Exchange Server 2003 Security

1
Exchange Server 2003 Security

• Naam Thomas de Klerk
• Functie Trainer/Consultant
• Bedrijf Info Support
• E-mail thomask_at_infosupport.com

2
Agenda

• Implementing Exchange Security
• Securing Exchange Server Services and Messaging
  Protocols
• Maintaining Security on Exchange Server
• Configuring Exchange to Protect Against Unwanted
  E-mail
• Securing Access to Exchange Using ISA Server 2004

3
Exchange Server 2003Security Overview

• Secure by design
• Secure by default
• Support for Sender, Recipient and Connection
  Filtering (Block List Services)
• Secure by default
• User logon on server disabled
• Messaging limits configuration 10 MB
• Microsoft Exchange Server 2003 Security
  Enhancementshttp//www.microsoft.com/exchange/eva
  luation/security_E2K3.mspx

4
Exchange Server Deployments

• General
• FE/BE deployment
• ISA Server Integrated

5
Exchange Server Client Scenarios

• General Clients
• Microsoft Outlook
• Mobile client access
• Outlook Web Access
• Outlook Mobile Access
• Exchange Server ActiveSync

6
Configuration and Security Update Recommendations
for Exchange Server

• Operating system and software
• Windows Server 2003 with latest security updates
• Exchange Server 2003 with SP1 (or higher, SP2 is
  around the corner)
• Exchange Intelligent Message Filter
• Browser
• IE 6 with latest security updates
• Security update management
• Microsoft Baseline Security Analyzer

7
Implementing Defense-in-depth

• Data
• Application
• Host
• Internal Network
• Perimeter
• Physical Security
• Policies, procedures, awareness

8
Securing Exchange Servers

• Maintaining the security of the underlying
  Windows infrastructure
• Maintain baseline security hardening practices
• Understanding security options for various
  deployment scenarios

9
Hardening the Messaging Environment

• Server environment
• Domain, DC and Member Server Baseline policies
• Windows Server 2003 Security Guidehttp//go.micro
  soft.com/fwlink/?linkId21638
• Exchange Domain Controller Baseline Policy
  template
• Messaging Environment
• Exchange Server 2003 Security Hardening
  Guidehttp//www.microsoft.com/technet/prodtechnol
  /exchange/2003/library/exsecure.mspx

10
Exchange Security Templates
11
Hardening Back-End Exchange Servers

• Tasks include
• Hardening Services
• Hardening ACLs
• Changing privileges rights
• Enabling additional services (optional)
• Apply Exchange 2003 Backend.inf security template
  to your back-end servers

12
Hardening Front-End Exchange Servers

• Tasks include
• Hardening Services
• Hardening ACLs
• Enabling additional services (optional)
• Running URLScan (optional but recommended)
• Dismounting mailboxstore and delete public folder
  store
• Apply Exchange 2003 frontend.inf security
  template to your front-end servers

13
Understanding SMTP Relaying

• SMTP Relaying When an SMTP server accepts mail
  from one domain addresses to mailboxes in another
  domain, neither one of which the server owns
• Needed when
• Accepting mail for other organization
• POP3 or IMAP4 clients
• Supporting applications that generate SMTP mail
• Prevent open relays by
• Allowing only authenticated computers to relay
• Restricting relaying to specific computers or
  users
• Using SMTP connector to relay to particular
  domains

14
Demo

• SMTP Relay

15
Securing SMTP Communication Between Mail Servers

• Install and configure X.509 certificate
• Enable TLS encryption for inbound mail
• Enable and configure TLS for outbound mail to
  specific domains

16
Securing Exchange Servers

• Limit Exchange Server functionality to clients
  are strictly required
• Remain current with the latest updates for both
  Exchange and the OS
• Use ISA Sever 2004 to regulate access for HTTP,
  RPC over HTTPS, POP3 and IMAP4 traffic
• Use SSL/TLS and forms-based authentication for
  Outlook Web Access

17
Maintaining Security on Exchange Server

• Keeping up with the latest security updates
• Keeping up with recommended best practices
• Understanding the impact of configuring various
  options within Exchange Server
• Document on configuration and security settings

18
Analyzing Exchange Server 2003 Using the
Microsoft Baseline Security Analyzer

• MBSA checks for issues related to the following
• Known Windows and Internet Explorer security
  issues
• Missing Security updates
• Weak account passwords
• IIS security issues
• SQL Server security issues
• Exchange Server security issues

19
Validate Exchange Server Configuration Settings

• ExBPA can examine your Exchange servers to
• Generate a list of issues, such as
  misconfigurations or unsupported or
  non-recommended options
• Judge the general heath of a system
• Help troubleshoot specific problems

