1
Exchange Server 2003 Security
  • Name: Thomas de Klerk
  • Role: Trainer/Consultant
  • Company: Info Support
  • E-mail: thomask_at_infosupport.com

2
Agenda
  • Implementing Exchange Security
  • Securing Exchange Server Services and Messaging
    Protocols
  • Maintaining Security on Exchange Server
  • Configuring Exchange to Protect Against Unwanted
    E-mail
  • Securing Access to Exchange Using ISA Server 2004

3
Exchange Server 2003 Security Overview
  • Secure by design
  • Support for sender, recipient and connection
    filtering (block list services)
  • Secure by default
  • User logon on the server disabled
  • Message size limit configured at 10 MB
  • Microsoft Exchange Server 2003 Security
    Enhancements: http://www.microsoft.com/exchange/evaluation/security_E2K3.mspx

4
Exchange Server Deployments
  • General
  • FE/BE deployment
  • ISA Server Integrated

5
Exchange Server Client Scenarios
  • General Clients
  • Microsoft Outlook
  • Mobile client access
  • Outlook Web Access
  • Outlook Mobile Access
  • Exchange Server ActiveSync

6
Configuration and Security Update Recommendations
for Exchange Server
  • Operating system and software
  • Windows Server 2003 with latest security updates
  • Exchange Server 2003 with SP1 or later (SP2 is
    around the corner)
  • Exchange Intelligent Message Filter
  • Browser
  • IE 6 with latest security updates
  • Security update management
  • Microsoft Baseline Security Analyzer

7
Implementing Defense-in-depth
  • Data
  • Application
  • Host
  • Internal Network
  • Perimeter
  • Physical Security
  • Policies, procedures, awareness

8
Securing Exchange Servers
  • Maintaining the security of the underlying
    Windows infrastructure
  • Maintain baseline security hardening practices
  • Understanding security options for various
    deployment scenarios

9
Hardening the Messaging Environment
  • Server environment
  • Domain, DC and member server baseline policies
  • Windows Server 2003 Security Guide: http://go.microsoft.com/fwlink/?linkId=21638
  • Exchange Domain Controller Baseline Policy
    template
  • Messaging environment
  • Exchange Server 2003 Security Hardening
    Guide: http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/exsecure.mspx

10
Exchange Security Templates
11
Hardening Back-End Exchange Servers
  • Tasks include
  • Hardening Services
  • Hardening ACLs
  • Changing privileges and user rights
  • Enabling additional services (optional)
  • Apply Exchange 2003 Backend.inf security template
    to your back-end servers

12
Hardening Front-End Exchange Servers
  • Tasks include
  • Hardening Services
  • Hardening ACLs
  • Enabling additional services (optional)
  • Running URLScan (optional but recommended)
  • Dismounting the mailbox store and deleting the
    public folder store (a front-end hosts no mailboxes)
  • Apply Exchange 2003 frontend.inf security
    template to your front-end servers

13
Understanding SMTP Relaying
  • SMTP relaying: an SMTP server accepts mail from
    addresses in one domain for delivery to mailboxes
    in another domain, where the server owns neither
    domain
  • Needed when
  • Accepting mail for another organization
  • Serving POP3 or IMAP4 clients (they submit
    outbound mail over SMTP)
  • Supporting applications that generate SMTP mail
  • Prevent open relays by
  • Allowing only authenticated computers to relay
  • Restricting relaying to specific computers or
    users
  • Using an SMTP connector to relay only to
    particular domains

14
Demo
  • SMTP Relay
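The relay rules from slide 13, exercised offline. This is an added example, not code from the presentation: a toy SMTP command handler that applies the first two anti-relay rules (authenticated clients, listed computers), with a switch to model the misconfigured open relay, plus the probe an open-relay scanner sends. The domains, addresses, relay host and credentials are constructed for the example; the "550 5.7.1 Unable to relay" reply mirrors the text Exchange 2003 returns when it refuses.

```python
"""Added example, not part of the slides: a toy SMTP server that applies
the anti-relay rules from slide 13, plus the open-relay probe that
scanners and spammers send. The domains, addresses, relay host and
credentials are constructed for the example; the "550 5.7.1 Unable to
relay" reply mirrors the text Exchange 2003 returns when it refuses."""

LOCAL_DOMAINS = {"example.com"}        # domains this server owns (constructed)
RELAY_HOSTS = {"10.0.0.25"}            # application server allowed to relay (constructed)
ACCOUNTS = {"appuser": "s3cret"}       # SMTP AUTH users allowed to relay (constructed)


class RelayPolicyServer:
    """Minimal SMTP command handler; only the relay decision is modelled faithfully."""

    def __init__(self, client_ip, open_relay=False):
        self.client_ip = client_ip
        self.open_relay = open_relay   # True models the misconfiguration the slide warns about
        self.authenticated = False
        self.sender = None

    def handle(self, line):
        """Process one command line and return the server reply."""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.com\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            # Toy form "AUTH PLAIN user:password"; real PLAIN sends base64(\0user\0pass).
            _, _, cred = arg.partition(" ")
            user, _, password = cred.partition(":")
            self.authenticated = ACCOUNTS.get(user) == password
            return "235 Authentication successful" if self.authenticated else "535 Authentication failed"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[1].strip("<> ")
            return "250 OK"
        if verb == "RCPT":
            return self.relay_decision(arg.split(":", 1)[1].strip("<> "))
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"

    def relay_decision(self, recipient):
        """The check that separates an open relay from a closed one."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in LOCAL_DOMAINS:
            return "250 OK"                                   # inbound mail for our own domain: not relaying
        if self.open_relay:
            return "250 OK"                                   # open relay: anyone can send anywhere
        if self.authenticated:
            return "250 OK"                                   # rule 1: authenticated clients may relay
        if self.client_ip in RELAY_HOSTS:
            return "250 OK"                                   # rule 2: listed computers may relay
        return "550 5.7.1 Unable to relay for " + recipient   # everyone else is refused


def probe_open_relay(server):
    """Classic probe: external sender to external recipient without AUTH.
    True means the server relayed it, i.e. it is open."""
    server.handle("EHLO probe.invalid")
    server.handle("MAIL FROM:<probe@sender.invalid>")
    reply = server.handle("RCPT TO:<victim@elsewhere.invalid>")
    server.handle("QUIT")
    return reply.startswith("250")


if __name__ == "__main__":
    for ip, open_relay in (("203.0.113.9", False), ("203.0.113.9", True), ("10.0.0.25", False)):
        print(ip, "open_relay=%s" % open_relay, "->", probe_open_relay(RelayPolicyServer(ip, open_relay)))
```

Note that the probe returns True for the listed relay host as well: relaying from that address is intended, so a scan from inside the network is not evidence of an open relay. The third rule on the slide (an SMTP connector scoped to particular domains) is a routing restriction rather than an acceptance check and is not modelled here.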

15
Securing SMTP Communication Between Mail Servers
  • Install and configure an X.509 certificate on the
    SMTP virtual server
  • Enable TLS encryption for inbound mail
  • Enable and require TLS for outbound mail to
    specific domains (per SMTP connector)

16
Securing Exchange Servers
  • Limit Exchange Server functionality to what
    clients strictly require
  • Remain current with the latest updates for both
    Exchange and the OS
  • Use ISA Server 2004 to regulate access for HTTP,
    RPC over HTTPS, POP3 and IMAP4 traffic
  • Use SSL/TLS and forms-based authentication for
    Outlook Web Access

17
Maintaining Security on Exchange Server
  • Keeping up with the latest security updates
  • Keeping up with recommended best practices
  • Understanding the impact of configuring various
    options within Exchange Server
  • Document configuration and security settings

18
Analyzing Exchange Server 2003 Using the
Microsoft Baseline Security Analyzer
  • MBSA checks for issues related to the following
  • Known Windows and Internet Explorer security
    issues
  • Missing Security updates
  • Weak account passwords
  • IIS security issues
  • SQL Server security issues
  • Exchange Server security issues

19
Validate Exchange Server Configuration Settings
  • ExBPA can examine your Exchange servers to
  • Generate a list of issues, such as
    misconfigurations or unsupported or
    non-recommended options
  • Judge the general health of a system
  • Help troubleshoot specific problems

20
What Are the Exchange Options for Limiting
Unwanted E-mail
  • Recipient filtering
  • Sender filtering
  • Connection filtering
  • Microsoft Exchange Intelligent Message Filter
    (IMF)

21
Demo 2
  • ExBPA
  • Filtering

22
Implementing Antivirus Protection on Exchange
Server
  • Consider the following when designing and
    implementing an antivirus solution
  • Design a defense-in-depth approach
  • Implement an antivirus scanner that supports
    AVAPI 2.5 (the Exchange virus scanning API)
  • Prevent file-level scanning of Exchange Server
    folders (databases, transaction logs, SMTP queues)

23
Securing Access to Exchange Using ISA Server 2004
  • Outlook Web Access
  • RPC over HTTPS
  • Network designs

24
Security issues
  • HTTPS is the transport
  • Intrusion detection?
  • Conformance to e-mail policy?
  • OWA 2000 has no session timeout
  • Fixed in OWA 2003
  • Forms-based authentication: cookie for the session

25
Typical Design
  • Good: performance
  • Separates protocol from message store
  • Network protection
  • Bad: security
  • Tunnel through the outside firewall, no inspection
  • Many holes in the inside firewall for authentication
  • Anonymous initial connections to OWA

(Diagram: OWA, ExBE, AD)
26
Improving OWA security
  • Security goals
  • Inspect SSL traffic
  • Maintain wire privacy
  • Enforce conformance to HTML/HTTP
  • Allow only known URL construction
  • Block URL-borne attacks
  • Optionally
  • Pre-authenticate incoming connections

27
Protect OWA with ISA Server
  • ISA Server becomes the bastion host
  • Web proxy terminates all connections
  • Decrypts HTTPS
  • Inspects content
  • Inspects URL (with URLScan)
  • Re-encrypts for delivery to OWA

(Diagram: encrypted HTTPS bytes reach ISA Server, are decrypted to plain HTTP such as `<a href="http://...`, inspected, and re-encrypted)
28
Protect OWA with ISA Server: Better user
authentication
  • Easy authentication to Active Directory
  • Pre-authenticate communications
  • ISA Server queries user for credentials
  • Verifies against AD
  • Embeds in HTTP headers to OWA
  • Avoids second prompt!

(Diagram: ISA Server, OWA, Exchange, AD)
29
URLScan 2.5
  • Policy-based URL evaluation
  • Define what's allowed, drop everything else
  • Helps protect from attacks that
  • Request unusual actions
  • Have a large number of characters
  • Are encoded using an alternate character set
  • Can be used in conjunction with SSL inspection to
    detect attacks over SSL
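The allow-list idea from slides 26 and 29 (and the "URLScan-type behavior" of ISA Server 2004's HTTP policy on slide 30), as an added example that is not part of the presentation or of Microsoft's urlscan.ini: a request is accepted only if its verb is known, its length is bounded, it uses no alternate or doubled encoding, and its normalised path falls inside the published OWA and RPC-proxy directories. The verb list, path prefixes, length limit and sample requests are assumptions constructed for the example.

```python
"""Added example, not part of the slides: an allow-list URL policy of the
kind URLScan (and ISA Server 2004's HTTP filter) applies in front of OWA
and the RPC proxy. The verb list, the published path prefixes, the length
limit and the sample requests are assumptions constructed for the
example, not a transcription of Microsoft's urlscan.ini."""

import posixpath
import re
from urllib.parse import unquote

ALLOWED_VERBS = {"GET", "POST", "HEAD", "RPC_IN_DATA", "RPC_OUT_DATA"}   # assumed; last two carry RPC over HTTP
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/", "/rpc/")        # assumed published OWA/RPC-proxy paths
MAX_URL_LENGTH = 2048                                                      # assumed limit

# Constructed sample requests: two legitimate, the rest the attack classes slide 29 lists.
SAMPLE_REQUESTS = [
    ("GET", "/exchange/alice/Inbox/"),
    ("RPC_IN_DATA", "/rpc/rpcproxy.dll?mail.example.com:6001"),
    ("TRACE", "/exchange/"),                                         # unusual action
    ("GET", "/exchange/" + "A" * 3000),                              # large number of characters
    ("GET", "/exchange/../scripts/cmd.exe?/c+dir"),                  # path outside the published set
    ("GET", "/exchweb/%252e%252e/%252e%252e/winnt/system32/"),       # double encoding
    ("GET", "/exchange/%C0%AF..%C0%AF..%C0%AF"),                     # alternate character set (overlong UTF-8)
    ("GET", "/exchange/%u002e%u002e/"),                              # %u encoding
]


def _has_non_printable_ascii(text):
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in text)


def check_request(verb, url):
    """Evaluate one request line against the policy. Returns (allowed, reason)."""
    if verb.upper() not in ALLOWED_VERBS:
        return False, "verb not allowed"
    if len(url) > MAX_URL_LENGTH:
        return False, "url too long"
    if _has_non_printable_ascii(url):
        return False, "raw non-ASCII or control character"
    if re.search(r"%u[0-9a-f]{4}", url, re.IGNORECASE):
        return False, "%u encoding"
    decoded = unquote(url)                      # invalid UTF-8 sequences become U+FFFD
    if unquote(decoded) != decoded:
        return False, "double encoding"
    if _has_non_printable_ascii(decoded):
        return False, "encoded non-ASCII or control character"
    # Collapse /../ so the decision is made on the real target, not on the prefix.
    path = posixpath.normpath(decoded.split("?", 1)[0])
    if not any(path == p.rstrip("/") or path.startswith(p) for p in ALLOWED_PREFIXES):
        return False, "path outside published set"
    return True, "ok"


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Apply the policy to every sample request; returns {url: reason}."""
    return {url: check_request(verb, url)[1] for verb, url in requests}


if __name__ == "__main__":
    for url, reason in evaluate_all().items():
        print(f"{reason:40} {url[:60]}")
```

The order of the checks matters: encoding is judged before the path is normalised, so `%2e%2e` cannot slip past the prefix test, and a doubled encoding is rejected outright rather than decoded twice. Being an allow-list, the policy needs no list of attack signatures; anything it does not recognise is dropped, which is the point slide 29 makes.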

30
ISA Server 2004
  • RADIUS support
  • Permits standalone servers to do authentication
    delegation
  • Forms-based authentication
  • ISA Server presents form and generates cookie
  • Separate timeouts for public and private
    computers
  • Attachment controls
  • Block/allow on public or private computers
  • HTTP policies on publishing rules
  • Built-in URLScan-type behavior

31
New delegation process
(Diagram: browser, ISA Server, RADIUS, AD, OWA (IIS))
32
Exchange RPC on the internet
  • Many users require full Outlook
  • Third-party plugins
  • Mailbox synchronization
  • Client-side rules
  • Complete address book
  • A VPN is too costly if this is the only
    requirement, or is not available at all

33
Design choices
  • Run it naked
  • Assign the RPC ports
  • Use RPC over HTTP
  • Publish with ISA Server

34
RPC connection setup
  • Client to server (135/tcp): "On what port is UUID blah?"
  • Server to client: "Blah is on nnnn/tcp." Connection closes.
  • Client to server (nnnn/tcp): "I want to talk with UUID blah."
35
Potential RPC attacks
  • Reconnaissance
  • NETSTAT
  • RPCDump
  • DoS against portmapper
  • Privilege escalation or other specific service
    attacks

36
New in Exchange 2003: RPC over HTTP
  • Result of high customer demand
  • Useful
  • Practically all firewalls allow 80/tcp and 443/tcp
  • Enables access from any location
  • No special firewall setup required

37
RPC proxy
  • New component
  • ISAPI extension
  • Relies on IIS for basic authentication
  • So HTTPS, riiiight?
  • Sets up the RPC session after authentication
  • Inside HTTP, otherwise known as
  • Terminates incoming RPC-over-HTTP
  • Decapsulates the RPC
  • Passes it to the back-end Exchange server
  • Runs on the same machine as the OWA front-end

38
RPC proxy in action
(Diagram: Outlook 2003, RPC proxy, AD, Exchange)
39
Authentication methods
  • HTTP basic authentication only
  • Over SSL, please!
  • Others not supported in Outlook 2003
  • SecurID
  • No dialog to ask for the PIN
  • Exchange can't proxy to ACE/Server
  • RADIUS
  • Client certificates
  • Possible with true Kerberos constrained
    delegation on the RPC proxy

40
Already pretty secure
  • Successful basic authentication is required before
    any operations can commence
  • The second, Outlook-to-Exchange authentication is
    transparent if cached credentials are on the machine
  • Protected from RPC-borne attacks
  • Attackers could write HTTP wrappers for RPC
    attack tools
  • But they would first need to get past IIS
    authentication

41
Could be better
  • Simply running RPC over HTTP doesn't solve all
    the problems
  • The firewall has no awareness of the inner protocol
  • No inspection is possible when the transport is HTTPS

42
Publish with ISA Server
  • Move RPC proxy to corp net
  • Just like we did for OWA
  • Web publish RPC proxy
  • Destination set with /rpc/
  • SSL bridging (regeneration)
  • URLScan
  • AuthN delegation probably not necessary

43
Exchange RPC filter
  • Intimately aware of
  • How Exchange RPC connections are established
  • What the proper protocol format is
  • Allows only Exchange RPC UUIDs
  • Enforces client authentication
  • Can optionally enforce encryption
  • Supports new mail notification

44
Published RPC interfaces
  • 99E64010-B032-11D0-97A4-00C04FD6551D "Store
    admin (1)"
  • 89742ACE-A9ED-11CF-9C0C-08002BE7AE86 "Store
    admin (2)"
  • A4F1DB00-CA47-1067-B31E-00DD010662DA "Store
    admin (3)"
  • A4F1DB00-CA47-1067-B31F-00DD010662DA "Store
    EMSMDB"
  • 9E8EE830-4459-11CE-979B-00AA005FFEBE "MTA"
  • 1A190310-BB9C-11CD-90F8-00AA00466520
    "Database"
  • F5CC5A18-4264-101A-8C59-08002B2F8426
    "Directory NSP"
  • F5CC5A7C-4264-101A-8C59-08002B2F8426
    "Directory XDS"
  • F5CC59B4-4264-101A-8C59-08002B2F8426
    "Directory DRS"
  • 38A94E72-A9BC-11D2-8FAF-00C04fA378FF "MTA
    'QAdmin'"
  • 0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE
    "Information Store (1)"
  • 1453C42C-0FA6-11D2-A910-00C04F990F3B
    "Information Store (2)"
  • 10F24E8E-0FA6-11D2-A910-00C04F990F3B
    "Information Store (3)"
  • 1544F5E0-613C-11D1-93DF-00C04FD7BD09
    "Directory RFR"
  • F930C514-1215-11D3-99A5-00A0C9B61B04 "System
    Attendant Cluster"
  • 83D72BF0-0D89-11CE-B13F-00AA003BAC6C "System
    Attendant Private"
  • 469D6EC0-0D87-11CE-B13F-00AA003BAC6C "System
    Attendant Public Interface"

45
Filter operation
  • Client connects to the filter's portmapper
  • Runs as part of the filter
  • Responds only to requests for Exchange RPC
  • Not actually an (exploitable) portmapper
  • ISA Server returns the filter's Exchange RPC port
    numbers
  • Client makes a new connection

(Diagram: ISA Server, Exchange, AD)
46
Filter operation
  • ISA Server connects to Exchange's portmapper
  • Exchange returns the port numbers
  • ISA Server makes a new connection

(Diagram: ISA Server, Exchange, AD)
47
Filter operation
  • Client logs on to Exchange
  • Exchange proxies the logon to Active Directory
  • Requires the "No RFR Service" registry key to make
    this happen (KB 302914)
  • Filter watches for approval
  • Filter checks whether encryption is on, if
    required
  • Client mailbox opens

(Diagram: ISA Server, Exchange, AD)
48
Protects from RPC attacks
  • Reconnaissance? Yes!
  • NETSTAT shows only 135/tcp
  • RPCDump simply fails
  • DoS against portmapper? Yes!
  • Known attacks fail
  • A successful attack still leaves Exchange protected
  • Service attacks? Yes!
  • No reconnaissance info available
  • ISA Server-to-Exchange connections fail unless a
    prior client-to-ISA Server connection is
    correctly formatted
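The endpoint-mapper exchange of slide 34 and the filter behaviour of slides 45 to 48, as an added example that is not part of the presentation: a model of a bare Exchange server (mapper on 135/tcp, one dynamic port per interface, everything enumerable) beside ISA Server's Exchange RPC filter (answers only for Exchange UUIDs, hands out its own port, enumerates nothing, and opens the inner connection only for a port it handed out for that UUID). The interface UUIDs are the ones listed on slide 44; the port numbers, the foreign UUID and the client/server objects are constructed for the example and stand in for real network traffic.

```python
"""Added example, not part of the slides: a model of the RPC endpoint-mapper
exchange from slide 34 and of what ISA Server's Exchange RPC filter changes
about it (slides 45 to 48). The interface UUIDs are taken from slide 44; the
port numbers, the foreign UUID and the client/server objects are constructed
for the example and stand in for real network traffic."""

# Interfaces the filter will forward (subset of slide 44, lower-cased).
EXCHANGE_INTERFACES = {
    "a4f1db00-ca47-1067-b31f-00dd010662da": "Store EMSMDB",
    "f5cc5a18-4264-101a-8c59-08002b2f8426": "Directory NSP",
    "1544f5e0-613c-11d1-93df-00c04fd7bd09": "Directory RFR",
    "83d72bf0-0d89-11ce-b13f-00aa003bac6c": "System Attendant Private",
}
FOREIGN_UUID = "00000000-0000-0000-0000-000000000001"   # constructed: some non-Exchange RPC interface
EPM_PORT = 135                                          # the endpoint mapper's fixed port


class ExchangeServer:
    """Back-end Exchange: endpoint mapper on 135/tcp plus a dynamic port per interface."""

    def __init__(self):
        # Constructed dynamic ports; real ones are assigned when each service registers.
        self.endpoints = {u: 1025 + i for i, u in enumerate(EXCHANGE_INTERFACES)}
        self.endpoints[FOREIGN_UUID] = 1100            # another RPC service on the same host

    def ept_map(self, uuid):
        """'On what port is UUID blah?' -> 'Blah is on nnnn/tcp.' (or nothing)"""
        return self.endpoints.get(uuid.lower())

    def ept_lookup(self):
        """The enumeration RPCDump performs: every registered interface and its port."""
        return dict(self.endpoints)

    def connect(self, port, uuid):
        """'I want to talk with UUID blah' on the port the mapper named."""
        return self.endpoints.get(uuid.lower()) == port

    def listening_ports(self):
        """What NETSTAT would show on the bare server."""
        return sorted({EPM_PORT, *self.endpoints.values()})


class ExchangeRpcFilter:
    """ISA Server's Exchange RPC filter placed in front of an ExchangeServer."""

    def __init__(self, backend):
        self.backend = backend
        self.next_port = 2000          # constructed; ISA allocates its own listening ports
        self.sessions = {}             # filter port -> UUID it was handed out for

    def ept_map(self, uuid):
        """Slide 45: answer only for Exchange UUIDs, and with the filter's own port."""
        uuid = uuid.lower()
        if uuid not in EXCHANGE_INTERFACES:
            return None
        self.next_port += 1
        self.sessions[self.next_port] = uuid
        return self.next_port

    def ept_lookup(self):
        """Nothing to enumerate: 'RPCDump simply fails'."""
        return {}

    def connect(self, port, uuid):
        """Slide 46: only now does ISA ask Exchange's mapper and open the inner
        connection, and only if this port was handed out for this UUID (slide 48)."""
        if self.sessions.get(port) != uuid.lower():
            return False
        backend_port = self.backend.ept_map(uuid)
        return backend_port is not None and self.backend.connect(backend_port, uuid)

    def listening_ports(self):
        """Before any client session, NETSTAT against ISA shows only 135/tcp."""
        return sorted({EPM_PORT, *self.sessions})


def outlook_session(front, uuid):
    """The three-step sequence from slide 34 against a bare server or the filter."""
    port = front.ept_map(uuid)
    return port is not None and front.connect(port, uuid)


if __name__ == "__main__":
    exchange = ExchangeServer()
    isa = ExchangeRpcFilter(exchange)
    print("RPCDump against Exchange:", len(exchange.ept_lookup()), "interfaces")
    print("RPCDump against ISA:     ", len(isa.ept_lookup()), "interfaces")
    print("EMSMDB via ISA:", outlook_session(isa, "A4F1DB00-CA47-1067-B31F-00DD010662DA"))
    print("foreign interface via ISA:", outlook_session(isa, FOREIGN_UUID))
```

The difference the model makes visible is in the last two calls: against the bare server any registered interface, Exchange or not, is reachable once its port is known, while through the filter the foreign interface never gets a port, and a connection to a filter port that was not handed out for that UUID is refused before ISA ever touches Exchange.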
49
Recommended design
  • Recall typical design

(Diagram: ExFE, SMTP, ExBE, AD)
50
New requirements, new designs
  • Move critical servers inside for better
    protection
  • Add ISA Server to your existing DMZ
  • Increase security by publishing
  • Exchange RPC
  • OWA over HTTPS
  • RPC over HTTPS
  • SMTP (content filter)

(Diagram: ISA Server added to the DMZ)
51
ISA Server 2004 and Exchange 2003
  • Standalone ISA Server 2004 in DMZ
  • Forms-based client authN
  • RADIUS for basic delegation
  • Open firewall accordingly

(Diagram: ISA Server 2004, ExFE, SMTP, ExBE, Corp AD, RADIUS)
52
Next steps
  • Consider your risk
  • What do you have?
  • What are you comfortable with?
  • Consider the way attacks are evolving
  • Ports mean nothing
  • Attacks look like legitimate traffic
  • Evaluate and deploy ISA Server for all current
    and future Exchange installations

53
Around the corner
  • SP 2 (mobility focus)
  • Direct push to mobile devices
  • Control and security
  • Policy settings: force a password to unlock the device
  • Local wipe: the device resets itself after x failed
    unlock attempts
  • Remote wipe
  • Support for certificate-based authentication
  • Support for S/MIME
  • Support for Sender ID e-mail authentication

54
  • Complete guide to Exchange 2003 security
  • Covers OWA, OMA/EAS, S/MIME, installation,
    auditing, and hardening
  • Covers archiving, compliance, legal issues

ISBN 0-7356-1990-5
55