MSG308 Secure Access to Exchange from the Internet Steve Riley Microsoft Corporation.
-
Upload
barbra-curtis -
Category
Documents
-
view
215 -
download
1
Transcript of MSG308 Secure Access to Exchange from the Internet Steve Riley Microsoft Corporation.
MSG308
Secure Access to Exchangefrom the Internet
Steve Riley
Microsoft Corporation
FAQs
Exchange?On the Internet??
Are you out of your #!%@&$ mind???
It’s topical
Design alternativesVPNs
OWA
RPC—native and over HTTP
Recommended designTo DMZ or not to DMZ…that is the question
This session…
Is about—Securing Internet access to an Exchange installation
Isn’t about—General Exchange security
VPNs
The usual choice
VPN clients in all versions of WindowsYes, PPTP can be made secure
L2TP+IPsec is the future
Technology is well-understoodNeeds an IT staff, though
More work than most small and medium organizations want to deal with
Technical problems
Won’t work in some public locationsVPN protocols blocked
IPSec vs. NATBut see SEC406, 3:15 Thurs, Ballroom A 3-4!
Packet fragmentationIKE
IPSec NAT-T
Technical problems
Default gateway modificationsAll traffic goes to VPN tunnel
No access to local network
Split-tunneling often disallowedThis is a good thing!
VPNs are useful to connect remote clients to corporate networks
Less useful when connecting from corporate network to some ASP
Outlook Web Access
Universal availability
Browsers are everywhere
Familiar interface
OWA 2003 is almost just like Outlook
Security issues
HTTPS is the transportIntrusion detection?
Conformance to email policy?
OWA 2000 has no session timeoutFixed in OWA 2003
Forms authentication—cookie for session
Typical design
GoodSeparates protocol from message store
Network protection
BadTunnel through outside firewall: no inspection
Many holes in inside firewall for authentication
Anonymous initial connections to OWA
ExBEExBE ADAD
OWAOWA
Improving OWA security
Security goalsInspect SSL traffic
Maintain wire privacy
Enforce conformance to HTML/HTTP
Allow only known URL constructionBlock URL-borne attacks
OptionallyPre-authenticate incoming connections
Protect OWA with ISA Server
ISA Server becomes the “bastion host”
Web proxy terminates all connections
Decrypts HTTPS
Inspects content
Inspects URL (with URLScan)
Re-encrypts for delivery to OWA
OWAOWA
ISAISAServerServer
ExchangeExchange ADAD
x36dj23sx36dj23s2oipn49v2oipn49v<a href…<a href…http://...http://...
Protect OWA with ISA Server
Easy authentication to Active Directory
Pre-authenticate communications
ISA Server queries user for credentials
Verifies against AD
Embeds in HTTP headers to OWA
Avoids second prompt!
Requires FP1
OWAOWA
ISAISAServerServer
ExchangeExchange ADAD
404404
Results
Known good content
Known good URL
Known good user
Dare I say it… trusted access?
Exchange RPCon the Internet
RPC on the Internet?
Business case
Many users require full OutlookThird-party plugins
Mailbox synchronization
Client-side rules
Complete address book
VPNs are too costly if this is the only requirement
Design choices
Run it naked
Assign the RPC ports
Use RPC over HTTP
Publish with ISA Server
RPC server RPC server (Exchange)(Exchange)RPC server RPC server (Exchange)(Exchange)
RPC client RPC client (Outlook)(Outlook)
RPC client RPC client (Outlook)(Outlook)
Service UUID Port
Exchange {12341234-1111… 4402
AD replication {01020304-4444… 3544
MMC {19283746-7777… 9233
RPC services grab random RPC services grab random high ports when they start, high ports when they start,
server maintains tableserver maintains table
RPC connection setup
135/tcp135/tcp
Client connects to Client connects to portmapper on server portmapper on server
(port 135/tcp)(port 135/tcp)Client knows UUID Client knows UUID of service it wantsof service it wants
{12341234-1111…}{12341234-1111…}
Client accesses Client accesses application over application over
learned portlearned port
Client asks, “What Client asks, “What port is associated port is associated with my UUID?”with my UUID?”
Server matches UUID to Server matches UUID to the current port…the current port…
4402/tcp4402/tcp
Portmapper responds Portmapper responds with the port and closes with the port and closes
the connectionthe connection
4402/tcp4402/tcp
Design choices
Run it naked
Assign the RPC ports
Use RPC over HTTP
Publish with ISA Server
RPC naked on the net
GoodEasy to build!
BadEasy to compromise!
Firewall must permit all traffic on all high ports
Firewall can’t tell what’s Exchange and what isn’t
No protection against RPCDump, for instance
ExchangeExchange
Potential RPC attacks
ReconnaissanceNETSTAT
RPCDump
DoS against portmapper
Privilege escalation or other specific service attacks
Design choices
Run it naked
Assign the RPC ports
Use RPC over HTTP
Publish with ISA Server
Registry keys
Need to set fixed port numbers forInformation Service
Directory Service
System Attendant
See KB 148732
Best to use ports just above 5000
Fixed RPC ports
GoodStill easy to build
Limited open ports on firewall
135/tcp + 3 high ports
BadStill easy to compromise
Doesn’t stop any of the previous attacks
Firewall still can’t tell what’s Exchange and what isn’t
Scaleable?
ExchangeExchange
Design choices
Run it naked
Assign the RPC ports
Use RPC over HTTP
Publish with ISA Server
New in Exchange 2003
Result of high customer demand
UsefulAll firewalls allow 80/tcp and 443/tcp
Enables access from any location
No special firewall setup required
But is it secure?