20
What Are the Exchange Options for Limiting
Unwanted E-mail

• Recipient filtering
• Sender filtering
• Connection filtering
• Microsoft Exchange Intelligent Message Filter
  (IMF)

21
Demo 2

• ExBPA
• Filtering

22
Implementing Antivirus Protection on Exchange
Server

• Consider the following when designing and
  implementing an antivirus solution
• Design a defense-in-depth approach
• Implement an antivirus scanner that supports
  AVAPI 2.5
• Prevent file-bases scanning on Exchange Server
  folders

23
Securing Access to Exchange Using ISA Server 2004

• Outlook Webaccess
• RPC over HTTPS
• Network designs

24
Security issues

• HTTPS is the transport
• Intrusion detection?
• Conformance to email policy?
• OWA 2000 has no session timeout
• Fixed in OWA 2003
• Forms authenticationcookie for session

25
Typical Design

• Good ? performance
• Separates protocol from message store
• Network protection
• Bad ? security
• Tunnel through outside firewall no inspection
• Many holes in inside firewall for authentication
• Anonymous initial connections to OWA

OWA
ExBE
AD
26
Improving OWA security

• Security goals
• Inspect SSL traffic
• Maintain wire privacy
• Enforce conformance to HTML/HTTP
• Allow only known URL construction
• Block URL-borne attacks
• Optionally
• Pre-authenticate incoming connections

27
Protect OWA with ISA Server

• ISA Server becomes the bastion host
• Web proxy terminates all connections
• Decrypts HTTPS
• Inspects content
• Inspects URL (with URLScan)
• Re-encrypts for delivery to OWA

x36dj23s 2oipn49v
lta href
http//...
ISA Server
28
Protect OWA with ISA ServerBetter user
authentication

• Easy authentication to Active Directory
• Pre-authenticate communications
• ISA Server queries user for credentials
• Verifies against AD
• Embeds in HTTP headers to OWA
• Avoids second prompt!

ISA Server
OWA
Exchange
AD
29
URLScan 2.5

• Policy-based URL evaluation
• Define whats allowed drop everything else
• Helps protect from attacks that
• Request unusual actions
• Have a large number of characters
• Are encoded using an alternate character set
• Can be used in conjunction with SSL inspection to
  detect attacks over SSL

30
ISA Server 2004

• RADIUS support
• Permits standalone servers to do authentication
  delegation
• Forms-based authentication
• ISA Server presents form and generates cookie
• Separate timeouts for public and private
  computers
• Attachment controls
• Block/allow on public or private computers
• HTTP policies on publishing rules
• Built-in URLScan-type behavior

31
New delegation process
browser
RADIUS
AD
ISA Server
OWA (IIS)
32
Exchange RPC on the internet

• Many users require full Outlook
• Third-party plugins
• Mailbox synchronization
• Client-side rules
• Complete address book
• VPNs are too costly if this is the only
  requirement or not available

33
Design choices

• Run it naked
• Assign the RPC ports
• Use RPC over HTTP
• Publish with ISA Server

34
RPC connection setup
On what port is UUID blah?
Blah is on nnnn/tcp. Close.
I want to talk with UUID blah.
server
client
35
Potential RPC attacks

• Reconnaissance
• NETSTAT
• RPCDump
• DoS against portmapper
• Privilege escalation or other specific service
  attacks

36
New in Exchange 2003

• Result of high customer demand
• Useful
• All firewalls allow 80/tcp and 443/tcp
• Enables access from any location
• No special firewall setup required

37
RPC proxy

• New component
• ISAPI extension
• Relies on IIS for basic authentication
• So HTTPS, riiiight?
• Sets up RPC session after authentication
• Inside HTTP, otherwise known as
• Terminates incoming RPC-over-HTTP
• Decapsulates RPC
• Passes to back-end Exchange server
• Run on same machine as OWA FE

38
RPC proxy in action
Outlook 2003
RPC proxy
AD
Exchange
39
Authentication methods

• HTTP basic authN only
• Over SSL, please!
• Others not supported in Outlook 2003
• SecurID
• No dialog to ask for PIN
• Exchange cant proxy to ACE/Server
• RADIUS
• Client certificates
• Possible with true Kerberos constrained
  delegation on RPC proxy

40
Already pretty secure

• Successful basic authN required before any
  operations can commence
• Second Outlook-Exchange authN is transparent if
  cached credentials are on machine
• Is secure from RPC-borne attacks
• Attackers could write HTTP wrappers for RPC
  attack tools
• But would need to get past IIS authN

41
Could be better

• Simply running RPC over HTTP doesnt solve all
  the problems
• No inner protocol awareness in firewall
• No inspection if HTTPS

