Book giveaway and e-mail notice • Please give me a piece of paper with your name for drawing • Include your e-mail address or give me a business card if you want: • 20% discount code for Directory Update software • Notification e-mail when Mastering Exchange Server 2007 is available • Keep an eye out for Mastering Exchange Server 2007 – Due out in late April
Are you a Low Hanging Fruit? Jim McBee ITCS Hawaii email@example.com
Who is Jim McBee!!?? • Consultant, Writer, MCSE, MVP and MCT – Honolulu, Hawaii (Aloha!) • Principal clients (Dell, Microsoft, SAIC, Servco Pacific) • Author – Exchange 2003 24Seven (Sybex) • Contributor – Exchange and Outlook Administrator • Blog • http://mostlyexchange.blogspot.com • http://www.directory-update.com
Audience Assumptions • You have at least a few months experience running Exchange 5.5, 2000, or 2003. • You have worked with Active Directory • You can install and configure a Windows 2000 / 2003 server
This session’s coverage • Introduction to me and the topic • Presentation and demos – About 65 minutes • Risks and threats • Multiple layers of protection • Reducing exposure • Best practices and checklists • Book give away – Drop off your business card or write your name on a slip of paper • Questions and answers • I’ll try to take questions as they come up as long as this does not slow us down too much.
Free eBook • Tips and Tricks Guide To Secure Messaging eBook • http://tinyurl.com/kvxhx • Good follow-up to this presentation
Why low hanging fruit? • “Hackers” go after easy targets • Most “hackers” are not all that sophisticated • If you are reasonably secure, they usually move on • Reasonably secure means doing at least what the rest of your industry is doing
Most common exploits use… • Weak / simple passwords • Denial of service • Known vulnerabilities • How did you get so vulnerable? • Failure to follow industry “best practices”
Risk Assessment: What are your assets? • Most important assets • Data • Intellectual property • Reputation • Knowledge workers time • Least important assets • Bandwidth • Servers/hardware/software
Risk assessment: What are the risks? • Financial loss • Law suits / regulatory liabilities • Accidental / intentional disclosure of intellectual property • Users with idle time or unable to work (lost productivity) • Unable to meet commitments to customers and vendors • Lost sales or opportunities • Damage to reputation / community embarrassment
Security Basics • Passwords • Physical security • Updates • Hardening Windows and Exchange • User considerations • Quick assessments
Improve password strength • Require longer passwords • Require special characters
Physical security • Law # 3 of the 10 Immutable Laws of Security • “If a bad guy has unrestricted physical access to your computer, it's not your computer anymore” • Locked doors / access control system that records entry information • Mandatory sign-in sheets • Cameras • Backup media should be secured
Operating system stability • Very basic, but OS vulnerabilities frequently contribute to access by external hackers. They are a very common attack vector for hackers as well as worms. • Apply applicable critical updates within 3 – 4 weeks • Applicable? Does the fix affect your configuration? • Don’t apply on the day they are released • Apply service packs within 1 to 2 months • Read the SP “readme” first • Use ‘Microsoft Update’ or WSUS • http://tinyurl.com/dwj6n • Check for hardware vendors’ remote administration tools such as BMC tools, Dell RAC cards, etc. These run their own firmware with their own credentials and can provide full access to the system; change the default passwords and keep them off networks an attacker can reach • Sufficient free disk space on all disk drives
Exchange updates • Critical patches within 3 – 4 weeks of release • Service packs within 1 to 2 months of release • Some updates will overwrite custom changes you have made (such as OWA’s LOGON.ASP)
Exchange and Windows Hardening • Not every service is necessary on all server roles • Use the Windows Security Configuration Wizard with W2K3 SP1 • Implement with care!
Users • 60 – 70% of all security breaches occur from within. • (Source: 2002 Computer Crime and Security Survey – CSI and the San Francisco FBI Computer Intrusion Squad) • Require an Acceptable Use Policy • Must have “bite” • Must be enforceable • Must be legal • See http://www.sans.org/resources/policies • For IT staff, additionally require an IT AUP or Ethics Statement • “Don’t read other people’s mail” • Clearly define your information security policies
Quick Assessments - ExBPA • Exchange Best Practices Analyzer • http://www.exbpa.com
Quick Assessments - MBSA • Microsoft Baseline Security Analyzer • http://tinyurl.com/2e5fe
Use multiple layers of protection • Inbound e-mail • Use SMTP relay • Use managed provider • Web clients • Use reverse proxy
Prevent direct access to mailbox servers • Don’t allow direct access to mail server resources • Inbound SMTP mail through an SMTP relay • Can be an “appliance”, Windows, or UNIX system • Can act as part of your messaging hygiene system. • More on this later • Inbound OWA / RPC over HTTP / ActiveSync through a reverse proxy • ISA Server • IronPort • Whale Communications • Prevents direct exposure for mailbox servers, front-ends, and bridgeheads
Reverse proxy for OWA • Place front-end servers on the internal network and use an ISA Server in the DMZ. Much more secure, and fewer ports need to be opened between the DMZ and the internal network.
Reverse proxy for OWA • More information • Exchange Server 2003 and Exchange 2000 Server Front-End and Back-End Topology • http://tinyurl.com/5e6sv • Protecting Exchange Servers by Don Jones • http://tinyurl.com/zfemv • Protecting Microsoft Exchange with ISA Server 2004 Firewalls by Tom Shinder • http://tinyurl.com/jocrz • A Reverse Proxy Is A Proxy By Any Other Name by Art Stricek • http://tinyurl.com/cb2f9
Using managed providers • Organization directs MX records to managed provider’s servers • Managed provider… • Has better scalability and redundancy • Immediate response to day zero threats • Keeps malware and unwanted content from reaching your perimeter • Reduces hardware and software required by the organization as well as reducing complexity and IT resources required • Allows the organization to only accept inbound SMTP from the provider • Unwanted content never makes it to the network in the first place • Reduces the threat from spam and virus/worm bots • Providers such as FrontBridge can provide regulatory compliance features such as archiving and content inspection
Restrict MAPI versions • Restrict Exchange so that it will only accept Outlook versions after Outlook 2000 SP3 • HKLM\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem • Create a REG_SZ (string) value named Disable MAPI Clients (a DWORD cannot hold a version range) • Set the value data to -5.3165.0 • See KB 328240 and 288894 • http://www.windowsitpro.com • InstantDoc #26505 • Can help reduce the spread of viruses and worms by allowing only more recent versions • Use with caution! A wrong range locks every Outlook user out of the store.
Denial-of-service and e-mail • Anything a hacker/intruder can do to prevent your messaging system from providing messaging services or allowing your users to do their jobs. • Spam could be considered a denial-of-service since users spend so much time going through it to find legitimate mail. • DOS attack may attempt to fill-up disk space, overload messaging queues, overwhelm users, exceed bandwidth capacity, etc.. • Directory harvesting and tarpits
Directory harvesting / dictionary spamming • Directory harvesting tries to find valid SMTP addresses using dictionary or random strings • Dictionary spamming sends to a dictionary full of common names • This can overwhelm a mail server • Recipient filtering rejects mail addressed to unknown recipients at the SMTP conversation (rather than accepting it and generating an NDR from your server) • A tarpit slows them down by delaying the rejection response • See KB 842851 • Recommended for Internet facing SMTP virtual servers • In the demo capture, only one address in the list was valid, probably the “index patient”
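The two registry-based controls from the MAPI version and tarpit slides above, as an added PowerShell example (not from the original presentation). It assumes an Exchange 2003 server on Windows Server 2003 SP1, an elevated PowerShell session on that server, and that you have already tested the values in a lab; the 5-second tarpit delay is an assumption, and the MAPI range is the one the slide uses.

```powershell
# Added example, not from the original slides. Applies:
#   1. "Disable MAPI Clients" (KB 288894) - blocks old Outlook/MAPI versions
#   2. "TarpitTime" (KB 842851)          - delays the SMTP 5.x.x reply for unknown recipients
# Run in an elevated PowerShell on the Exchange 2003 server.

$mapiKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\ParametersSystem'
$smtpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SMTPSVC\Parameters'

# Version ranges are strings of the form "major.minor.build"; several ranges may be
# separated by semicolons. "-5.3165.0" is the range from the slide: every MAPI
# version up to 5.3165.0 (Outlook 2000 SP3). Check KB 288894 before changing it.
$blockedMapiVersions = '-5.3165.0'
$tarpitSeconds       = 5     # assumption: 5 s per rejected RCPT TO is a common starting point

function Set-RegistryValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    $before = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    "{0}\{1}: '{2}' -> '{3}'" -f $Path, $Name, $before, $Value
}

# 1. MAPI version block. This is a REG_SZ (string), not a REG_DWORD: a DWORD cannot
#    hold "-5.3165.0". A wrong range locks every Outlook user out of the store.
Set-RegistryValue -Path $mapiKey -Name 'Disable MAPI Clients' -Value $blockedMapiVersions -Type String

# 2. SMTP tarpit (seconds). Only useful when Recipient Filtering is enabled on the
#    Internet-facing SMTP virtual server, because the delay is applied to the
#    "550 recipient unknown" reply that recipient filtering generates.
Set-RegistryValue -Path $smtpKey -Name 'TarpitTime' -Value $tarpitSeconds -Type DWord

# Read both values back so the change is visible in the session transcript.
Get-ItemProperty -Path $mapiKey -Name 'Disable MAPI Clients'
Get-ItemProperty -Path $smtpKey -Name 'TarpitTime'
```

Each Set-RegistryValue call prints the previous and new value, which is worth keeping in your change record: both settings are easy to forget and hard to diagnose later (Outlook users suddenly unable to connect, or slow SMTP sessions from legitimate senders that mistype addresses).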
Restrictions, restrictions, restrictions • Mailbox • Message size • Recipients per message • Automatic responses • Internet facing SMTP virtual servers • Distribution list usage • Monitor disk space usage and set alerts • Users are going to hate you for this!
Mailbox Limits • A necessary evil • Adjust based on your organization’s needs • Don’t limit users if they have a job to do • Most important limit is the “Prohibit Send and Receive” as that closes down the mailbox and it does not accept any more mail
Exchange reports on closed mailboxes • Monitoring for event ID 8528 can help you determine if mailboxes are filling up
Message Size / Recipient Limits • Default inbound and outbound message size is 10MB. • Usually adequate for most organizations • This is the MAXIMUM for users. It can be overridden per user to a smaller amount, but not larger • Maximum recipients per message is 5000, but I recommend dropping this. This can be overridden per user.
Inbound limits from Internet • Limit inbound messages from the Internet on the SMTP virtual servers that accept mail from the Internet • Will apply to outbound messages only if the SMTP Connector to the Internet uses this SMTP VS as a bridgehead • If this SMTP VS is used for internal message traffic, it may hurt public folder replication
Outbound limits to the Internet • Limit outbound message size on the SMTP Connector (if not limited on the SMTP Virtual Server)
Automatic Responses • By default, the Internet Message Format does not send automatic replies, automatic forwards, or out-of-office messages to the Internet • This may have been changed • You can override this by creating additional Internet Message Formats for specific domains • Considered risky because automatic responses confirm valid addresses and leak information useful for “social engineering”
Distribution list security • Prevent abuse of your distribution lists • Limit maximum message size • Limit to authenticated users only (prevents someone on Internet from using the group’s SMTP address) • Limit who can send to the list internally
Restricting maximum store size • Exchange 2003 SP2 allows maximum store size to be set • http://tinyurl.com/fmgxf • When a store exceeds that size, it is dismounted • Use with great care! You can still cause your users downtime with this feature.
Additional Security Best Practices • OWA security improvements • Generic best practices
Enable Forms Based Authentication • Enable on the front-end servers • Requires SSL on the OWA virtual directory • Implements timeouts • Public = 15 minutes • Private = 24 hours • Customizable • Allows customizable logon page
Always use SSL from a trusted authority • Very bad to get users in the habit of ignoring security alerts • Many sources for low-cost, trusted SSL certificates • GoDaddy – www.godaddy.com • InstantSSL – www.instantssl.com
Basic authentication passwords are very easy to intercept • Using a tool such as Network Monitor, capture an OWA authentication string when using Basic authentication over plain HTTP. • Take the authentication string bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg== • Run it through any Base64 decoding program and you get: namerica/arand:$culliRulz • Domain name: namerica; User: arand; password: $culliRulz • Scary, eh? POP3, IMAP4, and NNTP passwords do not even have to be decoded; unless the session is protected with SSL/TLS they cross the wire in clear text.
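The decoding step above, as an added PowerShell example (not from the original presentation). The captured request is constructed for the example around the slide’s sample string; the host name and URL are placeholders.

```powershell
# Added example, not from the original slides: extract and decode the Basic
# credential from a captured HTTP request. Shows why OWA must sit behind SSL.
# The request text is constructed for this example; host and path are placeholders.

$capturedRequest = @'
GET /exchange/ HTTP/1.1
Host: owa.example.com
Authorization: Basic bmFtZXJpY2EvYXJhbmQ6JGN1bGxpUnVseg==
User-Agent: Mozilla/4.0

'@

function Get-BasicCredential {
    param([string]$RawRequest)

    # Locate the Authorization header; header name and scheme are case-insensitive.
    $m = [regex]::Match($RawRequest, '(?im)^Authorization:\s*Basic\s+(\S+)')
    if (-not $m.Success) { return $null }

    # Basic = base64(user-id ":" password). The user-id may carry a domain
    # as DOMAIN\user or domain/user.
    $decoded = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($m.Groups[1].Value))

    # Split on the FIRST colon only: the password itself may contain colons.
    $sep = $decoded.IndexOf(':')
    if ($sep -lt 0) { return $null }
    $userPart = $decoded.Substring(0, $sep)
    $password = $decoded.Substring($sep + 1)

    $domain = $null
    $user   = $userPart
    if ($userPart -match '^([^\\/]+)[\\/](.+)$') {
        $domain = $Matches[1]
        $user   = $Matches[2]
    }

    New-Object PSObject -Property @{ Domain = $domain; User = $user; Password = $password }
}

Get-BasicCredential $capturedRequest | Format-List Domain, User, Password
```

Run against the constructed request this yields the same domain, user and password the slide shows. Base64 is an encoding, not encryption: anyone who can see the HTTP request has the password, which is why the next slide insists on SSL from a trusted authority.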
Best practices • Block outbound SMTP except from authorized hosts • Be a good ‘net citizen • Never web surf from a server console • Don’t install e-mail client software on servers • Operator and administrator accounts should not be mailbox-enabled; read mail with your regular user account • Separate admin rights from your regular user account • Grant administrative permissions to groups, not individual users
Best practices • Block inbound SMTP if using a managed provider • Only accept mail from the provider • Protect protocol and message tracking logs • Some sensitive information may be disseminated from those logs • Review your event logs • Keep PLENTY of free disk space available • At least enough to mount one database in an RSG
Checklists • Assessing the situation • Exchange • Servers • Message hygiene • Outside the perimeter
Assessment • Assessments should be a “hands off the config” process. Don’t make configuration changes, but document what you find and the path to fix the problems. • Determine what is documented: • Document servers, roles, network infrastructure, and dependencies • Get an accurate count of active mailboxes • If inactive, then why? • Disable inactive accounts then delete!
Inactive accounts • At the Windows Server 2003 forest functional level, the lastLogonTimestamp attribute is replicated to every domain controller, so one query finds stale accounts • It is only rewritten when the stored value is more than about 14 days old, so treat it as approximate • Write a script • Use “Additional Account Info” from ALTools • http://tinyurl.com/a5zj
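A script of the kind the slide suggests, as an added PowerShell example (not from the original presentation). It assumes a domain-joined machine, a forest at the Windows Server 2003 functional level (so lastLogonTimestamp exists), and a 90-day inactivity threshold, which is an assumption to adjust for your organization.

```powershell
# Added example, not from the original slides: list enabled, mailbox-enabled user
# accounts whose replicated lastLogonTimestamp is older than a threshold, or that
# have never logged on. Assumes Windows Server 2003 forest functional level.
$inactiveDays = 90   # assumption; pick your own threshold

# lastLogonTimestamp is a Windows FILETIME (100 ns ticks since 1601-01-01).
# It is only refreshed when the stored value is more than ~14 days old, so
# thresholds below about 14 days say nothing useful.
$cutoff = (Get-Date).AddDays(-$inactiveDays).ToFileTime()

$clauses = @(
    '(objectCategory=person)(objectClass=user)'
    '(homeMDB=*)'                                                  # mailbox-enabled only
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'            # not already disabled
    "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*)))"    # stale, or never logged on
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = '(&' + ($clauses -join '') + ')'
$searcher.PageSize = 1000   # paged search: otherwise the server stops at 1000 results
[void]$searcher.PropertiesToLoad.AddRange(
    [string[]]@('sAMAccountName', 'displayName', 'lastLogonTimestamp', 'whenCreated'))

# First value of a multi-valued result property, or $null when the attribute is absent.
function First($values) { if ($values.Count -gt 0) { $values[0] } else { $null } }

$results = foreach ($r in $searcher.FindAll()) {
    $p  = $r.Properties
    $ts = First $p['lastlogontimestamp']
    New-Object PSObject -Property @{
        Account   = [string](First $p['samaccountname'])
        Name      = [string](First $p['displayname'])
        LastLogon = if ($ts -ne $null) { [DateTime]::FromFileTime([int64]$ts) } else { $null }
        Created   = First $p['whencreated']
    }
}

# An account that has never logged on but was created last week is new, not
# inactive: only report never-logged-on accounts older than the threshold.
$results |
    Where-Object { $_.LastLogon -or $_.Created -lt (Get-Date).AddDays(-$inactiveDays) } |
    Sort-Object LastLogon |
    Format-Table Account, Name, LastLogon, Created -AutoSize
```

The output is a review list, not a disable list: per the assessment slide, document first, then disable, then delete. Service accounts and shared mailboxes that nobody logs on to interactively will appear here and need to be excluded by hand.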
Assessments: Environment • Interview: • Backup schedule / procedures / rotation / media storage • Client software and versions in use • Client antivirus / anti-spyware procedures • Remote access procedures • Administrators that are approved to manage Exchange • Disaster recovery / business continuance plan • What is the perception of the “spam problem?”