Look back at the last slide…Not necessarily positive attributes
Simply running RPC over HTTP doesn’t solve all the problems
No protocol awareness in firewall
No pre-authenticated connections
No inspection if HTTPS
Is secure from RPC-borne attacksUntil attack tools have HTTP wrappers…
What’s the big deal?
Knowing a port number or a UUID doesn’t mean you know the intent
What do the following tell you:80/tcp
49494/tcp
{23947829-3857-2983-9838293069843927}
They are application identifiersThat’s all!
well-known port
well-known port
for HTTP
for HTTP
random (fixed?) p
ort
random (fixed?) p
ort
for Exchange
for Exchange
well-known UUID
well-known UUID
for Exchange
for Exchange
So what’s it good for?
RPC over HTTP is no more, and no less, secure than fixed-port RPC
So use it:If your business case requires it
You are comfortable with the risk
It’s another option for customers who are satisfied with its operation
Design choices
Run it naked
Assign the RPC ports
Use RPC over HTTP
Publish with ISA Server
ISA Server
More than just a proxy
True application-aware content-filtering firewall
Exchange RPC
SMTP
H.323
FTP
DNS
POP3/IMAP4
Exchange RPC filter
Intimately aware of—How Exchange RPC connections establish
What the proper protocol format is
Allows only Exchange RPC UUIDs
Enforces client authentication
Can optionally enforce encryptionRequires Feature Pack 1
Supports new mail notification
Published RPC interfaces
{99E64010-B032-11D0-97A4-00C04FD6551D}: "Store admin (1)"
{89742ACE-A9ED-11CF-9C0C-08002BE7AE86}: "Store admin (2)"
{A4F1DB00-CA47-1067-B31E-00DD010662DA}: "Store admin (3)"
{A4F1DB00-CA47-1067-B31F-00DD010662DA}: "Store EMSMDB"
{9E8EE830-4459-11CE-979B-00AA005FFEBE}: "MTA"
{1A190310-BB9C-11CD-90F8-00AA00466520}: "Database"
{F5CC5A18-4264-101A-8C59-08002B2F8426}: "Directory NSP"
{F5CC5A7C-4264-101A-8C59-08002B2F8426}: "Directory XDS"
{F5CC59B4-4264-101A-8C59-08002B2F8426}: "Directory DRS"
{38A94E72-A9BC-11D2-8FAF-00C04fA378FF}: "MTA 'QAdmin'"
{0E4A0156-DD5D-11D2-8C2F-00C04FB6BCDE}: "Information Store (1)"
{1453C42C-0FA6-11D2-A910-00C04F990F3B}: "Information Store (2)"
{10F24E8E-0FA6-11D2-A910-00C04F990F3B}: "Information Store (3)"
{1544F5E0-613C-11D1-93DF-00C04FD7BD09}: "Directory RFR"
{F930C514-1215-11D3-99A5-00A0C9B61B04}: "System Attendant Cluster"
{83D72BF0-0D89-11CE-B13F-00AA003BAC6C}: "System Attendant Private"
{469D6EC0-0D87-11CE-B13F-00AA003BAC6C}: "System Attendant Public Interface"
Filter operation
Client connects to filter’s “portmapper”
Runs as part of filter
Responds only to requests for Exchange RPC
ISA Server returns filter’s Exchange RPC port numbers
Client makes new connection
ISAISAServerServer
ExchangeExchange ADAD
Filter operation
ISA Server connects to Exchange’s portmapper
Exchange returns port numbers
ISA Server makes new connection
ISAISAServerServer
ExchangeExchange ADAD
Filter operation
Client logs on to Exchange
Exchange proxies logon to Active Directory
Need “No RFR Service” key to make this happen: KB 302914
Filter watches for approval
Filter checks whether encryption is on, if required
Client mailbox opens
ISAISAServerServer
ExchangeExchange ADAD
Protects from RPC attacks
Reconnaissance?NETSTAT shows only 135/tcp
RPCDump simply fails
DoS against portmapper?Known attacks fail
Successful attack leaves Exchange protected
Service attacks?No reconnaissance info available
ISA Server-to-Exchange connections fail unless prior client-to-ISA Server connection is correctly formatted
Yes!
Yes!
Yes!
Results
Known good connection
Known good encryption (optional)
Known good user
Dare I say it… trusted access?
Recommended design
Recall the typical design
ExFEExFE SMTPSMTP
ExBEExBE ADAD
New requirements, new designs
Move critical servers inside for better protection
Add ISA Server to your existing DMZ
Increase security by publishing:
Exchange RPC
OWA over HTTPS
SMTP (content filter)
ExFEExFE SMTPSMTP
ExBEExBE ADAD
ISA ServerISA Server
Next StepsNext Steps
Consider your risk—What do you have?
What are you comfortable with?
Consider the way attacks are evolvingPorts mean nothing
Attacks look like legitimate traffic
Evaluate and deploy ISA Server for all current and future Exchange installations
Community Resources
Community Resourceshttp://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)http://www.mvp.support.microsoft.com/
NewsgroupsConverse online with Microsoft Newsgroups, including Worldwidehttp://www.microsoft.com/communities/newsgroups/default.mspx
User GroupsMeet and learn with your peershttp://www.microsoft.com/communities/usergroups/default.mspx
Suggested Reading And Resources
The tools you need to put technology to work!The tools you need to put technology to work!
TITLETITLE AvailableAvailable
Microsoft® Exchange Server 2003 Microsoft® Exchange Server 2003 Administrator's Companion: 0-Administrator's Companion: 0-7356-1979-47356-1979-4
9/24/039/24/03
Active Directory® for Microsoft® Active Directory® for Microsoft® Windows® Server 2003 Windows® Server 2003 Technical Reference: 0-7356-Technical Reference: 0-7356-1577-21577-2
TodayToday
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
evaluationsevaluations
© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.