MSG308: Secure Access to Exchange from the Internet. Steve Riley, Microsoft Corporation.

FAQs
- Exchange? On the Internet?? Are you out of your mind???

It's topical
- Design alternatives
  - VPNs
  - OWA
  - RPC: native and over HTTP
- Recommended design
- To DMZ or not to DMZ... that is the question

This session...
- Is about: securing Internet access to an Exchange installation
- Isn't about: general Exchange security

VPNs

The usual choice
- VPN clients in all versions of Windows
- Yes, PPTP can be made secure (a 2003-era judgement: PPTP with MS-CHAPv2 is no longer considered adequate)
- L2TP+IPsec is the future
- Technology is well-understood
- Needs an IT staff, though
  - More work than most small and medium organizations want to deal with

Technical problems
- Won't work in some public locations
  - VPN protocols blocked
  - IPsec vs. NAT (AH cannot cross a NAT at all; ESP and IKE need NAT traversal)
    - But see SEC406, 3:15 Thurs, Ballroom A 3-4: IKE and IPsec NAT-T
  - Packet fragmentation

Technical problems
- Default gateway modifications
  - All traffic goes to the VPN tunnel
  - No access to the local network
- Split-tunneling often disallowed
  - This is a good thing!
- VPNs are useful to connect remote clients to corporate networks
  - Less useful when connecting from the corporate network to some ASP

Outlook Web Access

Universal availability
- Browsers are everywhere
- Familiar interface
  - OWA 2003 is almost just like Outlook

Security issues
- HTTPS is the transport
  - Intrusion detection? (a network IDS cannot see inside the encrypted stream)
  - Conformance to policy?
- OWA 2000 has no session timeout
  - Fixed in OWA 2003: forms-based authentication, with a cookie carrying the session

Typical design
- Good
  - Separates protocol from message store
  - Network protection
- Bad
  - Tunnel through outside firewall: no inspection
  - Many holes in inside firewall for authentication
  - Anonymous initial connections to OWA
[Diagram: OWA front end in the DMZ; Exchange back end (ExBE) and AD on the inside]

Improving OWA security
- Security goals
  - Inspect SSL traffic
  - Maintain wire privacy
  - Enforce conformance to HTML/HTTP
  - Allow only known URL construction
  - Block URL-borne attacks
- Optionally
  - Pre-authenticate incoming connections

Protect OWA with ISA Server
- ISA Server becomes the "bastion host"
- Web proxy terminates all connections
  - Decrypts HTTPS
  - Inspects content
  - Inspects URL (with URLScan)
  - Re-encrypts for delivery to OWA
[Diagram: ciphertext from the client (x36dj23s2oipn49v) is decrypted on ISA Server, inspected as plaintext (<a href…) and re-encrypted towards OWA; Exchange and AD sit behind it]

Protect OWA with ISA Server
- Easy authentication to Active Directory
- Pre-authenticate communications
  - ISA Server queries the user for credentials
  - Verifies against AD
  - Embeds them in the HTTP headers sent to OWA
  - Avoids a second prompt!
- Requires FP1
[Diagram: client, ISA Server, OWA, Exchange, AD; ISA Server answers a rejected request itself (404)]
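Added example, not from the presentation and not ISA Server's or URLScan's own code: a Python model of the inspection the last three slides describe, applied to a request after HTTPS has been terminated. It enforces a verb allowlist, refuses URLs that are over-long, double-encoded, carry control or high-bit characters or a denied sequence, or fall outside the published OWA virtual directories, and then pre-authenticates with Basic credentials so that an anonymous request never reaches OWA. The virtual-directory prefixes, the denied-sequence list (modelled on URLScan's DenyUrlSequences), the limits, the internal OWA host name and the user table are assumptions made for this example; the sample requests are constructed.

```python
import base64
import binascii
import hmac
from urllib.parse import unquote

# Assumptions for this example: the OWA virtual directories ISA publishes, the verbs OWA
# 2003 uses (plain HTTP plus its WebDAV verbs), URLScan-style limits, and a constructed
# user table standing in for the Active Directory check.
ALLOWED_PREFIXES = ("/exchange/", "/exchweb/", "/public/")
ALLOWED_METHODS = {"GET", "POST", "HEAD", "PROPFIND", "PROPPATCH", "SEARCH", "SUBSCRIBE",
                   "UNSUBSCRIBE", "POLL", "MOVE", "COPY", "DELETE", "PUT", "MKCOL",
                   "BMOVE", "BCOPY", "BDELETE"}
DENIED_SEQUENCES = ("..", "./", "\\", ":", "%", "<", ">")   # checked after one round of decoding
MAX_URL = 260
OWA_INTERNAL = "https://owa.corp.example"                    # assumed back-end OWA host
USERS = {"alice": "correct horse", "bob": "hunter2"}         # constructed; stands in for AD


def check_url(raw_url):
    """Return None if the URL has a known-good construction, else the reason it was refused."""
    if len(raw_url) > MAX_URL:
        return "url too long"
    path = raw_url.split("?", 1)[0]
    decoded = unquote(path)
    if unquote(decoded) != decoded:               # escapes survive one decode: double encoding
        return "double-encoded url"
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in decoded):
        return "control or high-bit character"
    for seq in DENIED_SEQUENCES:
        if seq in decoded:
            return f"denied sequence {seq!r}"
    if not decoded.lower().startswith(ALLOWED_PREFIXES):
        return "not a published OWA virtual directory"
    return None


def check_auth(headers):
    """Pre-authentication: return the user name if the Basic credentials verify, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode("ascii").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def inspect_request(method, raw_url, headers):
    """Decide one decrypted request the way the bastion host does.

    Returns (status, detail): a status ISA answers with itself, or 200 plus the request
    that is re-encrypted and forwarded to OWA together with the verified credentials.
    """
    if method not in ALLOWED_METHODS:
        return 405, "method not used by OWA"
    reason = check_url(raw_url)
    if reason is not None:
        return 403, reason
    user = check_auth(headers)
    if user is None:
        return 401, "pre-authentication required"      # anonymous requests stop here
    return 200, {"forward": OWA_INTERNAL + raw_url, "user": user,
                 "Authorization": headers["Authorization"]}   # credentials delegated to OWA


def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample traffic: legitimate OWA requests and several that must not reach OWA.
SAMPLE_REQUESTS = [
    ("GET", "/exchange/alice/Inbox/?Cmd=contents", {"Authorization": basic("alice", "correct horse")}),
    ("PROPFIND", "/exchange/alice/Inbox/", {"Authorization": basic("alice", "correct horse")}),
    ("GET", "/exchange/alice/Inbox/", {}),
    ("GET", "/exchange/alice/Inbox/", {"Authorization": basic("alice", "wrong")}),
    ("GET", "/exchange/../scripts/cmd.exe?/c+dir", {"Authorization": basic("bob", "hunter2")}),
    ("GET", "/exchange/%252e%252e/winnt/", {"Authorization": basic("bob", "hunter2")}),
    ("GET", "/iisadmin/", {"Authorization": basic("bob", "hunter2")}),
    ("TRACE", "/exchange/", {"Authorization": basic("bob", "hunter2")}),
]


def run_samples():
    return [inspect_request(*req)[0] for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, status in zip(SAMPLE_REQUESTS, run_samples()):
        print(status, req[0], req[1])
```

Two points a deployment has to get right that the model glosses over: real OWA item URLs can legitimately contain characters on a default deny list (spaces and colons from message subjects, for instance), which is why Microsoft published a separate URLScan configuration for OWA and why the allowlist must be tuned against real traffic rather than copied; and the credential delegation only makes sense on the re-encrypted hop to OWA, never over the plaintext segment that the proxy itself inspects.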

Results
- Known good content
- Known good URL
- Known good user
- Dare I say it... trusted access?

Exchange RPC on the Internet

RPC on the Internet?

Business case
- Many users require full Outlook
  - Third-party plugins
  - Mailbox synchronization
  - Client-side rules
  - Complete address book
- VPNs are too costly if this is the only requirement

Design choices
- Run it naked
- Assign the RPC ports
- Use RPC over HTTP
- Publish with ISA Server

RPC connection setup: RPC server (Exchange) and RPC client (Outlook)
- RPC services grab random high ports when they start; the server's endpoint mapper ("portmapper", 135/tcp) maintains the table:
  Service         UUID   Port
  Exchange        {…}    4402
  AD replication  {…}    3544
  MMC             {…}    9233
1. Client knows the UUID of the service it wants ({…})
2. Client connects to the portmapper on the server (135/tcp)
3. Client asks, "What port is associated with my UUID?"
4. Server matches the UUID to the current port (4402/tcp)
5. Portmapper responds with the port and closes the connection
6. Client accesses the application over the learned port (4402/tcp)

Design choices (next: run it naked)
- Run it naked
- Assign the RPC ports
- Use RPC over HTTP
- Publish with ISA Server

RPC naked on the net
- Good
  - Easy to build!
- Bad
  - Easy to compromise!
  - Firewall must permit all traffic on all high ports
  - Firewall can't tell what's Exchange and what isn't
  - No protection against RPCDump, for instance
[Diagram: Exchange exposed directly to the Internet]

Potential RPC attacks
- Reconnaissance
  - NETSTAT
  - RPCDump
- DoS against the portmapper
- Privilege escalation or other specific service attacks

Design choices (next: assign the RPC ports)
- Run it naked
- Assign the RPC ports
- Use RPC over HTTP
- Publish with ISA Server

Registry keys
- Need to set fixed port numbers for
  - Information Store
  - Directory Service
  - System Attendant
- See KB
- Best to use ports just above 5000 (on Windows 2000/2003 the dynamic port range ends at 5000, so a fixed port above it cannot collide with a port some other service took at start-up)

Fixed RPC ports
- Good
  - Still easy to build
  - Limited open ports on the firewall: 135/tcp + 3 high ports
- Bad
  - Still easy to compromise
  - Doesn't stop any of the previous attacks
  - Firewall still can't tell what's Exchange and what isn't
  - Scalable?
[Diagram: Exchange exposed on 135/tcp and three fixed high ports]

Design choices (next: use RPC over HTTP)
- Run it naked
- Assign the RPC ports
- Use RPC over HTTP
- Publish with ISA Server

New in Exchange 2003: RPC over HTTP
- Result of high customer demand
- Useful
  - All firewalls allow 80/tcp and 443/tcp
  - Enables access from any location
  - No special firewall setup required

But is it secure?
- Look back at the last slide... those are not necessarily positive attributes
- Simply running RPC over HTTP doesn't solve all the problems
  - No protocol awareness in the firewall
  - No pre-authenticated connections
  - No inspection if HTTPS
- It is secure from RPC-borne attacks
  - Until attack tools have HTTP wrappers...

What's the big deal?
- Knowing a port number or a UUID doesn't mean you know the intent
- What do the following tell you?
  - 80/tcp: well-known port for HTTP
  - 49494/tcp: random (fixed?) port for Exchange
  - {…}: well-known UUID for Exchange
- They are application identifiers. That's all!

So what's it good for?
- RPC over HTTP is no more, and no less, secure than fixed-port RPC
- So use it
  - If your business case requires it
  - If you are comfortable with the risk
- It's another option for customers who are satisfied with its operation

Design choices (next: publish with ISA Server)
- Run it naked
- Assign the RPC ports
- Use RPC over HTTP
- Publish with ISA Server

ISA Server
- More than just a proxy
- True application-aware content-filtering firewall
  - Exchange RPC
  - SMTP
  - H.323
  - FTP
  - DNS
  - POP3/IMAP4

Exchange RPC filter
- Intimately aware of
  - How Exchange RPC connections establish
  - What the proper protocol format is
- Allows only Exchange RPC UUIDs
- Enforces client authentication
- Can optionally enforce encryption
- Requires Feature Pack 1
- Supports new mail notification

Published RPC interfaces
  {99E64010-B032-11D0-97A4-00C04FD6551D}  Store admin (1)
  {89742ACE-A9ED-11CF-9C0C-08002BE7AE86}  Store admin (2)
  {A4F1DB00-CA47-1067-B31E-00DD010662DA}  Store admin (3)
  {A4F1DB00-CA47-1067-B31F-00DD010662DA}  Store EMSMDB
  {9E8EE830-4459-11CE-979B-00AA005FFEBE}  MTA
  {1A190310-BB9C-11CD-90F8-00AA00466520}  Database
  {F5CC5A18-4264-101A-8C59-08002B2F8426}  Directory NSP
  {F5CC5A7C-4264-101A-8C59-08002B2F8426}  Directory XDS
  {F5CC59B4-4264-101A-8C59-08002B2F8426}  Directory DRS
  {38A94E72-A9BC-11D2-8FAF-00C04FA378FF}  MTA 'QAdmin'
  {0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE}  Information Store (1)
  {1453C42C-0FA6-11D2-A910-00C04F990F3B}  Information Store (2)
  {10F24E8E-0FA6-11D2-A910-00C04F990F3B}  Information Store (3)
  {1544F5E0-613C-11D1-93DF-00C04FD7BD09}  Directory RFR
  {F930C514-1215-11D3-99A5-00A0C9B61B04}  System Attendant Cluster
  {83D72BF0-0D89-11CE-B13F-00AA003BAC6C}  System Attendant Private
  {469D6EC0-0D87-11CE-B13F-00AA003BAC6C}  System Attendant Public Interface

Filter operation
1. Client connects to the filter's "portmapper"
   - Runs as part of the filter
   - Responds only to requests for Exchange RPC
2. ISA Server returns the filter's Exchange RPC port numbers
3. Client makes a new connection
[Diagram: client, ISA Server, Exchange, AD]

Filter operation (continued)
4. ISA Server connects to Exchange's portmapper
5. Exchange returns its port numbers
6. ISA Server makes a new connection
[Diagram: client, ISA Server, Exchange, AD]

Filter operation (continued)
7. Client logs on to Exchange
8. Exchange proxies the logon to Active Directory
   - Needs the "No RFR Service" registry value to make this happen (see KB): without it Exchange refers the client to a global catalog for directory lookups, and that referral cannot pass through the filter
9. Filter watches for approval
10. Filter checks whether encryption is on, if required
11. Client mailbox opens
[Diagram: client, ISA Server, Exchange, AD]

Protects from RPC attacks?
- Reconnaissance?
  - NETSTAT shows only 135/tcp
  - RPCDump simply fails
- DoS against the portmapper?
  - Known attacks fail
  - A successful attack still leaves Exchange protected
- Service attacks?
  - No reconnaissance info available
  - ISA Server-to-Exchange connections fail unless the prior client-to-ISA Server connection is correctly formatted
- Yes!
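Added example, not from the presentation and not ISA Server's code: a Python model of the endpoint-mapper exchange shown in the RPC connection setup slide and of the filter behaviour described in the slides above. EndpointMapper stands for the mapper of a naked server (RPCDump enumerates every interface, any registered UUID resolves); ExchangeRpcFilter stands for the filter's own mapper (answers only Exchange UUIDs, contacts Exchange's mapper only after the client's request has parsed correctly, answers no enumeration at all); port_only_firewall shows why fixed ports and RPC over HTTP do not help, since a packet filter sees only 135/tcp and passes the same malformed request. The text form of the lookup request, the port ranges and the DRSUAPI UUID standing in for a non-Exchange interface are assumptions made for this example; the three Exchange UUIDs are the EMSMDB, NSP and RFR interfaces.

```python
import random
import re

# Exchange RPC interface UUIDs the filter admits (three of the published interfaces).
EXCHANGE_UUIDS = {
    "a4f1db00-ca47-1067-b31f-00dd010662da": "Store EMSMDB",
    "f5cc5a18-4264-101a-8c59-08002b2f8426": "Directory NSP",
    "1544f5e0-613c-11d1-93df-00c04fd7bd09": "Directory RFR",
}
# A non-Exchange interface registered on the same host: AD replication (DRSUAPI).
AD_REPL_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"

# Simplified, text-based stand-in for the client's endpoint-mapper query; the real
# ept_map call is a binary DCE RPC request and is not modelled here.
LOOKUP_RE = re.compile(r"^EPT_MAP ([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}) v\d+\.\d+$")


class EndpointMapper:
    """The RPC endpoint mapper ('portmapper') on 135/tcp of a server exposed directly."""

    def __init__(self, rng):
        self.rng = rng
        self.table = {}          # uuid -> port the service took when it started
        self.queries = 0         # how many requests actually reached this host

    def register(self, uuid):
        self.table[uuid] = self.rng.randint(1025, 5000)   # random high port at start-up
        return self.table[uuid]

    def lookup(self, request):
        self.queries += 1
        m = LOOKUP_RE.match(request)
        return self.table.get(m.group(1)) if m else None

    def enumerate(self):
        """What RPCDump learns from a naked server: every interface and its port."""
        return dict(self.table)


class ExchangeRpcFilter:
    """ISA Server's Exchange RPC filter: its own mapper on 135/tcp in front of the real one."""

    def __init__(self, backend, rng):
        self.backend = backend
        self.rng = rng
        self.ports = {}          # uuid -> port ISA listens on and relays to Exchange

    def lookup(self, request):
        m = LOOKUP_RE.match(request)
        if not m or m.group(1) not in EXCHANGE_UUIDS:
            return None          # malformed or non-Exchange: refused; Exchange never sees it
        backend_port = self.backend.lookup(request)   # only now does ISA ask Exchange's mapper
        if backend_port is None:
            return None
        return self.ports.setdefault(m.group(1), self.rng.randint(1025, 5000))

    def enumerate(self):
        return {}                # no enumeration is answered: RPCDump simply fails


def port_only_firewall(dst_port, open_ports):
    """A packet filter decides on the port number alone; the request content is invisible to it."""
    return dst_port in open_ports


def demo(seed=7):
    rng = random.Random(seed)
    exchange = EndpointMapper(rng)
    for uuid in list(EXCHANGE_UUIDS) + [AD_REPL_UUID]:
        exchange.register(uuid)
    isa = ExchangeRpcFilter(exchange, rng)

    good = "EPT_MAP a4f1db00-ca47-1067-b31f-00dd010662da v0.0"   # Outlook asking for the store
    recon = f"EPT_MAP {AD_REPL_UUID} v4.0"                       # probing a non-Exchange interface
    malformed = "EPT_MAP \x90\x90\x90\x90\x90\x90\x90\x90 v0.0"  # garbage aimed at the mapper

    naked = {
        "visible_to_rpcdump": len(exchange.enumerate()),
        "recon_answered": exchange.lookup(recon) is not None,
    }
    exchange.queries = 0
    filtered = {
        "visible_to_rpcdump": len(isa.enumerate()),
        "good_answered": isa.lookup(good) is not None,
        "recon_answered": isa.lookup(recon) is not None,
        "malformed_answered": isa.lookup(malformed) is not None,
        "requests_reaching_exchange": exchange.queries,
        "malformed_passes_packet_filter": port_only_firewall(135, {135}),
    }
    return naked, filtered


if __name__ == "__main__":
    naked, filtered = demo()
    print("naked:", naked)
    print("filtered:", filtered)
```

The number worth watching is requests_reaching_exchange: of the three client requests the filter received, only the well-formed one for an Exchange UUID caused any connection to Exchange's mapper, which is the property the "service attacks" bullet relies on. The packet filter, by contrast, cannot distinguish the three at all.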

Results
- Known good connection
- Known good encryption (optional)
- Known good user
- Dare I say it... trusted access?

Recommended design

Recall the typical design
[Diagram: Exchange front end (ExFE) and SMTP in the DMZ; Exchange back end (ExBE) and AD inside]

New requirements, new designs
- Move critical servers inside for better protection
- Add ISA Server to your existing DMZ
- Increase security by publishing
  - Exchange RPC
  - OWA over HTTPS
  - SMTP (content filter)
[Diagram: ISA Server in the DMZ publishing ExFE, SMTP, ExBE and AD, which now all sit inside]

Next steps
- Consider your risk
  - What do you have?
  - What are you comfortable with?
- Consider the way attacks are evolving
  - Ports mean nothing
  - Attacks look like legitimate traffic
- Evaluate and deploy ISA Server for all current and future Exchange installations

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.