.com http://www.msexchange.org http://www.labmice.net • IPSec http://www.securityfocus.com/infocus/1519 Securing Microsoft Exchange 2000 Chris.Weber@Foundstone.com
The End Ask a Question Now! Securing Exchange 2000 Chris Weber chris.weber@foundstone.com http://www.foundstone.com http://www.privacydefended.com