Book giveaway and e-mail notice
• Please give me a piece of paper with your name for the drawing
• Include your e-mail address or give me a business card if you want:
  ● 20% discount code for Directory Update software
  ● Notification e-mail when Mastering Exchange Server 2007 is available
• Keep an eye out for Mastering Exchange Server 2007 – due out in late April

Are you a Low Hanging Fruit?
Jim McBee
ITCS Hawaii
[email protected]

Who is Jim McBee!!??
• Consultant, Writer, MCSE, MVP and MCT – Honolulu, Hawaii (Aloha!)
• Principal clients (Dell, Microsoft, SAIC, Servco Pacific)
• Author – Exchange 2003 24Seven (Sybex)
• Contributor – Exchange and Outlook Administrator
• Blog
  ● http://mostlyexchange.blogspot.com
  ● http://www.directory-update.com

Audience Assumptions
• You have at least a few months' experience running Exchange 5.5, 2000, or 2003.
• You have worked with Active Directory
• You can install and configure a Windows 2000 / 2003 server

This session's coverage
• Introduction to me and the topic
• Presentation and demos – about 65 minutes
  ● Risks and threats
  ● Multiple layers of protection
  ● Reducing exposure
  ● Best practices and checklists
• Book giveaway – drop off your business card or write your name on a slip of paper
• Questions and answers
  ● I'll try to take questions as they come up as long as this does not slow us down too much.

Free eBook
• Tips and Tricks Guide to Secure Messaging eBook
  ● http://tinyurl.com/kvxhx
• Good follow-up to this presentation

Why low hanging fruit?
• "Hackers" go after easy targets
• Most "hackers" are not all that sophisticated
• If you are reasonably secure, they usually move on
• Reasonably secure means doing at least what the rest of your industry is doing

Most common exploits use…
• Weak / simple passwords
• Denial of service
• Known vulnerabilities
• How did you get so vulnerable?
  ● Failure to follow industry "best practices"

Risk Assessment: What are your assets?
• Most important assets
  ● Data
  ● Intellectual property
  ● Reputation
  ● Knowledge workers' time
• Least important assets
  ● Bandwidth
  ● Servers / hardware / software

Risk assessment: What are the risks?
• Financial loss
• Lawsuits / regulatory liabilities
• Accidental / intentional disclosure of intellectual property
• Users with idle time or unable to work (lost productivity)
• Unable to meet commitments to customers and vendors
• Lost sales or opportunities
• Damage to reputation / community embarrassment

Security Basics
• Passwords
• Physical security
• Updates
• Hardening Windows and Exchange
• User considerations
• Quick assessments

Improve password strength
• Require longer passwords
• Require special characters

Physical security
• Law #3 of the 10 Immutable Laws of Security
  ● "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"
• Locked doors / access control system that records entry information
• Mandatory sign-in sheets
• Cameras
• Backup media should be secured

Operating system stability
• Very basic, but OS vulnerabilities frequently contribute to access by external hackers. A very common attack vector for hackers as well as worms.
• Apply applicable critical updates within 3 – 4 weeks
  ● Applicable? Does the fix affect your configuration?
  ● Don't apply on the day they are released
• Apply service packs within 1 to 2 months
  ● Read the SP "readme" first
• Use Microsoft Update or WSUS
  ● http://tinyurl.com/dwj6n
• Check for hardware vendors' remote administration tools such as BMC tools, Dell RAC cards, etc. These may provide access to the system
• Sufficient free disk space on all disk drives

Exchange updates
• Critical patches within 3 – 4 weeks of release
• Service packs within 1 to 2 months of release
• Some updates will overwrite custom changes you have made (such as OWA's LOGON.ASP)

Exchange and Windows Hardening
• Not every service is necessary on all server roles
• Use the Windows Security Configuration Wizard with W2K3 SP1
• Implement with care!

Users
• 60 – 70% of all security breaches occur from within.
  ● (Source: 2002 Computer Crime and Security Survey – CSI and SF FBI's Computer Intrusion Squad)
• Require an Acceptable Use Policy
  ● Must have "bite"
  ● Must be enforceable
  ● Must be legal
  ● See http://www.sans.org/resources/policies
• Require an IT Acceptable Use Policy
• For IT, require an IT AUP or Ethics Statement
  ● "Don't read other people's mail"
• Clearly define your information security policies

Quick Assessments – ExBPA
• Exchange Best Practices Analyzer
  ● http://www.exbpa.com

Quick Assessments – MBSA
• Microsoft Baseline Security Analyzer
  ● http://tinyurl.com/2e5fe

Use multiple layers of protection
• Inbound e-mail
  ● Use an SMTP relay
  ● Use a managed provider
• Web clients
  ● Use a reverse proxy

Prevent direct access to mailbox servers
• Don't allow direct access to mail server resources
• Inbound SMTP mail through an SMTP relay
  ● Can be an "appliance", Windows, or UNIX system
  ● Can act as part of your messaging hygiene system.
  ● More on this later
• Inbound OWA / RPC over HTTP / ActiveSync through a reverse proxy
  ● ISA Server
  ● IronPort
  ● Whale Communications
• Prevents direct exposure of mailbox servers, front-ends, and bridgeheads

Reverse proxy for OWA
• Place front-end servers on the internal network and use an ISA Server in the DMZ. Much more secure, and fewer ports need to be opened.

Reverse proxy for OWA
• More information
  ● Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology – http://tinyurl.com/5e6sv
  ● Protecting Exchange Servers by Don Jones – http://tinyurl.com/zfemv
  ● Protecting Microsoft Exchange with ISA Server 2004 Firewalls by Tom Shinder – http://tinyurl.com/jocrz
  ● A Reverse Proxy Is A Proxy By Any Other Name by Art Stricek – http://tinyurl.com/cb2f9

Multi-layer protection: managed providers

Using managed providers
• Organization directs its MX records to the managed provider's servers
• Managed provider…
  ● Has better scalability and redundancy
  ● Immediate response to zero-day threats
  ● Keeps malware and unwanted content from reaching your perimeter
  ● Reduces the hardware and software required by the organization, as well as the complexity and IT resources required
  ● Allows the organization to accept inbound SMTP only from the provider
  ● Unwanted content never makes it to the network in the first place
  ● Reduces the threat from spam and virus/worm 'bots
• Providers such as FrontBridge can provide regulatory compliance features such as archiving and content inspection

Restrict MAPI versions
• Restrict Exchange so that it will only accept Outlook versions after Outlook 2000 SP3
  ● HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  ● Create a REG_SZ (string) value named Disable MAPI Clients – the data is a version range string, so it cannot be a REG_DWORD
  ● Put -5.3165.0 in the data field
• See KB 328240 and 288894
• http://www.windowsitpro.com
  ● InstantDoc #26505
• Can help reduce the spread of viruses and worms by allowing only more recent versions
• Use with caution! Clients with a blocked MAPI version lose all Outlook access until they are upgraded
Denial-of-service and e-mail
• Anything a hacker/intruder can do to prevent your messaging system from providing messaging services or to keep your users from doing their jobs.
  ● Spam could be considered a denial-of-service since users spend so much time going through it to find legitimate mail.
• A DoS attack may attempt to fill up disk space, overload messaging queues, overwhelm users, exceed bandwidth capacity, etc.
• Directory harvesting and tarpits

Directory harvesting / dictionary spamming
• Directory harvesting tries to find valid SMTP addresses using dictionary or random strings
• Dictionary spamming sends to a dictionary full of common names
• This can overwhelm a mail server
• Recipient filtering rejects mail addressed to unknown recipients during the SMTP session (rather than accepting it and generating an NDR afterwards)
• A tarpit slows them down
  ● See KB 842851
  ● Recommended for Internet-facing SMTP virtual servers
• Only one address in this list was valid, probably the "index patient"

An ugly trend: virus writers, spammers, and 'bots / zombies

Restrictions, restrictions, restrictions
• Mailbox
• Message size
• Recipients per message
• Automatic responses
• Internet-facing SMTP virtual servers
• Distribution list usage
• Monitor disk space usage and set alerts
• Users are going to hate you for this!

Mailbox Limits
• A necessary evil
• Adjust based on your organization's needs
• Don't limit users if they have a job to do
• The most important limit is "Prohibit Send and Receive", as that closes down the mailbox and it does not accept any more mail

Exchange reports on closed mailboxes
• Monitoring for event ID 8528 can help you determine if mailboxes are filling up

Message Size / Recipient Limits
• The default inbound and outbound message size is 10MB.
• Usually adequate for most organizations
• This is the MAXIMUM for users. It can be overridden per user to a smaller amount, but not a larger one
• Maximum recipients per message is 5000, but I recommend dropping this. This can be overridden per user.
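The directory harvesting slide above says recipient filtering rejects unknown recipients and that a tarpit slows the sender down; the assessment checklist later asks you to review the SMTP protocol logs, and a harvest is easy to spot there. The script below is an added example written for this page, not code from the presentation. It assumes the log is in the W3C extended format the Exchange 2003 / IIS SMTP service writes (one line per SMTP verb, the verb in cs-method, its argument in cs-uri-query, the reply code in sc-status); the #Fields line names the subset of columns assumed here, and every log line is constructed. A harvester shows up as one client sending many RCPT TO commands and getting mostly 550 replies; the few 250s are the valid addresses it found.

```python
"""Spot directory-harvest attacks in SMTP protocol logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterator, List

# Constructed sample: a normal delivery from 203.0.113.9, then a dictionary
# run from 198.51.100.7 against a server with recipient filtering enabled.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2007-03-26 02:14:01 203.0.113.9 EHLO +mx.example.net 250
2007-03-26 02:14:01 203.0.113.9 MAIL +FROM:<news@example.net> 250
2007-03-26 02:14:02 203.0.113.9 RCPT +TO:<jmcbee@example.com> 250
2007-03-26 02:14:02 203.0.113.9 DATA - 250
2007-03-26 02:15:10 198.51.100.7 EHLO +x 250
2007-03-26 02:15:10 198.51.100.7 MAIL +FROM:<a@b.cc> 250
2007-03-26 02:15:10 198.51.100.7 RCPT +TO:<aaron@example.com> 550
2007-03-26 02:15:11 198.51.100.7 RCPT +TO:<abby@example.com> 550
2007-03-26 02:15:11 198.51.100.7 RCPT +TO:<adam@example.com> 550
2007-03-26 02:15:12 198.51.100.7 RCPT +TO:<admin@example.com> 550
2007-03-26 02:15:12 198.51.100.7 RCPT +TO:<alan@example.com> 550
2007-03-26 02:15:13 198.51.100.7 RCPT +TO:<alex@example.com> 550
2007-03-26 02:15:13 198.51.100.7 RCPT +TO:<jim@example.com> 250
2007-03-26 02:15:14 198.51.100.7 DATA - 250
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def recipient_of(query: str) -> str:
    """'+TO:<user@example.com>' -> 'user@example.com'"""
    return re.sub(r"^\+?TO:", "", query, flags=re.I).strip("<>").lower()


def find_harvesters(text: str, min_rcpt: int = 20, reject_ratio: float = 0.8) -> Dict[str, dict]:
    """Per suspicious client IP: RCPT count, 550 count, and the addresses it got
    250 for.  min_rcpt keeps a single typo from being flagged; reject_ratio
    separates a harvester from a mailing list with a few stale addresses."""
    per_ip: Dict[str, dict] = defaultdict(lambda: {"rcpt": 0, "rejected": 0, "valid": set()})
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "RCPT":
            continue
        stats = per_ip[rec["c-ip"]]
        stats["rcpt"] += 1
        if rec["sc-status"].startswith("5"):
            stats["rejected"] += 1          # recipient filtering said "no such user"
        elif rec["sc-status"].startswith("2"):
            stats["valid"].add(recipient_of(rec["cs-uri-query"]))  # harvester learned a real address
    flagged = {}
    for ip, stats in per_ip.items():
        if stats["rcpt"] >= min_rcpt and stats["rejected"] / stats["rcpt"] >= reject_ratio:
            flagged[ip] = {"rcpt": stats["rcpt"], "rejected": stats["rejected"],
                           "valid_found": sorted(stats["valid"])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG, min_rcpt=5).items():
        print(ip, info)
```

Note the dependency on recipient filtering: without it the server answers 250 to every RCPT TO, accepts the whole dictionary, and generates an NDR for each bad address later, so the 550 ratio above is blind and the only trace in the protocol log is one client addressing far more distinct recipients than it sends messages. The tarpit (KB 842851) adds a delay before each 5xx reply, which is what turns a rejected RCPT from free into expensive for the sender.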
Inbound limits from the Internet
• Limit inbound messages from the Internet on the SMTP virtual servers that accept mail from the Internet
• Will apply to outbound messages only if the SMTP Connector to the Internet uses this SMTP VS as a bridgehead
• If this SMTP VS is also used for internal message traffic, the limit may break public folder replication

Outbound limits to the Internet
• Limit outbound message size on the SMTP Connector (if not limited on the SMTP Virtual Server)

Automatic Responses
• Defaults do not allow automatic responses to the Internet
• This may have been changed
• You can override this by creating additional Internet Message Formats for specific domains
• Considered risky due to "social engineering" risks: an out-of-office reply confirms a live address and tells the sender who is away and for how long

Distribution list security
• Prevent abuse of your distribution lists
• Limit maximum message size
• Limit to authenticated users only (prevents someone on the Internet from using the group's SMTP address)
• Limit who can send to the list internally

Restricting maximum store size
• Exchange 2003 SP2 allows a maximum store size to be set
  ● http://tinyurl.com/fmgxf
• When a store exceeds that size, it is dismounted
• Use with great care! You can still cause your users downtime with this feature.

Additional Security Best Practices
• OWA security improvements
• Generic best practices

Enable Forms Based Authentication
• Enable on the front-end servers
• Implements timeouts
  ● Public = 15 minutes
  ● Private = 24 hours
  ● Customizable
• Allows a customizable logon page

Forms Based Authentication

Always use SSL from a trusted authority
• Very bad to get users in the habit of ignoring security alerts
• Many sources for low-cost, trusted SSL certificates
  ● GoDaddy – www.godaddy.com
  ● InstantSSL – www.instantssl.com

Basic authentication passwords are very easy to intercept
• Using a tool such as Network Monitor, capture an OWA authentication string when using Basic authentication.
• Take the authentication string bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg==
• Run it through any Base64 decoding program and you get:
  ● namerica/arand:$culliRulz
  ● Domain name: namerica; User: arand; Password: $culliRulz
• Scary, eh? Base64 is an encoding, not encryption, so without SSL the password is effectively sent in the clear. POP3, IMAP4, and NNTP passwords do not even have to be decoded!

Best practices
• Block outbound SMTP except from authorized hosts
  ● Be a good 'net citizen
• Never web surf from a server console
• Don't install e-mail client software on a server
• Operators and administrators should not have mailboxes
• Separate admin rights from your regular user account
• Grant administrative permissions to groups, not individual users

Best practices
• Block inbound SMTP if using a managed provider
  ● Only accept mail from the provider
• Protect protocol and message tracking logs
  ● Some sensitive information may be disseminated from those logs
• Review your event logs
• Keep PLENTY of free disk space available
  ● At least enough to mount one database in an RSG (recovery storage group)

Checklists
• Assessing the situation
• Exchange Servers
• Message hygiene
• Outside the perimeter

Assessment
• Assessments should be a "hands off the config" process. Don't make configuration changes; document what you find and the path to fix the problems.
• Determine what is documented:
  ● Document servers, roles, network infrastructure, and dependencies
• Get an accurate count of active mailboxes
  ● If inactive, then why?
  ● Disable inactive accounts, then delete!
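The Basic authentication slide above does the decoding by hand; the script below does the same over a captured session and also picks up the POP3 and IMAP4 logons that need no decoding at all. It is an added example written for this page, not code from the presentation. CAPTURE is a constructed excerpt of what a sniffer such as Network Monitor would show for an OWA logon with Basic authentication followed by POP3 and IMAP4 logons (the Basic token is the one from the slide); the host names and the other two accounts are made up.

```python
"""Recover credentials from captured cleartext mail-protocol traffic (added example)."""
import base64
import re
from typing import List, Optional, Tuple

# Constructed capture: only the lines that carry a logon are kept.
CAPTURE = """\
GET /exchange/ HTTP/1.1
Host: owa.example.com
Authorization: Basic bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg==
+OK Microsoft Exchange Server 2003 POP3 server ready.
USER jsmith
PASS Summer2007!
a001 LOGIN "namerica\\bjones" "Pa55word"
"""

Credential = Tuple[str, Optional[str], str, str]  # protocol, domain, user, password


def split_domain(user_part: str) -> Tuple[Optional[str], str]:
    """OWA and IMAP clients send the account as domain\\user or domain/user."""
    m = re.match(r"^([^\\/]+)[\\/](.+)$", user_part)
    if m:
        return m.group(1), m.group(2)
    return None, user_part


def decode_basic(token: str) -> Tuple[Optional[str], str, str]:
    """Decode the token of an 'Authorization: Basic' header into
    (domain, user, password).  Base64 is an encoding, not encryption:
    whoever holds the token holds the password."""
    cleartext = base64.b64decode(token).decode("utf-8")
    user_part, _, password = cleartext.partition(":")
    domain, user = split_domain(user_part)
    return domain, user, password


def harvest_credentials(capture: str) -> List[Credential]:
    """Walk captured lines and collect every logon they carry."""
    found: List[Credential] = []
    pending_pop3_user = None
    for line in capture.splitlines():
        m = re.match(r"^Authorization:\s+Basic\s+(\S+)", line, re.I)
        if m:
            found.append(("HTTP Basic",) + decode_basic(m.group(1)))
            continue
        m = re.match(r"^USER\s+(\S+)$", line, re.I)
        if m:  # POP3: USER then PASS, both in the clear
            pending_pop3_user = m.group(1)
            continue
        m = re.match(r"^PASS\s+(\S+)$", line, re.I)
        if m and pending_pop3_user is not None:
            found.append(("POP3", None, pending_pop3_user, m.group(1)))
            pending_pop3_user = None
            continue
        # IMAP4: <tag> LOGIN user password, again in the clear
        m = re.match(r'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?$', line, re.I)
        if m:
            domain, user = split_domain(m.group(1))
            found.append(("IMAP4", domain, user, m.group(2)))
    return found


if __name__ == "__main__":
    for proto, domain, user, password in harvest_credentials(CAPTURE):
        print(f"{proto:10} domain={domain} user={user} password={password}")
```

The defence the deck prescribes is not a stronger encoding but SSL on the front-end (and forms-based authentication, whose POST goes over the same SSL session): once the session is encrypted, none of these lines are visible to a sniffer.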
Inactive accounts
• Windows Server 2003 domain controllers at the Windows Server 2003 forest functional level replicate the lastLogonTimestamp attribute (the older lastLogon attribute is not replicated and must be read from every DC). lastLogonTimestamp is only refreshed when the stored value is more than about 14 days old, so treat it as accurate to roughly two weeks.
• Write a script
• Use "Additional Account Info" from ALTools
  ● http://tinyurl.com/a5zj

Assessments: Environment
• Interview:
  ● Backup schedule / procedures / rotation / media storage
  ● Client software and versions in use
  ● Client antivirus / anti-spyware procedures
  ● Remote access procedures
  ● Administrators that are approved to manage Exchange
  ● Disaster recovery / business continuance plan
  ● What is the perception of the "spam problem?"

Assessment: Starting point
• Run ExBPA against the entire organization
• Run ExchDump
• Run MBSA against each server
  ● Exchange servers
  ● Domain controllers

Assessment: Servers
• Free disk space
  ● Should be enough to mount an RSG
• Disk configuration / fault tolerance
• Memory / page file usage / available RAM
• DNS configuration
• Event log sizes / archival procedures
• BOOT.INI check (using /3GB and /USERVA=3030 if applicable)
• Additional services running?
• Dedicated Exchange server role?
• How often do you update servers with fixes and patches?
  ● Check for the vendor's hardware management software and versions
• How many users/groups are members of the local Administrators and Power Users groups?
• Is the local Guest account disabled?
• Examine local policies for weaknesses
• Are messaging system limits being imposed?

Assessment: Exchange
• Review Exchange Full Administrator and Exchange Administrator role delegation
• Domain controllers / Global catalog servers in use
• Are limits being imposed?
  ● Message sizes
  ● Mailbox sizes
  ● Distribution list usage
• Are PSTs in use?
  ● Primary delivery mechanism?
  ● Archival mechanism?
• Mailbox store sizes
• Largest mailbox users
• Confirm backups and online maintenance are running
• Exchange database and transaction log placement on disks
• Is circular logging enabled? If so, get an explanation as to why.
• Are automatic responses allowed?
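For the "write a script" item on the Inactive accounts slide above, here is the part that usually goes wrong: the lastLogonTimestamp conversion and the replication lag. This is an added example written for this page, not code from the presentation or from ALTools. It assumes the user records came out of an LDAP query for sAMAccountName, userAccountControl and lastLogonTimestamp; the records and the fixed NOW are constructed so the result is reproducible.

```python
"""Find inactive accounts from the replicated lastLogonTimestamp (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# AD stores the attribute as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# A DC rewrites lastLogonTimestamp only when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default), so the attribute can lag a
# real logon by up to two weeks.  Allow for that before calling anyone idle.
LOGON_SYNC_SLACK = timedelta(days=14)

UAC_NORMAL_ACCOUNT = 0x0200
UAC_ACCOUNTDISABLE = 0x0002

NOW = datetime(2007, 4, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """0 or a missing value means the account has never logged on."""
    if not ticks:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion; used here only to build the sample data."""
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def make_user(name: str, last_logon: Optional[datetime], disabled: bool = False) -> Dict:
    """Build one record shaped like an LDAP result (constructed data)."""
    return {
        "sAMAccountName": name,
        "userAccountControl": UAC_NORMAL_ACCOUNT | (UAC_ACCOUNTDISABLE if disabled else 0),
        "lastLogonTimestamp": datetime_to_filetime(last_logon) if last_logon else 0,
    }


SAMPLE_USERS: List[Dict] = [
    make_user("arand", NOW - timedelta(days=3)),
    make_user("bjones", NOW - timedelta(days=100)),   # inside the slack at 90 days: not flagged
    make_user("jsmith", NOW - timedelta(days=120)),
    make_user("svc_backup", None),                    # never logged on
    make_user("olduser", NOW - timedelta(days=400), disabled=True),
]


def find_inactive(records: List[Dict], now: datetime, max_age_days: int) -> List[str]:
    """Enabled accounts whose replicated last logon is older than max_age_days
    plus the sync slack, or that have never logged on.  Disabled accounts are
    skipped: they are the 'disable, then delete' cases already dealt with."""
    cutoff = now - timedelta(days=max_age_days) - LOGON_SYNC_SLACK
    inactive = []
    for rec in records:
        if rec["userAccountControl"] & UAC_ACCOUNTDISABLE:
            continue
        last = filetime_to_datetime(rec.get("lastLogonTimestamp", 0))
        if last is None or last < cutoff:
            inactive.append(rec["sAMAccountName"])
    return inactive


if __name__ == "__main__":
    print(find_inactive(SAMPLE_USERS, NOW, 90))
```

Feed the flagged names into the slide's "disable, then delete" step rather than deleting straight away: an account that never logged on may be a service account that authenticates in a way that does not update the attribute, and a 14-day slack still leaves room for the rare user who logs on exactly at the boundary.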
Assessment: Logs
• Review Application logs
• Review System logs
• Review HTTP and SMTP protocol logs

Assessment: Message hygiene
• How recent is the A/V software?
• How often are signatures updated?
• Is there a file-based scanner on the server and, if so, does it exclude Exchange files?
• Does the inbound SMTP system use RBLs? Recipient filtering?

Drawing for book giveaway
Did you get your business card to me?

Questions?
Thanks for attending!

More information…
• Tips and Tricks for Secure Messaging eBook by Jim McBee
  ● http://nexus.realtimepublishers.com/ttgsm.htm
• My blog (Mostly Exchange)
  ● http://mostlyexchange.blogspot.com
• Paul Robichaux's Exchange Security blog
  ● http://www.e2ksecurity.com/
• Paul Robichaux's Secure Messaging with Microsoft Exchange Server 2003 book (Microsoft Press, 2004)
• Exchange 2003 Support Home Page
  ● http://support.microsoft.com/default.aspx?scid=fh;EN-US;exch2003
• Slipstick Systems
  ● http://www.slipstick.com
• Security for Exchange: Assessment, Auditing, and Hardening presentation slides
  ● http://preview.tinyurl.com/32m3dt

Your Feedback is Important
Please fill out a session evaluation form and either put it in the basket near the exit or drop it off at the conference registration desk. You could win one of 10 subscriptions to TechNet Plus Direct: the essential resource for IT Professionals. Winners will be drawn and names will be posted Tuesday morning from Monday evals, Wednesday morning from Tuesday evals, and during the closing session from Wednesday evals. Include your badge number on your session eval so we can figure out the winners!
Thank you!