1. Exchange Server 2003 Security Name: Thomas de Klerk
Role: Trainer/Consultant
Company: Info Support
E-mail: thomask@infosupport.com
2. Agenda Implementing Exchange Security
Securing Exchange Server Services and Messaging Protocols
Maintaining Security on Exchange Server
Configuring Exchange to Protect Against Unwanted E-mail
Securing Access to Exchange Using ISA Server 2004
3. Exchange Server 2003 Security Overview Secure by design
Secure by default
Support for Sender, Recipient and Connection Filtering (Block List Services)
Secure by default
User logon on server disabled
Messaging limits configuration 10 MB
Microsoft Exchange Server 2003 Security Enhancements http://www.microsoft.com/exchange/evaluation/security_E2K3.mspx
4. Exchange Server Deployments General
FE/BE deployment
ISA Server Integrated
5. Exchange Server Client Scenarios General Clients:
Microsoft Outlook
Mobile client access:
Outlook Web Access
Outlook Mobile Access
Exchange Server ActiveSync
6. Configuration and Security Update Recommendations for Exchange Server Operating system and software:
Windows Server 2003 with latest security updates
Exchange Server 2003 with SP1 (or higher, SP2 is around the corner)
Exchange Intelligent Message Filter
Browser:
IE 6 with latest security updates
Security update management
Microsoft Baseline Security Analyzer
7. Implementing Defense-in-depth Data
Application
Host
Internal Network
Perimeter
Physical Security
Policies, procedures, awareness
8. Securing Exchange Servers Maintaining the security of the underlying Windows infrastructure
Maintain baseline security hardening practices
Understanding security options for various deployment scenarios
9. Hardening the Messaging Environment Server environment
Domain, DC and Member Server Baseline policies
Windows Server 2003 Security Guide http://go.microsoft.com/fwlink/?linkId=21638
Exchange Domain Controller Baseline Policy template
Messaging Environment
Exchange Server 2003 Security Hardening Guide http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx
10. Exchange Security Templates
11. Hardening Back-End Exchange Servers Tasks include:
Hardening Services
Hardening ACLs
Changing privilege rights
Enabling additional services (optional)
Apply Exchange 2003 Backend.inf security template to your back-end servers
12. Hardening Front-End Exchange Servers Tasks include:
Hardening Services
Hardening ACLs
Enabling additional services (optional)
Running URLScan (optional but recommended)
Dismounting the mailbox store and deleting the public folder store
Apply Exchange 2003 frontend.inf security template to your front-end servers
13. Understanding SMTP Relaying SMTP Relaying: When an SMTP server accepts mail from one domain addressed to mailboxes in another domain, neither of which the server owns
Needed when:
Accepting mail for other organization
POP3 or IMAP4 clients
Supporting applications that generate SMTP mail
Prevent open relays by
Allowing only authenticated computers to relay
Restricting relaying to specific computers or users
Using SMTP connector to relay to particular domains
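The relay rules above, worked through as an added example (not Exchange code): a policy object decides each RCPT TO the way the slide describes, accepting local delivery, authenticated sessions, hosts on an explicit relay list and connector domains, and answering 550 to everything else. Domains, networks and sessions are constructed sample data.

```python
"""SMTP relay decision modelled on the Exchange 2003 rules in the slides.
Added illustration, not Exchange code; all names and sample data are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class RelayPolicy:
    local_domains: set        # domains this server owns (always accepted)
    relay_networks: list      # hosts allowed to relay without authentication
    connector_domains: set    # domains reached through an SMTP connector
    allow_auth_relay: bool = True  # authenticated clients (POP3/IMAP4) may relay

    def decide(self, client_ip, authenticated, rcpt_to):
        """Return (accept, smtp_reply) for one RCPT TO command."""
        rcpt_domain = rcpt_to.rpartition("@")[2].lower()
        if rcpt_domain in self.local_domains:
            return True, "250 2.1.5 Recipient OK (local delivery)"
        # Everything below is a relay: the recipient is not ours.
        if self.allow_auth_relay and authenticated:
            return True, "250 2.1.5 Recipient OK (authenticated relay)"
        ip = ip_address(client_ip)
        if any(ip in net for net in self.relay_networks):
            return True, "250 2.1.5 Recipient OK (relay list)"
        if rcpt_domain in self.connector_domains:
            return True, "250 2.1.5 Recipient OK (SMTP connector)"
        # Default deny: this is what separates a closed relay from an open one.
        return False, "550 5.7.1 Unable to relay for " + rcpt_to

POLICY = RelayPolicy(
    local_domains={"example.com"},
    relay_networks=[ip_network("192.0.2.0/24")],   # internal application servers
    connector_domains={"partner.example"},
)

def run_samples():
    """Constructed sessions: (client IP, authenticated?, RCPT TO)."""
    samples = [
        ("203.0.113.5", False, "victim@other.test"),      # anonymous relay: denied
        ("203.0.113.5", False, "alice@example.com"),      # inbound to our domain
        ("203.0.113.5", True,  "bob@other.test"),         # authenticated user
        ("192.0.2.10",  False, "ops@other.test"),         # host on the relay list
        ("203.0.113.5", False, "carol@partner.example"),  # connector domain
    ]
    return [POLICY.decide(*s)[0] for s in samples]
```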
14. Demo SMTP Relay
15. Securing SMTP Communication Between Mail Servers Install and configure X.509 certificate
Enable TLS encryption for inbound mail
Enable and configure TLS for outbound mail to specific domains
16. Securing Exchange Servers Limit Exchange Server functionality to what clients strictly require
Remain current with the latest updates for both Exchange and the OS
Use ISA Server 2004 to regulate access for HTTP, RPC over HTTPS, POP3 and IMAP4 traffic
Use SSL/TLS and forms-based authentication for Outlook Web Access
17. Maintaining Security on Exchange Server Keeping up with the latest security updates
Keeping up with recommended best practices
Understanding the impact of configuring various options within Exchange Server
Document configuration and security settings
18. Analyzing Exchange Server 2003 Using the Microsoft Baseline Security Analyzer MBSA checks for issues related to the following:
Known Windows and Internet Explorer security issues
Missing Security updates
Weak account passwords
IIS security issues
SQL Server security issues
Exchange Server security issues
19. Validate Exchange Server Configuration Settings ExBPA can examine your Exchange servers to:
Generate a list of issues, such as misconfigurations or unsupported or non-recommended options
Judge the general health of a system
Help troubleshoot specific problems
20. What Are the Exchange Options for Limiting Unwanted E-mail Recipient filtering
Sender filtering
Connection filtering
Microsoft Exchange Intelligent Message Filter (IMF)
21. Demo 2 ExBPA
Filtering
22. Implementing Antivirus Protection on Exchange Server Consider the following when designing and implementing an antivirus solution:
Design a defense-in-depth approach
Implement an antivirus scanner that supports AVAPI 2.5
Prevent file-based scanning of Exchange Server folders
23. Securing Access to Exchange Using ISA Server 2004 Outlook Web Access
RPC over HTTPS
Network designs
24. Security issues HTTPS is the transport
Intrusion detection?
Conformance to email policy?
OWA 2000 has no session timeout
Fixed in OWA 2003
Forms authentication: cookie for session
Check the lock – then check the certificate?
What threat does the cookie fix?
Oh, and keystroke loggers!!
25. Typical Design Good: better performance
Separates protocol from message store
Network protection
Bad: weaker security
Tunnel through outside firewall: no inspection
Many holes in inside firewall for authentication
Anonymous initial connections to OWA
26. Improving OWA security Security goals
Inspect SSL traffic
Maintain wire privacy
Enforce conformance to HTML/HTTP
Allow only known URL construction
Block URL-borne attacks
Optionally
Pre-authenticate incoming connections
27. Protect OWA with ISA Server ISA Server becomes the “bastion host”
Web proxy terminates all connections
Decrypts HTTPS
Inspects content
Inspects URL (with URLScan)
Re-encrypts for delivery to OWA
28. Protect OWA with ISA Server Better user authentication Easy authentication to Active Directory
Pre-authenticate communications
ISA Server queries user for credentials
Verifies against AD
Embeds in HTTP headers to OWA
Avoids second prompt!
29. URLScan 2.5 Policy-based URL evaluation
Define what’s allowed; drop everything else
Helps protect from attacks that—
Request unusual actions
Have a large number of characters
Are encoded using an alternate character set
Can be used in conjunction with SSL inspection to detect attacks over SSL
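An allow-list URL policy in the spirit of slides 26 and 29 (known URL construction only, length limits, no alternate character sets), as an added example that is not URLScan or ISA Server code. Verbs, prefixes, limits and request samples are constructed assumptions; OWA 2003 also uses WebDAV verbs, so a real list is tuned to what the published clients need.

```python
"""URLScan-style allow-list check for an OWA / RPC proxy publishing rule.
Added illustration, not URLScan or ISA Server code; policy values are assumptions."""
from urllib.parse import unquote

POLICY = {
    # RPC_IN_DATA / RPC_OUT_DATA are the RPC-over-HTTP request methods
    "verbs": {"GET", "POST", "HEAD", "RPC_IN_DATA", "RPC_OUT_DATA"},
    "prefixes": ("/exchange/", "/exchweb/", "/public/", "/rpc/"),
    "max_url": 2048,
    "max_query": 1024,
    "deny_sequences": ("..", "\\", "%"),   # checked after one decode pass
}

def check_request(verb, url, policy=POLICY):
    """Return (allowed, reason) for one request line; unknown means denied."""
    if verb.upper() not in policy["verbs"]:
        return False, "verb not allowed: " + verb
    if len(url) > policy["max_url"]:
        return False, "URL too long"
    path, _, query = url.partition("?")
    if len(query) > policy["max_query"]:
        return False, "query string too long"
    decoded = unquote(path)   # invalid UTF-8 sequences become U+FFFD
    # Alternate character sets: anything non-printable-ASCII after decoding
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in decoded):
        return False, "non-ASCII or control character in path"
    # A '%' surviving one decode pass means the request was double-encoded
    if any(seq in decoded for seq in policy["deny_sequences"]):
        return False, "denied character sequence in path"
    if not decoded.lower().startswith(policy["prefixes"]):
        return False, "path outside published prefixes"
    return True, "ok"

def run_samples():
    """Constructed request lines exercising each rule."""
    samples = [
        ("GET", "/exchange/alice/Inbox/?Cmd=contents"),          # normal OWA
        ("GET", "/exchange/alice/../../private/"),               # traversal
        ("TRACE", "/exchange/alice/"),                            # unusual verb
        ("GET", "/exchange/..%c0%af../"),                        # overlong UTF-8
        ("GET", "/exchange/" + "A" * 3000),                      # oversized
        ("GET", "/exchange/alice/%252e%252e/"),                  # double-encoded
        ("RPC_IN_DATA", "/rpc/rpcproxy.dll?mail.example.com:6004"),  # RPC proxy
        ("GET", "/scripts/"),                                    # not published
    ]
    return [check_request(v, u)[0] for v, u in samples]
```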
30. ISA Server 2004 RADIUS support
Permits standalone servers to do authentication delegation
Forms-based authentication
ISA Server presents form and generates cookie
Separate timeouts for public and private computers
Attachment controls
Block/allow on public or private computers
HTTP policies on publishing rules
Built-in URLScan-type behavior
31. New delegation process
32. Exchange RPC on the internet Many users require full Outlook
Third-party plugins
Mailbox synchronization
Client-side rules
Complete address book
VPNs are too costly if this is the only requirement or not available
33. Design choices Run it naked
Assign the RPC ports
Use RPC over HTTP
Publish with ISA Server
34. RPC connection setup
35. Potential RPC attacks Reconnaissance
NETSTAT
RPCDump
DoS against portmapper
Privilege escalation or other specific service attacks
36. New in Exchange 2003 Result of high customer demand
Useful
All firewalls allow 80/tcp and 443/tcp
Enables access from any location
No special firewall setup required
37. RPC proxy New component
ISAPI extension
Relies on IIS for basic authentication
So: HTTPS, riiiight?
Sets up RPC session after authentication
Inside HTTP, otherwise known as…
Terminates incoming RPC-over-HTTP
Decapsulates RPC
Passes to back-end Exchange server
Run on same machine as OWA FE
38. RPC proxy in action
39. Authentication methods HTTP basic authN only
Over SSL, please!
Others not supported in Outlook 2003
SecurID
No dialog to ask for PIN
Exchange can’t proxy to ACE/Server
RADIUS
Client certificates
Possible with true Kerberos constrained delegation on RPC proxy
40. Already pretty secure Successful basic authN required before any operations can commence
Second Outlook-Exchange authN is transparent if cached credentials are on machine
Is secure from RPC-borne attacks
Attackers could write HTTP wrappers for RPC attack tools
But would need to get past IIS authN
41. Could be better… Simply running RPC over HTTP doesn’t solve all the problems
No inner protocol awareness in firewall
No inspection if HTTPS
42. Publish with ISA Server Move RPC proxy to corp net
Just like we did for OWA
Web publish RPC proxy
Destination set with /rpc/*
SSL bridging (“regeneration”)
URLScan
AuthN delegation probably not necessary
43. Exchange RPC filter Intimately aware of—
How Exchange RPC connections establish
What the proper protocol format is
Allows only Exchange RPC UUIDs
Enforces client authentication
Can optionally enforce encryption
Supports new mail notification
44. Published RPC interfaces {99E64010-B032-11D0-97A4-00C04FD6551D}: "Store admin (1)"
{89742ACE-A9ED-11CF-9C0C-08002BE7AE86}: "Store admin (2)"
{A4F1DB00-CA47-1067-B31E-00DD010662DA}: "Store admin (3)"
{A4F1DB00-CA47-1067-B31F-00DD010662DA}: "Store EMSMDB"
{9E8EE830-4459-11CE-979B-00AA005FFEBE}: "MTA"
{1A190310-BB9C-11CD-90F8-00AA00466520}: "Database"
{F5CC5A18-4264-101A-8C59-08002B2F8426}: "Directory NSP"
{F5CC5A7C-4264-101A-8C59-08002B2F8426}: "Directory XDS"
{F5CC59B4-4264-101A-8C59-08002B2F8426}: "Directory DRS"
{38A94E72-A9BC-11D2-8FAF-00C04fA378FF}: "MTA 'QAdmin'"
{0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE}: "Information Store (1)"
{1453C42C-0FA6-11D2-A910-00C04F990F3B}: "Information Store (2)"
{10F24E8E-0FA6-11D2-A910-00C04F990F3B}: "Information Store (3)"
{1544F5E0-613C-11D1-93DF-00C04FD7BD09}: "Directory RFR"
{F930C514-1215-11D3-99A5-00A0C9B61B04}: "System Attendant Cluster"
{83D72BF0-0D89-11CE-B13F-00AA003BAC6C}: "System Attendant Private"
{469D6EC0-0D87-11CE-B13F-00AA003BAC6C}: "System Attendant Public Interface"
45. Filter operation Client connects to filter’s “portmapper”
Runs as part of filter
Responds only to requests for Exchange RPC
Not actually an (exploitable) portmapper
ISA Server returns filter’s Exchange RPC port numbers
Client makes new connection
46. Filter operation ISA Server connects to Exchange’s portmapper
Exchange returns port numbers
ISA Server makes new connection
47. Filter operation Client logs on to Exchange
Exchange proxies logon to Active Directory
Need “No RFR Service” key to make this happen: KB 302914
Filter watches for approval
Filter checks whether encryption is on, if required
Client mailbox opens
48. Protects from RPC attacks Reconnaissance?
NETSTAT shows only 135/tcp
RPCDump simply fails
DoS against portmapper?
Known attacks fail
Successful attack leaves Exchange protected
Service attacks?
No reconnaissance info available
ISA Server-to-Exchange connections fail unless prior client-to-ISA Server connection is correctly formatted
49. Recommended design Recall typical design
50. New requirements, new designs Move critical servers inside for better protection
Add ISA Server to your existing DMZ
Increase security by publishing:
Exchange RPC
OWA over HTTPS
RPC over HTTPS
SMTP (content filter)
51. ISA Server 2004 and Exchange 2003 Standalone ISA Server 2004 in DMZ
Forms-based client authN
RADIUS for basic delegation
Open firewall accordingly
52. Next steps Consider your risk—
What do you have?
What are you comfortable with?
Consider the way attacks are evolving
Ports mean nothing
Attacks look like legitimate traffic
Evaluate and deploy ISA Server for all current and future Exchange installations
53. Around the corner SP 2 (mobility focus)
Direct push to mobile devices
Control and security
Policy settings: force a password to unlock the device
Local wipe, reset the password after x failed login attempts
Remote wipe
Support for certificate-based authentication
Support for S/MIME
Support for Sender ID e-mail authentication
54. Complete guide to Exchange 2003 security
Covers OWA, OMA/EAS, S/MIME, installation, auditing, and hardening
Covers archiving, compliance, legal issues