SEC 318 Guerilla Security – Securing Exchange 2000 and 2003 Infrastructures. Fred Baumhardt and Rab Thynne, Senior and Partner Strategy Consultant, Microsoft UK.


Why do we call this Guerilla
- Guerilla, as a type of warfare, is exactly what we face in Internet security
- Expect attacks from anywhere, with any device, at any time, and from the inside
- Defences must be built exactly the same way: good monitoring, competent security forces, and ruthless execution of security policy on attackers

Session Overview
- Core security concepts applied to Exchange
- The Exchange Server security model
- Implementing end-to-end Exchange security
- Implications of client selection
- Securing client/server and server-to-server communications
- Network layer security
- Exchange host server security
- Questions

The Big Picture
- Exchange is an infrastructure product; ergo, it is only as secure as the infrastructure
- So the design of the supporting infrastructure is critical: DMZ design, DCs and their configuration, DNS infrastructure, server build, management and operations

Internet Security Roots and Mail
Let's be honest, from a security perspective:
- IPv4 sucks: it was not designed for security
- The Internet used to require security clearance to use; physical access was restricted, so there was no need for protocol security
- Resistance to nuclear attack was more important than protecting traffic, as the people on the network were trusted
- TCP/IP was thus designed without security in mind; security was added as a bolt-on, and SMTP has almost none
- SMTP takes anonymous, unauthenticated messages from the dirty world and puts them into the heart of your network
- No one thought mail storage would be mission critical

Core Security Concepts applied to Exchange
- The OS is only one component of security, AND firewalls are not a panacea
- Getting into the bank branch doesn't mean you get into the vault
- In the real world security relies on multiple things; it should also do this in the IT world: people and process, internal and edge technologies, management and operations
- Securing your Exchange system is securing your core systems; there is no silver-bullet wizard

Your Attack Sources for Comms
- Answer: everyone, inside and out
- The majority of attacks originate internally: corporate espionage, people with inside knowledge, your users playing with stuff they don't understand
- Externally, it could be anyone: "script kiddies" armed with widely accessible tools, or more serious attackers, for fun or profit

Exchange Comms Architecture

Internal DMZ Firewall Ports
- TCP 80 for HTTP
- TCP 143 for IMAP
- TCP 110 for POP
- TCP 25 for SMTP
- TCP 691 for the Link State Algorithm routing protocol
- TCP/UDP 389 for LDAP to the Directory Service
- TCP 3268 for LDAP to the Global Catalog server
- TCP/UDP 88 for Kerberos authentication
- TCP/UDP 53 for DNS
- TCP 135 for the RPC endpoint mapper
- TCP RPC service ports (unless the DC and Exchange RPC ports are restricted)
- If you use IPSec between the front-end and back-end, open the appropriate ports (UDP 500 for IKE). If the policy you configure only uses AH, you do not need to allow ESP, and vice versa
- RPC over HTTP (TCP 593) can reduce the RPC port requirement

Exchange Defence-in-Depth Orchestration
- Perimeter defences: packet filtering, stateful inspection of packets, intrusion detection
- Network defences: VLAN access control lists, internal firewall, auditing, intrusion detection
- Host defences: server hardening, host intrusion detection, IPSec filtering, auditing
- Application defences: AV, content scanning, Layer 7 (URL) switching, secure IIS, secure Exchange
- Data and resources: ACLs on public folders, correct mail permissions, data, relay permissions
Each layer assumes the prior layers fail.

Connection Strategies

Method                        | Experience | Complexity  | Security
POP3/IMAP4 via SSL with SMTP  | Basic      | Medium/High | Medium
OWA via SSL with ISA          | Moderate   | Low         | Full
VPN – PPTPv2                  | Full       | High        | Full
Secure RPC with ISA           | Full       | Medium      | Full
RPC over HTTP                 | Full       | Medium/Low  | Full in, none out

POP3/IMAP4 with SMTP
- Uses SSL to secure the POP or IMAP connection
- Does not authenticate at the front end
- Requires SMTP at the front-end to send mail, OR a separate SMTP relay (watch for relay spam)
- Removes much of the rich functionality
- Public Folder access can be tricky
- Don't enable unless you absolutely have to

OWA via SSL with ISA
- OWA is lightweight and available anywhere
- Not totally functional, but close
- No offline facility, but great usability
- SSL is an easy and proven security tool
- Can be terminated at ISA with the Feature Pack
- SSL is only used to the front-end server, not FE-to-BE in Exchange 2000; Exchange 2003 can use Kerberos for delegation
- Pre-authentication with ISA is very strong

Protecting HTTPS for OWA
Traditional firewall (OWA client, SSL, web server):
- The web server prompts for authentication; any Internet user can access this prompt
- SSL tunnels through traditional firewalls because it is encrypted, which allows viruses and worms to pass through undetected and infect internal servers
ISA Server with Feature Pack 1 (basic authentication delegation, URLScan for ISA Server):
- ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
- ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted (SSL) or in the clear (HTTP)
- URLScan for ISA Server can stop web attacks at the network edge, even over encrypted SSL from the Internet

VPN Inbound
- Dedicated HW/SW VPN infrastructure
- Requires opening of ports for VPN and authentication
- Provides full and rich network access
- Can be costly for enterprises to implement
- RPC over HTTP can reduce the need; so can secure RPC publishing with ALF (application layer firewalling)

Using ISA for RPC Publishing
- ISA can securely publish RPC
- Opens 135 and listens (can block by source)
- Only allows specific UUIDs for Outlook (configurable)
- Dynamically port-filters subsequent connections
- Can require encrypted RPC only
- Outlook can have full functionality without VPN

RPC – Outlook to Exchange
RPC services grab random high ports when they start; the server maintains a table:

Service        | UUID | Port
Exchange       | {…}  | 4402
AD replication | {…}  | 3544
MMC            | {…}  | 9233

Sequence between the RPC client (Outlook) and the RPC server (Exchange):
1. The client connects to the portmapper on the server (port 135/tcp); it knows the UUID {…} of the service it wants.
2. The client asks, "What port is associated with my UUID?"
3. The server matches the UUID to the current port (4402/tcp).
4. The portmapper responds with the port and closes the connection.
5. The client accesses the application over the learned port (4402/tcp).
Due to the random nature of RPC, this is not feasible over the Internet: all 64,512 high ports and port 135 must be opened on traditional firewalls.
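The endpoint-mapper exchange above, and the difference between a traditional packet filter and the ISA-style RPC filter from the previous slide, as an added example (not code from the presentation or from ISA Server). The service UUIDs are constructed placeholders because the slide elides them; the ports 4402, 3544 and 9233 are the ones on the slide.

```python
"""Model of the RPC endpoint-mapper exchange and of what each kind of
firewall must allow for it. Added example, not the presentation's code."""
import random
import uuid

EPM_PORT = 135                    # endpoint mapper ("portmapper"), 135/tcp
HIGH_PORTS = range(1024, 65536)   # the 64,512 dynamic ports an RPC service may pick

# Constructed UUIDs standing in for the real interface UUIDs (elided on the slide).
EXCHANGE_UUID = uuid.UUID("11111111-1111-1111-1111-111111111111")
AD_REPL_UUID = uuid.UUID("22222222-2222-2222-2222-222222222222")
MMC_UUID = uuid.UUID("33333333-3333-3333-3333-333333333333")


class RpcServer:
    """Each service grabs a high port at start-up; the server keeps the table."""

    def __init__(self, rng=None):
        self.table = {}
        self.rng = rng or random.Random(0)

    def start_service(self, service_uuid, port=None):
        port = port or self.rng.choice(HIGH_PORTS)
        self.table[service_uuid] = port
        return port

    def lookup(self, service_uuid):
        """What the endpoint mapper answers on 135/tcp: 'what port is my UUID on?'"""
        return self.table.get(service_uuid)


class StaticFilter:
    """Traditional packet filter: it knows nothing about RPC, so every port the
    client might be told about has to be open in advance."""

    def required_ports(self):
        return {EPM_PORT} | set(HIGH_PORTS)

    def allows(self, dst_port):
        return dst_port in self.required_ports()


class RpcAwareFilter:
    """ISA-style RPC filter: listens on 135, publishes only configured UUIDs,
    reads the mapper's reply and opens just that port for that client."""

    def __init__(self, server, allowed_uuids):
        self.server = server
        self.allowed = set(allowed_uuids)
        self.pinholes = set()  # (client, port) pairs opened dynamically

    def epm_query(self, client, service_uuid):
        if service_uuid not in self.allowed:
            return None  # UUID not published: the client never learns a port
        port = self.server.lookup(service_uuid)
        if port is not None:
            self.pinholes.add((client, port))
        return port

    def allows(self, client, dst_port):
        return dst_port == EPM_PORT or (client, dst_port) in self.pinholes


def demo():
    server = RpcServer()
    server.start_service(EXCHANGE_UUID, 4402)
    server.start_service(AD_REPL_UUID, 3544)
    server.start_service(MMC_UUID, 9233)

    static = StaticFilter()
    isa = RpcAwareFilter(server, allowed_uuids=[EXCHANGE_UUID])

    outlook = "10.0.0.7"  # constructed client address
    port = isa.epm_query(outlook, EXCHANGE_UUID)  # Outlook learns 4402
    return {
        "static_ports_needed": len(static.required_ports()),  # 64,512 high + 135
        "exchange_port": port,
        "isa_allows_outlook_4402": isa.allows(outlook, 4402),
        "isa_allows_outlook_9233": isa.allows(outlook, 9233),  # no pinhole for MMC
        "isa_allows_other_host_4402": isa.allows("10.0.0.8", 4402),
        "isa_publishes_mmc": isa.epm_query(outlook, MMC_UUID) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The static filter needs 64,513 ports open for a single Outlook session; the RPC-aware filter opens one port, for one client, for the one UUID it was told to publish, which is the property the "Using ISA for RPC Publishing" slide relies on.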

Securing the Front Side
- Exchange 2000 SP2+ doesn't require RPC for DSAccess from the front-end to the back-end; however, RPC is still required for IIS authentication (OWA) and POP/IMAP
- Exchange DMZ trade-off: is it better to allow RPC packets from the DMZ inward, to IPSec-tunnel through the firewall (bypassing it; no NAT firewalls), or to allow anonymous requests from the FE to the BE?
- Result: a Swiss-cheesed or bypassed firewall
Diagram: Internet -> (TCP 443: HTTPS) -> stateful packet filtering firewall -> front-end server (receives TCP 443 HTTPS for OWA; RPC for Outlook; SMTP, POP3, IMAP4) -> RPC and/or a defined port, plus HTTP (TCP 80) -> back-end server.

Best Practice for the Front Side
- A flat DMZ design
- ISA Layer 7 switching (OWA) or RPC filtration (Outlook)
- No firewalls between front-end and back-end servers
- Front-end and back-end servers authenticate clients
- IPSec if required between front-end and back-end Exchange servers
Diagram: Internet -> (TCP 443: HTTPS) -> stateful packet filtering firewall -> application filtering firewall (ISA Server) -> (TCP 80: HTTP, or TCP 443: HTTPS) -> Exchange servers.

Is This Less Secure?
- Same number of firewalls to defeat
- RPC or tunnelling can negate firewalls anyway
- Attacks come at the data layer
- This is a shift in thinking, as firewalls move up the stack and switches start port filtering

Secure Networking
Diagram: Internet -> redundant routers -> ISA firewalls (first-tier firewalls: URL filtering for OWA, RPC termination for Outlook) -> switches (NIC teams across two switches) -> VLANs for DC + infrastructure, front-end and back-end, with intrusion detection.
- Switches implement VLANs and control inter-VLAN traffic like firewalls do

Client Security from the Internet
- Every time you connect into a network you extend the security perimeter
- RPC publishing and VPN both require great care at the client
- Harden your clients on the Internet, or hackers will attack clients and ride the VPN
- Require RPC encryption for Outlook
- Client-based IDS systems

General Member Server Hardening
- Role-based hardening
- OU structure to hold FE/BE servers by role
- Security templates from the Exchange Security Operations Guide
- AD is a great security tool

IIS Lockdown Changes
- File ACLs: denies relevant permissions on the home directory
- Also sets the ACL on (ExchDirectory)\ExchWeb
- Denies execute access to all system utilities, such as cmd.exe, in the c:\winnt\system32 folder
- Changes made by IISLockdown can be overwritten by Group Policy

Front-end OWA Server Hardening
- Run IISLockdown with the template for Exchange; see Q
  - Removes all unnecessary script mappings, vdirs and applications
  - Disables password change (HTR), so hide it in the UI to avoid confusion (Q297121)
- Configure URLScan: blocks special characters, extensions and canonicalisation tricks (../ \ % &)
- DSAccess uses RPC to contact Netlogon for authentication: limit RPC ports on all DCs and allow this through the internal firewall
- Use ISA to securely publish RPC from the FE in the DMZ to the BE, if applicable
- Use MetaEdit to change the SMTP banner
- Run EDSLock to lock down folder and mailbox store group access
- Dismount the Mailbox Store and delete the Public Folder Store
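The three URLScan categories on this slide (special characters, extensions, canonicalisation) as a small request filter, written as an added example: it is not URLScan, not the presentation's code, and the denied-extension and denied-character sets are illustrative rather than URLScan's shipped configuration. The sample request paths are constructed for the example.

```python
"""URLScan-style request filter: decode the path until stable (so a
double-encoded escape cannot hide a traversal), then apply the slide's
three rule categories. Added example; rule sets are illustrative."""
from urllib.parse import unquote

DENIED_EXTENSIONS = {".htr", ".exe", ".bat", ".cmd", ".ida", ".idq"}  # illustrative
DENIED_CHARS = set("\\&%")  # backslash, ampersand, and any percent left after decoding


def canonicalise(path, max_rounds=3):
    """Return (decoded_path, stable). Decoding repeats until the string stops
    changing; a path that still decodes after max_rounds is itself suspicious."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            return decoded, True
        decoded = nxt
    return decoded, unquote(decoded) == decoded


def check_request(raw_path):
    """Return (allowed, reason) for a request path, in the slide's categories."""
    path, stable = canonicalise(raw_path)
    # Canonicalisation: unstable encoding or a parent-directory reference.
    if not stable or ".." in path:
        return False, "canonicalisation"
    # Special characters that survive decoding.
    if any(c in path for c in DENIED_CHARS):
        return False, "special character"
    # Extension of the last path segment.
    last = path.rsplit("/", 1)[-1]
    ext = ("." + last.rsplit(".", 1)[1].lower()) if "." in last else ""
    if ext in DENIED_EXTENSIONS:
        return False, "extension"
    return True, "ok"


# Constructed sample requests: a normal OWA path, a double-encoded traversal,
# an HTR password-change request, and an ampersand hidden behind %26.
SAMPLE_REQUESTS = [
    "/exchange/Inbox/",
    "/exchange/..%255c..%255cwinnt/system32/cmd.exe",
    "/iisadmpwd/aexp2.htr",
    "/exchange/a%26b",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", check_request(req))
```

The order of checks matters: the traversal sample contains both ".." and a decoded backslash, and reporting it as a canonicalisation problem rather than a stray character is what tells the operator which rule class caught it.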

Front-end OWA Server Hardening
Disable the following Exchange services:
- Exchange IMAP4, POP3
- Exchange Information Store
- Microsoft Search
- Exchange Event, Site Replication Service
- Exchange Management, Exchange MTA
Disable all other unnecessary services: Messenger, Alerter, etc.
- Network bindings

Front-End OWA Server Hardening
Ensure the following are enabled:
- Exchange Routing Engine
- IPSEC Policy Agent
- RPC Locator
- IIS Admin Service
- World Wide Web Publishing Service

Back-end Server Hardening
Enabled Exchange services:
- Information Store
- Exchange Management
- Exchange Management Instrumentation
- Exchange System Attendant
- Exchange Routing Engine
Disabled Exchange services:
- IMAP4, POP3
- Exchange Event Service (if Exchange 2000 only)
- Exchange Site Replication Service (if Exchange 2000 only)
- Exchange MTA Stacks (if Exchange 2000 only and no X.400)

Back-end Server Hardening
Exchange required OS services:
- WWW Service (OWA comms)
- IIS Admin Service (Exchange routing)
- SMTP
- RPC Locator (DC comms)
- IPSEC Policy Agent
The System Attendant depends on:
- Event Log
- NTLM Security Support Provider
- RPC
- RPC Locator
- Server
- Workstation
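The front-end and back-end service lists from the last four slides, turned into a role-based audit as an added example (not the presentation's or Microsoft's code). The slides give display names only, so the Windows short service names used here are assumptions; the `sc query`-shaped snapshot is constructed for the example.

```python
"""Role-based service audit for Exchange 2000/2003 front-end and back-end
servers, using the enabled/disabled lists from the slides. Added example."""
import re

# Expected state per role, keyed by short service name (assumed names).
ROLE_POLICY = {
    "front-end": {
        "enabled": {"RESvc", "PolicyAgent", "RpcLocator", "IISADMIN", "W3SVC"},
        "disabled": {"IMAP4Svc", "POP3Svc", "MSExchangeIS", "MSSEARCH",
                     "MSExchangeES", "MSExchangeSRS", "MSExchangeMGMT",
                     "MSExchangeMTA", "Messenger", "Alerter"},
    },
    "back-end": {
        "enabled": {"MSExchangeIS", "MSExchangeMGMT", "MSExchangeSA", "RESvc",
                    "W3SVC", "IISADMIN", "SMTPSVC", "RpcLocator", "PolicyAgent"},
        "disabled": {"IMAP4Svc", "POP3Svc", "MSExchangeES", "MSExchangeSRS",
                     "MSExchangeMTA", "Messenger", "Alerter"},
    },
}

# Constructed excerpt in the shape of `sc query` output (only the two fields
# the audit needs are kept for each service).
SAMPLE_SC_QUERY = """
SERVICE_NAME: MSExchangeIS
        STATE              : 4  RUNNING
SERVICE_NAME: IMAP4Svc
        STATE              : 4  RUNNING
SERVICE_NAME: RESvc
        STATE              : 4  RUNNING
SERVICE_NAME: PolicyAgent
        STATE              : 1  STOPPED
SERVICE_NAME: W3SVC
        STATE              : 4  RUNNING
SERVICE_NAME: IISADMIN
        STATE              : 4  RUNNING
SERVICE_NAME: RpcLocator
        STATE              : 4  RUNNING
SERVICE_NAME: Messenger
        STATE              : 1  STOPPED
"""


def parse_sc_query(text):
    """Return {service_name: state} from sc query-style text."""
    states = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if m and current:
            states[current] = m.group(1)
    return states


def audit(role, states):
    """List deviations from the role policy as (finding, service) pairs.
    A service absent from the snapshot counts as not running."""
    policy = ROLE_POLICY[role]
    running = {name for name, state in states.items() if state == "RUNNING"}
    findings = []
    for svc in sorted(policy["disabled"] & running):
        findings.append(("should be disabled", svc))
    for svc in sorted(policy["enabled"] - running):
        findings.append(("should be running", svc))
    return findings


if __name__ == "__main__":
    snapshot = parse_sc_query(SAMPLE_SC_QUERY)
    for role in ROLE_POLICY:
        print(role, audit(role, snapshot))
```

Run against the constructed snapshot, the front-end policy flags IMAP4 and the Information Store as running when they should be off, and the IPSEC Policy Agent as stopped when the slide requires it; the same snapshot judged as a back-end misses the System Attendant and SMTP, which is the point of auditing by role rather than against one list.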

Generic Exchange Server Hardening: Filesystem ACLs

Directory                          | Old ACL        | New ACL                                 | Applied to subdirectories?
%systemdrive%\Inetpub\Mailroot     | Everyone: Full | Domain Admins: Full; Local System: Full | Yes
%systemdrive%\Inetpub\nntpfile\    | Everyone: Full | Domain Admins: Full; Local System: Full | Yes
%systemdrive%\Inetpub\nntpfile\root| Everyone: Full |                                         | Yes

Business Continuity
- Security planning also needs to cover breaches
- Think through the disaster recovery strategy
- A backup and recovery strategy is critical
- Critical incident management procedure

Physical Server Access
- Physical infrastructure access must be strictly controlled
- Access to Domain Controllers can cripple networks in seconds
- We often find mission-critical machines under desks

Additional Security Protection
- Antivirus applications are critical to Exchange
- SMTP screening software is becoming increasingly important
- Content blocking – Appropriate s

Maintaining Security
- Microsoft Baseline Security Analyzer v1.2 scans Exchange and Windows
- Software Update Services: simplified patch management and control; a free tool
- These are not enterprise-focused tools; SMS 2003 is the better option
- Use Group Policy to enforce configuration

Top 10 Ways to Get Secure
1. Implement the Security Operations Guides for Windows and Exchange
2. Use MBSA to identify missing patches
3. Implement IISLockdown based on role
4. Secure infrastructure assets
5. Use the EDSLock script to restrict groups

Top 10 Ways to Get Secure (continued)
6. Get adequate antivirus protection for servers and desktops
7. Use perimeter SMTP scanning
8. Automate patch management
9. Use SSL, IPsec and MAPI encryption where appropriate
10. Plan your response to an intrusion before it happens

Exchange Security Resources
- Exchange Security Operations Guide
- Windows Security Operations Guide
- NSA Security Guides
- Microsoft Systems Architecture – EDC-IDC
- Microsoft Operations Framework

Other Links
- Exchange 2000 – EDS Lockdown: ort/kb/articles/Q313/8/07.asp&NoWebContent=1 (link truncated)
- Exchange Library
- Exchange Security: E9A7-FE36-4A02-A0F8-75D4F9EB8D2D (link truncated)

In Closing…
Thanks for coming! Feel free to send comments or feedback. PLEASE fill out your evaluations!
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.