Security for Exchange: Assessment, Auditing, and Hardening
Jim McBee, Ithicos Solutions

Who is Jim McBee!!??
• Consultant, Writer, MCSE, MVP and MCT – Honolulu, Hawaii (Aloha!)
• Principal clients
  ● USPACOM J2
  ● USARPAC G6
• Author – Exchange 2003 24Seven (Sybex)
• Contributor – Exchange and Outlook Administrator
• Blog
  ● http://mostlyexchange.blogspot.com

This session's coverage
• Introduction to me and the topic
• Presentation and demos – about 5 hours
• Break in the morning and afternoon
• Lunch
• Book give-away – drop off your business card or write your name on a slip of paper
• Topics from today's session come from a small commercial consulting practice I run reviewing messaging security
• Questions and answers
  ● I'll try to take questions as they come up as long as this does not slow us down too much.

Free eBook
• Tips and Tricks Guide To Secure Messaging eBook
  ● http://tinyurl.com/kvxhx
• Good follow-up to this presentation

Audience Assumptions
• You have at least a few months' experience running Exchange 5.5, 2000, or 2003.
• You have worked with Active Directory
• You can install and configure a Windows 2000 / 2003 server

Presentation coverage
• Risks and threats
• Reducing exposure
• Message hygiene
• Operations and accountability
• Message content security
• Best practices and checklists

Introduction to messaging security
• Some statistics for your boss
• Getting "reasonably secure"
• Defining the right balance
• Believing in evolution

Just the stats, ma'am
• Viruses, worms, and Trojan horses are increasingly complex and "blended"
• Malware includes viruses, worms, Trojan horses, phishing, and spyware scams
• 53% of e-mail users in the U.S. say they trust e-mail less now because of spam, viruses, and phishing
• Between 50 and 80% of all e-mail traffic is now spam
• Malware costs for 2004 estimated between $169B and $204B
• CipherTrust reported 172,000 new "zombies" each day in May 2005
• 323% rise in intellectual property theft/loss.
  74% of these security breaches were from the inside.
• Of the external threats, the most common attack vectors are weak passwords, known vulnerabilities, and social engineering
• More?
  ● http://www.messagingsolutions.com/News/interesting_statistics.htm

Why are these statistics important?
• They affect the usage of the e-mail system
• They affect the level of trust that users place in the data in the e-mail system
• For most organizations, e-mail is "business critical"; data must be secure, available, and trusted
• They reflect a need for continually evolving messaging system protection
  ● Protect from inside and outside threats

Defining "Reasonably Secure"
• Are you doing your "due diligence"?
• One attorney I recently heard speak defined "reasonably secure" as doing AT LEAST what everyone else is doing
• Taking into consideration assets, risks, and threats, and then defining procedures to mitigate each of these.
• Being realistic (and thorough) when defining risks
  ● Data disclosure is realistic
  ● Denial of service is realistic
  ● Alien abduction is not as common

Striking a balance…
• Security should strike a balance between:
  ● Effective security
  ● Usability / functionality
  ● Cost
  ● Complying with the law

Risk Management
• Put on your "MBA" hat and take off the "IT" hat
• Define and document the "process"
• Locating / defining assets
• Assessing the risks to these assets
• Reviewing the threats that may make the risks a reality
• Mitigating these risks
• For our discussions in this session, we will limit the scope of this to just messaging

Process
• What process do you use to go through a risk assessment?
• Who is involved?
  ● Subject matter experts (IT department)
  ● Consultants / outside technical advisors
  ● Legal
  ● Senior management
• Encourage "outside the box" thinking
  ● Avoid "group think"
• Document everything about the process: the exchange of ideas, the discussions, disagreements, etc.
• Senior management must have visibility
  ● Regarding regulatory compliance, corporate officers may often have fiscal or legal responsibility for IT security
• "Process" is going to become a way of life for Information Technology

What are your assets?
• Data / intellectual property
• Knowledge workers / productivity
  ● Lost productivity = $$$
• Business reputation
• Mail servers and network infrastructure
• Bandwidth
  ● To Internet
  ● To customers
  ● To users
• Service availability

What are the risks to these assets?
• Financial loss
• Lawsuits / regulatory liabilities
• Accidental / intentional disclosure of intellectual property
• Users with idle time or unable to work (lost productivity)
• Unable to meet commitments to customers and vendors
• Lost sales or opportunities
• Damage to reputation / community embarrassment

Predicting the "threats"
• Accidental disclosure of intellectual property
• Intentional disclosure of intellectual property
• Denial-of-service (any interruption of messaging services)
• Hackers
• Sending malware or spam to YOUR customers
• Malware / viruses / Trojan horses / spyware / phishing
• Misuse of the messaging system (passing around inappropriate content), which may result in company liability
• Data theft (via hacking, backup media theft, hard drive theft, impersonating a user)

Threats: What are the attack vectors that can be used against you?
• Bad physical security / access control
• Vulnerable servers exposed to the Internet
  ● Directly exposed mailbox servers: port 25 or 80/443 open directly to the server from the Internet.
• Weak DMZ security
• Poor message hygiene control
• Social engineering
• Careless users
• Malicious users
• Poor backup media handling procedures
• Excessive administrative procedures
• Single point of failure for inbound and outbound message handling

Threats: Entry points for malware
• Inbound e-mail
• Users surfing the Internet
• Users downloading e-mail from an outside provider (via POP3/IMAP4/free web providers)
• Wireless network hacking
• VPN connections (home and laptop)
• Users bringing computers in from outside (personal laptops)
• Connections with business partners
• Removable media (USB drives, iPods, CD, DVD, floppy, PDA, cell phones)

Mitigation
• How do you mitigate all of this?
  ● That is what this session is all about
• Taking the necessary steps to provide "reasonable security"
• Firewalls / appliances / gateways / managed providers
• Good server management and configuration practices
• Filtering out as much unwanted content as possible before it reaches the mail server
• Acceptable use policies and information security policies
• Applying appropriate levels of content security

Vulnerabilities
• Improving physical security
• Backup media
• Operating system
• Exchange updates
• Users
• Quick assessments

Physical security
• Law #3 of the 10 Immutable Laws of Security
  ● "If a bad guy has unrestricted physical access to your computer, it's not your computer anymore"
• Locked doors / access control system that records entry information
• Mandatory sign-in sheets
• Cameras

Backup media
• Tape media can be your Achilles' heel
  ● Many stories of backup tapes being compromised
• Often tapes are stored outside of the data center
• Consider data encryption technologies for tape media
  ● http://tinyurl.com/go4ea
• Store in a physically secure location
• If off-site, transport in locked containers

Operating system stability
• Very basic, but OS vulnerabilities frequently contribute to access by external hackers. Very common attack vector for hackers as well as worms.
• Apply applicable critical updates within 3 – 4 weeks
  ● Applicable? Does the fix affect your configuration?
  ● Don't apply on the day they are released
• Apply service packs within 1 to 2 months
  ● Read the SP "readme" first
• Use Microsoft Update or WSUS
  ● http://tinyurl.com/dwj6n
• Check for hardware vendors' remote administration tools such as BMC tools, Dell RAC cards, etc. These may provide a separate path into the system, so patch and restrict them too
• Sufficient free disk space on all disk drives

Exchange updates
• Critical patches within 3 – 4 weeks of release
• Service packs within 1 to 2 months of release
• Some updates will overwrite custom changes you have made (such as OWA's LOGON.ASP)

A word about scheduled downtime
• Don't sacrifice reliability for availability
• If you don't have downtime built in to your operations, then how can you apply patches and updates?
• Plan for a scheduled outage once every 2 weeks
  ● Schedule these late at night
  ● These outages should not affect your "nines"
  ● You don't have to use them if you don't need them

Users
• 60 – 70% of all security breaches occur from within.
  ● (Source: 2002 Computer Crime and Security Survey – CSI and the San Francisco FBI Computer Intrusion Squad)
• Require an Acceptable Use Policy
  ● Must have "bite"
  ● Must be enforceable
  ● Must be legal
  ● See http://www.sans.org/resources/policies
• For IT staff, require an IT AUP or Ethics Statement
  ● "Don't read other people's mail"
• Clearly define your information security policies

Quick Assessments – ExBPA
• Exchange Best Practices Analyzer
  ● http://www.exbpa.com

Quick Assessments – MBSA
• Microsoft Baseline Security Analyzer
  ● http://tinyurl.com/2e5fe

Locking down servers
• Reduce a server's attack surface
• Disabling unnecessary services
• Statically mapping RPC ports
• Configure Exchange to accept only certain versions of MAPI clients
• Apply policies consistently with GPOs
• Open SMTP relays?
• Apply IPSec
• MAC address filtering on hubs/switches

Disabling unnecessary services
• Install only the Windows components necessary to run the server
• Candidates to disable on a mailbox server if unused:
  ● POP3 / IMAP4 / NNTP
  ● MS Exchange Events
  ● MS Exchange MTA Stacks
  ● Computer Browser
  ● Messenger
  ● Alerter
  ● MS Search
  ● TELNET

Statically map RPC ports
• Does not make security any tighter, but does let you easily identify the RPC traffic on your network.
  ● Exchange Server – KB 270836
  ● Active Directory – KB 224196
  ● Also useful if you have a data center firewall or WAN firewall

Restrict MAPI versions
• Restrict Exchange so that it will only accept Outlook versions after Outlook 2000 SP3
  ● HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
  ● Create a REG_SZ (string) value named "Disable MAPI Clients"; the data is a version range, not a number
  ● Put -5.3165.0 in the data field
• See KB 328240 and 288894
• http://www.windowsitpro.com
  ● InstantDoc #26505
• Can help reduce the spread of viruses and worms by allowing only more recent versions
• Use with caution!

Group Policy Objects
• Use GPOs to deploy consistent settings
• Define
  ● Auditing
  ● Security
  ● Password / lockout
  ● Services

Sample GPO
• This sample can be found at
  ● http://tinyurl.com/kowcw
• It WILL probably break something!
• Expects W2K or later clients
• Test your policies gradually

Open SMTP Relay?
• No one needs an open SMTP relay
• The spammers and worms WILL find you!
• Restrict relay to your own networks
• Require authentication for clients
• Exchange servers in your organization always authenticate to each other, so restricting relay does not break internal mail flow

IPSec
• More than a "reasonable" measure
• Allows IP-layer encryption and packet authentication
• Additional CPU overhead
• IPSec policies can get complex if you implement them for only a subset of workstations
• Prevents spoofing and man-in-the-middle attacks

MAC address filtering on hubs / switches
• This is pretty extreme
• Do this if you are concerned about intruders getting physical access to your infrastructure
• Requires almost constant management for changes / adds / moves

Security at the perimeter
• Focus is on "security", not "message hygiene"
• The Internet "path" to your mail servers
• Denial-of-service attacks
• Intercept inbound traffic in your DMZ
• Restrictions, restrictions, restrictions…

The path to your mail servers
• Getting directly to mail servers is simple
• MX records define your inbound SMTP servers
• A or CNAME records point to your OWA, ActiveSync, POP3, or IMAP4 resources
• These records may reveal IP addresses that point DIRECTLY to your mailbox servers
• Your goal must be to reduce or eliminate this direct exposure

Denial-of-service and e-mail
• Anything a hacker/intruder can do to prevent your messaging system from providing messaging services or allowing your users to do their jobs.
  ● Spam could be considered a denial-of-service, since users spend so much time going through it to find legitimate mail.
• A DoS attack may attempt to fill up disk space, overload messaging queues, overwhelm users, exceed bandwidth capacity, etc.
• Directory harvesting and tarpits
• An ugly trend: virus writers, spammers, and 'bots / zombies working together

Directory harvesting / dictionary spamming
• Directory harvesting tries to find valid SMTP addresses using dictionary or random strings
• Dictionary spamming sends to a dictionary full of common names
• This can overwhelm a mail server
• Recipient filtering rejects mail addressed to unknown recipients at RCPT TO time (rather than accepting it and generating an NDR from your NDR mailbox)
  ● Caveat: on its own, the immediate 550 for a bad address versus 250 for a good one tells the harvester exactly which addresses exist
• A tarpit slows them down by delaying the response to each rejected recipient, which is what makes recipient filtering safe to enable
  ● See KB 842851
  ● Recommended for Internet-facing SMTP virtual servers
• Screenshot: only one address in this list was valid, probably the "index patient"

Prevent direct access to mailbox servers
• Don't allow direct access to mail server resources
• Inbound SMTP mail through an SMTP relay
  ● Can be an "appliance", Windows, or UNIX system
  ● Can act as part of your message hygiene system. More on this later
• Inbound OWA / RPC over HTTP / ActiveSync through a reverse proxy
  ● ISA Server
  ● IronPort
  ● Whale Communications
• Prevents direct exposure for mailbox servers, front-ends, and bridgeheads
• Diagram: use SMTP relays and ISA Server proxies

Remote Outlook client options
• Some remote users are just going to have to have Outlook
• Don't open RPC ports directly to Exchange for remote Outlook clients
• Use a VPN
• Use an RPC application-layer filter on the firewall
• Use RPC over HTTPS instead

Restrictions, restrictions, restrictions
• Mailbox
• Message size
• Recipients per message
• Automatic responses
• Internet-facing SMTP virtual servers
• Distribution list usage
• Monitor disk space usage and set alerts
• Users are going to hate you for this!
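The directory-harvesting slide above describes the symptom (a burst of RCPT TO commands for addresses that do not exist, with the rare 250 marking a real user) but not how to find it in the SMTP protocol logs the Accountability section later tells you to keep. The following is an added example written for this transcript; it is not code from Jim McBee's deck. It parses W3C extended log records in the shape the Exchange 2003 SMTP virtual server writes (the #Fields directive drives the parser, so the field order is not hard-coded) and flags any client IP whose rejected RCPT count inside a sliding window crosses a threshold. The log lines are constructed, the IP addresses, names and field values are invented, and the 20-in-60-seconds threshold is an assumption to tune against your own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed W3C extended log header in the field order the Exchange 2003
# SMTP virtual server uses (assumption; verify against your own log files).
HEADER = ("#Software: Microsoft Internet Information Services 6.0\n"
          "#Version: 1.0\n"
          "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes "
          "time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)")


def _line(time, client_ip, verb, argument, status):
    # One constructed record; the field order matches HEADER. Values are invented.
    return (f"2005-11-02 {time} {client_ip} - SMTPSVC1 EXCH01 192.0.2.10 0 "
            f"{verb} - {argument} {status} 0 0 0 0 SMTP - - - -")


def build_sample_log():
    """Constructed sample: one harvester, one partner server, one sloppy sender."""
    lines = [HEADER,
             _line("08:00:01", "203.0.113.7", "EHLO", "+spam.example", "250"),
             _line("08:00:01", "203.0.113.7", "MAIL", "+FROM:<x@spam.example>", "250")]
    # Harvester: 25 RCPT TO guesses in 25 seconds; only guess12 exists (the "index patient").
    for i in range(25):
        lines.append(_line(f"08:00:{2 + i:02d}", "203.0.113.7", "RCPT",
                           f"+TO:<guess{i}@example.com>", "250" if i == 12 else "550"))
    # Legitimate partner server: three real recipients, all accepted.
    for i, name in enumerate(("alice", "bob", "carol")):
        lines.append(_line(f"08:05:{10 + i:02d}", "198.51.100.4", "RCPT",
                           f"+TO:<{name}@example.com>", "250"))
    # Ordinary sender with two mistyped recipients: rejected, but nowhere near a harvest.
    for i in range(5):
        lines.append(_line(f"08:07:{i:02d}", "192.0.2.55", "RCPT",
                           f"+TO:<user{i}@example.com>", "550" if i < 2 else "250"))
    return "\n".join(lines) + "\n"


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            parts = raw.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def detect_directory_harvest(log_text, threshold=20, window_seconds=60):
    """Flag client IPs with >= threshold rejected (5xx) RCPT commands in any sliding window.

    Returns {c-ip: {"rcpt": all RCPTs, "rejected": 5xx RCPTs, "peak_in_window": max seen}}.
    """
    window = timedelta(seconds=window_seconds)
    recent, stats, flagged = defaultdict(deque), defaultdict(lambda: [0, 0]), {}
    for rec in parse_w3c(log_text):
        if rec["cs-method"].upper() != "RCPT":
            continue
        ip = rec["c-ip"]
        stats[ip][0] += 1
        if not rec["sc-status"].startswith("5"):
            continue
        stats[ip][1] += 1
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop rejections older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return {ip: {"rcpt": stats[ip][0], "rejected": stats[ip][1], "peak_in_window": peak}
            for ip, peak in flagged.items()}


def rcpt_rejection_rate(log_text):
    """Share of RCPT commands answered 5xx: the 'rejected by recipient filtering' figure."""
    total = rejected = 0
    for rec in parse_w3c(log_text):
        if rec["cs-method"].upper() == "RCPT":
            total += 1
            if rec["sc-status"].startswith("5"):
                rejected += 1
    return rejected / total if total else 0.0


if __name__ == "__main__":
    log = build_sample_log()
    for ip, info in detect_directory_harvest(log).items():
        print(f"possible directory harvest from {ip}: {info}")
    print(f"RCPT rejection rate: {rcpt_rejection_rate(log):.0%}")
```

Run it against the real log directory by feeding the concatenated files to detect_directory_harvest(); a flagged IP is a candidate for the connection filter, and a high overall rejection rate is the signal that the KB 842851 tarpit belongs on that virtual server. The same parser reads the HTTP protocol logs from the OWA front-ends, since IIS writes the same W3C extended format.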
Mailbox Limits
• A necessary evil
• Adjust based on your organization's needs
• Don't limit users if they have a job to do
• The most important limit is "Prohibit Send and Receive", as that closes down the mailbox and it does not accept any more mail

Exchange reports on closed mailboxes
• Monitoring for event ID 8528 can help you determine if mailboxes are filling up

Message Size / Recipient Limits
• Default inbound and outbound message size is 10MB.
• Usually adequate for most organizations
• This is the MAXIMUM for users. It can be overridden per user to a smaller amount, but not larger
• Maximum recipients per message is 5000, but I recommend dropping this. This can be overridden per user.

Inbound limits from the Internet
• Limit inbound message size on the SMTP virtual servers that accept mail from the Internet
• Will apply to outbound messages only if the SMTP Connector to the Internet uses this SMTP VS as a bridgehead
• If this SMTP VS is also used for internal message traffic, it may hurt public folder replication

Outbound limits to the Internet
• Limit outbound message size on the SMTP Connector (if not limited on the SMTP virtual server)

Automatic Responses
• The default Internet Message Format does not allow automatic responses to the Internet
• This may have been changed
• You can override this by creating additional Internet Message Formats for specific domains
• Considered risky: an automatic reply confirms that an address is live and may disclose details useful for "social engineering"

Distribution list security
• Prevent abuse of your distribution lists
• Limit maximum message size
• Limit to authenticated users only (prevents someone on the Internet from using the group's SMTP address)
• Limit who can send to the list internally

Monitor disk space and set alerts
• Common cause of downtime
• Built-in monitoring tools can alert you to possible problems
• Additional monitoring tools can automate disk usage tracking and provide trend analysis and usage reports

Monitoring usage from a script
• Exchange MVP Glen Scales wrote a really nice script to report store usage and trends
  ● http://tinyurl.com/m7w8j

Restricting maximum store size
• Exchange 2003 SP2 allows a maximum store size to be set
  ● http://tinyurl.com/fmgxf
• When a store exceeds that size, it is dismounted
• Use with great care! You can still cause your users downtime with this feature.

Outlook Web Access security
• Implement a reverse proxy
• Enable Forms Based Authentication
  ● Session timeouts
• Use SSL
• Train users to log out and close the browser window
• URLScan

Put the front-end in the DMZ???
• Conventional thinking says put the front-end server in the DMZ. This requires many ports to be opened from the DMZ to the internal network.

Reverse proxy for OWA
• Place front-end servers on the internal network and use an ISA Server in the DMZ. Much more secure; fewer ports need to be opened.
• More information
  ● Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology
    http://tinyurl.com/5e6sv
  ● Protecting Exchange Servers, by Don Jones
    http://tinyurl.com/zfemv
  ● Protecting Microsoft Exchange with ISA Server 2004 Firewalls, by Tom Shinder
    http://tinyurl.com/jocrz
  ● A Reverse Proxy Is A Proxy By Any Other Name, by Art Stricek
    http://tinyurl.com/cb2f9

Enable Forms Based Authentication
• Enable on the front-end servers
• Implements timeouts
  ● Public = 15 minutes
  ● Private = 24 hours
  ● Customizable
• Allows a customizable logon page
• Screenshot: Forms Based Authentication settings

Always use SSL from a trusted authority
• Very bad to get users in the habit of ignoring security alerts
• Many sources for low-cost, trusted SSL certificates
  ● GoDaddy – www.godaddy.com
  ● InstantSSL – www.instantssl.com

Basic authentication passwords are very easy to intercept
• Using a tool such as Network Monitor, capture an OWA authentication string when using Basic authentication over plain HTTP.
• Take the authentication string bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg==
• Run it through any Base64 decoder and you get:
  ● namerica/arand:$culliRulz
  ● Domain name: namerica; User: arand; password: $culliRulz
• Base64 is an encoding, not encryption; only SSL on the wire protects it
• Scary, eh?
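The Basic authentication slide shows one decoded string by hand. The following is an added example written for this transcript, not code from the deck or from Microsoft: it pulls credentials out of a constructed capture the way an attacker on the same segment would, for an OWA request using Basic authentication (the Authorization value is the one from the slide) and for POP3 and IMAP4 logons, where no decoding is needed at all. The request and the two protocol sessions are constructed samples; the host names and the domain\user syntax are illustrative assumptions.

```python
import base64
import re

# Constructed capture of an OWA request sent over plain HTTP with Basic authentication.
# The Authorization value is the string shown on the slide.
HTTP_REQUEST = (
    "GET /exchange/arand/Inbox/ HTTP/1.1\r\n"
    "Host: owa.example.com\r\n"
    "Authorization: Basic bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg==\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)

# Constructed POP3 and IMAP4 sessions; C: is the client, S: is the server.
# Exchange accepts the domain\user form for both protocols (assumption for the sample).
POP3_SESSION = (
    "S: +OK Microsoft Exchange Server 2003 POP3 server ready.\r\n"
    "C: USER namerica\\arand\r\n"
    "S: +OK\r\n"
    "C: PASS $culliRulz\r\n"
    "S: +OK User successfully logged on.\r\n"
)
IMAP_SESSION = (
    "S: * OK Microsoft Exchange Server 2003 IMAP4rev1 server ready.\r\n"
    "C: a001 LOGIN \"namerica\\arand\" \"$culliRulz\"\r\n"
    "S: a001 OK LOGIN completed.\r\n"
)

IMAP_LOGIN = re.compile(r'^C: \S+ LOGIN "?([^" ]+)"? "?([^" ]+)"?\s*$', re.IGNORECASE)


def split_identity(userpass):
    """Split 'domain/user:password' or 'domain\\user:password' into (domain, user, password)."""
    ident, _, password = userpass.partition(":")   # password may itself contain ':'
    if "/" in ident or "\\" in ident:
        domain, user = re.split(r"[/\\]", ident, maxsplit=1)
    else:
        domain, user = "", ident                    # bare user or user@domain (UPN) form
    return domain, user, password


def credentials_from_http(request):
    """Decode the Basic Authorization header of a captured HTTP request, or None."""
    for line in request.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                # Base64 is reversible by anyone; this is the whole point of the slide.
                return split_identity(base64.b64decode(token).decode("latin-1"))
    return None


def credentials_from_pop3(session):
    """POP3 USER/PASS travel in clear text; just read them off the wire."""
    user = password = None
    for line in session.splitlines():
        if line.startswith("C: "):
            verb, _, arg = line[3:].partition(" ")
            if verb.upper() == "USER":
                user = arg
            elif verb.upper() == "PASS":
                password = arg
    if user is None or password is None:
        return None
    return split_identity(f"{user}:{password}")


def credentials_from_imap(session):
    """IMAP4 LOGIN carries user and password as plain (optionally quoted) strings."""
    for line in session.splitlines():
        match = IMAP_LOGIN.match(line)
        if match:
            return split_identity(f"{match.group(1)}:{match.group(2)}")
    return None


if __name__ == "__main__":
    for label, creds in (("OWA Basic", credentials_from_http(HTTP_REQUEST)),
                         ("POP3", credentials_from_pop3(POP3_SESSION)),
                         ("IMAP4", credentials_from_imap(IMAP_SESSION))):
        print(f"{label}: domain={creds[0]} user={creds[1]} password={creds[2]}")
```

All three functions return the same (domain, user, password) tuple, which is the practical point: Basic authentication and the POP3/IMAP4 logon commands are equally exposed unless the session is wrapped in SSL/TLS. Forms Based Authentication does not change this by itself; the logon form still posts the password, and it is the SSL requirement that protects it.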
• POP3, IMAP4, and NNTP passwords do not even have to be decoded: those protocols send them in clear text unless you require SSL

Should you use URLScan?
• Not necessary if using a reverse proxy that performs HTTP application-layer inspection
• URLScan can cause some messages to be un-openable with OWA
  ● If the subject line has the .. ./ \ % & characters
• See KB 823175 for more information

Mobile device security
• Mobile devices often have sensitive data on them.
• Implement the Windows Mobile 5.0 Messaging and Security Feature Pack (MSFP), available from the device vendor
• Use the Exchange 2003 SP2 mobile device security features
  ● Remote wipe feature available

User education
• Train users to
  ● Always use HTTPS
  ● Always close the browser window when finished with OWA
  ● Be on the lookout for suspect kiosks or Internet cafes

Administrative Security
• Practice the principle of least privilege
• Properly delegate roles
• Windows versus Exchange permissions
• ExMerge permissions

Delegating Exchange roles
• Mailbox admins (create/delete/modify mail attributes) = Exchange View Only Administrator
• Manage stores, move mailboxes, manage connectors, etc. = Exchange Administrator
• Modify permissions = Exchange Full Administrator

Exchange permissions versus Windows permissions
• Delegating Exchange roles does not necessarily give you the Windows permissions necessary
• Start / stop services = Power User / Administrator
• Log on to the console = Administrator
• Restart the server = Administrator / Power User
• Manage SMTP queues = Administrator
  ● Cannot be changed
• Possible problem updating e-mail addresses
  ● See http://tinyurl.com/j4xwd

ExMerge Permissions
• Very handy tool
• Requires MORE than Exchange Full Administrator access
• Create a security group: Exchange Full Mailbox Access
• Delegate Exchange View Only Administrator permissions to this group
• Modify permissions on the Security property page; assign Receive As
  ● See KB 259221
• Create an ExMerge user and put that user in the Exchange Full Mailbox Access group
• Secure access to the ExMerge user account
• Ensure that the ExMerge user is
  neither a member of Domain Admins nor Enterprise Admins (Exchange places an explicit Deny for Receive As on both groups, and the Deny overrides the Allow you just granted)

Daily Operations
• Verify successful backups
• Check available disk space
• Review event logs
• Check antivirus software and updates
• Check SMTP queues
• The more you know about normal operations, the more quickly you will recognize variances and react to them.

Things that make you go hmmm…
• When monitoring and reviewing your event logs, look for events that you cannot explain or did not expect.
• Look for anything that is outside of the normal boundaries of operation.
• Consider also the time of day that some things happen, such as restarts when no one is around or backups running off schedule

Security related events…
• Screenshot: a user logged on to a mailbox that is not their own (MSExchangeIS Mailbox Store event 1016 in the Application log)
• Is this person supposed to be viewing this mailbox?
• This might be perfectly legitimate, but it should raise questions.

Security related events…
• A mailbox store was mounted.
• Was this scheduled / expected?
• Thanks to tools like PowerControls or Quest's Recovery Manager, I just need your EDB/STM file to do evil.

Security related events…
• Hey! Who is running a backup in the middle of the day??!!

Security related events…
• Look for unexpected system restarts
• This may indicate someone is messing with the hardware

Accountability and Auditing
• Logging is usually one of those things you don't know you need until you need it.
• Caution: increasing logging/auditing increases overhead
• Event log sizes
• Diagnostics logging
• Message tracking logs
• Protocol logs
• Protecting tracking and protocol logs
• Auditing configuration changes to Exchange

Windows Event Logs
• Sizes:
  ● Application – 196608KB
  ● Security – 49152KB
  ● System – 49152KB
  ● See http://tinyurl.com/syua3
• Overwrite as needed
• Set manually or via GPO
• Find some tool to archive these and keep them, or the overwrite setting will discard the evidence you need later

Windows Auditing
• These events are audited to the Windows Security log
• More auditing = more overhead
• Apply to the local security policy or via GPO

Diagnostics Logging: Store System
• Minimum level of logging is sufficient for informational events

Diagnostics logging: Mailbox store
• Minimum level of logging is sufficient for informational events

Message tracking logs
• Helpful in diagnosing problems
• You don't know you need these until you need them
• May contain sensitive information (sender, recipients, subject), so protect them
• Automatically purged (after 7 days by default)

HTTP protocol logging
• Enabled via IIS Manager
  ● Use the W3C extended log format
• Enable on front-end servers used by OWA
• Will include ActiveSync and OMA traffic
• These logs do not automatically delete
  ● For a script see http://tinyurl.com/nztyy

SMTP protocol logging
• Enabled in ESM on the SMTP virtual server
  ● Use the W3C extended log format
• Enable on bridgeheads that accept mail from outside of the organization
• Useful for troubleshooting and security purposes
• These logs do not automatically delete
  ● For a script see http://tinyurl.com/nztyy

Auditing changes to Exchange configuration
• Most Exchange configuration is stored in Active Directory
• Requires the "Audit directory service access" policy to be enabled on the domain controllers
• Enable "Write" auditing on the Exchange organization object (via ADSIEdit)
• Events are logged to the Security logs on the domain controllers, not on the Exchange server

Resulting events
• The event reports the object and attribute that were changed
• Not necessarily easy to read unless you know what the attributes are for.
• Screenshot: here I changed the inbound message size

Message hygiene
• Multi-layer protection
• Hygiene basics
• Content inspection
• Blocked content
• Virus detection
• Spam detection
• Managed providers

What did I do to deserve this?
• Message hygiene collectively refers to spam, virus, and phishing detection and filtering
• By some estimates, 50 – 80% of all inbound mail is spam!
• Some estimates are that users spend 30 – 45 minutes PER DAY sorting through unwanted e-mail
• There may be some liability involved in spam or phishing schemes
  ● A user sues their employer because they were offended! Or phished!

You think you have problems!
• One small business
  ● About 20 active mailboxes
  ● 90% inbound spam rate
  ● 18,000 messages in a 24-hour period
  ● Over 50MB worth of disk space to store
  ● Nearly 65MB worth of Internet bandwidth consumed
  ● Out of this, 20 viruses/worms were detected
• Screenshot: inbound statistics for this organization

Multi-layer protection
• Employ multiple technologies
• Intercept inbound mail at different points
• Use differing scanning and detection technologies
• Keep as much malware as possible AWAY from the mailboxes and users
• Diagram: multi-layer protection

Multi-layer protection to the extreme
• One organization took the multiple layers to the extreme
• The need for this system evolved over 5 years
• Rather than replacing one gateway with a more feature-rich product, they just kept adding more
• Diagram: multi-layer protection to the extreme

Hygiene system basics
• We are seeing a convergence of tools and technologies
• Buying a simple SMTP virus scanner is hard; most include anti-spam technologies
• Higher-end and specialized systems also include more advanced content inspection

Content inspection
• The industry often refers to spam and virus detection as "content inspection"
• I refer to more specialized systems that
  ● Implement "dictionary scanning" to block inbound or outbound messages
  ● Look for messages that may violate the Acceptable Use Policy (naughty words, pictures, jokes)
  ● Prevent sensitive
    data from being disclosed
    In the U.S. the HIPAA law "requires" this
    Vendors include: Tumbleweed and Clearswift

Content inspection vendors
• Evaluate a couple of different systems to make sure the product meets your needs.
• CipherTrust IronMail
• Tumbleweed MailGate
• Clearswift MIMEsweeper
• Symantec Brightmail
• Aladdin eSafe
• Barracuda Spam Firewall
• Sendmail Sentrion Email Security Appliance
• MailFrontier Enterprise Email Protection
• NetIQ MailMarshal

Blocked content
• Define a policy that allows you to block unwanted content
  ● Hostile content
    http://tinyurl.com/atlz
  ● Multi-media files
  ● ZIP files
• Most antivirus software lets you do this
• Very common with most IT organizations
• The blocked list should be published to your users

Virus Detection
• Virus detection / scanning is pretty common knowledge, but very important
• Viruses are evolving quickly
  ● Sometimes 20 – 30 new variants of existing viruses come out daily
  ● "Virus" is often used when describing worms or Trojans. Most "viruses" today are really worms or blended threats
  ● Virus writers are continually looking for new system and user exploits
• You should update signatures between 6 and 12 times per day

Virus detection
• Methodologies
  ● Generic / signature-based detection
  ● Heuristic filters
    Examining content for certain types of expected behavior
  ● Traffic analysis
    Analyzing large volumes of traffic for similarities
  ● Behavioral analysis
    Executing suspected content in a "virtual" environment

SMTP scanning systems
• Generic; can front-end any mail system
• Usually located in the DMZ
• Usually combine antivirus and anti-spam functions

Antivirus scanning at the Exchange server
• Requires Exchange-aware virus software
  ● E2K3 uses VSAPI 2.5 (the Exchange Virus Scanning API)
  ● Can scan using VSAPI (when the message hits the information store) or as the message traverses SMTP
• Should the server have a file-based scanner?
  ● If you do this, ensure that it NEVER scans the EDB, STM, CHK, and LOG files.
  ● Also skip the \windows\system32\inetsrv folder and the SMTP queue folders. If running Exchange 2000, also never scan the M:\ drive
• See KB 823166: Overview of Exchange Server 2003 and antivirus software

Exchange / VSAPI Software
• Sybari Antigen for Exchange
• Trend ScanMail for Microsoft Exchange 2003
• Symantec Mail Security for Microsoft Exchange
• Sophos PureMessage for Microsoft Exchange
• F-Secure Anti-Virus for Microsoft Exchange
• GFI MailSecurity for Exchange
• F-Prot Antivirus for Exchange
• Norman Virus Control (NVC) for Exchange
• McAfee GroupShield for Microsoft Exchange
• BitDefender for MS Exchange 2003

Client-side scanning
• With all this protection on the mail servers, do you still need client scanners?
  ● Absolutely. There is more than one attack vector for viruses.
  ● Users may download from HTML web mail or remote POP3 accounts

Spam detection / prevention
• Technologies
  ● White listing
    Senders are verified against a list of known, good senders
    Appliance / service provider
  ● Black listing
    Inbound mail is checked against a database of blocked senders or mail servers
    Real-time block lists or real-time black hole lists
  ● Grey listing
    Inbound mail is temporarily rejected (a 4xx response) on the assumption that valid senders will retry while spammers will not.
    Exchange does not implement this
    See http://tinyurl.com/5c5oc
  ● Authenticated sender
    Yahoo!
    DomainKeys
    Sender ID
  ● These technologies are usually used in conjunction with message inspection

White listing
• Sendio appliance
• XWall
• SpamAssassin
• Spam Arrest (service provider)

Real-time Block Lists
• The SMTP server that accepts inbound connections checks the connecting IP address against the RBL (a DNS lookup)
• The connection can be rejected (in the case of Exchange)
• Or the inbound message can be tagged for further examination by spam detection software
• Many of these list providers exist
• This can reduce inbound spam by 40 – 50%
• Can reject valid inbound mail, so read a list's listing and delisting policy before you let it reject

RBL providers
• Spamhaus – www.spamhaus.org
• ABUSEAT CBL – cbl.abuseat.org
• ORDB – www.ordb.org
• SpamCop – www.spamcop.net
  ● Pretty aggressive
• SORBS – www.us.sorbs.net
  ● Pretty aggressive
• RBL check – www.dnsstuff.com
  ● Check to see if a host is on an RBL

Configuring an RBL
• Configure the DNS suffix
• Custom message for rejected messages
• Screenshot: connection filtering rule

Sender ID
• Industry effort to give SMTP servers the ability to validate the sending SMTP server, to see if it is authorized to send mail for the sender of the message
• Two parts to the technology
  ● Your domain needs SPF records listing your authorized SMTP servers
  ● Your SMTP servers look up the SPF record for the sender's domain on inbound messages and validate that the connecting server is authorized to send on behalf of that domain

Create DNS SPF records
• Microsoft provides a web-driven wizard
  ● http://www.anti-spamtools.org

Configure Exchange to use Sender ID
• Exchange 2003 SP2 and hotfix 909426
• Define your internal mail servers and perimeter IPs, so the check is made against the external sender's IP and not your own relay
• Enable on SMTP virtual servers that accept mail from the Internet

Sender ID analysis on one SMTP server
• 79% of the inbound connections had DNS SPF records

Using the Intelligent Message Filter
• Pretty darned good for a free tool
• Only needs to be enabled on SMTP VSs that are exposed to the Internet
• Gateway actions: Reject / Archive / Delete / No Action

IMF customization
• Automatic filter updates
  ● See KB 907747
  ● Released bi-weekly
• Implementing "custom weighting"
  ● Define words that NEVER mean spam or ALWAYS mean spam
  ● See Henrik Walther's
    article at http://tinyurl.com/ctqc8
• Viewing the IMF archive
  ● http://tinyurl.com/5w5pr

Effectiveness of RBLs and Recipient Filtering
• Remember the organization with so much spam?
• Here is what 2 RBLs and Recipient Filtering did for them
  ● In 5 days, 211,654 inbound SMTP connections
  ● 53% rejected by RBLs
  ● 35% rejected by "Filter recipients who are not in the Directory"
  ● Leaving the IMF with the rest

Leaving the IMF with the rest
• The balance of the messages were handled by the IMF
• 50% of messages ranked SCL of "6" or above

Managed providers

Using managed providers
• The organization directs its MX records to the managed provider's servers
• The managed provider…
  ● Has better scalability and redundancy
  ● Immediate response to day-zero threats
  ● Keeps malware and unwanted content from reaching your perimeter
  ● Reduces hardware and software required by the organization, as well as complexity and IT resources required
  ● Allows the organization to accept inbound SMTP only from the provider
  ● Unwanted content never makes it to the network in the first place
  ● Reduces the threat from spam and virus/worm 'bots
• Providers such as FrontBridge can provide regulatory compliance features such as archiving and content inspection

Managed providers
• Microsoft FrontBridge
• MessageLabs
• Postini
• OWN ExchangeDefender
• Blue Ridge InternetWorks Anti-Spam Solutions
• CyberTrust Managed E-mail Firewall Service
• Symantec Managed Virus Protection Service

Content protection
• PKI and encryption basics
• S/MIME
• Enterprise Rights Management
• S/MIME and ERM are complementary technologies

Symmetric encryption
• Symmetric (a.k.a. "secret") key encryption
  ● The same key encrypts and decrypts
• The weak point is distribution: the "secret" key has to reach the other party, and anyone who intercepts it can read everything
• Algorithm examples include DES, 3DES, CAST, AES, RC2, Blowfish, IDEA
• Diagram: Original Data → Cipher Text → Original Data (one shared key)

Asymmetric encryption
• Public and private key pair
• An RSA key is built from two VERY large prime numbers; their product, the modulus, is 1024 bits or longer
• Computationally difficult to recover the two primes from the modulus (factoring), which is what keeps the private key private
Encrypting large amounts of data is very processor and time intensive Recipient’s private key Recipient’s public key Original Data Cipher Text Original Data Encryption based entirely on public / private keys is impractical • Too much CPU usage when using such large keys • Diffie-Hellman proposed combining the strengths of the two systems ● http://tinyurl.com/lbzf3 • Most modern encryption systems use some type of “secret key” exchange including S/MIME, SSL, IPSec, EFS, ERM, etc… Combining symmetric and asymmetric encryption to protect data 1) Recipient’s certificate (and public key) is retrieved 2) A random “secret” key is generated 3) Data is encrypted with “secret” key 4) “Secret” key is encrypted with recipients public key and placed in a “lockbox” 5) Encrypted data and lockbox is sent to the recipient 6) Recipient uses private key to open lockbox and get the “secret key” 7) Recipient uses “secret key” to decrypt data Digital signatures are similar 1) A hashing function (SHA-1 or MD5) is calculated using the binary data 2) The hash is encrypted using the sender’s private key 3) The data, the encrypted hash, and the sender’s certificate are sent to the recipient 4) Recipient decrypts encrypted hash value using sender’s public key 5) Recipient performs their own hash of the binary data 6) Recipient compares the sender’s hash with the one they calculated S/MIME • Mature technology ● ● ● ● ● Non-repudiation Verifiable message integrity Verifiable message origin Encrypted / protected Protects content “at rest” and in transit • Can be difficult to deploy for large organizations • Certificate needs to be trusted • Free S/MIME certs from http://www.thawte.com • More information: ● http://www.microsoft.com/pki Enterprise Rights Management • Assists in information security policy enforcement • Content rights may include forwarding, review, modification, copying, or printing • Content can be audited, expired or superseded • Application and operating system must support 
rights management • Any type of binary content can be protected including e-mail, documents, spreadsheets, web pages, etc… • More information ● http://www.microsoft.com/rms RMS Key Flow Detail: Client “Bootstrapping” RMS Server Client Computer(s) (single-server configuration) 1. Install RMS-enabled application(s) 2. Install RMS Client Software 3. User uses RMS for the first time RMS Client Activates Machine -Calls RMActivate.exe to generate machine key pair and signs Machine Certificate (containing machine public key) Protects user-specific machine private key with DPAPI 4. User authenticates User can publish online or consume Authentication credentials Certification: Check user SID against AD Generate User Key Pair Rights Account Certificate (RAC), signed with RMS Server Public key -User Private Key, Encrypted with the machine public key -User Public Key Request Client Licensor Certificate User can publish offline RAC Validate RAC Generate “Client” Key Pair Client Licensor Certificate (CLC), signed with RMS Server Public key -CLC Private key, encrypted with the RAC public key -CLC Public key and copy of SLC RMS Key Flow Detail: Offline Publishing & Consumption Publishing License Publishing License •2 encrypted AES keys •rights information •url of RMS server •2 encrypted AES keys •rights information •url of RMS server • encrypted content • encrypted content “Publisher” / Sender (Assuming recipient has RMS Client and RAC) Saves content (e.g. Word doc) Recipient user opens content Application and RMS client 1. 2. 3. 4. Application and RMS Client Client RAC private 1.RMS Inspect PLuses for RMS keyService (unavailable url. to user) to theLicense content key 2.unencrypt Send “Use Application renders the Request “ (PL + RAC) to file and enforces thespecified rights licensing server by url. 
Generate AES key and encrypt content Encrypt AES key with the public key of the client’s CLC (for “owner” license) Encrypt another copy of the AES key with RMS server’s public key (so server can decrypt it later for the recipient…server public key is contained in client CLC) Create “Publishing License” (PL), sign with CLC private key and append to encrypted content RMS Server 1. 2. 3. 4. 5. “Consumer” / Recipient Validates recipient RAC Inspects PL for rights Validates user in AD Un-encrypts content key & reencrypts it with recipient RAC’s public key Returns encrypted content key in use license RMS Server Example: Rights-Protected Document Word, Excel, or Powerpoint 2003 Pro Created when file is protected Publishing License Encrypted with the server’s public key Content Key Encrypted with the server’s public key Encrypted with Content Key, a cryptographically secure 128-bit AES symmetric encryption key End User Licenses Rights for a particular user Rights Info Content Key w/ email addresses (big random number) a The Content of the File (Text, Pictures, metadata, etc) NOTE: Outlook E-mail EULsto Only added arethe stored in file after the local user a server licenses profile user to open it directory Encrypted with the user’s public key Encrypted with the user’s public key Application support for ERM • Application must support ERM system • Office 2003 Professional application supported S/MIME versus ERM • S/MIME provides only authenticity and protection • No control for the disposition of the contents • Applies only to e-mail and message content • Content owner loses control once message is sent • Does not prevent user from forwarding content once it is in their possession The Problem with Traditional Access Control Technologies Traditional solutions control initial access Clear-text content Authorized Users Information Leakage Access Control List / File Encryption Unauthorized Users Unauthorized Users Firewall Perimeter …but not ongoing information usage Best 
practices • Block outbound SMTP except from authorized hosts ● Be a good ‘net citizen • Never web surf from a server console • Don’t install e-mail client software on server • Operators and administrators should not have mailboxes • Separate admin rights from your regular user account • Grant administrative permissions to groups, not individual users Best practices • Block inbound SMTP if using a managed provider ● Only accept mail from the provider • Protect protocol and message tracking logs ● Some sensitive information may be disseminated from those logs • Review your event logs • Keep PLENTY of free disk space available? ● At least enough to mount one database in an RSG Checklists • • • • • Assessing the situation Exchange Servers Message hygiene Outside the perimeter Assessment • Assessments should be a “hands off the config” process. Don’t make configuration changes, but document what you find and the path to fix the. • Determine what is documented: ● Document servers, roles, network infrastructure, and dependencies • Get an accurate count of active mailboxes ● ● If inactive, then why? Disable inactive accounts then delete! 
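The seven “lockbox” steps and the six digital-signature steps from the S/MIME section above, as an added PowerShell example that is not from the slides. It drives the .NET RSA/AES classes; the key size, OAEP padding and SHA-256 (rather than the SHA-1/MD5 the slide lists) are choices made for this example, not the S/MIME wire format, and it assumes Windows PowerShell 5.1 or later on Windows.

```powershell
# Added example, not from the slides: the "lockbox" flow and a detached signature,
# using .NET RSA/AES from PowerShell. Key size, padding and hash are example choices.
function New-RsaPair {
    $priv = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    $pub  = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($priv.ExportParameters($false))    # public half only, as a certificate carries
    @{ Private = $priv; Public = $pub }
}
function Protect-Data {
    param([byte[]]$Data, $RecipientPublicKey)                 # step 1: recipient public key already retrieved
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.GenerateKey(); $aes.GenerateIV()                     # step 2: random "secret" key
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Data, 0, $Data.Length)   # step 3: data under the secret key
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
    $lockbox = $RecipientPublicKey.Encrypt($aes.Key, $oaep)  # step 4: secret key sealed in the lockbox
    $package = @{ CipherText = $cipher; IV = $aes.IV; Lockbox = $lockbox }   # step 5: what goes on the wire
    $aes.Dispose()
    return $package
}
function Unprotect-Data {
    param($Package, $RecipientPrivateKey)
    $oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $RecipientPrivateKey.Decrypt($Package.Lockbox, $oaep)   # step 6: open the lockbox
    $aes.IV  = $Package.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Package.CipherText, 0, $Package.CipherText.Length)  # step 7
    $aes.Dispose()
    return ,$plain
}
function New-DetachedSignature {
    param([byte[]]$Data, $SenderPrivateKey)
    # signature steps 1-2: hash the data, then encrypt the hash with the sender's private key
    $sig = $SenderPrivateKey.SignData($Data, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                                      [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return ,$sig
}
function Test-DetachedSignature {
    param([byte[]]$Data, [byte[]]$Signature, $SenderPublicKey)
    # signature steps 4-6: recover the hash with the public key, rehash locally, compare
    return $SenderPublicKey.VerifyData($Data, $Signature, [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                                       [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}
# Demo with constructed keys: sign with the sender's private key, encrypt to the recipient's public key
$sender = New-RsaPair; $recipient = New-RsaPair
$msg = [Text.Encoding]::UTF8.GetBytes('Quarterly numbers attached.')
$sig = New-DetachedSignature -Data $msg -SenderPrivateKey $sender.Private
$pkg = Protect-Data -Data $msg -RecipientPublicKey $recipient.Public
[Text.Encoding]::UTF8.GetString((Unprotect-Data -Package $pkg -RecipientPrivateKey $recipient.Private))
Test-DetachedSignature -Data $msg -Signature $sig -SenderPublicKey $sender.Public   # True
$msg[0] = 0x58                                                                      # tamper with one byte
Test-DetachedSignature -Data $msg -Signature $sig -SenderPublicKey $sender.Public   # False: hashes no longer match
```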
Inactive accounts
• Windows 2003 in 2003 forest functional mode will replicate the “last logon” attribute
• Write a script
• Use “Additional Account Info” from ALTools
  ● http://tinyurl.com/a5zj

Assessments: Environment
• Interview:
  ● Backup schedule / procedures / rotation / media storage
  ● Client software and versions in use
  ● Client antivirus / anti-spyware procedures
  ● Remote access procedures
  ● Administrators that are approved to manage Exchange
  ● Disaster recovery / business continuance plan
  ● What is the perception of the “spam problem?”

Assessment: Starting point
• Run ExBPA against the entire organization
• Run ExchDump
• Run MBSA against each server
  ● Exchange servers
  ● Domain controllers

Assessment: Servers
• Free disk space
  ● Should be enough to mount an RSG
• Disk configuration / fault tolerance
• Memory / page file usage / available RAM
• DNS configuration
• Event log sizes / archival procedures
• BOOT.INI check (using /3GB and /USERVA=3030 if applicable)
• Additional services running?
• Dedicated Exchange server role?
• How often do you update servers with fixes and patches?
  ● Check for the vendor’s hardware management software and versions
• How many users/groups are members of the local Administrators and Power Users groups?
• Is the local Guest account disabled?
• Examine local policies for weaknesses
• Are messaging system limits being imposed?

Assessment: Exchange
• Review Exchange Full Administrator and Exchange Administrator role delegation
• Domain controllers / Global catalog servers in use
• Are limits being imposed?
  ● Message sizes
  ● Mailbox sizes
  ● Distribution list usage
• Are PSTs in use?
  ● Primary delivery mechanism?
  ● Archival mechanism?
• Mailbox store sizes
• Largest mailbox users
• Confirm backups and online maintenance are running
• Exchange database and transaction log placement on disks
• Is circular logging enabled? If so, get an explanation as to why.
• Are automatic responses allowed?
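The “write a script” item under Inactive accounts, as an added PowerShell example that is not from the slides: it reports enabled users whose replicated lastLogonTimestamp is older than a threshold, and offers a separate, previewable disable step. It assumes the ActiveDirectory module (RSAT) and a forest at Windows Server 2003 functional level or later, where the attribute replicates; the 90-day threshold and the function names are this example’s choices.

```powershell
# Added example, not from the slides. lastLogonTimestamp is only refreshed when it is
# more than about 9-14 days stale, so the dates here are approximate by design.
function Get-InactiveUser {
    param([int]$Days = 90, [string]$SearchBase)          # 90 days is this example's threshold
    $cutoffDate = (Get-Date).AddDays(-$Days)
    $cutoff = $cutoffDate.ToFileTimeUtc()                 # attribute is a FILETIME (Int64)
    $query = @{ Filter = 'Enabled -eq $true'; Properties = 'lastLogonTimestamp', 'whenCreated' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }
    Get-ADUser @query | ForEach-Object {
        $stamp = $_.lastLogonTimestamp
        if ($null -eq $stamp) {
            # never logged on since the attribute started replicating: judge by account age
            $last = $null
            $inactive = $_.whenCreated -lt $cutoffDate
        } else {
            $last = [DateTime]::FromFileTimeUtc($stamp)
            $inactive = $stamp -lt $cutoff
        }
        if ($inactive) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastLogon         = $last                     # $null = no logon recorded
            }
        }
    }
}
function Disable-InactiveUser {
    # Separate step so the report can be reviewed first; supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Days = 90, [string]$SearchBase)
    Get-InactiveUser -Days $Days -SearchBase $SearchBase | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.SamAccountName, "Disable (no logon in $Days days)")) {
            Disable-ADAccount -Identity $_.DistinguishedName
        }
    }
}
# Review the list first, then preview the disable step before running it for real
Get-InactiveUser -Days 90 | Sort-Object LastLogon | Format-Table -AutoSize
# Disable-InactiveUser -Days 90 -WhatIf
```

Accounts with no timestamp at all are reported only when they are older than the threshold, so newly created but never-used accounts do not show up as stale.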
Assessment: Logs
• Review Application logs
• Review System logs
• Review HTTP and SMTP protocol logs

Assessment: Message hygiene
• How recent is the A/V software?
• How often are signatures updated?
• Is there a file-based scanner on the server and, if so, does it exclude Exchange files?
• Does the inbound SMTP system use RBLs? Recipient filtering?

Assessment: Outside the perimeter
• Examine your DNS records
  ● Are there invalid A and MX records?
  ● Do you have SPF records? Are they correct?
  ● Do IP addresses used for outbound SMTP have PTR records?
• Do Internet clients have direct access to Exchange servers?
  ● TELNET to the “A” records provided by SMTP
• What ports are open through your firewall to your internal network?
  ● Perform port scans against the “A” records for SMTP and for OWA
  ● Get permission to run a port scan!
• Are there any protocols that are not requiring SSL?
  ● POP3, IMAP4, OWA, ActiveSync, OMA

Securing the DMZ
• What is in the DMZ?
  ● Front-end servers?
  ● SMTP servers?
  ● Proxy servers?
• Reduce the number of ports open between the DMZ and the internal network (ideally only 25 and 443)

Whew! I’m exhausted! Questions? Thanks for attending!

More information…
• Tips and Tricks for Secure Messaging eBook by Jim McBee
  ● http://nexus.realtimepublishers.com/ttgsm.htm
• My blog (Mostly Exchange)
  ● http://mostlyexchange.blogspot.com
• Paul Robichaux’s Exchange Security blog
  ● http://www.e2ksecurity.com/
• Paul Robichaux’s Secure Messaging with Microsoft Exchange Server 2003 book (Microsoft Press, 2004)
• Exchange 2003 Support Home Page
  ● http://support.microsoft.com/default.aspx?scid=fh;EN-US;exch2003
• Slipstick Systems
  ● http://www.slipstick.com

Your Feedback is Important
Please fill out a session evaluation form and either put it in the basket near the exit or drop it off at the conference registration desk. Thank you!
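The DNS items in the “Outside the perimeter” checklist (invalid MX/A records, SPF, PTR) together with the “check to see if a host is on an RBL” lookup from the Real-time Block Lists section, as one added, read-only PowerShell example that is not from the slides. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later) and a resolver that can reach the Internet; the zen.spamhaus.org zone and the function names are this example’s choices.

```powershell
# Added example, not from the slides: a read-only DNS assessment of a mail domain.
function Test-MailDomainDns {
    param([Parameter(Mandatory)][string]$Domain, [string]$RblZone = 'zen.spamhaus.org')
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Target, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Target = $Target; OK = $Ok; Detail = $Detail })
    }
    # SPF: exactly one TXT record beginning "v=spf1" (several records is as broken as none)
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = @($txt | Where-Object { ($_.Strings -join '') -like 'v=spf1*' })
    Add-Finding 'SPF record' $Domain ($spf.Count -eq 1) (($spf | ForEach-Object { $_.Strings -join '' }) -join ' | ')
    # MX: the domain must have MX records, and every MX host must resolve to an A record
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'MX' })
    Add-Finding 'MX present' $Domain ($mx.Count -gt 0) ($mx.NameExchange -join ', ')
    foreach ($mxRecord in $mx) {
        $a = @(Resolve-DnsName -Name $mxRecord.NameExchange -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' })
        Add-Finding 'MX resolves (A)' $mxRecord.NameExchange ($a.Count -gt 0) ($a.IPAddress -join ', ')
        foreach ($ip in $a.IPAddress) {
            # PTR: mail hosts should have reverse records (the slide's outbound-SMTP question)
            $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
            Add-Finding 'PTR record' $ip ($null -ne $ptr) ($ptr.NameHost -join ', ')
            # RBL lookup: reverse the octets, append the zone; any A answer (127.0.0.x) means "listed"
            $query = (($ip.Split('.')[3..0]) -join '.') + '.' + $RblZone
            $hit = Resolve-DnsName -Name $query -Type A -ErrorAction SilentlyContinue
            Add-Finding 'Not on RBL' $ip ($null -eq $hit) ($hit.IPAddress -join ', ')
        }
    }
    return $findings
}
Test-MailDomainDns -Domain 'example.com' | Format-Table -AutoSize
```

If outbound mail leaves from addresses other than the MX hosts, run the PTR and RBL checks against those addresses as well. Some RBL operators refuse queries relayed through large public resolvers, so run this through your organization’s own resolver.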