SEC304 Enhancing Exchange, OWA and IIS Security with ISA Server Feature Pack 1 Steve Riley Microsoft Corporation


Agenda
- The problem
- Enhancing Outlook-to-Exchange communication
- Enhancing Exchange OWA and IIS deployments
- More ISA Server Feature Pack 1

The Problem
Packet filtering & stateful inspection are not enough to protect against today’s attacks!
- Traditional firewalls focus on packet filtering & stateful inspection
- Today’s attacks bypass this protection
- Ports & protocols cannot be trusted to indicate user intent
  - Port 80 yesterday—Web browsing only
  - Port 80 today—Web browsing, OWA, MSN Messenger, XML Web Services…

Application-layer Firewalls Are Necessary
[Diagram labels: Internet to internal network; traditional firewall; application-layer firewall]
- Required to protect against today’s attacks
- Enables deep content inspection
- Understanding what’s in the payload is a requirement

ISA Server = Application-Layer Security
- Packet filtering & stateful inspection
- Application-layer filtering
- Deep content inspection
- Advanced proxy architecture
- Extensible/pluggable architecture
- 30+ partners
- Best firewall for Microsoft environments

Enhancing Outlook-To-Exchange Security

Enhanced SMTP Filter
- Uses ISA Server application-layer filtering ability
- Filter with increased reliability and security on several attributes
  - Sender
  - Domain
  - Keyword
  - Attachment extension, name, size
  - Any SMTP command and its length

[Diagram labels: RPC client (Outlook); RPC server (Exchange)]

Service          UUID    Port
Exchange         { …     4402
AD replication   { …     3544
MMC              { …     9233

- RPC services grab random high ports when they start, server maintains table
- Client knows UUID of service it wants
- Client connects to portmapper on server (port 135/tcp)
- Client asks, “What port is associated with my UUID?”
- Server matches UUID to the current port… 4402/tcp
- Portmapper responds with the port and closes the connection
- Client accesses application over learned port

Exchange RPC Filter
[Diagram labels: Outlook; Internet; ISA Server; Exchange Server]
ISA Server Exchange RPC filter
- Only port 135 (portmapper) is open
- High ports are opened and closed for Outlook clients as necessary
- Inspects portmapper traffic at the application layer
- Only Exchange UUIDs allowed
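
The portmapper lookup and the filter behaviour on the two slides above, as a toy model. This is an added example, not ISA Server code: the class names, the UUID strings (placeholders) and the per-client scoping of opened ports are assumptions; the port numbers are the ones in the slide's table.

```python
# Toy model (added example): portmapper lookup guarded by an Exchange-only RPC filter.
# The UUID strings are constructed placeholders; the ports are the ones on the slide.
EXCHANGE_UUID = "placeholder-uuid-exchange"
AD_REPL_UUID = "placeholder-uuid-ad-replication"
MMC_UUID = "placeholder-uuid-mmc"
PORTMAPPER_PORT = 135

class RpcServer:
    """Holds the UUID -> current high port table the portmapper answers from."""
    def __init__(self, endpoints):
        self.endpoints = dict(endpoints)

    def map_endpoint(self, uuid):
        return self.endpoints.get(uuid)  # None when the service is not registered

class ExchangeRpcFilter:
    """Only 135/tcp is reachable until an allowed lookup opens a high port."""
    def __init__(self, server, allowed_uuids):
        self.server = server
        self.allowed = set(allowed_uuids)
        self.open_ports = set()  # (client, port) pairs; per-client scope is assumed

    def portmapper_query(self, client, uuid):
        if uuid not in self.allowed:
            return None  # lookup for a non-Exchange UUID is refused
        port = self.server.map_endpoint(uuid)
        if port is not None:
            self.open_ports.add((client, port))  # open the learned port
        return port

    def permits(self, client, port):
        return port == PORTMAPPER_PORT or (client, port) in self.open_ports

    def close(self, client, port):
        self.open_ports.discard((client, port))  # session ended: close the port

def demo():
    server = RpcServer({EXCHANGE_UUID: 4402, AD_REPL_UUID: 3544, MMC_UUID: 9233})
    fw = ExchangeRpcFilter(server, [EXCHANGE_UUID])
    out = {"before": fw.permits("outlook-1", 4402)}
    out["exchange_port"] = fw.portmapper_query("outlook-1", EXCHANGE_UUID)
    out["after"] = fw.permits("outlook-1", 4402)
    out["other_client"] = fw.permits("outlook-2", 4402)
    out["ad_lookup"] = fw.portmapper_query("outlook-1", AD_REPL_UUID)
    out["ad_port"] = fw.permits("outlook-1", 3544)
    fw.close("outlook-1", 4402)
    out["closed"] = fw.permits("outlook-1", 4402)
    return out
```
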

Exchange RPC Filter
[Diagram labels: Outlook; External network; ISA Server with Feature Pack 1; Internal network; Exchange Server; RPC]
- Enforce RPC encryption
  - Outlook RPC encryption enforced centrally
- Enable outbound RPC communication
  - Outlook clients behind ISA Server can now access external Exchange Servers

Enhancing Exchange OWA And IIS Security

URLScan 2.5 For ISA Server
- Filters incoming requests based on a rule set
- Helps protect from attacks which
  - Request unusual actions
  - Have a large number of characters
  - Are encoded using an alternate character set
- Can be used in conjunction with SSL inspection to detect attacks over SSL
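
The three request properties named on this slide, written as checks a filter could apply before a request reaches the published server. This is an added sketch, not URLScan's code or configuration: the function name, the allowed verbs and the length limit are assumptions, and the sample requests are constructed.

```python
from urllib.parse import unquote_to_bytes

# Assumed policy values for this sketch; they are not URLScan's shipped defaults.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_URL_LENGTH = 260


def check_request(method, raw_url):
    """Return the list of reasons a request would be rejected (empty = allowed)."""
    reasons = []
    # 1. Unusual action: the verb is not one the published site needs.
    if method.upper() not in ALLOWED_METHODS:
        reasons.append("verb")
    # 2. Large number of characters.
    if len(raw_url) > MAX_URL_LENGTH:
        reasons.append("length")
    # 3. Alternate encodings: decode once, then again. If the second pass still
    #    changes the bytes, something was escaped twice to get past a
    #    single-decode check.
    once = unquote_to_bytes(raw_url)
    twice = unquote_to_bytes(once)
    if once != twice:
        reasons.append("double-encoding")
    # Bytes above 0x7F after decoding mean a non-ASCII character set is in play.
    # This strict rule also rejects legitimate non-ASCII URLs.
    if any(b > 0x7F for b in once):
        reasons.append("high-bit")
    return reasons


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", "/exchange/inbox"),
    ("TRACE", "/default.htm"),
    ("GET", "/docs/" + "A" * 300),
    ("GET", "/docs/%252e%252e/file"),
    ("GET", "/docs/%c0%af"),
]


def run_samples():
    return [check_request(m, u) for m, u in SAMPLES]
```

Run behind SSL inspection, the same checks apply to the decrypted request, which is the combination the last bullet describes.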

RSA SecurID Authentication
- ISA Server prompts user for SecurID username and PASSCODE
- RSA ACE/Agent on ISA Server passes credentials to the RSA ACE/Server for validation
- When credentials are validated
  - User is granted access to the protected content
  - Cookie is delivered to the user's browser for subsequent activity during the session

Authentication Delegation
[Diagram labels: client; Internet; ISA Server; Web server]
- Client requests protected content from Web server
- ISA Server pre-authenticates users and logs their activity
- ISA Server forwards the credentials to the protected Web or OWA server

- For basic and SecurID authentication
- Authentication happens at ISA Server
- Eliminates multiple authentication dialogs
- Only valid traffic allowed past ISA Server
- Enabled per Web publishing rule

Protecting OWA
[Diagram labels: OWA client; Internet; SSL; SSL or HTTP; OWA]

Traditional firewall
- OWA server prompts for authentication — any Internet user can access this prompt
- SSL tunnels through traditional firewalls because it is encrypted…
- …which allows viruses and worms to pass through undetected…
- …and infect internal servers!

ISA Server with Feature Pack 1
- Basic authentication delegation: ISA Server pre-authenticates users, eliminating multiple dialog boxes and only allowing valid traffic through
- ISA Server can decrypt and inspect SSL traffic; inspected traffic can be sent to the internal server re-encrypted or in the clear
- URLScan for ISA Server can stop Web attacks at the network edge, even over encrypted SSL

ISA Server Feature Pack 1 demo

OWA Wizard
Used in combination with the additional OWA deployment docs
1. Documentation = correct cert deployment
2. Wizard = easily configures ISA Server settings
   - Generates destination set and Web publishing rule with correct elements
   - Adds the correct listeners to external interface
   - Selects correct certificate

More ISA Server Feature Pack 1

New Documentation
- ISA Server Feature Pack 1 walkthroughs
  - OWA, link translation, RSA SecurID
- Web Publishing
  - Many scenarios & troubleshooting information
- Exchange Server Publishing
  - Includes Exchange RPC filter, POP and IMAP & troubleshooting information
- Additional Documentation
  - Including client types and digital certificates

RPC Filter Wizard
[Screenshots compared: ISA Server; ISA Server with Feature Pack 1]
- Create RPC service definitions used in server publishing rules
- Enumerates services on a given server
- UUIDs can also be entered manually

Link Translator
[Diagram labels: client; Internet; ISA Server Feature Pack 1 (LINK TRANSLATOR); Web server (int-mktg); int-mktg/; mktg.example.com/; Client requests]
- Translates hyperlinks within responses
  - Intranet computer names to those of externally available computers
  - Including HTTP → HTTPS; SPS
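
What translating hyperlinks within a response involves, with a check for internal names that survive translation. This is an added sketch, not the Feature Pack's link translator: the function names, the attribute list and the sample HTML are assumptions; the two host names are the ones on the slide, with http/https schemes assumed.

```python
import re

# Assumed translation dictionary: internal prefix -> externally published prefix.
# The host names come from the slide; the http/https schemes are assumed.
LINK_MAP = {"http://int-mktg": "https://mktg.example.com"}

# URL-bearing attributes rewritten by this sketch.
_ATTR = re.compile(r"""(\b(?:href|src|action)\s*=\s*["'])([^"']+)""", re.I)


def translate_url(url, link_map=LINK_MAP):
    for internal, external in link_map.items():
        if url.lower().startswith(internal.lower()):
            rest = url[len(internal):]
            # Require a host boundary so "int-mktg2" is not rewritten by mistake.
            if rest == "" or rest[0] in "/?#":
                return external + rest
    return url


def translate_links(html, link_map=LINK_MAP):
    return _ATTR.sub(lambda m: m.group(1) + translate_url(m.group(2), link_map), html)


def leaked_internal_names(html, internal_hosts=("int-mktg",)):
    """Internal names still visible after translation (e.g. inside script text)."""
    found = []
    for host in internal_hosts:
        if re.search(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])", html, re.I):
            found.append(host)
    return found


# Constructed response body (not from the presentation).
SAMPLE = (
    '<a href="http://int-mktg/plans/q3.htm">Q3</a> '
    '<img src="HTTP://INT-MKTG/logo.gif"> '
    '<a href="http://int-mktg2/x">other</a> '
    '<script>var h="int-mktg";</script>'
)
```

Attribute rewriting leaves the name inside the script text untouched, so `leaked_internal_names(translate_links(SAMPLE))` still reports `int-mktg`; that residual disclosure is worth testing for on any published site.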

Partial URL Path Translation
[Diagram labels: client; Internet; ISA Server; site1.ex.com; site2.ex.com; "translated to" (twice)]
- Allows removal of path prefix
- Details in

What Can You Do Today?
No Exchange Server or IIS deployment is complete without ISA Server protection!
- New firewall security designed to help protect Exchange Server and IIS
- Great fit into existing deployments
- Evaluate
  - Security of your current Exchange Server or IIS deployment
  - ISA Server
- Download ISA Server Feature Pack 1

Community Resources
- Most Valuable Professional (MVP)
- Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide
- User Groups: Meet and learn with your peers

Suggested Reading And Resources
The tools you need to put technology to work!

TITLE / Available
- Microsoft® Internet Security and Acceleration (ISA) Server 2000 Administrator's Pocket Consultant: Today
- Internet Information Services (IIS) 6.0 Resource Kit: /27/03

Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt


© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Steve Riley