42
Publish with ISA Server

• Move RPC proxy to corp net
• Just like we did for OWA
• Web publish RPC proxy
• Destination set with /rpc/
• SSL bridging (regeneration)
• URLScan
• AuthN delegation probably not necessary

43
Exchange RPC filter

• Intimately aware of
• How Exchange RPC connections establish
• What the proper protocol format is
• Allows only Exchange RPC UUIDs
• Enforces client authentication
• Can optionally enforce encryption
• Supports new mail notification

44
Published RPC interfaces

• 99E64010-B032-11D0-97A4-00C04FD6551D "Store
  admin (1)"
• 89742ACE-A9ED-11CF-9C0C-08002BE7AE86 "Store
  admin (2)"
• A4F1DB00-CA47-1067-B31E-00DD010662DA "Store
  admin (3)"
• A4F1DB00-CA47-1067-B31F-00DD010662DA "Store
  EMSMDB"
• 9E8EE830-4459-11CE-979B-00AA005FFEBE "MTA"
• 1A190310-BB9C-11CD-90F8-00AA00466520
  "Database"
• F5CC5A18-4264-101A-8C59-08002B2F8426
  "Directory NSP"
• F5CC5A7C-4264-101A-8C59-08002B2F8426
  "Directory XDS"
• F5CC59B4-4264-101A-8C59-08002B2F8426
  "Directory DRS"
• 38A94E72-A9BC-11D2-8FAF-00C04fA378FF "MTA
  'QAdmin'"
• 0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE
  "Information Store (1)"
• 1453C42C-0FA6-11D2-A910-00C04F990F3B
  "Information Store (2)"
• 10F24E8E-0FA6-11D2-A910-00C04F990F3B
  "Information Store (3)"
• 1544F5E0-613C-11D1-93DF-00C04FD7BD09
  "Directory RFR"
• F930C514-1215-11D3-99A5-00A0C9B61B04 "System
  Attendant Cluster"
• 83D72BF0-0D89-11CE-B13F-00AA003BAC6C "System
  Attendant Private"
• 469D6EC0-0D87-11CE-B13F-00AA003BAC6C "System
  Attendant Public Interface"

45
Filter operation

• Client connects to filters portmapper
• Runs as part of filter
• Responds only to requests for Exchange RPC
• Not actually an (exploitable) portmapper
• ISA Server returns filters Exchange RPC port
  numbers
• Client makes new connection

ISA Server
Exchange
AD
46
Filter operation

• ISA Server connects to Exchanges portmapper
• Exchange returns port numbers
• ISA Server makes new connection

ISA Server
Exchange
AD
47
Filter operation

• Client logs on to Exchange
• Exchange proxies logon to Active Directory
• Need No RFR Service key to make this happen KB
  302914
• Filter watches for approval
• Filter checks whether encryption is on, if
  required
• Client mailbox opens

ISA Server
Exchange
AD
48
Protects from RPC attacks

• Reconnaissance?
• NETSTAT shows only 135/tcp
• RPCDump simply fails
• DoS against portmapper?
• Known attacks fail
• Successful attack leaves Exchange protected
• Service attacks?
• No reconnaissance info available
• ISA Server-to-Exchange connections fail unless
  prior client-to-ISA Server connection is
  correctly formatted

Yes!
Yes!
Yes!
49
Recommended design

• Recall typical design

ExFE
SMTP
ExBE
AD
50
New requirements, new designs

• Move critical servers inside for better
  protection
• Add ISA Server to your existing DMZ
• Increase security by publishing
• Exchange RPC
• OWA over HTTPS
• RPC over HTTPS
• SMTP (content filter)

ISA Server
51
ISA Server 2004 and Exchange 2003

• Standalone ISA Server 2004 in DMZ
• Forms-based client authN
• RADIUS for basic delegation
• Open firewall accordingly

ISA Server 2004
ExFE
SMTP
ExBE
Corp AD
RADIUS
52
Next steps

• Consider your risk
• What do you have?
• What are you comfortable with?
• Consider the way attacks are evolving
• Ports mean nothing
• Attacks look like legitimate traffic
• Evaluate and deploy ISA Server for all current
  and future Exchange installations

53
Around the corner

• SP 2 (mobility focus)
• Direct push to mobile devices
• Control and security
• Policy setting. Force a password to unlock device
• Local wipe, reset the password after x failed
  login attempts
• Remote wipe
• Support for certificate-based authentication
• Support for S/MIME
• Support for Sender ID e-mail authentication

54

• Complete guide to Exchange 2003 security
• Covers OWA, OMA/EAS, S/MIME, installation,
  auditing, and hardening
• Covers archiving, compliance, legal issues

ISBN 07356-1990-5
55
(No Transcript)