SEC304: Enhancing Exchange, OWA and IIS Security with ISA Server Feature Pack 1
Steve Riley, Microsoft Corporation
Agenda
- The problem
- Enhancing Outlook-to-Exchange communication
- Enhancing Exchange OWA and IIS deployments
- More ISA Server Feature Pack 1
The Problem
- Packet filtering & stateful inspection are not enough to protect against today's attacks!
- Traditional firewalls focus on packet filtering & stateful inspection
- Today's attacks bypass this protection
- Ports & protocols cannot be trusted to indicate user intent
  - Port 80 yesterday: Web browsing only
  - Port 80 today: Web browsing, OWA, MSN Messenger, XML Web Services...
Application-Layer Firewalls Are Necessary
- Diagram: Internet to internal network, through a traditional firewall versus an application-layer firewall
- Required to protect against today's attacks
- Enables deep content inspection
- Understanding what's in the payload is a requirement
ISA Server = Application-Layer Security
- Packet filtering & stateful inspection
- Application-layer filtering
- Deep content inspection
- Advanced proxy architecture
- Extensible/pluggable architecture: 30+ partners
- Best firewall for Microsoft environments
Enhancing Outlook-To-Exchange Security
Enhanced SMTP Filter
- Uses ISA Server application-layer filtering ability
- Filters with increased reliability and security on several attributes:
  - Sender
  - Domain
  - Keyword
  - Attachment extension, name, size
  - Any SMTP command and its length
RPC client (Outlook) and RPC server (Exchange)
- RPC services grab random high ports when they start; the server maintains a table:
  - Service / UUID / Port
  - Exchange / { … } / 4402
  - AD replication / { … } / 3544
  - MMC / { … } / 9233
- Client connects to the portmapper on the server (port 135/tcp)
- Client knows the UUID of the service it wants and asks, "What port is associated with my UUID?"
- Server matches the UUID to the current port (4402/tcp)
- Portmapper responds with the port and closes the connection
- Client accesses the application over the learned port (4402/tcp)
Exchange RPC Filter
- Diagram: Outlook on the Internet, ISA Server running the Exchange RPC filter, Exchange Server on the internal network
- Only port 135 (portmapper) is open
- High ports are opened and closed for Outlook clients as necessary
- Inspects portmapper traffic at the application layer
- Only Exchange UUIDs allowed
ISA Server with Feature Pack 1: Exchange RPC Filter
- Diagram: Outlook on the internal network and Outlook on the external network, both speaking RPC through ISA Server to Exchange Server
- Enforce RPC encryption: Outlook RPC encryption enforced centrally
- Enable outbound RPC communication: Outlook clients behind ISA Server can now access external Exchange Servers
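The portmapper walkthrough and the two Exchange RPC filter slides above describe a stateful, application-aware decision: parse the endpoint-mapper lookup, allow only Exchange interface UUIDs, open the learned high port for that client only, and (with Feature Pack 1) refuse binds that do not use RPC encryption. The following is an added model of that behaviour written for this page; it is not ISA Server code. The Exchange, NSPI, RFR and DRSUAPI interface UUIDs are taken from the MS-OXCRPC, MS-NSPI, MS-OXABREF and MS-DRSR specifications (an assumption to verify against your own Exchange version); the ports, client addresses and the MMC placeholder UUID are constructed for the demo.

```python
# Added example (not ISA Server code): a model of the Exchange RPC filter described
# on the slides above. UUIDs for EMSMDB, NSPI, RFR and DRSUAPI come from the protocol
# specifications (assumption: check them for your Exchange version); ports, client
# addresses and the MMC placeholder UUID are constructed for the demo.
from dataclasses import dataclass, field

EPM_PORT = 135                        # RPC endpoint mapper ("portmapper")
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6     # DCE RPC authentication level that encrypts every PDU

# The server's endpoint-mapper table: interface UUID -> the high port the service grabbed
# when it started. These change on every restart, which is why a static packet filter
# cannot express "allow Outlook to Exchange and nothing else".
SERVER_EPM_TABLE = {
    "a4f1db00-ca47-1067-b31f-00dd010662da": 4402,   # Exchange information store (EMSMDB)
    "f5cc5a18-4264-101a-8c59-08002b2f8426": 4403,   # Exchange address book (NSPI)
    "1544f5e0-613c-11d1-93df-00c04fd7bd09": 4404,   # Exchange directory referral (RFR)
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": 3544,   # AD replication (DRSUAPI)
    "11111111-2222-3333-4444-555555555555": 9233,   # constructed placeholder standing in for MMC
}

# What the filter lets through the portmapper: Exchange interfaces only.
EXCHANGE_UUIDS = frozenset({
    "a4f1db00-ca47-1067-b31f-00dd010662da",   # EMSMDB
    "f5cc5a18-4264-101a-8c59-08002b2f8426",   # NSPI
    "1544f5e0-613c-11d1-93df-00c04fd7bd09",   # RFR
})


@dataclass
class ExchangeRpcFilter:
    enforce_encryption: bool = True                 # Feature Pack 1 option
    pinholes: set = field(default_factory=set)      # (client_ip, port) open right now

    def epm_request(self, client_ip, uuid):
        """Step 1: the client asks the portmapper on 135/tcp which port serves `uuid`.
        The filter parses that request at the application layer. Non-Exchange UUIDs are
        dropped; for Exchange UUIDs it reads the port out of the server's reply (simulated
        here by SERVER_EPM_TABLE) and opens a pinhole for this client only."""
        if uuid not in EXCHANGE_UUIDS:
            return ("deny", None)
        port = SERVER_EPM_TABLE.get(uuid)
        if port is None:                            # service not running right now
            return ("deny", None)
        self.pinholes.add((client_ip, port))
        return ("allow", port)

    def rpc_connect(self, client_ip, port, auth_level):
        """Step 2: the client connects to the learned high port and binds."""
        if port == EPM_PORT:
            return "allow"                          # the portmapper is always reachable
        if (client_ip, port) not in self.pinholes:
            return "deny"                           # no lookup from this client: port is closed
        if self.enforce_encryption and auth_level < RPC_C_AUTHN_LEVEL_PKT_PRIVACY:
            return "deny"                           # Outlook must use RPC encryption
        return "allow"

    def rpc_close(self, client_ip, port):
        """Step 3: session over, the high port closes again for this client."""
        self.pinholes.discard((client_ip, port))


if __name__ == "__main__":
    fw = ExchangeRpcFilter()
    print(fw.epm_request("203.0.113.5", "a4f1db00-ca47-1067-b31f-00dd010662da"))   # ('allow', 4402)
    print(fw.rpc_connect("203.0.113.5", 4402, 2))                                  # deny: unencrypted
    print(fw.epm_request("203.0.113.5", "e3514235-4b06-11d1-ab04-00c04fc2dcd2"))   # ('deny', None)
```

The point to notice is the second deny: a client that never performed an allowed lookup, or another client reusing a port someone else learned, finds the high port closed, and with `enforce_encryption` set an Outlook profile that has not turned on RPC encryption cannot bind at all, which is the "enforced centrally" claim on the slide.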
Enhancing Exchange OWA And IIS Security
URLScan 2.5 For ISA Server
- Filters incoming requests based on rules set
- Helps protect from attacks which:
  - Request unusual actions
  - Have a large number of characters
  - Are encoded using an alternate character set
- Can be used in conjunction with SSL inspection to detect attacks over SSL
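The three attack classes on this slide map onto concrete request-line checks. The checker below is an added example for this page, not Microsoft's URLScan; the option names mirror urlscan.ini, but the rule values and the request lines it is exercised with are constructed for the demo and are not a recommended configuration. Because ISA Server decrypts SSL before handing the request to the filter, the same checks apply to HTTPS traffic.

```python
# Added example (not Microsoft's URLScan): applies the kinds of rules URLScan 2.5 for
# ISA Server enforces. Option names follow urlscan.ini; the values and the sample
# request lines are constructed for the demo.
from urllib.parse import unquote_to_bytes

RULES = {
    "AllowVerbs": {"GET", "HEAD", "POST"},             # anything else is an "unusual action"
    "DenyExtensions": {".ida", ".idq", ".printer", ".exe", ".bat", ".cmd", ".dll"},
    "MaxUrl": 260,                                     # cap on the path part
    "MaxQueryString": 2048,
    "AllowHighBitCharacters": False,                   # no non-ASCII bytes after decoding
    "AllowDotInPath": False,                           # no "." in directory segments
    "VerifyNormalization": True,                       # reject double-encoded URLs
}


def check_request(verb, target, rules=RULES):
    """Return (allowed, reason) for one request line (verb plus request-target)."""
    if verb.upper() not in rules["AllowVerbs"]:
        return (False, "verb not allowed")
    path, _, query = target.partition("?")
    if len(path) > rules["MaxUrl"]:
        return (False, "url too long")
    if len(query) > rules["MaxQueryString"]:
        return (False, "query string too long")
    if "%u" in path.lower():                           # %uXXXX is an IIS-specific encoding that
        return (False, "%u encoding not allowed")      # upstream devices won't decode the same way
    decoded = unquote_to_bytes(path)                   # NormalizeUrlBeforeScan
    if rules["VerifyNormalization"] and unquote_to_bytes(decoded) != decoded:
        return (False, "double-encoded url")           # e.g. %255c -> %5c -> "\"
    if not rules["AllowHighBitCharacters"] and any(b > 0x7F for b in decoded):
        return (False, "high-bit character")           # also catches overlong UTF-8 like %c1%1c
    segments = decoded.decode("latin-1").split("/")
    if any(seg == ".." for seg in segments):
        return (False, "parent-path traversal")
    if not rules["AllowDotInPath"] and any("." in seg for seg in segments[:-1]):
        return (False, "dot in path")
    leaf = segments[-1].lower()
    ext = leaf[leaf.rfind("."):] if "." in leaf else ""
    if ext in rules["DenyExtensions"]:
        return (False, "extension denied")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed request lines: one legitimate OWA request and several attack shapes.
    for verb, target in [
        ("GET", "/exchange/jdoe/inbox/"),
        ("TRACE", "/"),
        ("GET", "/default.ida?" + "N" * 200),
        ("GET", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),
        ("GET", "/scripts/..%c1%1c../winnt/system32/cmd.exe"),
        ("GET", "/owa/%u0041"),
    ]:
        print(verb, target[:40], check_request(verb, target))
```

Order matters: normalization is verified before the decoded path is inspected, so a double-encoded traversal is rejected for being double-encoded rather than slipping past an extension check that only sees `%5c`.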
RSA SecurID Authentication
- ISA Server prompts the user for SecurID username and PASSCODE
- RSA ACE/Agent on ISA Server passes the credentials to the RSA ACE/Server for validation
- When the credentials are validated:
  - User is granted access to the protected content
  - Cookie is delivered to the user's browser for subsequent activity during the session
Authentication Delegation
- Diagram: client on the Internet, ISA Server, protected Web server
  - Client requests protected content from the Web server
  - ISA Server pre-authenticates users and logs their activity
  - ISA Server forwards the credentials to the protected Web or OWA server
- For basic and SecurID authentication
- Authentication happens at ISA Server
- Eliminates multiple authentication dialogs
- Only valid traffic allowed past ISA Server
- Enabled per Web publishing rule
Protecting OWA
- Traditional firewall: OWA client on the Internet, SSL straight through to the OWA server
  - OWA server prompts for authentication; any Internet user can reach this prompt
  - SSL tunnels through traditional firewalls because it is encrypted...
  - ...which allows viruses and worms to pass through undetected...
  - ...and infect internal servers!
- ISA Server with Feature Pack 1: OWA client on the Internet, SSL to ISA Server, then SSL or HTTP to the OWA server
  - Basic authentication delegation: ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
  - ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear
  - URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL
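The SecurID, authentication delegation and Protecting OWA slides describe one flow from the listener's point of view: challenge at the edge, validate, hand the browser a session cookie so it is not prompted again, and forward the credentials so the published OWA server sees an already-authenticated request. The following is an added model of that flow for this page, not ISA Server code and not the RSA ACE/Agent: it models only Basic credentials and a local account table; the accounts, the cookie-signing secret, the realm and the injectable clock are constructed for the demo.

```python
# Added example (not ISA Server code): pre-authentication at the edge with a signed
# session cookie and delegation of Basic credentials to the published server.
# The account table, signing secret and realm are constructed for the demo.
import base64
import hashlib
import hmac
import time

DIRECTORY = {"jdoe": "correct horse", "asmith": "hunter2"}    # constructed accounts
COOKIE_NAME = "ISASESSION"
SESSION_TTL = 600                                             # seconds
_SECRET = b"constructed-listener-secret-change-me"


def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _sign(payload):
    return hmac.new(_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def _validate_basic(authorization):
    """Return the user name if the Basic credentials match the directory, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user if DIRECTORY.get(user) == pwd else None


class PreAuthListener:
    """Stands in for an ISA Web publishing rule with authentication delegation enabled."""

    def __init__(self, now=time.time):
        self.now = now
        self.sessions = {}        # cookie value -> Authorization header to replay to the backend

    def handle(self, headers):
        """headers: dict of request headers from the client. Returns
        ("challenge", response_headers) when ISA answers the client itself, or
        ("forward", backend_headers) with what the published server will receive."""
        cookie = self._cookie(headers.get("Cookie", ""))
        if cookie and self._cookie_valid(cookie) and cookie in self.sessions:
            # Established session: replay the stored credentials so OWA never prompts
            # a second time; the browser still never talks to OWA directly.
            return ("forward", {"Authorization": self.sessions[cookie]})
        user = _validate_basic(headers.get("Authorization"))
        if user is None:
            # Nothing reaches the backend; the challenge comes from ISA, not from OWA.
            return ("challenge", {"WWW-Authenticate": 'Basic realm="owa"'})
        payload = f"{user}:{int(self.now()) + SESSION_TTL}"
        cookie = f"{payload}:{_sign(payload)}"
        self.sessions[cookie] = headers["Authorization"]
        return ("forward", {"Authorization": headers["Authorization"],
                            "Set-Cookie": f"{COOKIE_NAME}={cookie}; Secure; HttpOnly"})

    def _cookie(self, cookie_header):
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME:
                return value
        return None

    def _cookie_valid(self, cookie):
        payload, _, mac = cookie.rpartition(":")
        _, _, exp = payload.rpartition(":")
        return (exp.isdigit() and int(exp) > self.now()
                and hmac.compare_digest(mac, _sign(payload)))
```

Two details carry the slide's security claim: an unauthenticated request is answered by the listener and never forwarded, and the cookie is only honoured if its MAC verifies and it is still within `SESSION_TTL`, so a forged or expired cookie falls back to the challenge rather than to the backend.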
ISA Server Feature Pack 1 demo
OWA Wizard
- Used in combination with the additional OWA deployment docs:
  1. Documentation = correct cert deployment
  2. Wizard = easily configures ISA Server settings
- Generates destination set and Web publishing rule with correct elements
- Adds the correct listeners to the external interface
- Selects the correct certificate
More ISA Server Feature Pack 1
New Documentation
- ISA Server Feature Pack 1 walkthroughs: OWA, link translation, RSA SecurID
- Web Publishing: many scenarios & troubleshooting information
- Exchange Server Publishing: includes Exchange RPC filter, POP and IMAP & troubleshooting information
- Additional Documentation: including client types and digital certificates
RPC Filter Wizard
- Screenshots: ISA Server; ISA Server with Feature Pack 1
- Create RPC service definitions used in server publishing rules
- Enumerates services on a given server
- UUIDs can also be entered manually
Link Translator (ISA Server Feature Pack 1)
- Diagram: client on the Internet requests mktg.example.com/; ISA Server's link translator rewrites links in the response from the internal Web server int-mktg/
- Translates hyperlinks within responses: intranet computer names to those of externally available computers
- Including HTTP, HTTPS; SPS
Partial URL Path Translation
- Allows removal of path prefix
- Diagram (translated paths not legible): client on the Internet, ISA Server, internal sites site1.ex.com and site2.ex.com
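The link translator and partial path translation slides above are two directions of one mapping: on the way out, internal host names in response bodies and redirects are rewritten to the published external names; on the way in, a path prefix that only exists externally is stripped before the request reaches the internal site. The following is an added example for this page, not ISA Server's link translator. The slides only name int-mktg, mktg.example.com, site1.ex.com and site2.ex.com; the external names for the site1/site2 entries, the HTML snippet and the redirect are constructed for the demo.

```python
# Added example (not ISA Server code): outbound link translation plus inbound prefix
# removal. The mapping table below is constructed; only int-mktg, mktg.example.com,
# site1.ex.com and site2.ex.com come from the slides.
import re

# internal URL prefix -> external URL prefix
LINK_MAP = [
    ("http://int-mktg/", "https://mktg.example.com/"),
    ("http://site1.ex.com/", "https://www.example.com/site1/"),   # prefix /site1/ removed inbound
    ("http://site2.ex.com/", "https://www.example.com/site2/"),   # prefix /site2/ removed inbound
]

# href/src/action attributes in HTML; longest-prefix matching below keeps the more
# specific mapping winning when one host publishes several sites.
_ATTR = re.compile(r'(?P<attr>\b(?:href|src|action)=["\'])(?P<url>[^"\']+)', re.IGNORECASE)


def to_external(url):
    """Outbound: rewrite one internal absolute URL to its published form (identity if unmapped)."""
    for internal, external in sorted(LINK_MAP, key=lambda m: -len(m[0])):
        if url.lower().startswith(internal):
            return external + url[len(internal):]
    return url


def translate_body(html):
    """Outbound: rewrite links inside an HTML response body."""
    return _ATTR.sub(lambda m: m.group("attr") + to_external(m.group("url")), html)


def translate_headers(headers):
    """Outbound: redirects carry the internal name too, so Location gets the same treatment."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = to_external(out["Location"])
    return out


def to_internal(external_url):
    """Inbound: map a published URL back to the internal site, dropping the external-only
    path prefix (partial URL path translation). None if no rule publishes it."""
    for internal, external in sorted(LINK_MAP, key=lambda m: -len(m[1])):
        if external_url.lower().startswith(external):
            return internal + external_url[len(external):]
    return None


if __name__ == "__main__":
    page = '<a href="http://int-mktg/news/q3.htm">Q3</a> <img src="http://site1.ex.com/img/logo.gif">'
    print(translate_body(page))
    print(translate_headers({"Location": "http://site2.ex.com/login.aspx"}))
    print(to_internal("https://www.example.com/site1/docs/plan.htm"))
```

This only catches links the filter can parse as markup; a URL assembled in client-side script, or one the server emits with an unexpected host form such as an IP address or a port, is not rewritten and will leak the internal name, which is the usual thing to check after turning link translation on.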
What Can You Do Today?
- No Exchange Server or IIS deployment is complete without ISA Server protection!
- New firewall security designed to help protect Exchange Server and IIS
- Great fit into existing deployments
- Evaluate the security of your current Exchange Server or IIS deployment
- Download ISA Server Feature Pack 1
Community Resources
- Most Valuable Professional (MVP)
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide
- User Groups: meet and learn with your peers
Suggested Reading And Resources
- The tools you need to put technology to work!
- Microsoft® Internet Security and Acceleration (ISA) Server 2000 Administrator's Pocket Consultant: available today
- Internet Information Services (IIS) 6.0 Resource Kit: available /27/03
- Microsoft Press books are 20% off at the TechEd Bookstore
- Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Evaluations
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Steve Riley